Kicksecure IPv6 Default Settings (17.4.4.6 Feedback)

exfil · January 4, 2026, 7:27pm

Installation Details

Version: Kicksecure 17.4.4.6

Install medium: Sandisk USB

Partition format: ext4 (auto-formatted)

I recall reading that the security‑misc profile disables the entire IPv6 stack. After installing, however, I verified that IPv6 is still active:
Upon post install I checked and cat /proc/sys/net/ipv6/conf/all/disable_ipv6 returned 0 (enabled) and ip -6 addr show returned a inet6 address.

I had to create a config file /etc/sysctl.d/99_disable-ipv6.conf with these lines to disable it:

net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1

Upon further looking at the github README:

Networking:

Optional - Disable the entire IPv6 stack to reduce attack surface.

But it doesn’t point to the exact configuration file that implements this.

I’m not using this installation as a server, and I’m skeptical of the “IPv6 evangelism” that circulates in many networking sysadmin circles, not Kicksecure. My concerns stem mainly from two points:

IPv6 doesn’t provide the implicit NAT barrier that IPv4 does.
Privacy implications of EUI‑64 that can expose hardware identifiers.

So here are two questions about IPv6 and Kicksecure.

1. Does Disabling IPv6 reduce Tor Anonymity set?

Does disabling the IPv6 network stack on my machine then in return prevent the Tor Daemons from using IPv6 relays? (Reduced relay pool to select from)
Will Tor only connect to IPv4 relays and ignore IPv6 relays?

2. Can we have IPv6 privacy extensions enabled without breaking root DHCP server?

Can we enable full IPv6 (for Tor daemon’s IPv6 relay access and machine outbound) with privacy extensions, while maintaining a stable IPv6 address bound to your DHCPv6 server’s DUID for reliable client leasing and server reachability as to not add breakage for users needing the IPv6 server?

Config note here worth mentioning man nm-settings-dbus

The special values “llt” and “ll” will generate a DUID of type LLT or LL (see RFC 3315) based on the current MAC address of the device.
dhcp-duid=ll # Fallbacks to link-local DUID for IPv6

The bottom line is can we keep a stable, DUID derived address for server accessibility while also generating temporary privacy focused addresses for outbound traffic (Tor relay/daemon and general machine use like e.g. in a users post about reticulum use)?

arraybolt3 · January 5, 2026, 12:26am

For guard relays, almost certainly yes. If your machine can’t connect to other machines over IPv6, Tor won’t be able to either. The guard relays however might then talk to other relays that do have IPv6 support.

Not sure, research in this area would be welcome if a contributor is interested in working on it. My experience with IPv6 automatic address assignment is mostly with SLAAC, so I don’t have much insight into what can be done with DHCPv6.

Patrick · January 5, 2026, 8:04am

Optional: Meaning, not by default.

/etc/default/grub.d/40_kernel_hardening.cfg

#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1"

The ipv6.disable=1 is commented out (disabled) by default, it has no effect. See also Commenting Syntax and Effects.

Since we don’t enable ipv6.disable=1, IPv6 remains enabled by default.

Btw: Search the Source Code

Unspecific to Kicksecure:

Suitable for:

exfil · January 10, 2026, 6:23pm

There’s gotta be some configuration way? But then again NetworkManager amiright lol like just how its hardcoded to list SSID’s alphabetically with no option to list by signal strength. Atleast I haven’t found any such option. Something I noticed today when looking for my network in the wave of signals.

exfil · January 10, 2026, 6:24pm

Well kinda since Kicksecure ships the tor daemon for updates and sdwdate…but like you stated IPv6 is not disabled by default so it wouldn’t effect that point