IPv6 link-local and VPS/cloud services: a hidden threat?

Like many IT folks, I have my own VPS (for instance, this website runs on it). I use this virtual server mainly to host my blog and some other websites I own. The main reason I use a "server" (and not a "hosting solution") is that this way I have complete access to the machine. I like being able to customize my services from top to bottom, even for a simple blog.

The provider (Netsons) is not currently providing any IPv6 connectivity to VPSes. Even my home ISP is not providing IPv6 connectivity. Wonderful...

Some years ago I requested an account and a /48 subnet from the Hurricane Electric IPv6 tunnel broker service for my house. It works very well (think of it as a VPN, except that it's not "private").

Then, last month, I began to play with the network configuration of the VPS to check that everything was OK (I was considering requesting another tunnel for my server), and I discovered that, thanks to link-local IPv6 addresses, pretty much every host in my server's network was reachable. No firewall, no ACLs.

If you don't know what a link-local address is, let me explain: there are standards (one for IPv4, another for IPv6) that allow a host to autoconfigure a network interface with an IP address (IPv4 addresses are in 169.254.0.0/16, IPv6 addresses are in fe80::/64). This is optional in IPv4, but in IPv6 it is required by many network services. The way it works is quite simple: the host picks a random IP (in the case of IPv6, it may derive it from the MAC address), then asks the network whether anyone already has that address (in v4, a simple ARP request is sufficient). If there is a collision, another IP is chosen.
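To make the two mechanisms concrete, here is an added example (my own code, not part of the original post) that does both things the paragraph describes: it derives the modified EUI-64 link-local address a host would autoconfigure from its MAC, and it simulates the IPv4 pick-probe-retry loop, with a set of "already claimed" addresses standing in for the ARP probe. The MAC and the claimed addresses are constructed values.

```python
import ipaddress
import random


def eui64_link_local(mac: str) -> str:
    """Derive the modified EUI-64 link-local address (fe80::/64) that a host
    autoconfigures from its interface MAC (RFC 4291, Appendix A)."""
    octets = [int(part, 16) for part in mac.replace("-", ":").split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    octets[0] ^= 0x02  # flip the universal/local bit of the first octet
    # Insert FF:FE in the middle to stretch 48 bits into a 64-bit interface ID.
    iid = bytes(octets[:3] + [0xFF, 0xFE] + octets[3:])
    addr = ipaddress.IPv6Address((0xFE80 << 112) | int.from_bytes(iid, "big"))
    return str(addr)


def pick_ipv4_link_local(in_use, candidates):
    """Simulate RFC 3927 (IPv4 link-local) address selection.

    `in_use` is the set of addresses already claimed on the segment; a
    membership check stands in for the ARP probe a real host would send.
    `candidates` yields (third, fourth) octet pairs to try, so the
    retry-on-collision logic can be driven deterministically.
    Returns (address, attempts)."""
    for attempt, (third, fourth) in enumerate(candidates, start=1):
        # RFC 3927 reserves 169.254.0.x and 169.254.255.x; usable hosts are
        # 169.254.1.0 through 169.254.254.255.
        if not (1 <= third <= 254 and 0 <= fourth <= 255):
            raise ValueError(f"candidate outside link-local host range: {third}.{fourth}")
        candidate = f"169.254.{third}.{fourth}"
        if candidate not in in_use:  # nobody answered the "probe": claim it
            return candidate, attempt
    raise RuntimeError("no free link-local address among the candidates")


def random_candidates(rng=None, limit=10):
    """The candidate source a real host uses: random picks, bounded retries."""
    rng = rng or random.Random()
    for _ in range(limit):
        yield rng.randint(1, 254), rng.randint(0, 255)


if __name__ == "__main__":
    # Constructed MAC, not a real host's address.
    print("IPv6 link-local for 00:1a:2b:3c:4d:5e ->",
          eui64_link_local("00:1a:2b:3c:4d:5e"))
    # Constructed set of addresses "already on the wire".
    taken = {"169.254.7.7", "169.254.9.9"}
    addr, tries = pick_ipv4_link_local(taken, random_candidates())
    print(f"IPv4 link-local chosen after {tries} probe(s):", addr)
```

The IPv6 side is the part worth noticing from a security standpoint: because the interface ID is a deterministic function of the MAC, the kernel will configure that fe80:: address the moment the interface comes up, whether or not anyone ever planned to run IPv6 on the segment.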

Link-local addresses were invented to satisfy the plug-and-play concept: you can plug two or more devices into an unconfigured network (no DHCP, no static IPs, ...), and these devices will still be able to talk to each other (for example, a brand new PC and a printer).

Remember: even if your network is not running IPv6 (native or tunnelled), that doesn't mean your host cannot send or receive IPv6 traffic. So, if you don't use IPv6 at all (a very bad move), you need to disable it completely, or configure a firewall rule to block all IPv6 packets.
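The following is an added example (my own code, not from the original post) of the check and the two fixes the paragraph recommends on a Linux VPS: it parses `ip -6 addr show` output to list interfaces that carry a link-local address, checks the `net.ipv6.conf.all.disable_ipv6` sysctl, and emits either a sysctl.d fragment that disables IPv6 entirely or an nftables ruleset whose `ip6` hooks drop every packet. The `ip -6 addr` output and the interface names in it are constructed samples, not captured from a real machine.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show` output (not captured from a real host).
SAMPLE_IP6_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::21a:2bff:fe3c:4d5e/64 scope link
       valid_lft forever preferred_lft forever
3: he-ipv6@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 state UNKNOWN qlen 1000
    inet6 2001:db8:1234::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::c0a8:101/64 scope link
       valid_lft forever preferred_lft forever
"""

IFACE_RE = re.compile(r"^\d+: ([^:@\s]+)[^:]*:")
ADDR_RE = re.compile(r"^\s+inet6 (\S+) scope (\w+)")


def parse_ip6_addr(text):
    """Map interface name -> list of (address, scope) from `ip -6 addr` output."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            iface = ipaddress.ip_interface(m.group(1))
            result[current].append((str(iface.ip), m.group(2)))
    return result


def exposed_link_local(addrs):
    """Interfaces (loopback excluded) that carry a link-local address: each one
    is reachable by every other host on that segment, global IPv6 or not."""
    found = []
    for iface, entries in addrs.items():
        if iface == "lo":
            continue
        for addr, scope in entries:
            if scope == "link" and ipaddress.ip_address(addr).is_link_local:
                found.append((iface, addr))
    return found


def ipv6_disabled(sysctl_values):
    """True if the kernel is told to disable IPv6 globally. `sysctl_values` maps
    sysctl key -> value, as read from /proc/sys or `sysctl -a`."""
    return sysctl_values.get("net.ipv6.conf.all.disable_ipv6", "0").strip() == "1"


def disable_ipv6_sysctl(interfaces):
    """Option 1 from the text: turn IPv6 off entirely (sysctl.d-style lines)."""
    lines = ["net.ipv6.conf.all.disable_ipv6 = 1",
             "net.ipv6.conf.default.disable_ipv6 = 1"]
    lines += [f"net.ipv6.conf.{i}.disable_ipv6 = 1"
              for i in sorted(interfaces) if i != "lo"]
    return "\n".join(lines) + "\n"


def block_all_ipv6_nft():
    """Option 2 from the text: an nftables ruleset whose ip6 hooks drop everything."""
    return (
        "table ip6 filter {\n"
        "    chain input   { type filter hook input   priority 0; policy drop; }\n"
        "    chain forward { type filter hook forward priority 0; policy drop; }\n"
        "    chain output  { type filter hook output  priority 0; policy drop; }\n"
        "}\n"
    )


if __name__ == "__main__":
    addrs = parse_ip6_addr(SAMPLE_IP6_ADDR)
    for iface, addr in exposed_link_local(addrs):
        print(f"{iface}: link-local {addr} is reachable by every host on the segment")
    print("\n# /etc/sysctl.d/99-no-ipv6.conf")
    print(disable_ipv6_sysctl(addrs), end="")
    print("\n# load with: nft -f <file>")
    print(block_all_ipv6_nft(), end="")
```

Of the two options, the sysctl one is the cleaner fit for a host that truly does not use IPv6: with `disable_ipv6 = 1` the kernel never configures the fe80:: address in the first place, so there is nothing on the segment to reach. The nftables ruleset keeps the addresses but drops every IPv6 packet in all three hooks, ICMPv6 included, which is exactly what "block all IPv6 packets" means and is only appropriate when you are sure no service on the box depends on it.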