Configure the Host System to Deny IPv6 Router Advertisements
As a security best practice, verify that the host system denies the acceptance of router
advertisements and Internet Control Message Protocol (ICMP) redirects unless
necessary. A feature of IPv6 is how systems can configure their networking
devices by automatically using information from the network. From a security
perspective, it is preferable to manually set important configuration
information rather than accepting it from the network in an unauthenticated
way.
- Run the # grep [01] /proc/sys/net/ipv6/conf/*/accept_ra|egrep "default|all" command on the host system to verify whether the system denies the acceptance of router advertisements and ICMP redirects unless necessary.
- Configure the host system to deny IPv6 router advertisements.
  - Open the /etc/sysctl.conf file.
  - If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0.
      net.ipv6.conf.all.accept_ra=0
      net.ipv6.conf.default.accept_ra=0
  - Save the changes and close the file.
  - Run # sysctl -p to apply the configuration.
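
The verification and configuration steps above can be combined into one repeatable audit. The following is an added example, not part of the original procedure: it goes beyond the grep command by reporting every interface whose runtime accept_ra value is not 0, and it also confirms that both entries are set to 0 in /etc/sysctl.conf. The function name audit_accept_ra and its optional ROOT argument (used to audit a copied file tree) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit accept_ra at runtime and in the persistent configuration.
# ROOT defaults to "/" and exists only so the check can run against a copied tree.

# audit_accept_ra [ROOT] -> prints findings; returns 0 if compliant, 1 otherwise
audit_accept_ra() {
    root="${1:-/}"
    conf_dir="${root%/}/proc/sys/net/ipv6/conf"
    sysctl_file="${root%/}/etc/sysctl.conf"
    rc=0

    # Runtime values: every interface directory, including "all" and "default".
    for f in "$conf_dir"/*/accept_ra; do
        [ -r "$f" ] || continue
        val=$(cat "$f")
        iface=$(basename "$(dirname "$f")")
        if [ "$val" != "0" ]; then
            echo "FAIL runtime $iface accept_ra=$val"
            rc=1
        fi
    done

    # Persistent values: both keys must be present and set to 0 in sysctl.conf.
    for key in net.ipv6.conf.all.accept_ra net.ipv6.conf.default.accept_ra; do
        # Use the last uncommented assignment, because sysctl -p applies
        # the file in order and a later line overrides an earlier one.
        val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" \
              "$sysctl_file" 2>/dev/null | tail -n 1)
        if [ "$val" != "0" ]; then
            echo "FAIL persistent $key=${val:-unset}"
            rc=1
        fi
    done

    [ "$rc" -eq 0 ] && echo "OK accept_ra is 0 at runtime and in sysctl.conf"
    return "$rc"
}
```

Calling audit_accept_ra with no argument audits the live host; a non-zero exit status means at least one FAIL line was printed.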