As a security best practice, verify that the host system denies IPv6 router prefix information unless necessary. The accept_ra_pinfo setting controls whether the system accepts prefix information from the router. If addresses are statically assigned, the system does not receive any router prefix information.
Procedure
- Run the # grep [01] /proc/sys/net/ipv6/conf/*/accept_ra_pinfo|egrep "default|all" command to verify that the system denies IPv6 router prefix information.
- Configure the host system to deny IPv6 router prefix information.
  - Open the /etc/sysctl.conf file.
  - If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0.
    net.ipv6.conf.all.accept_ra_pinfo=0
    net.ipv6.conf.default.accept_ra_pinfo=0
  - Save the changes and close the file.
  - Run # sysctl -p to apply the configuration.
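
The following audit function is an added example, not part of the original procedure. It checks both the live value and the entry in /etc/sysctl.conf for the "all" and "default" scopes, so a value that is 0 now but would revert at reboot is also reported. The function name and its two optional path arguments are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original page). Audits accept_ra_pinfo for the
# "all" and "default" scopes: the live value and the persisted one.
# Usage: audit_ra_pinfo [conf_dir] [sysctl_conf]
# Both arguments are assumptions of this example so the check can be pointed
# at a copy; they default to the paths used in the procedure.
audit_ra_pinfo() {
    conf_dir=${1:-/proc/sys/net/ipv6/conf}
    sysctl_conf=${2:-/etc/sysctl.conf}
    rc=0
    for scope in all default; do
        key="net.ipv6.conf.$scope.accept_ra_pinfo"
        key_re="net\.ipv6\.conf\.$scope\.accept_ra_pinfo"

        # Live value, the same file the grep in the verification step reads.
        # An unreadable file is reported as "missing" and counted as a failure.
        runtime=missing
        if [ -r "$conf_dir/$scope/accept_ra_pinfo" ]; then
            runtime=$(cat "$conf_dir/$scope/accept_ra_pinfo")
        fi

        # Persisted value: the last uncommented "key = N" line in the file,
        # because sysctl -p applies entries in order.
        persisted=
        if [ -r "$sysctl_conf" ]; then
            persisted=$(sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*\$/\1/p" "$sysctl_conf" | tail -n 1)
        fi
        [ -n "$persisted" ] || persisted=unset

        if [ "$runtime" = 0 ] && [ "$persisted" = 0 ]; then
            echo "PASS $key runtime=$runtime persisted=$persisted"
        else
            echo "FAIL $key runtime=$runtime persisted=$persisted"
            rc=1
        fi
    done
    return "$rc"
}
```

Call audit_ra_pinfo with no arguments to check the live host. Only /etc/sysctl.conf is inspected, as in the procedure; drop-in files under /etc/sysctl.d are not read.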