As a security best practice, verify that the host system denies IPv6 neighbor solicitations unless necessary. The dad_transmits setting determines how many neighbor solicitations are sent out per address, including global and link-local addresses, when you bring up an interface to ensure that the desired address is unique on the network.
Procedure
- Run the # grep [01] /proc/sys/net/ipv6/conf/*/dad_transmits|egrep "default|all" command to verify whether the host system denies IPv6 neighbor solicitations.
- If the values are not set to 0, configure the host system to deny IPv6 neighbor solicitations.
  - Open the /etc/sysctl.conf file.
  - If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0.
    net.ipv6.conf.all.dad_transmits=0
    net.ipv6.conf.default.dad_transmits=0
  - Save the changes and close the file.
  - Run # sysctl -p to apply the configuration.
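
The verification and persistence steps above combined into one audit function, as an added example that is not part of the original procedure. The two optional arguments (configuration directory and sysctl file) are assumptions added so the check can be pointed at a test tree; the function compares the whole value rather than matching on 0 or 1, and it reads only /etc/sysctl.conf, not any drop-in files.

```shell
#!/bin/sh
# Added example (not from the original page): audit dad_transmits for the
# "all" and "default" scopes at runtime and in the persistent sysctl file.
# Both arguments are assumptions added for testability; they default to the
# paths named in the procedure.
check_dad_transmits() {
    conf_dir="${1:-/proc/sys/net/ipv6/conf}"
    sysctl_file="${2:-/etc/sysctl.conf}"
    failed=0
    for scope in all default; do
        key="net.ipv6.conf.$scope.dad_transmits"
        live="$conf_dir/$scope/dad_transmits"

        # Runtime value: compare the whole value, so 2 or higher is also caught.
        if [ -r "$live" ]; then
            val=$(cat "$live")
            if [ "$val" = "0" ]; then
                echo "PASS runtime    $key=$val"
            else
                echo "FAIL runtime    $key=$val"
                failed=1
            fi
        else
            echo "SKIP runtime    $key ($live not readable)"
        fi

        # Persistent value: the last uncommented assignment in the file wins.
        pattern=$(printf '%s' "$key" | sed 's/\./\\./g')
        saved=$(sed -n "s/^[[:space:]]*$pattern[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*\$/\1/p" \
            "$sysctl_file" 2>/dev/null | tail -n 1)
        if [ "$saved" = "0" ]; then
            echo "PASS persistent $key=0"
        else
            echo "FAIL persistent $key=${saved:-unset}"
            failed=1
        fi
    done
    return "$failed"
}
# Usage: call check_dad_transmits with no arguments to audit the live host.
```

The function returns 0 only when both scopes are 0 at runtime and in the file, so it can gate a compliance job.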