As a security best practice, verify that your VMware virtual appliance host machines deny IPv6 ICMP redirect messages.

About this task

Routers use ICMP redirect messages to tell hosts that a more direct route exists for a destination. A malicious ICMP redirect message can facilitate a man-in-the-middle attack. These messages modify the host's route table and are unauthenticated. Ensure your system is configured to ignore them if they are not otherwise needed.

Procedure

  1. Run the # grep [01] /proc/sys/net/ipv6/conf/*/accept_redirects|egrep "default|all" command on the VMware virtual appliance host machines to confirm that they deny IPv6 redirect messages.

    If the host machines are configured to deny IPv6 redirects, this command returns the following:

    /proc/sys/net/ipv6/conf/all/accept_redirects:0

    /proc/sys/net/ipv6/conf/default/accept_redirects:0

  2. To configure a virtual appliance host machine to deny IPv6 redirect messages, open the /etc/sysctl.conf file in a text editor.
  3. Check the values of the lines that begin with net.ipv6.conf.

    If the values for the following entries in the file are not set to zero, or if the entries do not exist, add them to the file or update the existing entries accordingly.

    net.ipv6.conf.all.accept_redirects=0
    net.ipv6.conf.default.accept_redirects=0
  4. Save the changes and close the file.
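The following is an added audit script, not part of the VMware documentation, that performs the checks from steps 1 and 3 above. It takes the sysctl tree and the sysctl.conf path as arguments so it can run against the live host (/proc/sys and /etc/sysctl.conf) or against a constructed copy; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not VMware's code). Audits IPv6 ICMP redirect acceptance:
# the running kernel values (step 1) and the persistent sysctl.conf entries (step 3).

# check_ipv6_redirects ROOT
# Prints "<iface>:<value>" for every accept_redirects file under ROOT/net/ipv6/conf
# whose value is not 0. Returns 0 if all are 0, 1 if any accept redirects,
# 2 if no IPv6 conf tree was found (treated as a failed check, not a pass).
check_ipv6_redirects() {
    root="${1:-/proc/sys}"
    rc=0
    found=0
    for f in "$root"/net/ipv6/conf/*/accept_redirects; do
        [ -r "$f" ] || continue
        found=1
        iface=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        if [ "$val" != "0" ]; then
            printf '%s:%s\n' "$iface" "$val"
            rc=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "no IPv6 conf tree under $root" >&2; return 2; }
    return $rc
}

# ensure_sysctl_conf FILE
# For the two entries the procedure requires: append "key=0" when the key is
# absent; when the key is present with another value, report it and return 1
# rather than silently rewriting an administrator's line.
ensure_sysctl_conf() {
    conf="$1"
    rc=0
    for key in net.ipv6.conf.all.accept_redirects net.ipv6.conf.default.accept_redirects; do
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for grep -E
        if grep -Eq "^[[:space:]]*${esc}[[:space:]]*=" "$conf"; then
            grep -Eq "^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*0[[:space:]]*$" "$conf" \
                || { printf 'fix manually: %s\n' "$key"; rc=1; }
        else
            printf '%s=0\n' "$key" >> "$conf"
        fi
    done
    return $rc
}
```

After editing sysctl.conf, apply the persistent values with sysctl -p and rerun check_ipv6_redirects to confirm the kernel now reports 0 on every interface.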