Verify that VMware host machines deny the acceptance of router advertisements and ICMP redirects unless otherwise required for system operation.

About this task

IPv6 enables systems to configure their networking devices automatically by using information from the network. From a security perspective, setting important configuration information manually is preferable to accepting it from the network in an unauthenticated way.

Procedure

  1. Run the following command on the VMware appliance host machines to verify that they deny router advertisements.

    # grep [01] /proc/sys/net/ipv6/conf/*/accept_ra|egrep "default|all"

    If the host machines are configured to deny IPv6 router advertisements, this command will return values of 0:

    /proc/sys/net/ipv6/conf/all/accept_ra:0
    /proc/sys/net/ipv6/conf/default/accept_ra:0

    If the host machines are configured correctly, no further action is necessary.

  2. If you need to configure a host machine to deny IPv6 router advertisements, open the /etc/sysctl.conf file in a text editor.
  3. Check for the following entries.
    net.ipv6.conf.all.accept_ra=0
    net.ipv6.conf.default.accept_ra=0

    If these entries do not exist, or if their values are not set to zero, add the entries or update the existing entries accordingly.

  4. Save any changes you made and close the file.
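
The runtime check from step 1 and the /etc/sysctl.conf entries from step 3, combined into one audit script. This is an added example, not VMware's own tooling; the function names and the path arguments are assumptions of this example, and it reads only /etc/sysctl.conf, the file this procedure names.

```shell
#!/bin/sh
# Added example: audit accept_ra in the running kernel and in sysctl.conf.
# Paths are passed as arguments (an assumption of this example) so the
# checks can also be run against copies collected from several hosts.

check_runtime() {  # $1 = conf root, e.g. /proc/sys/net/ipv6/conf
    rc=0
    for scope in all default; do
        f="$1/$scope/accept_ra"
        if [ ! -r "$f" ]; then
            echo "FAIL runtime $scope: $f not readable"; rc=1; continue
        fi
        v=$(cat "$f")
        if [ "$v" = "0" ]; then echo "OK   runtime $scope=0"
        else echo "FAIL runtime $scope=$v"; rc=1; fi
    done
    return $rc
}

# Print the last value assigned to a key, ignoring comment lines and
# whitespace around "="; prints nothing when the key is not set.
persistent_value() {  # $1 = key, $2 = sysctl.conf path
    awk -F= -v key="$1" '
        /^[ \t]*[#;]/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/[ \t]/, "", v); found = v }
        END { if (found != "") print found }
    ' "$2"
}

check_persistent() {  # $1 = sysctl.conf path
    rc=0
    for scope in all default; do
        key="net.ipv6.conf.$scope.accept_ra"
        v=$(persistent_value "$key" "$1")
        case "$v" in
            0)  echo "OK   persistent $key=0" ;;
            "") echo "FAIL persistent $key not set"; rc=1 ;;
            *)  echo "FAIL persistent $key=$v"; rc=1 ;;
        esac
    done
    return $rc
}

audit_accept_ra() {  # $1 = conf root, $2 = sysctl.conf path
    status=0
    check_runtime "$1" || status=1
    check_persistent "$2" || status=1
    return $status
}
```

On a host, call `audit_accept_ra /proc/sys/net/ipv6/conf /etc/sysctl.conf`. A runtime FAIL alongside a persistent OK means the file has been edited but not yet loaded into the running kernel, which happens at the next boot or with `sysctl -p`.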