As a security best practice, verify that the host system does not accept Hop Limit settings from IPv6 router advertisements unless necessary. The accept_ra_defrtr setting controls whether the system accepts Hop Limit settings from a router advertisement. Setting it to 0 prevents a router from changing the default IPv6 Hop Limit for outgoing packets.

Procedure

  1. Run the command # grep [01] /proc/sys/net/ipv6/conf/*/accept_ra_defrtr|egrep "default|all" to verify that the host system denies IPv6 router advertisement Hop Limit settings. The command prints the current value of accept_ra_defrtr for the all and default interface entries.
  2. If either value is not 0, configure the host system to deny IPv6 router advertisement Hop Limit settings.
    1. Open the /etc/sysctl.conf file.
    2. Add the following entries to the file, or update the existing entries so that each is set to 0.
      net.ipv6.conf.all.accept_ra_defrtr=0
      net.ipv6.conf.default.accept_ra_defrtr=0
    3. Save the changes and close the file.