As a security best practice, verify that the host system ignores IPv6 Internet Control Message Protocol (ICMP) redirect messages. A malicious ICMP redirect message might allow a man-in-the-middle attack to occur. Routers use ICMP redirect messages to tell hosts that a more direct route exists for a destination. These messages modify the host's route table and are unauthenticated.

Procedure

  1. Run the # grep [01] /proc/sys/net/ipv6/conf/*/accept_redirects|egrep "default|all" command on the host system and check whether it ignores IPv6 redirect messages.
  2. Configure the host system to ignore IPv6 ICMP redirect messages.
    1. Open the /etc/sysctl.conf to configure the host system to ignore the IPv6 redirect messages.
    2. If the values are not set to 0, add the following entries to the file or update the existing entries accordingly. Set the value to 0. 
      net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
    3. Save the changes and close the file.
    4. Run # sysctl -p to apply the configuration.