As a security best practice, verify that the host system denies the acceptance of router advertisements and Internet Control Message Protocol (ICMP) redirects unless necessary. IPv6 allows systems to configure their networking devices automatically by using information received from the network. From a security perspective, it is preferable to set important configuration information manually rather than to accept it from the network in an unauthenticated way.

Procedure

  1. Run the following command on the host system to verify whether the system denies the acceptance of router advertisements and ICMP redirects unless necessary.
      # grep [01] /proc/sys/net/ipv6/conf/*/accept_ra|egrep "default|all"
  2. Configure the host system to deny IPv6 router advertisements.
    1. Open the /etc/sysctl.conf file.
    2. If the values are not set to 0, add the following entries to the file, or update the existing entries so that each value is 0.
      net.ipv6.conf.all.accept_ra=0
      net.ipv6.conf.default.accept_ra=0
    3. Save the changes and close the file.
    4. Run the # sysctl -p command to apply the configuration.
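
The following script is an added example, not part of the original procedure. It compares the running accept_ra value for the all and default scopes with the last matching entry in /etc/sysctl.conf, so that a setting that is correct now but not persisted (or persisted but not yet applied) is reported. The function names and the PROC_ROOT and SYSCTL_CONF variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit accept_ra at runtime and in the persistent config.
# PROC_ROOT and SYSCTL_CONF are hypothetical overrides so the check can
# also be run against an offline copy of a host's files.
PROC_ROOT="${PROC_ROOT:-/proc/sys}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"

# Print the last value assigned to key $1 in the sysctl file, or nothing.
# Tolerates "key = value" spacing and skips comment lines (# or ;).
persisted_value() {
    [ -r "$SYSCTL_CONF" ] || return 0
    awk -F= -v key="$1" '
        /^[ \t]*[#;]/ { next }
        {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); gsub(/[ \t\r]/, "", v)
            if (k == key) last = v   # later entries override earlier ones
        }
        END { if (last != "") print last }
    ' "$SYSCTL_CONF"
}

# Print one status line per scope; return 1 if any scope is not compliant.
check_accept_ra() {
    rc=0
    for scope in all default; do
        key="net.ipv6.conf.$scope.accept_ra"
        file="$PROC_ROOT/net/ipv6/conf/$scope/accept_ra"
        # A missing file usually means IPv6 is disabled; confirm manually.
        runtime=$(cat "$file" 2>/dev/null) || runtime="missing"
        saved=$(persisted_value "$key")
        if [ "$runtime" = "0" ] && [ "$saved" = "0" ]; then
            echo "PASS $key runtime=0 persisted=0"
        else
            # accept_ra can also be 2, so any value other than 0 fails.
            echo "FAIL $key runtime=$runtime persisted=${saved:-unset}"
            rc=1
        fi
    done
    return $rc
}
```

Source the script and call check_accept_ra. Only /etc/sysctl.conf is read, which is the file that sysctl -p loads by default.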