Profile Applicability:
 • Level 1

Description:
 Secure ICMP redirects are a variant of ICMP redirect messages used in IPsec environments. Accepting these redirects can allow attackers to manipulate secure network paths, potentially leading to traffic interception or man-in-the-middle attacks. Disabling acceptance of secure ICMP redirects enhances system and network security.

Rationale:
 Rejecting secure ICMP redirects prevents malicious rerouting of IPsec-protected traffic, maintaining the integrity and confidentiality of secure communications.

Impact:
 Pros:

  • Mitigates risk of attacks on secure network communication paths.

  • Enhances protection of IPsec and other secure tunnels.

 Cons:

  • May disrupt legitimate secure network routing in some complex environments.

Default Value:
 Many systems accept secure ICMP redirects by default unless configured otherwise.

Pre-requisites:

  • Root or sudo privileges to modify system network settings.

Remediation:

Test Plan:

Using Linux command line:

1. Check current settings for secure ICMP redirect acceptance:

sysctl net.ipv4.conf.all.secure_redirects
sysctl net.ipv4.conf.default.secure_redirects

2. Confirm both values are set to 0 (disabled).

Implementation Plan:

Using Linux command line:

1. Disable acceptance of secure ICMP redirects temporarily:

sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0

2. Persist the settings by adding to /etc/sysctl.conf or a file in /etc/sysctl.d/:

net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

3. Reload sysctl settings from all configuration files (--system also reads /etc/sysctl.d/, which -p alone does not):

sysctl --system
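
An added audit helper, not part of this benchmark text, that parses sysctl-style "key = value" lines for both secure_redirects keys, reports a missing or non-zero value, and reuses the same parser for the running kernel and for the persisted configuration. It assumes a Linux host with sysctl(8) and the standard /etc/sysctl.conf and /etc/sysctl.d/ locations.

```shell
#!/bin/sh
# Added audit helper for net.ipv4.conf.{all,default}.secure_redirects.
# Constructed for illustration; not part of the benchmark text. Assumes a
# Linux host with sysctl(8) and the usual /etc/sysctl.conf, /etc/sysctl.d/.

# audit_sysctl_lines: read "key = value" lines on stdin (the format both
# sysctl(8) and the config files use), keep the last value seen for each
# covered key (later definitions override earlier ones), then report any
# key that is missing or not 0. Returns 1 if anything was reported.
audit_sysctl_lines() {
    all_val=""; def_val=""
    while IFS= read -r line; do
        case $line in '#'*|'') continue ;; esac          # skip comments/blank
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        val=$(printf '%s' "${line#*=}"  | tr -d '[:space:]')
        case $key in
            net.ipv4.conf.all.secure_redirects)     all_val=$val ;;
            net.ipv4.conf.default.secure_redirects) def_val=$val ;;
        esac
    done
    rc=0
    for pair in "all:$all_val" "default:$def_val"; do
        key="net.ipv4.conf.${pair%%:*}.secure_redirects"; val=${pair#*:}
        if [ -z "$val" ]; then
            printf 'MISSING: %s not set\n' "$key"; rc=1
        elif [ "$val" != "0" ]; then
            printf 'NONCOMPLIANT: %s = %s (expected 0)\n' "$key" "$val"; rc=1
        fi
    done
    return $rc
}

# audit_live: what the kernel is enforcing right now (Test Plan steps 1-2).
audit_live() {
    sysctl net.ipv4.conf.all.secure_redirects \
           net.ipv4.conf.default.secure_redirects | audit_sysctl_lines
}

# audit_persisted: what survives a reboot (Implementation Plan step 2).
# Simplification: only the two locations the page names, in the order
# sysctl --system applies them (/etc/sysctl.d/*.conf before /etc/sysctl.conf).
audit_persisted() {
    cat /etc/sysctl.d/*.conf /etc/sysctl.conf 2>/dev/null | audit_sysctl_lines
}
```

Run audit_live and audit_persisted together: a host can pass the live check yet still report MISSING for the persisted one, which means the setting will revert at the next boot.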

Backout Plan:

Using Linux command line:

1. Re-enable acceptance of secure ICMP redirects if necessary:

sysctl -w net.ipv4.conf.all.secure_redirects=1
sysctl -w net.ipv4.conf.default.secure_redirects=1

2. Update configuration files accordingly and reload sysctl.

References: