Profile Applicability:
 • Level 1

Description:
IPv6 router advertisements are used for network configuration in IPv6 environments. Accepting unsolicited or malicious router advertisements can lead to network misconfigurations or man-in-the-middle attacks. Disabling acceptance of IPv6 router advertisements enhances network security.

Rationale:
 Rejecting unauthorized IPv6 router advertisements helps prevent attackers from manipulating network settings and routing.

Impact:
 Pros:

  • Protects against malicious network configuration changes.

  • Enhances integrity of IPv6 routing.

 Cons:

  • May disrupt legitimate IPv6 network functionality in some environments.

Default Value:
 Acceptance of IPv6 router advertisements may be enabled by default.

Pre-requisites:

  • Root or sudo privileges to modify IPv6 network settings.

Remediation:

Test Plan:

Using Linux command line:

1. Check current settings for IPv6 router advertisement acceptance:

sysctl net.ipv6.conf.all.accept_ra  
sysctl net.ipv6.conf.default.accept_ra

2. Confirm both values are set to 0 (disabled).

Implementation Plan:

Using Linux command line:

1. Disable acceptance of IPv6 router advertisements temporarily:

sysctl -w net.ipv6.conf.all.accept_ra=0  
sysctl -w net.ipv6.conf.default.accept_ra=0


2. Persist the settings by adding the following lines to /etc/sysctl.conf or a file in /etc/sysctl.d/:

net.ipv6.conf.all.accept_ra = 0  
net.ipv6.conf.default.accept_ra = 0
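
The Test Plan check and the persistence step above can be combined into one repeatable audit. The script below is an added example, not part of the original benchmark text. It goes beyond the two keys shown by also reading every per-interface accept_ra key under /proc/sys/net/ipv6/conf. The variable CONF_ROOT and the function names audit_runtime and audit_persisted are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: audit accept_ra at runtime and in persisted sysctl files.
# CONF_ROOT and both function names are assumptions made for this example.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv6/conf}"

# Runtime check: print every interface whose accept_ra is not 0.
# Returns 1 if any such interface exists or "all"/"default" is unreadable.
audit_runtime() {
    local root="${1:-$CONF_ROOT}" rc=0 f val
    for f in "$root/all/accept_ra" "$root/default/accept_ra"; do
        [ -r "$f" ] || { echo "MISSING $f"; rc=1; }
    done
    for f in "$root"/*/accept_ra; do
        [ -r "$f" ] || continue
        val=$(tr -d '[:space:]' < "$f")
        if [ "$val" != "0" ]; then
            echo "FAIL $(basename "$(dirname "$f")") accept_ra=$val"
            rc=1
        fi
    done
    return $rc
}

# Persistence check: both keys must be assigned in the given files, and no
# accept_ra assignment may be non-zero. The last assignment of a key, in the
# order the files are given, is the one evaluated. Comment lines are ignored.
audit_persisted() {
    [ $# -gt 0 ] || set -- /etc/sysctl.conf /etc/sysctl.d/*.conf
    cat "$@" 2>/dev/null | awk -F= '
        /^[ \t]*[#;]/ { next }
        { gsub(/[ \t]/, "") }
        $1 ~ /^net\.ipv6\.conf\..*\.accept_ra$/ { seen[$1] = $2 }
        END {
            rc = 0
            need["net.ipv6.conf.all.accept_ra"]
            need["net.ipv6.conf.default.accept_ra"]
            for (k in need) if (!(k in seen)) { print "NOT PERSISTED " k; rc = 1 }
            for (k in seen) if (seen[k] != "0") { print "FAIL " k "=" seen[k]; rc = 1 }
            exit rc
        }'
}

# Usage (after sourcing this file):
#   audit_runtime && audit_persisted && echo "accept_ra: PASS"
```
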

Backout Plan:

Using Linux command line:

1. Re-enable acceptance of IPv6 router advertisements if necessary:

sysctl -w net.ipv6.conf.all.accept_ra=1  
sysctl -w net.ipv6.conf.default.accept_ra=1

2. Update configuration files accordingly and reload sysctl.
