Profile Applicability:
• Level 1
Description:
IPv6 router advertisements are used for automatic network configuration in IPv6 environments. Accepting unsolicited or malicious router advertisements can lead to network misconfiguration or man-in-the-middle attacks, since a rogue advertisement can install a default route or change address configuration on the host. Disabling acceptance of IPv6 router advertisements removes this avenue for tampering with the host's network settings.
Rationale:
Rejecting unauthorized IPv6 router advertisements helps prevent attackers from manipulating network settings and routing.
Impact:
Pros:
Protects against malicious network configuration changes.
Enhances integrity of IPv6 routing.
Cons:
May disrupt legitimate IPv6 network functionality in some environments.
Default Value:
Acceptance of IPv6 router advertisements may be enabled by default.
Pre-requisites:
Root or sudo privileges to modify IPv6 network settings.
Remediation:
Test Plan:
Using Linux command line:
1. Check current settings for IPv6 router advertisement acceptance:
sysctl net.ipv6.conf.all.accept_ra
sysctl net.ipv6.conf.default.accept_ra
2. Confirm both values are set to 0 (disabled).
Implementation Plan:
Using Linux command line:
1. Disable acceptance of IPv6 router advertisements temporarily:
sysctl -w net.ipv6.conf.all.accept_ra=0
sysctl -w net.ipv6.conf.default.accept_ra=0
2. Persist the settings by adding the following lines to /etc/sysctl.conf or to a file in /etc/sysctl.d/:
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
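The following audit script is an added example, not part of the benchmark text; it applies the Test Plan check to both the running kernel values and the persisted sysctl configuration, treating the last definition of a key as the effective one. The file list it reads (/etc/sysctl.d/*.conf followed by /etc/sysctl.conf) is a simplification of the full search order of sysctl --system.

```shell
#!/bin/sh
# Added audit helper for the accept_ra recommendation (example code, not
# the benchmark's own). Both keys must resolve to 0 to pass.

# Print the effective value of a sysctl key from "key = value" text on
# stdin. Comment lines are ignored and the last definition wins, which
# is how sysctl --system resolves duplicate keys across files.
persisted_value() {
    key="$1"
    awk -v k="$key" -F'=' '
        $0 !~ /^[[:space:]]*[#;]/ && $0 ~ /=/ {
            gsub(/[[:space:]]/, "", $1)
            if ($1 == k) { v = $2; gsub(/[[:space:]]/, "", v) }
        }
        END { print v }'
}

# Audit one block of "key = value" text (sysctl output or config files).
# Prints PASS/FAIL per key; returns 0 only if both keys are exactly 0.
audit_ra_text() {
    text="$1"
    rc=0
    for key in net.ipv6.conf.all.accept_ra net.ipv6.conf.default.accept_ra; do
        val=$(printf '%s\n' "$text" | persisted_value "$key")
        if [ "$val" = "0" ]; then
            echo "PASS $key = 0"
        else
            echo "FAIL $key = ${val:-unset} (expected 0)"
            rc=1
        fi
    done
    return $rc
}

# Check the values currently active in the kernel (real host only).
audit_ra_running() {
    audit_ra_text "$(sysctl net.ipv6.conf.all.accept_ra \
                            net.ipv6.conf.default.accept_ra 2>/dev/null)"
}

# Check the persisted configuration in (simplified) sysctl load order:
# /etc/sysctl.conf is read last by sysctl --system, so it is listed last.
audit_ra_persisted() {
    audit_ra_text "$(cat /etc/sysctl.d/*.conf /etc/sysctl.conf 2>/dev/null)"
}
```

A value of 2 (accept advertisements even when forwarding is enabled) also fails the check, as does a key that is missing from the persisted configuration.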
Backout Plan:
Using Linux command line:
1. Re-enable acceptance of IPv6 router advertisements if necessary:
sysctl -w net.ipv6.conf.all.accept_ra=1
sysctl -w net.ipv6.conf.default.accept_ra=1
2. Update the persisted configuration files accordingly and reload the sysctl settings.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
Linux sysctl Documentation