Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-11-25 15:47:25 -05:00
Code Issues Projects Releases Packages Wiki Activity

Add docs about the risks associated with IPv6 RAs

Browse source
This commit is contained in:
raja-grewal 2025-10-02 07:05:00 +00:00 committed by GitHub
parent dd961b8427
commit 0c8f2f1b44
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 12 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

10
usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
View file

@ -515,7 +515,15 @@ net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.*.accept_source_route=0
net.ipv6.conf.*.accept_source_route=0
## Do not accept IPv6 router advertisements and solicitations.
## Do not accept IPv6 router advertisements (RAs) and solicitations.
## RAs are unsecured and unauthenticated and any device on the local link can send and accept them without verification.
## Malicious RAs can activate IPv6 connectivity on dormant hosts leading to unauthorized access.
## Flooding the network with malicious RAs can lead to denial of service attacks.
## Rogue RAs can lead to interception of all network traffic by setting the attacker's system as the default gateway.
##
## https://datatracker.ietf.org/doc/html/rfc6104
## https://datatracker.ietf.org/doc/html/rfc6105
## https://archive.conference.hitb.org/hitbsecconf2012kul/materials/D1T2%20-%20Marc%20Heuse%20-%20IPv6%20Insecurity%20Revolutions.pdf
##
net.ipv6.conf.*.accept_ra=0