Merge remote-tracking branch 'raja/bad_ipv6_ra' into arraybolt3/trixie

README.md

@@ -124,8 +124,9 @@ configuration file and significant hardening is applied to a myriad of component
 - Disable source routing which allows users to redirect network traffic that
   can result in man-in-the-middle attacks.
 
-- Do not accept IPv6 router advertisements and solicitations.
-
+- Do not accept IPv6 router advertisements (RAs) and solicitations which can result
+  in both man-in-the-middle and denial-of-service attacks.
+  
 - Optional - Disable SACK and DSACK as they have historically been a known
   vector for exploitation.
 

usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared

@@ -521,7 +521,15 @@ net.ipv4.icmp_ignore_bogus_error_responses=1
 net.ipv4.conf.*.accept_source_route=0
 net.ipv6.conf.*.accept_source_route=0
 
-## Do not accept IPv6 router advertisements and solicitations.
+## Do not accept IPv6 router advertisements (RAs) and solicitations.
+## RAs are unsecured and unauthenticated and any device on the local link can send and accept them without verification.
+## Malicious RAs can activate IPv6 connectivity on dormant hosts leading to unauthorized access.
+## Flooding the network with malicious RAs can lead to denial of service attacks.
+## Rogue RAs can lead to interception of all network traffic by setting the attacker's system as the default gateway.
+##
+## https://datatracker.ietf.org/doc/html/rfc6104
+## https://datatracker.ietf.org/doc/html/rfc6105
+## https://archive.conference.hitb.org/hitbsecconf2012kul/materials/D1T2%20-%20Marc%20Heuse%20-%20IPv6%20Insecurity%20Revolutions.pdf
 ##
 net.ipv6.conf.*.accept_ra=0