Network stack

You can file an issue about it and ask that it be added.

---

Table of Contents

• Network stack
  • IPv6 redirects
  • IPv6 router advertisements
  • IPv6 support automatic loading
  • Source-routed packets

Network stack

IPv6 redirects

Rationale

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Solution

On all interfaces

# Add to /etc/sysctl.d/network-stack.conf
net.ipv6.conf.all.accept_redirects = 0

^{C2S/CIS: CCE-80183-7 (Medium)}

By default

# Add to /etc/sysctl.d/network-stack.conf
net.ipv6.conf.default.accept_redirects = 0

^{C2S/CIS: CCE-80181-1 (Unknown)}

Useful resources

IPv6 router advertisements

Rationale

An illicit router advertisement message could result in a man-in-the-middle attack.

Solution

By default

# Add to /etc/sysctl.d/network-stack.conf
net.ipv6.conf.default.accept_ra = 0

^{C2S/CIS: CCE-80181-1 (Unknown)}

On all interfaces

# Add to /etc/sysctl.d/network-stack.conf
net.ipv6.conf.all.accept_ra = 0

^{C2S/CIS: CCE-80180-3 (Unknown)}

Useful resources

IPv6 support automatic loading

Rationale

Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation.

Solution

On all interfaces

# Add to /etc/sysctl.d/network-stack.conf
net.ipv6.conf.all.disable_ipv6 = 1

^{C2S/CIS: CCE-80175-3 (Medium)}

Useful resources

Source-routed packets

Rationale

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.

Solution

By default

# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.default.accept_source_route = 0

^{C2S/CIS: CCE-80162-1 (Medium)}

Useful resources