From 0c8f2f1b44049b676251775d64e23651e9225d00 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Thu, 2 Oct 2025 07:05:00 +0000
Subject: [PATCH] Add docs about the risks associated with IPv6 RAs

---
 README.md | 5 +++--
 .../990-security-misc.conf#security-misc-shared | 10 +++++++++-
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index f784bbf4..9dc25bdd 100644
--- a/README.md
+++ b/README.md
@@ -121,8 +121,9 @@ configuration file and significant hardening is applied to a myriad of component
 - Disable source routing which allows users to redirect network traffic that can
   result in man-in-the-middle attacks.
 
-- Do not accept IPv6 router advertisements and solicitations.
-
+- Do not accept IPv6 router advertisements (RAs) and solicitations which can result
+  in both man-in-the-middle and denial-of-service attacks.
+
 - Optional - Disable SACK and DSACK as they have historically been a known vector
   for exploitation.
 
diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
index fa7a97d7..75765c55 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
+++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
@@ -515,7 +515,15 @@ net.ipv4.icmp_ignore_bogus_error_responses=1
 net.ipv4.conf.*.accept_source_route=0
 net.ipv6.conf.*.accept_source_route=0
-## Do not accept IPv6 router advertisements and solicitations.
+## Do not accept IPv6 router advertisements (RAs) and solicitations.
+## RAs are unsecured and unauthenticated and any device on the local link can send and accept them without verification.
+## Malicious RAs can activate IPv6 connectivity on dormant hosts leading to unauthorized access.
+## Flooding the network with malicious RAs can lead to denial of service attacks.
+## Rogue RAs can lead to interception of all network traffic by setting the attacker's system as the default gateway.
+##
+## https://datatracker.ietf.org/doc/html/rfc6104
+## https://datatracker.ietf.org/doc/html/rfc6105
+## https://archive.conference.hitb.org/hitbsecconf2012kul/materials/D1T2%20-%20Marc%20Heuse%20-%20IPv6%20Insecurity%20Revolutions.pdf
 ##
 net.ipv6.conf.*.accept_ra=0