Description of problem:
RHEL automatically enables IPv6 autoconfiguration and will accept RAs by default on all interfaces, even those that are not configured for IPv6. We should document how to disable IPv6 entirely for security hardening.
Version-Release number of selected component (if applicable):
All versions
Steps to Reproduce:
1. Configure Director network templates, with no IPv6 configuration
2. Deploy
Actual results:
IPv6 autoconfiguration is enabled
Expected results:
IPv6 should not be enabled in environments where it is unused or disabled by policy.
Additional info:
In order to correctly turn off all IPv6 communication, the following sysctl settings should be set:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.default.autoconf = 0
For additional security, RAs may be disabled; this will ensure that routes cannot be hijacked if an IPv6 interface is enabled in the future:
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
This can be done through Director by customizing the composable services file that configures kernel parameters, which is located in openstack-tripleo-heat-templates/puppet/services/kernel.yaml. The following content should be added to the file alongside other kernel parameters:
    sysctl_settings:
      net.ipv6.conf.all.disable_ipv6:
        value: 1
      net.ipv6.conf.default.disable_ipv6:
        value: 1
      net.ipv6.conf.all.autoconf:
        value: 0
      net.ipv6.conf.default.autoconf:
        value: 0
      net.ipv6.conf.all.accept_ra:
        value: 0
      net.ipv6.conf.default.accept_ra:
        value: 0
This should be added to the documentation alongside the descriptions of configuring IPv6, with a link to the instructions to disable IPv6 in the section that describes IPv4 configuration.
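
An added example, not part of the original report or of Director: a shell check that reads `sysctl -a`-style output and lists every `net.ipv6.conf.*` key that differs from the values above. It goes beyond the six listed keys by also checking per-interface entries; the function name `audit_ipv6_sysctl` and the sample data are constructed.

```shell
#!/usr/bin/env bash
# Added example: compare sysctl output with the IPv6 values listed in this report.
# audit_ipv6_sysctl and SAMPLE_NODE are constructed, not Director code.

# Reads "key = value" lines (as printed by `sysctl -a`) on stdin, prints one
# line per finding, and returns 1 if there is any finding.
audit_ipv6_sysctl() {
    awk '
    BEGIN {
        want["disable_ipv6"] = "1"; want["autoconf"] = "0"; want["accept_ra"] = "0"
        bad = 0
    }
    /^net\.ipv6\.conf\./ {
        line = $0; gsub(/[ \t]/, "", line)
        split(line, kv, "=")
        n = split(kv[1], part, ".")      # last component is the parameter name
        param = part[n]
        if (!(param in want)) next
        seen[kv[1]] = 1
        if (kv[2] != want[param]) {
            printf "MISMATCH %s = %s (want %s)\n", kv[1], kv[2], want[param]
            bad = 1
        }
    }
    END {
        # The six keys from the report must be present, not merely unviolated.
        np = split("disable_ipv6 autoconf accept_ra", p, " ")
        ns = split("all default", s, " ")
        for (i = 1; i <= ns; i++) for (j = 1; j <= np; j++) {
            key = "net.ipv6.conf." s[i] "." p[j]
            if (!(key in seen)) { print "MISSING " key; bad = 1 }
        }
        exit bad
    }'
}

# Constructed sample: all/default are hardened, one interface still accepts RAs.
SAMPLE_NODE='net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.eth1.disable_ipv6 = 1
net.ipv6.conf.eth1.accept_ra = 1
net.ipv4.ip_forward = 1'

# On a deployed node: sysctl -a 2>/dev/null | audit_ipv6_sysctl
printf '%s\n' "$SAMPLE_NODE" | audit_ipv6_sysctl || echo "node is not compliant"
```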