Router advertisements must be suppressed on all external-facing IPv6-enabled interfaces.
Many of the known attacks in stateless autoconfiguration are defined in RFC 3756 were present in IPv4 ARP attacks. IPSec AH was originally suggested as mitigation for the link local attacks, but has since been found to have bootstrapping problems and to be very administrative intensive. Due to first requiring an IP address in order to set up the IPSec security association creates the chicken-before-the-egg dilemma. There are solutions being developed (Secure Neighbor Discovery and Cryptographic Generated Addressing) to secure these threats but are not currently available at the time of this writing.
To mitigate these vulnerabilities, links that have no hosts connected such as the interface connecting to external gateways will be configured to suppress router advertisements.
Disable (or do not configure) all IPv6 Neighbor Discovery functions across tunnels including the Neighbor Unreachability Detection (NUD) function. Note- this is applicable only when the inner IP layer is IPv6 since IPv4 does not have the Neighbor Discovery functionality.
Configure the network device to enable route advertisement suppression on all external facing have IPv6 enabled on the interface.
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Cisco.