3.1.12 Set Strict Multihoming - Check ip_strict_dst_multihoming value. Expected value: 1.

Information

The ip_strict_dst_multihoming and ip6_strict_dst_multihoming parameters determine whether a packet arriving on a non-forwarding interface can be accepted for an IP address that is not explicitly configured on that interface. If ip_forwarding is enabled, or xxx:ip_forwarding (where xxx is the interface name) is enabled for the appropriate interfaces, then this parameter is ignored because the packet is actually forwarded.

Note - This setting will NOT persist between reboots.

Appendix B contains a script to create an SMF service to run the commands. If the SMF service is created as described in Appendix B, execute the following commands for it to take effect-
cp cis_netconfig.sh /lib/svc/method
chmod 750 /lib/svc/method/cis_netconfig.sh
svccfg import cis_netconfig.xml
When the service is enabled or the system is rebooted, the cis_netconfig.sh script will be executed and the appropriate network parameters will be updated. Store the file in /var/svc/manifest/site if it has to be re-imported into the system at a later date.

Solution

See the notes in Item 3.4 Modify Network Parameters regarding a master script that will be executed at boot time to reconfigure various network parameters. The file cis_netconfig.xml is an SMF manifest for the cis_netconfig service. Once imported into the SMF database, the cis_netconfig.sh script will run on every system reboot to set the network parameters appropriately. Shown below is the ndd command that controls this particular parameter, but it does not persist between system reboots, which is the reason for creating the master script. Edit the script for the particular needs of your organization and place the script in /lib/svc/method.
IPv4-
ndd -set /dev/ip ip_strict_dst_multihoming 1
IPv6-
ndd -set /dev/ip ip6_strict_dst_multihoming 1
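As an added example, not the benchmark's own cis_netconfig.sh from Appendix B, the script below audits and, on request, remediates just the two parameters this control covers, re-reading each value after setting it so the change is verified rather than assumed. It assumes Solaris ndd at /usr/sbin/ndd and the /dev/ip driver; the NDD variable, the audit/fix subcommands and the PASS/FAIL output format are this example's own conventions. Because ndd settings do not survive a reboot, the fix path is only useful when the script (or its ndd -set lines) is invoked from the SMF method script described above.

```shell
#!/bin/sh
# Added example: audit/remediate helper for ip_strict_dst_multihoming and
# ip6_strict_dst_multihoming. Not the CIS benchmark's own script.
# Assumes Solaris ndd(1M) at /usr/sbin/ndd; NDD may be overridden (e.g. for testing).

NDD="${NDD:-/usr/sbin/ndd}"

# Parameters covered by this control and the value the benchmark expects.
PARAMS="ip_strict_dst_multihoming ip6_strict_dst_multihoming"
EXPECTED=1

# normalize_value: strip whitespace so an ndd -get result of "1\n" compares equal to "1".
normalize_value() {
    printf '%s' "$1" | tr -d '[:space:]'
}

# param_compliant: return 0 when the given value equals EXPECTED, 1 otherwise.
param_compliant() {
    [ "$(normalize_value "$1")" = "$EXPECTED" ]
}

# audit_param: read one parameter via ndd, print PASS/FAIL, return 0 only on PASS.
audit_param() {
    name="$1"
    current="$("$NDD" -get /dev/ip "$name" 2>/dev/null)" || current="unreadable"
    if param_compliant "$current"; then
        echo "PASS $name=$(normalize_value "$current")"
        return 0
    fi
    echo "FAIL $name=$(normalize_value "$current") (expected $EXPECTED)"
    return 1
}

# remediate_param: set the parameter, then re-audit so the new value is confirmed.
remediate_param() {
    "$NDD" -set /dev/ip "$1" "$EXPECTED" && audit_param "$1"
}

# run_audit: audit every parameter; return value is the count of non-compliant ones.
run_audit() {
    failures=0
    for p in $PARAMS; do
        audit_param "$p" || failures=$((failures + 1))
    done
    return $failures
}

# run_fix: remediate only the parameters that currently fail, then run a full audit.
run_fix() {
    for p in $PARAMS; do
        audit_param "$p" >/dev/null || remediate_param "$p" >/dev/null
    done
    run_audit
}

# Usage: sh strict_multihoming.sh audit   (report only)
#        sh strict_multihoming.sh fix     (apply expected values, then re-audit)
case "$1" in
    audit) run_audit ;;
    fix)   run_fix ;;
    *)     echo "usage: $0 audit|fix" >&2 ;;
esac
```

The exit status of `audit` is the number of parameters still out of compliance, so it can be chained into a larger boot-time or monitoring check; `fix` exits non-zero if a value could not be set or does not read back as 1.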

See Also

https://workbench.cisecurity.org/files/614

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(12), CSCv6|9.2

Plugin: Unix

Control ID: 72f54664ea7e8ed0d5d1f11bee2cda07492599bbabd7215f5ba26ea939eb7d64