diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index 9b314b2a62..1225561433 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -22,6 +22,10 @@ parameters:
     default: 1048576
     description: Configures sysctl kernel.pid_max key
     type: number
+  KernelDisableIPv6:
+    default: 0
+    description: Configures sysctl net.ipv6.{default/all}.disable_ipv6 keys
+    type: number
 
 outputs:
   role_data:
@@ -57,6 +61,10 @@ outputs:
             value: 500000
           net.netfilter.nf_conntrack_max:
             value: 500000
+          net.ipv6.conf.default.disable_ipv6:
+            value: {get_param: KernelDisableIPv6}
+          net.ipv6.conf.all.disable_ipv6:
+            value: {get_param: KernelDisableIPv6}
           # prevent neutron bridges from autoconfiguring ipv6 addresses
           net.ipv6.conf.all.accept_ra:
             value: 0
diff --git a/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml b/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml
new file mode 100644
index 0000000000..8b57f5879c
--- /dev/null
+++ b/releasenotes/notes/add-ipv6-diable-options-9aaee219bb87ac6a.yaml
@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    Add IPv6 disable option and make it configurable for user to disable IPv6
+    when it's not used, this will descrease the risk of ipv6 attack.
+    Both net.ipv6.conf.default.disable_ipv6 & net.ipv6.conf.all.disable_ipv6
+    will be explicitly set to the default value (0) which is enabled.