[ipv6hackers] IPv6 implications on IPv4 nets: IPv6 RAs, IPv4, and VPN "evasion"

Jim Small jim.small at cdw.com
Thu Oct 18 15:12:49 CEST 2012


Hi Jónatan,

> Regarding the AnyConnect client and IPv6, currently it *will* break all native
> IPv6 connectivity.

I believe what you are saying is that while you are using AnyConnect for a VPN connection, it does not allow any IPv6 traffic.  This is correct and by design.  However, when you end the AnyConnect VPN session, IPv6 connectivity resumes.  It simply doesn't allow split-tunneling.

Consider for a moment the alternative.  If you allow IPv6 traffic to continue when a "full tunnel" VPN is established for IPv4, the VPN client can become a bridgehead into the remote network.  The VPN client can be compromised via IPv6 and then used as a relay into the "secured" network.  I think it is fair to say that the level of expertise for IPv6 is insufficient in must organizations and thus this is a sensible default.

> Cisco ties this behaviour to the fact that we didn't have IPv6 split-tunneling.
> ("CSCtb74535 ", viewable in the bug-toolkit)
> It did not matter whether the VPN connection as such is using IPv6 or not,
> "tunnel-all" is forced and therefore breaks native connectivity.

Correct - as explained above.

> According to the release-notes for AnyConnect 3.1 this has been fixed in two
> ways:
> 1. Split Tunneling for IPv6 network traffic is now an option.
> 2. Client Protocol Bypass, described as follows: " For example, assume that
> the ASA assigns only an IPv4 address to an AnyConnect connection and the
> endpoint is dual stacked. When the endpoint attempts to reach an IPv6
> address, if Client Bypass Protocol is disabled, the IPv6 traffic is dropped;
> however, if Client Bypass Protocol is enabled, the IPv6 traffic is sent from the
> client in the clear. "
> 
> However, some of the new IPv6 features in the AnyConnect 3.1, including
> those two mentioned here above, are tied to the upcoming version of ASA
> 9.x, which is "scheduled" in Q42012 (again, according to release notes).

Correct - release is imminent, should be out very soon.  These are nice enhancements but use them carefully.  A review of Marc and Ferando's work should be in order before enabling IPv6 split tunneling.

--Jim

> -----Original Message-----
> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-
> bounces at lists.si6networks.com] On Behalf Of Jim Small
> Sent: 15. október 2012 02:04
> To: Fernando Gont; IPv6 Hackers Mailing List
> Subject: Re: [ipv6hackers] IPv6 implications on IPv4 nets: IPv6 RAs, IPv4, and
> VPN "evasion"
> 
> Hi Fernando,
> 
> > On 09/05/2012 11:39 PM, Jim Small wrote:
> > >> I can confirm the same with F5 BigIP Edge Gateway SSL VPN software,
> > >> and Cisco VPN.
> > >
> > > So to clarify, the End of Life Cisco VPN Client (the older
> > > IPsec/IKEv1 client) is oblivious to IPv6.  Even if you have a full
> > > tunnel setup, it only works for IPv4.  IPv6 traffic completely
> > > bypasses the VPN.  This could be good or bad depending on your point
> > > of view.
> > >
> > > With the current VPN Client, AnyConnect (SSL/DTLS/IPsec+IKEv2), this
> > > is not true.  AnyConnect is IPv6 aware since v2.5 (released in early
> > > 2010).  AnyConnect fully supports IPv4/IPv6 including
> > > full/split-tunneling, filtering, or firewalling either one.
> >
> > Key question: what's the default setting?
> >
> 
> From a quick test of the current version of AnyConnect v3.1 (Cisco's current
> VPN client) on an ASA running 8.4.4.1 (Current version) with no explicit IPv6
> configuration it looks like it blocks all IPv6 traffic (Global and Link-Local).
> 
> --Jim
> 
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers



More information about the Ipv6hackers mailing list