[ipv6hackers] IPv6 implications on IPv4 nets: IPv6 RAs, IPv4, and VPN "evasion"

[Marc Heuse]

Hmm the VPN software versions I have seen prevent you from using any
other IP connections that into the tunnel.

Where this is not the case or where there is a bug, this however would
be a problem. (I remember somone tellimg me that the Cisco VPN client
has or had this bug, that IPv6 was still possible while IPv4
connectivity was filtered for non-tunnel destinations.)

so I think the answer it "it depends" and would require reviewing the
top 5 VPN solutions ...

Greets,
Marc

Am 04.09.2012 16:48, schrieb Fernando Gont:
> Folks,
> 
> draft-gont-opsec-ipv6-implications-on-ipv4-nets has been adopted as an
> IETF opsec wg item (please see:
> <http://tools.ietf.org/html/draft-ietf-opsec-ipv6-implications-on-ipv4-nets>)
> 
> I was thinking about discussing the following scenario, that I came up
> with a few days ago:
> 
> A dual-stacked user (v6 enabled by default) "visits" an IPv4-only
> network, and establish his VPN with his office (for "mitigating"
> sniffing attacks, etc.).
> 
> A local attacker sends forged ICMPv6 RAs, thus triggering IPv6
> configuration at the victim nodes.
> 
> If any of the remote nodes the victim is trying to "visit" is
> IPv6-enabled, then it's possible/likely that the IPv6 destination
> address will be used over the IPv4 one. in which case the victim will
> send his traffic on the local network, as opposed to "through the VPN".
> 
> Assuming the VPN product does not disable local v6 support, and that the
> VPN does not provide IPv6 connectivity (*), this attack vector could
> prove to be an interesting one ("unexpected", to some extent).
> 
> (*) even then, this attack might still work.
> 
> Thoughts?
> 
> P.S.: Comments on the current version of the aforementioned
> Internet-Draft will be welcome, too.
> 
> Thanks!
> 
> Best regards,
> 

--
Marc Heuse
www.mh-sec.de

PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A