[ipv6hackers] IPv6 implications on IPv4 nets: IPv6 RAs, IPv4, and VPN "evasion"

The Fungi fungi at yuggoth.org
Tue Sep 4 18:36:25 CEST 2012


On 2012-09-04 18:22:55 +0200 (+0200), Marc Heuse wrote:
> Hmm the VPN software versions I have seen prevent you from using any
> other IP connections than into the tunnel.
[...]

For enterprise employee VPNs, full-tunnel (the paradigm you
describe) is fairly common. On the other hand VPNs used by systems
administrators, who may need simultaneous access to multiple VPN and
non-VPN-accessible resources from the same client system, often rely
on split-tunnel configuration (where only some specific prefixes get
a next-hop of the VPN concentrator). Of course care should be taken
when using these sorts of configurations from untrusted local
networks for the very reasons outlined in this thread.

This latter paradigm is also common amongst smaller companies who
may not be able to afford the bandwidth necessary for hair-pinning
all their remote VPN client systems back out to the Internet through
their office upstream circuits. All VPN client solutions I've ever
managed (and I've managed most of the major vendors' implementations
at some point, as well as a fair number of free/open source ones)
supported split-tunnel configurations.
-- 
{ IRL(Jeremy_Stanley); WWW(http://fungi.yuggoth.org/); PGP(43495829);
WHOIS(STANL3-ARIN); SMTP(fungi at yuggoth.org); FINGER(fungi at yuggoth.org);
MUD(kinrui at katarsis.mudpy.org:6669); IRC(fungi at irc.yuggoth.org#ccl); }
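
An added example, not part of the original post or of any VPN product: a route-table audit that tells full-tunnel from split-tunnel per address family and shows which interface a destination would leave through. The route tables, interface names (`tun0`, `eth0`) and prefixes are constructed for illustration.

```python
import ipaddress

# Constructed route tables (assumptions, not from the post): (prefix, interface).
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0"),       # local default route
    ("10.0.0.0/8", "tun0"),      # specific prefix with the VPN as next hop
    ("192.168.1.0/24", "eth0"),  # local LAN
    ("::/0", "eth0"),            # IPv6 default learned from a local RA
]
FULL_TUNNEL_V4_ONLY = [
    ("0.0.0.0/0", "tun0"),       # all IPv4 goes into the tunnel
    ("192.168.1.0/24", "eth0"),
    ("::/0", "eth0"),            # the VPN installed no IPv6 routes at all
]

def egress_interface(routes, destination):
    """Longest-prefix match; returns the interface, or None if unroutable."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best[1] if best else None

def tunnel_mode(routes, version, vpn_iface="tun0"):
    """Classify one address family as 'full', 'split' or 'none'."""
    vpn = [ipaddress.ip_network(p) for p, i in routes
           if i == vpn_iface and ipaddress.ip_network(p).version == version]
    if not vpn:
        return "none"
    # Collapsing also catches a default split into two halves (0/1 + 128/1).
    if any(n.prefixlen == 0 for n in ipaddress.collapse_addresses(vpn)):
        return "full"
    return "split"

if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full-v4", FULL_TUNNEL_V4_ONLY)):
        print(name, {v: tunnel_mode(table, v) for v in (4, 6)},
              egress_interface(table, "2001:db8::1"))
```
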


