[ipv6hackers] IPv6 implications on IPv4 nets: IPv6 RAs, IPv4, and VPN "evasion"

TJ trejrco at gmail.com
Tue Sep 4 18:38:02 CEST 2012


On Tue, Sep 4, 2012 at 12:22 PM, Marc Heuse <mh at mh-sec.de> wrote:

> Hmm the VPN software versions I have seen prevent you from using any
> other IP connections that into the tunnel.
>

"Split-tunneling" - enabled or disabled?
*... and regardless, separate IP version may be handled separately.*
/TJ


Am 04.09.2012 16:48, schrieb Fernando Gont:
> > Folks,
> >
> > draft-gont-opsec-ipv6-implications-on-ipv4-nets has been adopted as an
> > IETF opsec wg item (please see:
> > <
> http://tools.ietf.org/html/draft-ietf-opsec-ipv6-implications-on-ipv4-nets
> >)
> >
> > I was thinking about discussing the following scenario, that I came up
> > with a few days ago:
> >
> > A dual-stacked user (v6 enabled by default) "visits" an IPv4-only
> > network, and establish his VPN with his office (for "mitigating"
> > sniffing attacks, etc.).
> >
> > A local attacker sends forged ICMPv6 RAs, thus triggering IPv6
> > configuration at the victim nodes.
> >
> > If any of the remote nodes the victim is trying to "visit" is
> > IPv6-enabled, then it's possible/likely that the IPv6 destination
> > address will be used over the IPv4 one. in which case the victim will
> > send his traffic on the local network, as opposed to "through the VPN".
> >
> > Assuming the VPN product does not disable local v6 support, and that the
> > VPN does not provide IPv6 connectivity (*), this attack vector could
> > prove to be an interesting one ("unexpected", to some extent).
> >
> > (*) even then, this attack might still work.
>



More information about the Ipv6hackers mailing list