[ipv6hackers] IPv6 implications on IPv4 nets: IPv6 RAs, IPv4, and VPN "evasion"
cb.list6 at gmail.com
Tue Sep 4 20:17:22 CEST 2012
On Tue, Sep 4, 2012 at 10:33 AM, Owen DeLong <owend at he.net> wrote:
> Have you tested any of this, or is it just conjecture of possibilities?
> I would expect a VPN with split tunneling disabled to not allow this.
I tested it or similar over a year ago.
For a well known VPN client, it is certainly possible to have a
dual-stack LAN, "no split tunnel configured" ... which implied
something about "locking the stack", and access the PC via IPv6 on the
LAN ... thus, a local IPv6 LAN attack can access the PC and therefore
the tunnel. So, they sell it as being secure on untrusted LANs and
"locking the stack", but they only "lock" the v4 stack.
I reported this to the CERT team at said VPN client software vendor
about a year ago.... they said that that was not supported
configuration (dual stack LAN on XP) and therefore not a security
issue for them. IPv6 was only supported on their SSL version of the
VPN client, not IPsec VPN.
More information about the Ipv6hackers