[ipv6hackers] IPv6 implications on IPv4 nets: IPv6 RAs, IPv4, and VPN "evasion"

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Tue Sep 4 22:52:46 CEST 2012


On Tue, 4 Sep 2012, Fernando Gont wrote:

Hi,

> draft-gont-opsec-ipv6-implications-on-ipv4-nets has been adopted as an
> IETF opsec wg item (please see:
> <http://tools.ietf.org/html/draft-ietf-opsec-ipv6-implications-on-ipv4-nets>)
>
> I was thinking about discussing the following scenario, that I came up
> with a few days ago:
>
> A dual-stacked user (v6 enabled by default) "visits" an IPv4-only
> network, and establish his VPN with his office (for "mitigating"
> sniffing attacks, etc.).
>
> A local attacker sends forged ICMPv6 RAs, thus triggering IPv6
> configuration at the victim nodes.
>
> If any of the remote nodes the victim is trying to "visit" is
> IPv6-enabled, then it's possible/likely that the IPv6 destination
> address will be used over the IPv4 one. in which case the victim will
> send his traffic on the local network, as opposed to "through the VPN".
>
> Assuming the VPN product does not disable local v6 support, and that the
> VPN does not provide IPv6 connectivity (*), this attack vector could
> prove to be an interesting one ("unexpected", to some extent).
>
> (*) even then, this attack might still work.

I haven't read the draft (yet) but you

1) get what you pay for, and
2) we have the technology to prevent all of this

so it's not science or research anymore but a problem of monkeys.

/bz hoping to find the draft is no more than 8 pages.

And to finish my thoughts, is this any worse than an ipv6-only VPN
on a say dual stack network (or any other combination)?  People need
to stop thinking that it's worse with v6; it's bad enough with v4.

-- 
Bjoern A. Zeeb                                 You have to have visions!
          Stop bit received. Insert coin for new address family.



More information about the Ipv6hackers mailing list