[ipv6hackers] IPv6 implications on IPv4 nets: IPv6 RAs, IPv4, and VPN "evasion"
torh-ipv6hackers at bogus.net
Wed Sep 5 16:27:34 CEST 2012
On Tue, Sep 04, 2012 at 11:48:58AM -0300, Fernando Gont wrote:
> If any of the remote nodes the victim is trying to "visit" is
> IPv6-enabled, then it's possible/likely that the IPv6 destination
> address will be used over the IPv4 one, in which case the victim will
> send his traffic on the local network, as opposed to "through the VPN".
> Assuming the VPN product does not disable local v6 support, and that the
> VPN does not provide IPv6 connectivity (*), this attack vector could
> prove to be an interesting one ("unexpected", to some extent).
FWIW, the VPN solution we use (Check Point SecureClient) is configured to
use split tunneling (historic reasons unknown, perhaps due to capacity
issues that likely no longer exist). However, it also pushes a policy (even
when the connection is inactive, as I found out), where IPv6 communication
is denied (I was unable to test any of your code without first removing said
client from my Mac). I do not believe this is the default behaviour, though.
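
A defender-side check for the condition discussed in this thread, as an added example that is not part of the original message: it parses Linux `ip -6 route show` output and reports whether the preferred IPv6 default route uses the VPN interface or a local one learned from a Router Advertisement. The route tables, the interface names `tun0` and `wlan0`, and the function names are constructed for illustration.

```python
# Constructed `ip -6 route show` output (Linux); names and addresses are made up.
V6_RA_ON_WLAN = """\
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 1024 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""
V6_VIA_TUNNEL = """\
fd00:8::/64 dev tun0 proto kernel metric 50 pref medium
default dev tun0 proto static metric 50 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""
V6_NO_DEFAULT = """\
fe80::/64 dev wlan0 proto kernel metric 1024 pref medium
unreachable default dev lo metric 1 pref medium
"""


def _field(tokens, key, default=None):
    """Return the token that follows `key`, or `default` if `key` is absent."""
    return tokens[tokens.index(key) + 1] if key in tokens[:-1] else default


def default_routes(table):
    """Usable default routes, lowest metric (most preferred) first."""
    routes = []
    for line in table.splitlines():
        tokens = line.split()
        # 'unreachable default ...' does not start with 'default' and is
        # skipped: such a route drops traffic instead of carrying it.
        if not tokens or tokens[0] != "default":
            continue
        routes.append({"dev": _field(tokens, "dev"),
                       "proto": _field(tokens, "proto", "unknown"),
                       "metric": int(_field(tokens, "metric", "0"))})
    return sorted(routes, key=lambda r: r["metric"])


def classify_ipv6_path(v6_table, vpn_dev):
    """Return (status, default routes that do not use the VPN interface)."""
    routes = default_routes(v6_table)
    if not routes:
        return "no-default", []
    outside = [r for r in routes if r["dev"] != vpn_dev]
    status = "tunnelled" if routes[0]["dev"] == vpn_dev else "bypass"
    return status, outside
```

A `tunnelled` result with a non-empty second element means a local RA-learned default route is still installed and would become the preferred path if the tunnel's route were withdrawn.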