[ipv6hackers] IPv6 implications on IPv4 nets: IPv6 RAs, IPv4, and VPN "evasion"

Tor Houghton torh-ipv6hackers at bogus.net
Wed Sep 5 16:27:34 CEST 2012


On Tue, Sep 04, 2012 at 11:48:58AM -0300, Fernando Gont wrote:
> 
> If any of the remote nodes the victim is trying to "visit" is
> IPv6-enabled, then it's possible/likely that the IPv6 destination
> address will be used over the IPv4 one, in which case the victim will
> send his traffic on the local network, as opposed to "through the VPN".
> 
> Assuming the VPN product does not disable local v6 support, and that the
> VPN does not provide IPv6 connectivity (*), this attack vector could
> prove to be an interesting one ("unexpected", to some extent).
> 

FWIW, the VPN solution we use (Check Point SecureClient) is configured to
use split tunneling (historic reasons unknown, perhaps due to capacity
issues that likely no longer exist). However, it also pushes a policy (even
when the connection is inactive, as I found out), where IPv6 communication
is denied (I was unable to test any of your code without first removing said
client from my Mac). I do not believe this is the default behaviour, though.

Kind regards,

Tor 
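
Added example, not part of the original message or of any tool mentioned in the thread: a small audit that, for a given routing table, reports which destinations would leave the host outside the VPN interface in the scenario quoted above. The interface names, hostnames and addresses are constructed (documentation prefixes), "IPv6 first when routable" is a simplifying assumption about address selection, and a client policy that denies IPv6 is modelled as the absence of any IPv6 route.

```python
import ipaddress

def egress_interface(addr, routes):
    """Longest-prefix match of addr against (prefix, interface) routes; None if unroutable."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None

def audit(destinations, routes, vpn_iface):
    """Return {host: (chosen_addr, iface, bypasses_vpn)} for each destination.

    Assumption: a routable IPv6 address is tried before an IPv4 one, the
    usual outcome of default dual-stack address selection.
    """
    report = {}
    for host, addrs in destinations.items():
        ordered = sorted(addrs, key=lambda a: ipaddress.ip_address(a).version, reverse=True)
        for addr in ordered:
            iface = egress_interface(addr, routes)
            if iface is not None:
                report[host] = (addr, iface, iface != vpn_iface)
                break
    return report

# Constructed sample data: hypothetical interfaces tun0 (VPN) and eth0 (local LAN).
ROUTES_RA_ACCEPTED = [
    ("0.0.0.0/0", "tun0"),        # VPN carries all IPv4 traffic
    ("192.0.2.0/24", "eth0"),     # local IPv4 subnet
    ("::/0", "eth0"),             # IPv6 default route learned from a local RA
    ("2001:db8:1::/64", "eth0"),  # on-link prefix from the same RA
]
ROUTES_V6_DENIED = [r for r in ROUTES_RA_ACCEPTED if ":" not in r[0]]
DESTINATIONS = {
    "dualstack.example": ["198.51.100.10", "2001:db8:ffff::10"],
    "v4only.example": ["198.51.100.20"],
}

if __name__ == "__main__":
    for label, routes in (("RA accepted", ROUTES_RA_ACCEPTED), ("IPv6 denied", ROUTES_V6_DENIED)):
        for host, (addr, iface, leak) in audit(DESTINATIONS, routes, "tun0").items():
            print(f"{label:12} {host:18} {addr:18} via {iface}: {'BYPASSES VPN' if leak else 'ok'}")
```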


