Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts

[Darren Reed <darrenr%netbsd.org@localhost>]

Lets assume that a host where I work is dual homed and that I can connect to it 
at work using IPv4 or IPv6.

Since the network where I work is a private network (10, etc), I can only 
connect to it using a VPN however for IPv6, the address is globally visible. 
This may make it seem like I can connect to that internal host from anywhere on 
the Internet but that's not exactly right. For me to be able to do that, the 
place that I work needs to allow IPv6 connections from the Internet to an 
internal host.

And that last point is the key.

So far as IPv6 being a problem is concerned, the only way in which a leak is 
possible is if (for example), the firewall policy for said institution allows 
IPv6 traffic directly in/out. If it did, then simply closing that hole would be 
enough to prevent any IPv6 leaks without needing to touch any VPN software.

Otherwise I'm somewhat mystified as to how (for example) a CIFS IPv6 connection 
would be formed, never mind leak confidential information but then maybe I'm 
missing something.

To go one step further with this, maybe https://internal-host.com has an IPv6 
address that is reachable from anywhere on the Internet and that there is no 
need to tunnel that traffic, whereas providing the same connectivity for IPv4 
https is much harder. Rinse and repeat for the SSL versions of IMAP and SMTP. 
In this case, pushing all IPv6 traffic over a VPN may actually be harmful.

Darren