tech-net archive


Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts



On Sun, Dec 2, 2012, at 01:17 PM, Gert Doering wrote:
> Hi,
> 
> I see this as being not only about security, but also about usability.
> 
> On Sun, Dec 02, 2012 at 04:24:08PM +1100, Darren Reed wrote:
> > Let's assume that a host where I work is dual homed and that
> > I can connect to it at work using IPv4 or IPv6.
> > 
> > Since the network where I work is a private network (10, etc),
> > I can only connect to it using a VPN however for IPv6, the address
> > is globally visible. This may make it seem like I can connect to
> > that internal host from anywhere on the Internet but that's not exactly right.
> > For me to be able to do that, the place that I work needs to allow
> > IPv6 connections from the Internet to an internal host.
> > 
> > And that last point is the key.
> 
> Let's stay in that example.  Your "inside" host has IPv4 and IPv6, your
> VPN only does IPv4, and you click on http://intranet.corp/ in your web
> browser.
> 
> Now, in many cases your browser will try IPv6 first, wait for the result
> of that, then go to IPv4.  *If* your corp firewall returns a RST right
> away, this failover will be quick.  If it just drops the SYN, IPv4 failover
> will only occur after a lengthy timeout - so users turn off IPv6 to
> remediate this.  Wrong message.

Right, so that is a firewall configuration issue for the firewall
that connects the corporate network to the Internet. But most
likely the people that see the timeouts won't understand that
it is IPv6 or how to disable IPv6 and thus they'll complain to
their corporate IT staff who should fix the external firewall.

> The security aspect comes if someone manages to MITM the IPv6 connection,
> and puts up some sort of phishing portal looking halfway official
> ("due to more and more attacks to our VPN users, the management has 
> decided that all connections via VPN to http://intranet.corp must do
> an extra login via web browser first, before permitted access").  From
> experience with audits, half your users will happily fill in the web
> form...  of course to make this official, you need to target individual
> companies, with proper web page logos and so on, but it is a viable
> attack that the VPN is supposed to prevent.

Again, the only way an IPv6 connection can be attacked with a
MITM attack is if the external firewall permits an insecure protocol
across its boundary. If I can access http://intranet.corp through
the firewall when the VPN is not working then that is a much
bigger issue than just IPv6 packets getting through.

Darren
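
The dual-stack case discussed in this thread (an IPv4-only VPN, an intranet host with both A and AAAA records, and a client that tries IPv6 first) can be checked against a host's routing table. The following is an added example, not part of the original message: the interface names `tun0` and `wlan0`, the addresses, and both route tables are constructed sample data, and the functions are hypothetical helpers.

```python
import ipaddress

# Constructed sample data: RFC 1918 space and the 2001:db8::/32 documentation prefix.
RESOLVED = ["10.1.2.3", "2001:db8:10::80"]  # A and AAAA for the intranet host
ROUTES_V4_ONLY_VPN = [
    ("0.0.0.0/0", "wlan0"),   # IPv4 default route via the local network
    ("10.0.0.0/8", "tun0"),   # corporate IPv4 space pushed by the VPN
    ("::/0", "wlan0"),        # IPv6 default route, untouched by the VPN
]
# Same host after the VPN also installs a route for the corporate IPv6 prefix.
ROUTES_DUAL_STACK_VPN = ROUTES_V4_ONLY_VPN + [("2001:db8:10::/48", "tun0")]


def egress(addr, routes):
    """Longest-prefix match: return the interface a packet to addr leaves on."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None


def attempt_plan(resolved, routes, tunnel="tun0"):
    """Order candidates IPv6-first, as the browser in the thread does, and
    mark each candidate whose traffic would leave the host outside the tunnel."""
    ordered = sorted(resolved,
                     key=lambda a: ipaddress.ip_address(a).version,
                     reverse=True)
    return [(a, egress(a, routes), egress(a, routes) != tunnel) for a in ordered]


def leaks(resolved, routes, tunnel="tun0"):
    """Addresses the client would try to reach without going through the VPN."""
    return [a for a, _, outside in attempt_plan(resolved, routes, tunnel) if outside]


if __name__ == "__main__":
    for name, table in (("IPv4-only VPN", ROUTES_V4_ONLY_VPN),
                        ("dual-stack VPN", ROUTES_DUAL_STACK_VPN)):
        print(name, attempt_plan(RESOLVED, table), "leaks:", leaks(RESOLVED, table))
```

With the IPv4-only table the first connection attempt goes to the AAAA address over `wlan0`, outside the tunnel; with the corporate IPv6 prefix routed into `tun0` both candidates stay inside it.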

