[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts
Lets assume that a host where I work is dual homed and that I can connect to it
at work using IPv4 or IPv6.
Since the network where I work is a private network (10, etc), I can only
connect to it using a VPN however for IPv6, the address is globally visible.
This may make it seem like I can connect to that internal host from anywhere on
the Internet but that's not exactly right. For me to be able to do that, the
place that I work needs to allow IPv6 connections from the Internet to an
And that last point is the key.
So far as IPv6 being a problem is concerned, the only way in which a leak is
possible is if (for example), the firewall policy for said institution allows
IPv6 traffic directly in/out. If it did, then simply closing that hole would be
enough to prevent any IPv6 leaks without needing to touch any VPN software.
Otherwise I'm somewhat mystified as to how (for example) a CIFS IPv6 connection
would be formed, never mind leak confidential information but then maybe I'm
To go one step further with this, maybe https://internal-host.com has an IPv6
address that is reachable from anywhere on the Internet and that there is no
need to tunnel that traffic, whereas providing the same connectivity for IPv4
https is much harder. Rinse and repeat for the SSL versions of IMAP and SMTP.
In this case, pushing all IPv6 traffic over a VPN may actually be harmful.
Main Index |
Thread Index |