Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts

To: Darren Reed <darrenr%NetBSD.org@localhost>
Subject: Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts
From: Gert Doering <gert%greenie.muc.de@localhost>
Date: Sun, 2 Dec 2012 13:17:28 +0100

Hi,

I see this as being not only about security, but also about usability.

On Sun, Dec 02, 2012 at 04:24:08PM +1100, Darren Reed wrote:
> Lets assume that a host where I work is dual homed and that I can connect to 
> it at work using IPv4 or IPv6.
> 
> Since the network where I work is a private network (10, etc), I can only 
> connect to it using a VPN however for IPv6, the address is globally visible. 
> This may make it seem like I can connect to that internal host from anywhere 
> on the Internet but that's not exactly right. For me to be able to do that, 
> the place that I work needs to allow IPv6 connections from the Internet to an 
> internal host.
> 
> And that last point is the key.

Let's stay in that example.  Your "inside" host has IPv4 and IPv6, your
VPN only does IPv4, and you click on http://intranet.corp/ in your web
browser.

Now, in many cases your browser will try IPv6 first, wait for the result
of that, then go to IPv4.  *If* your corp firewall returns a RST right
away, this failover will be quick.  If it just drops the SYN, IPv4 failover
will only occur after a lengthy timeout - so users turn off IPv6 to
remediate this.  Wrong message.

The security aspect comes if someone manages to MITM the IPv6 connection,
and puts up some sort of phishing portal looking halfway official
("due to more and more attacks to our VPN users, the management has 
decided that all connections via VPN to http://intranet.corp must do
an extra login via web browser first, before permitted access").  From
experience with audits, half your users will happily fill in the web
form...  of course to make this official, you need to target individual
companies, with proper web page logos and so on, but it is a viable
attack that the VPN is supposed to prevent.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             
gert%greenie.muc.de@localhost
fax: +49-89-35655025                        
gert%net.informatik.tu-muenchen.de@localhost

Follow-Ups:
- Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts
  - From: Darren Reed

References:
- VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts
  - From: Fernando Gont
- Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts
  - From: Darren Reed

Prev by Date: Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts
Next by Date: Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts
Previous by Thread: Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts
Next by Thread: Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts
Indexes:

Home | Main Index | Thread Index | Old Index