Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts

[Gert Doering <gert%greenie.muc.de@localhost>]

Hi,

On Mon, Dec 03, 2012 at 12:51:36AM +0100, Darren Reed wrote:
> > The security aspect comes if someone manages to MITM the IPv6 connection,
> > and puts up some sort of phishing portal looking halfway official
> > ("due to more and more attacks to our VPN users, the management has 
> > decided that all connections via VPN to http://intranet.corp must do
> > an extra login via web browser first, before permitted access").  From
> > experience with audits, half your users will happily fill in the web
> > form...  of course to make this official, you need to target individual
> > companies, with proper web page logos and so on, but it is a viable
> > attack that the VPN is supposed to prevent.
> 
> Again, the only way an IPv6 connection can be attacked with a
> MITM attack is if the external firewall permits an insecure protocol
> across its boundary. If I can access http://intranet.corp through
> the firewall when then VPN is not working then that is a much
> bigger issue than just IPv6 packets getting through.

Please be a bit more imaginative.  That attack would work perfectly well -
even if the firewall would block it, if the attacker can see and modify
(=MITM) the packets destined to the intranet site, he can put up something
that looks legit, and then redirect the client to the IPv4 intranet 
site, catching login credentials like hell, most likely without anybody
reporting anything unusual.

But this is kind of moot: you have made your point perfectly clear: this 
is all someone else's problem.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             
gert%greenie.muc.de@localhost
fax: +49-89-35655025                        
gert%net.informatik.tu-muenchen.de@localhost