Hi,

On Mon, Oct 15, 2012 at 11:51 AM, Fernando Gont <[email protected]> wrote:
> Hi, folks,
>
> We have published a new IETF I-D that discusses the VPN traffic-leakage
> issues that were briefly discussed on this mailing-list a few weeks ago.
>
> The I-D is available at:
> <http://www.ietf.org/internet-drafts/draft-gont-opsec-vpn-leakages-00.txt>
>
> Any feedback will be really welcome.
The attack that I am most concerned about is that many folks assume the VPN will "lock the stack". And, the VPN software may in fact lock the IPv4 stack (on the WAN, only traffic to and from the VPN endpoints is allowed). But, in the case of dual stack, the VPN locks the IPv4 stack and the IPv6 stack is left wide open to a public WLAN. So, the attacker at a coffee shop can own the VPN user's system via IPv6 and therefore access the secure corporate network over IPv4. This is not a case of protocol translation or traffic leaking, but a case of using a "jump host" to illicitly move from a public WLAN to a secure corporate network.

I think there is also some additional IPv6 nuance that can be explored in this case of a dual-stack VPN. For example, how is LLA treated on the coffee shop WLAN? Also, the name server issue can be explored: if RA or DHCPv6 provides a DNS server, the VPN client should be sure to not use those, since a rogue DNS server can create a situation where VPN traffic is leaked... http://intranet is spoofed by the local attacker DNS server and skims login creds.

CB

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
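An added example, not part of this thread or of the draft it discusses: a small host-side audit that a defender can run on a dual-stack Linux laptop to see whether the two concerns above apply while the VPN is up. It parses the text that `ip -6 route show` prints and a resolv.conf-style resolver list, flags IPv6 routes that do not go through the VPN interface (global reachability that bypasses the tunnel) and any resolver the VPN did not push (an RA/DHCPv6-learned server). The sample route table, resolver file and the interface names `wlan0`/`tun0` are constructed assumptions.

```python
"""Audit a dual-stack Linux host for IPv6 paths that bypass an IPv4-only VPN.

Added example for the OPSEC thread on draft-gont-opsec-vpn-leakages; it is
not code from the thread or the draft.  Sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample of `ip -6 route show` on a laptop whose VPN (tun0) only
# carries IPv4 while the coffee-shop WLAN (wlan0) handed out a full IPv6 config.
SAMPLE_ROUTES = """\
2001:db8:c0ff:ee::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""

# Constructed sample resolver list: one server learned from the WLAN's RA,
# one pushed by the VPN concentrator (address is an assumption).
SAMPLE_RESOLV = """\
# resolvers merged by the client
nameserver 2001:db8:c0ff:ee::53
nameserver 10.10.0.53
"""

ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)(?P<rest>.*)$"
)


@dataclass
class Route:
    dst: str            # destination prefix or "default"
    dev: str            # egress interface
    via: Optional[str]  # next hop, if any
    proto: Optional[str]  # how the route was learned (ra, kernel, static, ...)


def parse_routes(text: str) -> List[Route]:
    """Parse `ip -6 route show` output into Route records."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").split()
        proto = rest[rest.index("proto") + 1] if "proto" in rest else None
        routes.append(Route(m.group("dst"), m.group("dev"), m.group("via"), proto))
    return routes


def ipv6_leak_paths(routes: Iterable[Route], vpn_dev: str) -> List[Route]:
    """Routes that carry IPv6 off-host without traversing the VPN interface.

    Link-local (fe80::/64) routes are skipped: every interface has one and it
    is only reachable from the same link, so it is reported separately.
    """
    return [r for r in routes
            if r.dev != vpn_dev and not r.dst.lower().startswith("fe80:")]


def onlink_exposed_devs(routes: Iterable[Route], vpn_dev: str) -> List[str]:
    """Non-VPN interfaces with a link-local route, i.e. reachable by any peer on that link."""
    return sorted({r.dev for r in routes
                   if r.dev != vpn_dev and r.dst.lower().startswith("fe80:")})


def resolvers(text: str) -> List[str]:
    """Nameserver addresses from a resolv.conf-style file (comments ignored)."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "nameserver" and len(parts) > 1:
            out.append(parts[1])
    return out


def untrusted_resolvers(text: str, vpn_pushed: Iterable[str]) -> List[str]:
    """Resolvers in use that the VPN did not push (e.g. learned via RA/DHCPv6)."""
    pushed = set(vpn_pushed)
    return [a for a in resolvers(text) if a not in pushed]


def audit(route_text: str, resolv_text: str, vpn_dev: str, vpn_pushed: Iterable[str]) -> dict:
    """Run all checks and return the findings as a dict."""
    routes = parse_routes(route_text)
    return {
        "bypass_routes": [f"{r.dst} dev {r.dev} proto {r.proto}" for r in ipv6_leak_paths(routes, vpn_dev)],
        "onlink_exposed": onlink_exposed_devs(routes, vpn_dev),
        "untrusted_resolvers": untrusted_resolvers(resolv_text, vpn_pushed),
    }


if __name__ == "__main__":
    for key, val in audit(SAMPLE_ROUTES, SAMPLE_RESOLV, "tun0", {"10.10.0.53"}).items():
        print(f"{key}: {val}")
```

On a real host replace the two sample strings with the output of `ip -6 route show` and the contents of `/etc/resolv.conf`; a non-empty `bypass_routes` or `untrusted_resolvers` list is the condition the post warns about, and `onlink_exposed` lists the interfaces where link-local reachability from the WLAN still needs a host firewall rule.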
