Hi,

On Sat, Mar 29, 2014 at 07:26:49AM -0700, joel jaeggli wrote:
> the problem I take it with respect to applicability is that the draft
> targets a narrow subset of vpns. The problem of exposure via split
> tunnels or in fact multi-interface issues covers a whole range of
> issues, some of which are deliberate, some accidental or in this case
> inadvertent.

Well, one could argue that for the case of split tunnels, this is a
deliberate decision by the admin setting this up. For v4/v6 "split",
it might not be a conscious decision, but a lack of proper software
support - and in any case, I find it useful to raise awareness about
this problem.
Actually, looking at this from a different angle, namely that of a
developer of such VPN software, it's surprisingly difficult to make
"full tunneling" work with IPv6 in a hostile network - if you do not
want to go to "make a kernel module that overrides any routing decision
at lowest level", but take the portable approach OpenVPN does ("install
routes to a 'tun' interface, which hands the packet to userland for
encryption and forwarding"), it is really really hard to ensure that
*all* packets go into the tunnel, and nobody installs extra routes
via RA+PIO or RIO behind your back, siphoning off traffic to those
destinations.
In a portable way across 7 Unix platforms and 3 Windows variants.
Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
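As an added illustration of the failure mode Gert describes (not code from the message or from OpenVPN), the following audit script parses constructed `ip -6 route show` output from a Linux VPN client and flags global-scope routes that carry traffic around the tunnel. It assumes the tunnel interface is called tun0 and models Linux route selection as longest prefix first, then lowest metric, which is exactly why RA-learned (PIO/RIO) prefixes more specific than the tunnel's default route win.

```python
import ipaddress
import re

# Constructed sample of `ip -6 route show` on a VPN client whose tunnel
# interface is tun0 (assumption). The "proto ra" entries were learned from
# Router Advertisements on wlan0, i.e. installed behind the VPN's back.
SAMPLE_ROUTES = """\
::1 dev lo proto kernel metric 256 pref medium
2001:db8:dead::/48 via fe80::1 dev wlan0 proto ra metric 1024 expires 1793sec pref medium
2001:db8:cafe::/64 dev wlan0 proto ra metric 1024 expires 2593sec pref medium
fd00:abcd::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default dev tun0 metric 50 pref medium
default via fe80::1 dev wlan0 proto ra metric 1024 expires 1793sec pref medium
"""

def parse_routes(text):
    """Turn `ip -6 route show` lines into dicts: network, dev, proto, metric."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "::/0" if fields[0] == "default" else fields[0]
        dev = re.search(r"\bdev (\S+)", line)
        proto = re.search(r"\bproto (\S+)", line)
        metric = re.search(r"\bmetric (\d+)", line)
        routes.append({
            "network": ipaddress.ip_network(dst, strict=False),
            "dev": dev.group(1) if dev else None,
            "proto": proto.group(1) if proto else "static",
            "metric": int(metric.group(1)) if metric else 0,
        })
    return routes

def find_bypass_routes(routes, tun_dev):
    """Routes that steer global-scope traffic away from tun_dev.

    A non-tunnel route is only shadowed when a tunnel route with the SAME
    prefix has a lower metric; a more specific RA prefix always wins over
    the tunnel's default route. Link-local, loopback and multicast
    destinations never belong in the tunnel and are ignored.
    """
    best_tun = {}
    for r in routes:
        if r["dev"] == tun_dev:
            best_tun[r["network"]] = min(r["metric"], best_tun.get(r["network"], r["metric"]))
    leaks = []
    for r in routes:
        net = r["network"]
        if r["dev"] == tun_dev or net.is_link_local or net.is_loopback or net.is_multicast:
            continue
        if net in best_tun and best_tun[net] < r["metric"]:
            continue  # same prefix, tunnel route has the better metric
        leaks.append(r)
    return leaks

if __name__ == "__main__":
    for r in find_bypass_routes(parse_routes(SAMPLE_ROUTES), "tun0"):
        print(f"LEAK: {r['network']} via {r['dev']} (proto {r['proto']})")
```

On the sample, the RA default route is harmlessly shadowed by the tunnel's default route, but the two RA prefixes are reported because nothing on tun0 is at least as specific.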
