Out of curiosity, how are you prevent IPv6 addresses from flowing? Is this at the router/L3 switch or firewall level?
What about non-routable link local addresses? > On May 23, 2019, at 1:21 PM, Sallee, Jake via PacketFence-users > <[email protected]> wrote: > > Max: > > This strikes me as an uninformed opinion. > > While a lot of tools don't speak IPv6, very little of the world runs IPv6 ... > even though its over a decade old. Most IPv6 providers run an IPv6to4 > gateway and technically all IPv6 traffic will run through a 6to4 gateway > somewhere or else they would not have access to traditional IPv4 networks ... > AKA the bulk of the internet. > > Once your traffic has gone through the gateway it is essentially classic IPv4 > and thus is readable by all those tools you were trying to avoid. > > In my network IPv6 flat doesn't work. If you have your computer configured > with an IPv6 address your traffic will not flow ... at all. So ... problem > solved : ) > > Also, plenty of "defensive" tools support IPv6. My NSM distro of choice is > SecurityOnion and it fully supports IPv6. > > As a final note I would hold anyone under strict suspicion who says they can > move around a network undetected. You may go unnoticed for a number of > reasons, but it is *literally* impossible to be undetectable on a network. > And, if the network team wants to find you bad enough, they will. Trust me. > > Jake Sallee > Godfather of Bandwidth > System Engineer > University of Mary Hardin-Baylor > WWW.UMHB.EDU > > 900 College St. > Belton, Texas > 76513 > > Fone: 254-295-4658 > Phax: 254-295-4221 > > ________________________________________ > From: Max McGrath via PacketFence-users > <[email protected]> > Sent: Thursday, May 23, 2019 12:08 PM > To: ML PF > Cc: Max McGrath > Subject: [PacketFence-users] NAC bypass > > EXTERNAL Exercise Caution > Hello - > > I've been looking into NAC Bypass lately and came across the following: > > Most defensive tools exclusively look at IPv4 addresses. Forcing traffic over > IPv6 yields a high chance you will go undetected and be unchallenged. > > Would this be true in PacketFence, or would it depend on my specific > configuration? > > Max > -- > Max McGrath > [https://static.licdn.com/scds/common/u/img/webpromo/btn_profile_greytxt_80x15.png] > > <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.linkedin.com_in_max-2Dmcgrath-2Da299124b&d=DwMFaQ&c=61yQaCoNVjQr1ah003i6yA&r=hv6FWbB_1Tauwq1un9h_XR4pflYMFHr0Ag1rvcLKIQA&m=kpvMAJTEdvMKZ0D2qE8FzWouIHwKlexZ01KQD1TSKvo&s=OTRA2r5e4HRmG2Uaf8oKT7uy56LDd0Fks4eAjh8nDvg&e=> > Infrastructure and Security Manager > Carthage College > 262-551-6666 > [email protected]<mailto:[email protected]> > > > _______________________________________________ > PacketFence-users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/packetfence-users The information transmitted, including any attachments, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited, and all liability arising therefrom is disclaimed. If you received this in error, please contact the sender and delete the material from any computer. _______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
