> Out of curiosity, how are you prevent IPv6 addresses from flowing? Is this at > the router/L3 switch or firewall level?
That's a good question! The answer is both firewall and L3. I have lots of internal vlans ... like ... a lot. So, so many ... I may have a psychological problem. All my vlan interfaces do not have IPv6 addresses and the switches and routers will not forward v6 packets (I'm not running an IPv6 capable routing protocol). All modern OSes will tunnel your IPv6 over IPv4 (windows does this by default IIRC) but that is a 6to4 gateway and brings the conversation full circle. I also run a cluster of internal segmentation firewalls which do not permit IPv6 to pass through them. So IPv6 is dropped either at the router or FW if it is seen by them, and if the OS tunnels IPv6 through a v4 connection that is no different than regular traffic. Bada-bing bada-boom! No IPv6 for you! Jake Sallee Godfather of Bandwidth System Engineer University of Mary Hardin-Baylor WWW.UMHB.EDU 900 College St. Belton, Texas 76513 Fone: 254-295-4658 Phax: 254-295-4221 ________________________________________ From: Louis Scaringella <[email protected]> Sent: Thursday, May 23, 2019 2:07 PM To: [email protected] Cc: Sallee, Jake Subject: Re: [PacketFence-users] NAC bypass EXTERNAL Exercise Caution Out of curiosity, how are you prevent IPv6 addresses from flowing? Is this at the router/L3 switch or firewall level? What about non-routable link local addresses? > On May 23, 2019, at 1:21 PM, Sallee, Jake via PacketFence-users > <[email protected]> wrote: > > Max: > > This strikes me as an uninformed opinion. > > While a lot of tools don't speak IPv6, very little of the world runs IPv6 ... > even though its over a decade old. Most IPv6 providers run an IPv6to4 > gateway and technically all IPv6 traffic will run through a 6to4 gateway > somewhere or else they would not have access to traditional IPv4 networks ... > AKA the bulk of the internet. > > Once your traffic has gone through the gateway it is essentially classic IPv4 > and thus is readable by all those tools you were trying to avoid. > > In my network IPv6 flat doesn't work. If you have your computer configured > with an IPv6 address your traffic will not flow ... at all. So ... problem > solved : ) > > Also, plenty of "defensive" tools support IPv6. My NSM distro of choice is > SecurityOnion and it fully supports IPv6. > > As a final note I would hold anyone under strict suspicion who says they can > move around a network undetected. You may go unnoticed for a number of > reasons, but it is *literally* impossible to be undetectable on a network. > And, if the network team wants to find you bad enough, they will. Trust me. > > Jake Sallee > Godfather of Bandwidth > System Engineer > University of Mary Hardin-Baylor > http://WWW.UMHB.EDU > > 900 College St. > Belton, Texas > 76513 > > Fone: 254-295-4658 > Phax: 254-295-4221 > > ________________________________________ > From: Max McGrath via PacketFence-users > <[email protected]> > Sent: Thursday, May 23, 2019 12:08 PM > To: ML PF > Cc: Max McGrath > Subject: [PacketFence-users] NAC bypass > > EXTERNAL Exercise Caution > Hello - > > I've been looking into NAC Bypass lately and came across the following: > > Most defensive tools exclusively look at IPv4 addresses. Forcing traffic over > IPv6 yields a high chance you will go undetected and be unchallenged. > > Would this be true in PacketFence, or would it depend on my specific > configuration? > > Max > -- > Max McGrath > [https://urldefense.proofpoint.com/v2/url?u=https-3A__static.licdn.com_scds_common_u_img_webpromo_btn-5Fprofile-5Fgreytxt-5F80x15.png&d=DwIFAg&c=61yQaCoNVjQr1ah003i6yA&r=hv6FWbB_1Tauwq1un9h_XR4pflYMFHr0Ag1rvcLKIQA&m=FIAzVlcOPqEjodnFXQemsWqyIMKywyq4ELlpTMYAu04&s=_1sSp07FqWczc33G7UfwhDpzdO-wcx8mlprAX0poUyc&e= > ] > <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.linkedin.com_in_max-2Dmcgrath-2Da299124b&d=DwMFaQ&c=61yQaCoNVjQr1ah003i6yA&r=hv6FWbB_1Tauwq1un9h_XR4pflYMFHr0Ag1rvcLKIQA&m=kpvMAJTEdvMKZ0D2qE8FzWouIHwKlexZ01KQD1TSKvo&s=OTRA2r5e4HRmG2Uaf8oKT7uy56LDd0Fks4eAjh8nDvg&e=> > Infrastructure and Security Manager > Carthage College > 262-551-6666 > [email protected]<mailto:[email protected]> > > > _______________________________________________ > PacketFence-users mailing list > [email protected] > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.sourceforge.net_lists_listinfo_packetfence-2Dusers&d=DwIFAg&c=61yQaCoNVjQr1ah003i6yA&r=hv6FWbB_1Tauwq1un9h_XR4pflYMFHr0Ag1rvcLKIQA&m=FIAzVlcOPqEjodnFXQemsWqyIMKywyq4ELlpTMYAu04&s=q4xPBr0KB-Z2W9d0NzWNI0vKJ4sWjVQyltlpPA-Ne1E&e= The information transmitted, including any attachments, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited, and all liability arising therefrom is disclaimed. If you received this in error, please contact the sender and delete the material from any computer. _______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
