tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts



Darren Reed <darrenr%netbsd.org@localhost> writes:

> Lets assume that a host where I work is dual homed and that I can
> connect to it at work using IPv4 or IPv6.

Your example isn't about the case that I think people care about.

  A company has some internal network, which is heavily firewalled.

  Employees have computers, and they VPN in.  Once in, their traffic is
  subject to monitoring, etc.

  There's a policy that says you can be connected inside only, or outside
  only.  (This is based on a notion that using a computer as a stepping
  stone is a significant issue, compared to persistent malware.  But it's
  common thinking, basically fighting the war of the 90s, and probably
  helpful now even if it isn't the main threat.)

  A user starts up the VPN, which is v4 only.   But, they're still on
  their local network, and possibly on the internet.  Hence a policy
  violation.

But on the other hand I agree with Darren's points.  This is a policy
matter, and NetBSD as an OS should be neutral, allowing users to set
policy.  So I'd say that VPN packages (as opposed to what's in the
NetBSD base system) should handle this, offering a configuration option.

I disagree with Fernando's characterization that IPv6 traffic not going
in a VPN (or being blocked0 when a v4 VPN is configuration is
necessarily a bug.  For the totally-controlling corporate policy types,
yes, but for many no.   So I'd say that it's a bug for a VPN package not
to make this configurable; perhaps that's what he meant.

Attachment: pgpnlpy0Z5FmW.pgp
Description: PGP signature



Home | Main Index | Thread Index | Old Index