On Fri, May 17, 2019 at 3:54 PM Brian E Carpenter <[email protected]> wrote:
>
> On 18-May-19 09:07, Kurt Buff - GSEC, GCIH wrote:
> > On Fri, May 17, 2019 at 1:59 PM Enno Rey <[email protected]> wrote:
> >>
> >> Hi,
> >>
> >> On Fri, May 17, 2019 at 01:45:56PM -0700, Kurt Buff - GSEC, GCIH wrote:
> >>> Forgive the intrusion, as I seek a bit of clarity.
> >>>
> >>> MSFT DirectAccess seems to use the address range in question:
> >>>
> >>> Tunnel adapter iphttpsinterface:
> >>>
> >>> Connection-specific DNS Suffix . :
> >>> IPv6 Address. . . . . . . . . . . :
> >>> 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
> >>> Temporary IPv6 Address. . . . . . :
> >>> 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
> >>> Temporary IPv6 Address. . . . . . :
> >>> 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
> >>> Link-local IPv6 Address . . . . . : fe80::75e4:c4b3:fae6:237c%2
> >>> Default Gateway . . . . . . . . . :
> >>>
> >>> It seems to me that filtering this range might hurt a bit, unless I'm
> >>> mistaking what some are proposing.
> >>
> >> not being an MS DirectAccess expert I'd say that - given DA is a VPN
> >> technology, using IP-HTTPS as a (somewhat proprietary) tunnel tech - these
> >> addresses shouldn't be visible too much "in the [public] IPv6 Internet" so
> >> the proposed filtering (of this thread) shouldn't come into play.
> >>
> >> cheers
> >>
> >> Enno
> >
> > So, network filters aren't going to gratuitously inspect IPv4 packets
> > for IPv6 content.
>
> Let's hope not, but what possessed Microsoft to make them use the
> 2002::/16 prefix in this way is an interesting question in itself.
> In 6to4 format, 4332:aaaa would imply a site IPv4 address of
> 67.50.170.170. And cccc:dddd:eeee:ffff doesn't look much like
> a pseudo-random temporary interface identifier.
>
> Maybe it's never a good idea to look underneath the hood of a VPN.

LOL! Obfuscation has its uses...

Kurt
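The 6to4 decoding mentioned in the thread, as an added example that is not part of any poster's message: it scans ipconfig-style output for 2002::/16 addresses, extracts the embedded IPv4 address, and reports whether that address is globally routable, which is a useful inventory step before filtering the prefix. The sample text, the second adapter, and the function name `find_6to4` are constructed for illustration.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")

# Constructed sample modelled on the ipconfig output quoted in the thread;
# the second adapter and its addresses are invented for the example.
SAMPLE = """\
Tunnel adapter iphttpsinterface:
   IPv6 Address. . . . . . . . . . . : 2002:4332:aaaa:bbbb:cccc:dddd:eeee:ffff
   Link-local IPv6 Address . . . . . : fe80::75e4:c4b3:fae6:237c%2
Ethernet adapter lab (constructed):
   IPv6 Address. . . . . . . . . . . : 2002:c0a8:0101:1::1
   IPv6 Address. . . . . . . . . . . : 2001:db8::10
"""


def find_6to4(text):
    """Return (ipv6, embedded_ipv4, ipv4_is_global) for each 2002::/16 address."""
    hits = []
    for line in text.splitlines():
        # ipconfig separates label and value with " : "; header lines have none.
        _, sep, value = line.rpartition(" : ")
        if not sep:
            continue
        try:
            # Drop any zone index (e.g. "%2") before parsing.
            addr = ipaddress.IPv6Address(value.split("%")[0].strip())
        except ValueError:
            continue
        if addr in SIX_TO_FOUR:
            # In 6to4, bits 16..47 of the address carry the site's IPv4 address.
            v4 = addr.sixtofour
            hits.append((str(addr), str(v4), v4.is_global))
    return hits


if __name__ == "__main__":
    for v6, v4, is_global in find_6to4(SAMPLE):
        note = "public IPv4" if is_global else "non-global IPv4, not valid 6to4"
        print(f"{v6} -> {v4} ({note})")
```
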
