On 9/11/2011 7:24 PM, Andrew McMillan wrote:
A classic example I saw was a bunch of folk from some government department showing up at an IPv6 conference in Canberra a few years ago and, being told the wireless was IPv6 enabled, they hooked up and said "we don't need to worry about this, we just VPN back to the office and our security policy insists that all web browsing happens across the VPN". Then they clicked on a link to an IPv6-only website and promptly discovered all of their security was being bypassed, if the website was available on IPv6. Whoops.
They promptly started paying a lot more attention to the conference, and thinking a lot harder about why they needed security policy around IPv6.
I wouldn't be surprised to discover this to be a reasonably common issue for medium-size or larger organisations who think "we can ignore IPv6 for now, because we don't need or use it".
Oh yes. This is particularly true in enterprises that are starting the "BYO device" model, where there is no longer a Standard Operating Environment, and IPv6 may be enabled on the device. Other than your anecdote - which I've observed myself, and it makes it easy to continue to use your home printer/other devices when on the corporate VPN - my favorite is split-horizon DNS breaking spectacularly, given that Windows 7 at least will prefer to use IPv6 DNS servers (e.g. "Internet") vs. IPv4 DNS servers ("VPN"), meaning that the VPN comes up but nothing appears to actually work. It's quite interesting how the gradual rollout is breaking things in slightly unanticipated ways, although it does tend to result in people [recommending to] clicking "disable ipv6" :-(.