I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at
<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please resolve these comments along with any other Last Call comments
you may receive.

Document: draft-ietf-opsec-vpn-leakages-03
Reviewer: Russ Housley
Review Date: 2014-02-14
IETF LC End Date: 2013-12-16
IESG Telechat date: 2014-02-20

Summary:  The document is almost ready for publication as an
informational RFC.  I raise minor concerns that should be resolved
before IESG evaluation.

Major Concern:

In my review of -02, I said:
>
> This document is about encrypted tunnels, and I am asking for this to
> be stated very early in the document.  Sadly, the IETF uses VPN to mean
> two very different things; please tell the reader which one is being
> discussed in the abstract and the introduction of the document.  IPsec
> and L3VPN demonstrate the two very different meanings for VPN, and
> "VPN leakage" has meaning in both of them.

I think it could be much more clear from the very beginning.
To this end I propose some alternate Abstract text:

   The subtle way in which the IPv6 and IPv4 protocols co-exist in
   typical networks, together with the lack of proper IPv6 support in
   popular Virtual Private Network (VPN) products, may inadvertently
   result in VPN traffic leaks.  That is, traffic meant to be
   transferred over an encrypted and integrity protected VPN connection
   may instead be transferred in the clear.  This document discusses
   some scenarios in which such VPN leakages may occur, either as a
   side effect of enabling IPv6 on a local network, or as a result of a
   deliberate act by a local attacker.  Additionally, this document
   offers possible mitigations for this issue.

Personal Observation:

I do not find this document very helpful.  It can be summarized as:

   If IPv6 is not supported in your VPN software, then disable IPv6
   support in all network interfaces before you try to use it.

I do not know why the OPSEC WG thinks that this message is worthy of
an RFC.

_______________________________________________
Gen-art mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/gen-art