Hi, Russ, Thanks so much for your feedback! Please find my comments in-line...
On 02/14/2014 02:06 PM, Russ Housley wrote:
>
> Summary: The document is almost ready for publication as an
> informational RFC. I raise minor concerns that should be resolved
> before IESG evaluation.
>
> Major Concern:
>
> In my review of -02, I said:
>>
>> This document is about encrypted tunnels, and I am asking for this to
>> be stated very early in the document. Sadly, the IETF uses VPN to mean
>> two very different things, please tell the reader which one is being
>> discussed in the abstract and the introduction of the document. IPsec
>> and L3VPN demonstrate the two very different meanings for VPN, and
>> "VPN leakage" has meaning in both of them.
>
> I think it could be much more clear from the very beginning.
> To this end I propose some alternate Abstract text:
>
> The subtle way in which the IPv6 and IPv4 protocols co-exist in
> typical networks, together with the lack of proper IPv6 support in
> popular Virtual Private Network (VPN) products, may inadvertently
> result in VPN traffic leaks. That is, traffic meant to be
> transferred over an encrypted and integrity protected VPN connection
> may instead be transferred in the clear. This document discusses
> some scenarios in which such VPN leakages may occur, either as a
> side effect of enabling IPv6 on a local network, or as a result of a
> deliberate act by a local attacker. Additionally, this document
> offers possible mitigations for this issue.

Will do. Thanks!

> Personal Observation:
>
> I do not find this document very helpful. It can be summarized as:
>
> If IPv6 is not supported in your VPN software, then disable IPv6
> support in all network interfaces before you try to use it.
>
> I do not know why the OPSEC WG thinks that this message is worthy of
> an RFC.
While I cannot speak for the opsec wg myself, my understanding is that this document serves these goals:

* Raising awareness among VPN users
* Suggesting workarounds to VPN users
* Raising awareness among vendors -- some of them have implemented patches in response to this document.
* Briefly describing some tricky issues that might bite implementations.

Thanks!

Best regards,
--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

_______________________________________________
Gen-art mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/gen-art
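The leak Russ summarizes (a VPN client that installs only IPv4 routes on a host that also has an IPv6 default route) can be checked from the host's routing table. The following script is an added example, not text or code from the draft or from either participant in the thread. It assumes Linux iproute2 output for `ip -6 route show default` and the tunnel interface name `tun0`; the sample route tables are constructed, not captured from a real host. It flags a leak when an IPv6 default route exists via a non-tunnel interface and no tunnel default route is preferred over it, lists the offending interfaces, and prints the per-interface sysctl that implements the "disable IPv6" workaround without executing it.

```sh
#!/bin/sh
# Added example (not from the draft or the reviewers): does IPv6 traffic
# bypass the VPN tunnel? Input is `ip -6 route show default` output
# (Linux iproute2 format assumed) plus the tunnel interface name.
# A leak exists when some IPv6 default route goes via a non-tunnel
# interface and no tunnel default route has a lower metric. Routes marked
# "proto ra" were learned from Router Advertisements: if the VPN client
# ignores IPv6, one RA (legitimate or rogue) is enough to create one.

# v6_leak_status ROUTE_TABLE TUN_IF  -> prints LEAK or OK
v6_leak_status() {
    printf '%s\n' "$1" | awk -v tun="$2" '
        $1 == "default" {
            dev = ""; metric = 1024        # kernel default metric for RA routes
            for (i = 1; i <= NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (dev == tun) {
                if (!tun_seen || metric < tun_min) { tun_min = metric; tun_seen = 1 }
            } else {
                if (!oth_seen || metric < oth_min) { oth_min = metric; oth_seen = 1 }
            }
        }
        END {
            # Equal metrics: which route wins depends on insertion order and
            # kernel version, so treat a tie as a leak.
            if (oth_seen && (!tun_seen || oth_min <= tun_min)) print "LEAK"
            else print "OK"
        }'
}

# v6_leak_ifaces ROUTE_TABLE TUN_IF  -> non-tunnel interfaces carrying an
# IPv6 default route, one per line
v6_leak_ifaces() {
    printf '%s\n' "$1" | awk -v tun="$2" '
        $1 == "default" {
            for (i = 1; i <= NF; i++)
                if ($i == "dev" && $(i + 1) != tun) print $(i + 1)
        }' | sort -u
}

# v6_mitigation_cmd IFACE -> the workaround Russ summarizes, as the sysctl
# that disables IPv6 on a non-tunnel interface (printed, not executed)
v6_mitigation_cmd() {
    printf 'sysctl -w net.ipv6.conf.%s.disable_ipv6=1\n' "$1"
}

# Constructed sample route tables (not captured from a real host).
# VPN pushed IPv4 routes only; eth0 has an RA-learned IPv6 default,
# so IPv6 destinations go out eth0 in the clear.
ROUTES_LEAK='default via fe80::1 dev eth0 proto ra metric 1024 pref medium'
# Same host, but the VPN also installed a preferred IPv6 default.
ROUTES_OK='default dev tun0 proto static metric 50 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 pref medium'
# Host with no IPv6 default route at all.
ROUTES_NONE=''

main() {
    tun=${1:-tun0}
    if command -v ip >/dev/null 2>&1; then
        table=$(ip -6 route show default 2>/dev/null)
        status=$(v6_leak_status "$table" "$tun")
        echo "live check ($tun): $status"
        if [ "$status" = LEAK ]; then
            for dev in $(v6_leak_ifaces "$table" "$tun"); do
                echo "suggested workaround: $(v6_mitigation_cmd "$dev")"
            done
        fi
    fi
    echo "sample, RA default only:      $(v6_leak_status "$ROUTES_LEAK" tun0)"
    echo "sample, tunnel preferred:     $(v6_leak_status "$ROUTES_OK" tun0)"
    echo "sample, no IPv6 default:      $(v6_leak_status "$ROUTES_NONE" tun0)"
}

main "$@"
```

Run it as `sh v6leak.sh tun0` on the host while the VPN is up; the three sample lines are always printed so the logic can be checked where `ip` is unavailable. The metric comparison matters: a VPN that installs an IPv6 default with a worse metric than the RA-learned one does not close the leak, which is why the check does not stop at "a tunnel default exists".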
