Thanks for your review, Russ. Is there a new version coming up?

Jari

On Feb 14, 2014, at 7:27 PM, Fernando Gont <[email protected]> wrote:

> Hi, Russ,
>
> Thanks so much for your feedback! Please find my comments in-line...
>
> On 02/14/2014 02:06 PM, Russ Housley wrote:
>>
>> Summary: The document is almost ready for publication as an
>> informational RFC. I raise minor concerns that should be resolved
>> before IESG evaluation.
>>
>> Major Concern:
>>
>> In my review of -02, I said:
>>>
>>> This document is about encrypted tunnels, and I am asking for this to
>>> be stated very early in the document. Sadly, the IETF uses VPN to mean
>>> two very different things, please tell the reader which one is being
>>> discussed in the abstract and the introduction of the document. IPsec
>>> and L3VPN demonstrate the two very different meanings for VPN, and
>>> "VPN leakage" has meaning in both of them.
>>
>> I think it could be much more clear from the very beginning.
>> To this end I propose some alternate Abstract text:
>>
>> The subtle way in which the IPv6 and IPv4 protocols co-exist in
>> typical networks, together with the lack of proper IPv6 support in
>> popular Virtual Private Network (VPN) products, may inadvertently
>> result in VPN traffic leaks. That is, traffic meant to be
>> transferred over an encrypted and integrity protected VPN connection
>> may instead be transferred in the clear. This document discusses
>> some scenarios in which such VPN leakages may occur, either as a
>> side effect of enabling IPv6 on a local network, or as a result of a
>> deliberate act by a local attacker. Additionally, this document
>> offers possible mitigations for this issue.
>
> Will do. Thanks!
>
>> Personal Observation:
>>
>> I do not find this document very helpful. It can be summarized as:
>>
>> If IPv6 is not supported in your VPN software, then disable IPv6
>> support in all network interfaces before you try to use it.
>>
>> I do not know why the OPSEC WG thinks that this message is worthy of
>> an RFC.
>
> While I cannot speak for the opsec wg myself, my understanding is that
> this document serves these goals:
>
> * Raising awareness among VPN users
>
> * Suggesting workarounds to VPN users
>
> * Raising awareness among vendors -- some of them have implemented
> patches in response to this document.
>
> * Briefly describing some tricky issues that might bite implementations.
>
> Thanks!
>
> Best regards,
> --
> Fernando Gont
> SI6 Networks
> e-mail: [email protected]
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
> _______________________________________________
> Gen-art mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/gen-art
