Hey Fernando,

Some minor editorial nits and a question...

Section 1. "Section 2 provides some background about IPv6 and IPv4 co-existence, summarizing how IPv4 and IPv4 interact on a typical dual-stacked network"

I think you meant IPv4 and IPv6 here.

Section 3. "Therefore, for dual-stacked systems, it is not possible to secure secure the communication with another system without securing both protocols (IPv6 and IPv4)."

You repeat "secure" twice.

Now for the question:

While I understand the premise of the problem here and agree that there is potential for VPN traffic leakages, I am trying to understand the scope of this threat in typical VPN setups.

Let's say user Bob wants to access his files from a file server on his enterprise network while enjoying a latte from a cafe. He pulls up his VPN client, establishes a secure connection and tries to connect to filer1.example.com. To me, the use of a VPN client implies that the server is not publicly accessible over the Internet. Now, he gets back an A and AAAA record for filer1.example.com. Typically, that name would resolve to IPvX addresses that are only accessible from within the network. Common security best practices regardless of IPv4 or IPv6 would suggest that you achieve this by either applying appropriate filtering policies to prevent access from the outside world and/or only advertising prefixes that you want global reachability to/from.

Let's say that Bob's host prefers the AAAA record and uses IPv6, his request for accessing the files would probably go out in the clear over IPv6 but will most likely end up being dropped either at the local IPv6 router because it has no routes to this protected network, or at the edge of his corporate network by some ACL that blocks access from the outside world.

Granted, there is still the potential of one-way communication attempts going out in clear text on Bob's LAN at the cafe and subject to interception.

So my question is, is the premise here that the network behind the VPN head end is globally routable without any filtering mechanisms in place? If that's the case then yes, VPN leakage here can be severe and detrimental.

Thanks,
KK

On Mon, Oct 15, 2012 at 11:51 AM, Fernando Gont <[email protected]> wrote:

> Hi, folks,
>
> We have published a new IETF I-D that discusses the VPN traffic-leakage
> issues that were briefly discussed on this mailing-list a few weeks ago.
>
> The I-D is available at:
> <http://www.ietf.org/internet-drafts/draft-gont-opsec-vpn-leakages-00.txt>
>
> Any feedback will be really welcome.
>
> Thanks!
>
> Best regards,
> Fernando

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
