Apologies for the lateness of these two small comments, and if it has been made before --
Looking only at the title and first sentence of the Abstract:

--->8---
Virtual Private Network (VPN) traffic leakages in dual-stack hosts/networks

Abstract

The subtle way in which the IPv6 and IPv4 protocols co-exist in typical networks, together with the lack of proper IPv6 support in popular Virtual Private Network (VPN) products, may inadvertently result in VPN traffic leaks.
--->8---

I have one concern and one small comment:

First, "VPN" is a pseudo-technical term, or a meta-term. If I understand, this document refers to a very narrow slice of "VPNs" (not to L1VPNs, not to L2VPNs, not to MP-BGP/MPLS IP VPNs, not to...). The document seems to be (only?) focusing on client/concentrator VPNs, and within these ones the IPsec ones. Can we make this very explicit in the 1. title, 2. abstract, and even 3. a formal definition of scope?

Second, are these "leakages" if the packets are not destined to go in the tunnel? I guess if the "traffic" (i.e., payload) is not sent on the IPsec tunnel, then it is leaked. But it is a bit borderline...

The second is not a big deal, the first one is, IMHO.

Thanks,

-- Carlos.

On Dec 2, 2013, at 7:53 AM, The IESG <[email protected]> wrote:

>
> The IESG has received a request from the Operational Security
> Capabilities for IP Network Infrastructure WG (opsec) to consider the
> following document:
> - 'Virtual Private Network (VPN) traffic leakages in dual-stack hosts/
>   networks'
>  <draft-ietf-opsec-vpn-leakages-02.txt> as Informational RFC
>
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action. Please send substantive comments to the
> [email protected] mailing lists by 2013-12-16. Exceptionally, comments may be
> sent to [email protected] instead. In either case, please retain the
> beginning of the Subject line to allow automated sorting.
>
> Abstract
>
>
>   The subtle way in which the IPv6 and IPv4 protocols co-exist in
>   typical networks, together with the lack of proper IPv6 support in
>   popular Virtual Private Network (VPN) products, may inadvertently
>   result in VPN traffic leaks.  That is, traffic meant to be
>   transferred over a VPN connection may leak out of such connection and
>   be transferred in the clear from the local network to the final
>   destination.  This document discusses some scenarios in which such
>   VPN leakages may occur, either as a side effect of enabling IPv6 on a
>   local network, or as a result of a deliberate attack from a local
>   attacker.  Additionally, it discusses possible mitigations for the
>   aforementioned issue.
>
>
>
>
> The file can be obtained via
> http://datatracker.ietf.org/doc/draft-ietf-opsec-vpn-leakages/
>
> IESG discussion can be tracked via
> http://datatracker.ietf.org/doc/draft-ietf-opsec-vpn-leakages/ballot/
>
>
> No IPR declarations have been submitted directly on this I-D.
>
>
> _______________________________________________
> OPSEC mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/opsec
