Fernando,

On Dec 22, 2013, at 4:06 PM, Fernando Gont <[email protected]> wrote:

> Hi, Carlos,
>
> On 12/22/2013 05:54 PM, Carlos Pignataro (cpignata) wrote:
>>> FWIW, this is what we have at the time of this writing (still subject to
>>> comments and edits);
>>>
>>> ---- cut here ----
>>> When employing the term VPN (or its acronym, "VPN"), this document
>>> refers to IPsec-based or TLS-based tunnels, where traffic is
>>> encapsulated and sent from a client to a middle-box, to access
>>> multiple network services (potentially employing different transport
>>> and/or application protocols).
>>
>> I do not think this is the best approach. Here you are saying: “when we
>> say VPN we actually mean this, so we will make statements about VPNs”.
>> Instead, I’d suggest the more precise approach is to say “in this document
>> we consider Foobar VPNs, so we will make statements about Foobar VPNs”
>> (where Foobar is a modifier/qualifier of VPN, defined in the document).
>
> If you know of such modifier/qualifier, I'd like to know -- particularly
> if it's a one/two word thing that will not result in cumbersome text
> throughout the document.
>
> Besides, at the end of the day, foobar VPN would still be one definition
> of ours, so... I'm not sure that would make the text any more precise
> (as long as the terminology is clarified up front, as with a "Terminology"
> section).
>

I proposed a couple, I think they are better than nothing but certainly not great. Perhaps a potentially good one is hub-and-spoke (like in the softwires terminology, as I understand you are talking always about cases with a VPN Concentrator (hub), and the vulnerability in the (software) clients (spokes)).

In any case, my main point is that saying "VPN leakages in dual-stack networks" is not correct, as it overgeneralizes. And I think that "foobar VPN" is much better than "VPN", provided that "foobar" is defined in the document. It's OK to create a new term if it is needed and none exists.

>>> Our use of the term "Virtual Private Networks" excludes the so-called
>>> SSL/TLS VPN portals (a front-end provided by the middlebox to add
>>> security to a normally-unsecured site). Further discussion of
>>> SSL-based VPNs can be found in [SSL-VPNs].
>>
>> Additionally, this talks about a specific view from the user (it is not a
>> provider provisioned VPN for example). So I’d define what it is and not
>> what it is not.
>
> Not sure what you mean.
>
>>>>> Regarding the title... I'm not sure it's easy to come up with
>>>>> something simple that makes this clear (particularly when, as you
>>>>> correctly state, "VPN" is kind of a meta-term)... Do you have any
>>>>> suggestions for some alternative title?
>>>>
>>>> I think that, for the title, saying "VPN traffic leakages" is too generic
>>>> to be accurate, and you need to qualify "VPN".
>>>
>>> Is that possible in a one-liner?
>>
>> It is necessary, in a one- or two-liner.
>
> So far we have tried to do that with the terminology Section -- and I
> doubt that can be clearly done with a one liner. But if you have any
> suggestions, I'm all ears.
>

See above (although you'd need to be "all eyes" or use a text-to-speech interface :-)

Net-net -- given the number of different types of VPNs, if the leakage does not apply to all (or even most) of them, I still think that technically the title/abstract/doc needs to narrow scope.

>> The IETF has defined terminology and taxonomy for VPNs. For example:
>> http://tools.ietf.org/html/rfc2764
>> http://tools.ietf.org/html/rfc3809
>> http://tools.ietf.org/html/rfc4026 for PP-VPNs, esp. S. 3, 3.10, 4
>> http://tools.ietf.org/html/rfc4110#section-1.5
>>
>> And as you acknowledge it is a meta term (and an overused one); I’d talk
>> about Foobar-VPNs, with narrow definitions.
>
> I'll check the references, and will also let others weigh in.

Sounds good -- thanks.

Carlos Pignataro.

>
> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: [email protected]
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>

_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
