Hi, Joel,

On 03/23/2014 02:57 PM, joel jaeggli wrote:
>
> https://datatracker.ietf.org/doc/draft-ietf-opsec-vpn-leakages/
>
> 1. Does the working-group view disabling IPV6 in deployed
> equipment due to operational necessity as a desirable outcome.

This should not be characterized as a "desired outcome". The document describes a problem, and discusses possible mitigations. It never says or suggests that this is the desired outcome -- if anything, just a possible "last resort" scenario.

For instance, this is what the document says:

"While the desired mitigation for the issues discussed in this document is for VPN clients to be IPv6-aware, we note that in scenarios where this would be unfeasible, an administrator may want to disable IPv6 connectivity on all network interfaces of the node employing the IPv6-unaware VPN client."

As a guy that both normally employs IPv6 and that also employs an IPv6-unaware client (OpenVPN), I face this problem very frequently. What I usually do is that, whenever I really mean to employ my VPN client, I resort to disabling IPv6. This is certainly not a desired outcome... but a tradeoff between "having my traffic sent out in the clear when I mean it to be encrypted" and "employing IPv6".

The desired outcome (albeit noted in the I-D) is that VPN clients successfully support IPv6. But at times this is not under the control of the folk employing the VPN client.

> 2. Does the working-group characterize the problem of vpn leakages
> captured in this document as being distinct from the problems posed
> by split-tunnels in general.

The problem is different because this problem arises from a (usually overseen) interaction between the two protocols (which are usually assumed to be separate worlds).

FWIW, this was not only discussed in opsec, but we also presented this document at the ipsecme wg.

Thanks!

Best regards,
--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
