Joel,

On 03/29/2014 11:26 AM, joel jaeggli wrote:
>>
>> In addition to some responses below, it appears that my review
>> comments sent to opsec are yet to be addressed:
>> http://www.ietf.org/mail-archive/web/opsec/current/msg01477.html
>> "The only remaining bit is the issue raised by Carlos which we'll
>> hopefully address in the next rev."
>> http://www.ietf.org/mail-archive/web/opsec/current/msg01447.html
>>
>> It seems the remaining bit is still remaining. Frankly, I am
>> still concerned that this doc still refers to "VPN Leakages"
>> while its applicability and scope is a small subset of "VPNs".
>
> the problem I take it with respect to applicability is that the
> draft targets a narrow subset of vpns. The problem of exposure via
> split tunnels or in fact multi-interface issues covers a whole
> range of issues, some of which are deliberate, some accidental or
> in this case inadvertent.

As noted by Gert and myself, this document raises awareness about a
specific (yet common) problem scenario where, as a result of the
interactions between IPv4 and IPv6, your traffic may (either
deliberately or inadvertently) leak out of your VPN software.

This problem has affected (and in some cases "is still affecting")
products from vendors (Cisco, Juniper, OpenVPN, etc.). The solution, as
noted by Gert, is non-trivial. Raising awareness of this issue has led a
number of folks (including vendors) to at least pay attention and
consider doing something about this. And, at the same time, for folks
employing the said VPN software to be aware of these issues.

This kind of thing
<http://marc.info/?l=openbsd-cvs&m=135420170107687&w=2> should be an
indication of why the document is important.

Thanks!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
