Hi, Joel,
Thanks so much for your efforts in this area.
Short version of my answer: "This is fine. Please go ahead and push
the document forward".
Long version of my answer:
This note is meant to reflect an IESG opinion, so I respect it as
such. I'd note that I don't know of any other case where the VPN
supports more than one address family that is not "IPv4 and IPv6"
("IPv4 and OSI"?). Additionally, if the "leak" occurs because of a
split tunnel, then that's not a leak, but rather the result of an
explicit decision (the split policy established by the administrator).
But I'm fine with having different views on the topic.
Thanks,
Fernando
On 06/22/2014 12:36 AM, joel jaeggli wrote:
> Thoughts would be appreciated.
>
> joel ---
>
> This document describes a problem of information leakage in VPN
> software and attributes that problem to the software's inability to
> deal with IPv6. We do not think this is an appropriate
> characterization of the problem. It is true that when a device
> supports more than one address family, the inability to apply
> policy to more than one address family on that device is a defect.
> Despite that, inadvertent or maliciously-induced information
> leakage may also occur due to the existence of any unencrypted
> interface allowed on the system, including the configuration of
> split tunnels in the VPN software itself.
--
Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
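The defect the IESG note describes (policy applied to one address family but not the other) and the split-tunnel distinction Fernando draws are both visible in the host's routing tables, so here is a check that reads them. This is an added example, not code from the thread or from the draft under discussion: the `ip route` / `ip -6 route` tables are constructed samples, and the function names (`parse_ip_route`, `egress_interface`, `vpn_coverage`, `is_family_asymmetric`) and the documentation-range probe addresses are my own choices. The IPv4 sample deliberately uses the two /1 routes that an OpenVPN-style `redirect-gateway def1` installs instead of replacing the default route, so a naive "is the default route on the tunnel" check would get it wrong; the example does a longest-prefix lookup instead.

```python
"""Per-address-family egress check for a host running a VPN client.

Added example, not part of the original mailing-list thread. Feed it the
text of `ip route` and `ip -6 route`; the tables below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress._BaseNetwork  # IPv4Network or IPv6Network
    dev: str
    metric: int


def parse_ip_route(text, family):
    """Parse `ip route` (family=4) or `ip -6 route` (family=6) output.

    Lines with no 'dev' field (blackhole/unreachable/prohibit) are skipped;
    they never carry traffic off the host, so they cannot leak anything.
    """
    default = ipaddress.ip_network("0.0.0.0/0" if family == 4 else "::/0")
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dev_m = re.search(r"\bdev\s+(\S+)", line)
        if dev_m is None:
            continue
        dest = fields[0]
        prefix = default if dest == "default" else ipaddress.ip_network(dest, strict=False)
        if prefix.version != family:
            continue
        metric_m = re.search(r"\bmetric\s+(\d+)", line)
        metric = int(metric_m.group(1)) if metric_m else 0
        routes.append(Route(prefix, dev_m.group(1), metric))
    return routes


def egress_interface(routes, destination):
    """Longest-prefix match (lowest metric on ties); None if no route covers it."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))
    return best.dev


def vpn_coverage(v4_table, v6_table, vpn_ifaces,
                 probes=("203.0.113.1", "2001:db8::1")):
    """Map each probe (a public address, one per family) to where it would leave:
    'tunnel', 'outside-tunnel', or 'unreachable'."""
    tables = {4: parse_ip_route(v4_table, 4), 6: parse_ip_route(v6_table, 6)}
    result = {}
    for probe in probes:
        dev = egress_interface(tables[ipaddress.ip_address(probe).version], probe)
        if dev is None:
            result[probe] = "unreachable"
        elif dev in vpn_ifaces:
            result[probe] = "tunnel"
        else:
            result[probe] = "outside-tunnel"
    return result


def is_family_asymmetric(coverage):
    """True when one family is tunnelled and the other goes out in the clear.

    A family with no route at all is not counted: that is absence of
    connectivity, not traffic escaping the tunnel. Whether 'outside-tunnel'
    is a leak or a deliberate split-tunnel policy is for the operator to say;
    this only reports that the two families are treated differently.
    """
    states = set(coverage.values())
    return "tunnel" in states and "outside-tunnel" in states


# Constructed sample: IPv4 captured by tun0 via two /1 routes (the original
# default stays, plus a host route to the VPN server 198.51.100.7 via eth0);
# IPv6 left entirely on eth0 with a router-advertised default.
SAMPLE_V4 = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20 metric 100
198.51.100.7 via 192.168.1.1 dev eth0
"""

SAMPLE_V6 = """\
2001:db8:1::/64 dev eth0 proto ra metric 100
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::1 dev eth0 proto ra metric 100
"""

# Constructed variants: IPv6 also pulled into the tunnel, and IPv6 link-local only.
SAMPLE_V6_TUNNELLED = SAMPLE_V6 + "2000::/3 dev tun0 metric 1024\n"
SAMPLE_V6_LINK_LOCAL_ONLY = "fe80::/64 dev eth0 proto kernel metric 256\n"


if __name__ == "__main__":
    for label, v6 in (("v6 on eth0", SAMPLE_V6), ("v6 on tun0", SAMPLE_V6_TUNNELLED),
                      ("v6 link-local only", SAMPLE_V6_LINK_LOCAL_ONLY)):
        cov = vpn_coverage(SAMPLE_V4, v6, {"tun0"})
        print(label, cov, "asymmetric" if is_family_asymmetric(cov) else "consistent")
```

On a live Linux host, replace the constructed strings with the output of `ip route` and `ip -6 route` and pass the VPN interface name(s) as `vpn_ifaces`. The probe addresses only need to be routable public addresses of each family; the documentation ranges used here are fine because nothing is actually sent.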