[OPSEC] RFC7359: VPN leakages, roughly ten years later

Fernando Gont <fernando.gont@edgeuno.com> Mon, 31 January 2022 07:30 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/RbadHqNcvon2-PIwtg4vsTG5oGA>

Folks,

In 2014 we published RFC7354, entitled "Layer 3 Virtual Private Network
(VPN) Tunnel Traffic Leakages in Dual-Stack Hosts/Networks".

One would have probably expected that by now, the problem of VPN
leakages due to lack of IPv6 support would be long gone (?).

However, the problem seems to be pretty current.

E.g., it seems Forticlient fails to support IPv6 for Linux and Apple
platforms. And, what's worse (?), there does not seem to be a trivial way
to disable IPv6 on iOS. (i.e., "You cannot win, you cannot break even...
you can't even quit the game.")

Any other current examples of this?

P.S.: Wasn't Apple requiring IPv6 support in all apps, anyway? :-?

Thanks,
--
Fernando Gont
Director of Information Security
EdgeUno
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
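As an added illustration, not part of the post above nor code from any VPN vendor, here is a small defender-side check for the RFC 7359 condition on a dual-stack Linux host: it compares the preferred (lowest-metric) IPv4 and IPv6 default routes and flags the case where IPv4 is tunnelled while IPv6 still leaves via the physical interface. The route text is constructed sample output in the shape of `ip route show default` / `ip -6 route show default`, and the list of tunnel interface name prefixes is an assumption.

```python
# Constructed sample output (not captured from a real host) of
#   ip route show default      and      ip -6 route show default
# on a dual-stack host whose VPN client only installed an IPv4 default route.
SAMPLE_V4 = "default dev tun0 scope link\n"
SAMPLE_V6 = "default via fe80::1 dev wlan0 proto ra metric 600 pref medium\n"

# Assumed naming convention for tunnel interfaces; adjust for your environment.
TUNNEL_PREFIXES = ("tun", "tap", "wg", "ppp", "ipsec", "utun")


def preferred_default_dev(route_output):
    """Return the interface of the lowest-metric default route, or None if
    the output contains no default route at all (e.g. IPv6 disabled)."""
    best = None  # (metric, dev)
    for line in route_output.splitlines():
        f = line.split()
        if not f or f[0] != "default" or "dev" not in f:
            continue
        dev = f[f.index("dev") + 1]
        metric = int(f[f.index("metric") + 1]) if "metric" in f else 0
        if best is None or metric < best[0]:
            best = (metric, dev)
    return best[1] if best else None


def is_tunnel(dev):
    return dev.startswith(TUNNEL_PREFIXES)


def check_dual_stack_leak(v4_output, v6_output):
    """Classify the host's routing state with respect to RFC 7359:
    'vpn-not-active'  IPv4 default route is not through a tunnel interface
    'ipv6-unrouted'   IPv4 tunnelled, no IPv6 default route (nothing to leak
                      off-link; on-link IPv6 destinations remain reachable)
    'ipv6-leak'       IPv4 tunnelled, but IPv6 default leaves via a non-tunnel
    'ok'              both address families default through a tunnel"""
    v4 = preferred_default_dev(v4_output)
    v6 = preferred_default_dev(v6_output)
    if v4 is None or not is_tunnel(v4):
        return "vpn-not-active"
    if v6 is None:
        return "ipv6-unrouted"
    return "ok" if is_tunnel(v6) else "ipv6-leak"


if __name__ == "__main__":
    # Run against the constructed sample; on a live host feed it the real
    # output of the two `ip` commands instead.
    print(check_dual_stack_leak(SAMPLE_V4, SAMPLE_V6))
```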