Re: [secdir] Sec-Dir review of draft-ietf-opsec-vpn-leakages-02
Fernando Gont <fgont@si6networks.com> Tue, 10 December 2013 07:54 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 940BF1AE13E; Mon, 9 Dec 2013 23:54:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 35XRGKpY-BRM; Mon, 9 Dec 2013 23:54:36 -0800 (PST)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:d10:2000:e::3]) by ietfa.amsl.com (Postfix) with ESMTP id 1B9931AE081; Mon, 9 Dec 2013 23:54:35 -0800 (PST)
Received: from [186.137.77.127] (helo=[192.168.3.102]) by web01.jbserver.net with esmtpsa (TLSv1:DHE-RSA-CAMELLIA256-SHA:256) (Exim 4.80.1) (envelope-from <fgont@si6networks.com>) id 1VqI95-0002hA-N6; Tue, 10 Dec 2013 08:54:19 +0100
Message-ID: <52A6C883.2080709@si6networks.com>
Date: Tue, 10 Dec 2013 04:53:39 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: "Moriarty, Kathleen" <kathleen.moriarty@emc.com>, "draft-ietf-opsec-vpn-leakages.all@tools.ietf.org" <draft-ietf-opsec-vpn-leakages.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
References: <F5063677821E3B4F81ACFB7905573F240653E7FF01@MX15A.corp.emc.com>
In-Reply-To: <F5063677821E3B4F81ACFB7905573F240653E7FF01@MX15A.corp.emc.com>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [secdir] Sec-Dir review of draft-ietf-opsec-vpn-leakages-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Dec 2013 07:54:38 -0000
Hi, Kathleen,
Thanks so much for your feedback! Please find my comments in-line...
On 12/09/2013 07:21 PM, Moriarty, Kathleen wrote:
> The reference to VPN, never distinguishes if the document is
> referring to an IPSec or TLS VPN.
That's intentional. At the end of the day, what you use to tunnel your
packets does not really affect the underlying issues.
> I suspect IPSec from the document,
> but making this clear would be helpful to the reader. TLS has become
> popular when providing restricted access and may be just an encrypted
> session to a particular service as opposed to a full VPN with routed
> traffic using IPSec. Unfortunately, language has blurred here,
> mostly because of marketing, so clarity would be helpful to avoid
> possible confusion for the reader.
As noted above, this is actually intentional, and I'd personally leave
this "as is" -- put please let me know what you think.
> I would recommend introducing the comparison of slit-tunneling
> earlier in the document as this is a similar issue (IPv6 getting
> routed separately from the VPN traffic), although split-tunneling is
> an intentional configuration option.
Could you please clarify what you have in mind?
> Is the draft intended for developers/implementers or operational
> teams/VPN users -- or both?
Both.
> The proposed fixes could be done by the
> VPN software or operators could disable interfaces, the former would
> obviously be preferred and the abstract mentions products, so you may
> want to repeat that preference later in the document.
So far, the I-D proposes that the fixes should be implemented by the VPN
client. ONly the "Security Considerations" section mentions "disabling
IPv6" as a mitigation (i.e., "last resort" thing).
I guess possible options are:
1) Leaving the I-D "as is", or,
2) Have a "Mitigations" section where the current Section 6
("Mitigations to VPN traffic-leakage vulnerabilities") is incorporated
as subsection 6.1 (and possibly renamed "Fixing VPN client software"),
and then adding another subsection entitled "Operational mitigations" or
the like, essentially discussing manually disabling IPv6 on the local
system.
I'm inclined to "1)", but nevertheless open to "2)".
Thoughts?
Thanks!
Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- [secdir] Sec-Dir review of draft-ietf-opsec-vpn-l… Moriarty, Kathleen
- Re: [secdir] Sec-Dir review of draft-ietf-opsec-v… Fernando Gont
- Re: [secdir] Sec-Dir review of draft-ietf-opsec-v… Stephen Kent
- Re: [secdir] Sec-Dir review of draft-ietf-opsec-v… Moriarty, Kathleen
- Re: [secdir] Sec-Dir review of draft-ietf-opsec-v… Paul Hoffman
- Re: [secdir] Sec-Dir review of draft-ietf-opsec-v… Fernando Gont
- Re: [secdir] Sec-Dir review of draft-ietf-opsec-v… Moriarty, Kathleen
- Re: [secdir] Sec-Dir review of draft-ietf-opsec-v… Moriarty, Kathleen