[secdir] Sec-Dir review of draft-ietf-opsec-vpn-leakages-02

"Moriarty, Kathleen" <kathleen.moriarty@emc.com> Mon, 09 December 2013 22:21 UTC

From: "Moriarty, Kathleen" <kathleen.moriarty@emc.com>
To: "draft-ietf-opsec-vpn-leakages.all@tools.ietf.org" <draft-ietf-opsec-vpn-leakages.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Date: Mon, 09 Dec 2013 17:21:23 -0500
Cc: "fgont@si6networks.com" <fgont@si6networks.com>
Subject: [secdir] Sec-Dir review of draft-ietf-opsec-vpn-leakages-02

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The document is almost ready for publication, but could benefit from providing better descriptions in the introduction of the work.  The Security Considerations probably has the most crisp statement of the draft purpose.

The reference to VPN never distinguishes if the document is referring to an IPSec or TLS VPN.  I suspect IPSec from the document, but making this clear would be helpful to the reader.  TLS has become popular when providing restricted access and may be just an encrypted session to a particular service as opposed to a full VPN with routed traffic using IPSec.  Unfortunately, language has blurred here, mostly because of marketing, so clarity would be helpful to avoid possible confusion for the reader.

I would recommend introducing the comparison of split-tunneling earlier in the document as this is a similar issue (IPv6 getting routed separately from the VPN traffic), although split-tunneling is an intentional configuration option.

Is the draft intended for developers/implementers or operational teams/VPN users -- or both?  The proposed fixes could be done by the VPN software or operators could disable interfaces; the former would obviously be preferred and the abstract mentions products, so you may want to repeat that preference later in the document.

Thank you,
Kathleen
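The routing situation the review alludes to in its split-tunneling comparison (IPv6 routed separately from the VPN traffic), as an added host-side check that is not part of the review or the draft. It assumes Linux `ip route` / `ip -6 route` output and the interface names tun0 and eth0; the sample tables are constructed.

```python
# Added example, not the review's or the draft's code: flag IPv4 tunneled through
# the VPN while IPv6 still defaults over the physical interface (constructed data).
import re
from collections import namedtuple

Route = namedtuple("Route", "dst gw dev")
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<gw>\S+))?\s+dev\s+(?P<dev>\S+)")

# Constructed sample in the style of Linux `ip route` / `ip -6 route` output.
IPV4_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.0.2.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
"""
IPV6_ROUTES = """\
2001:db8:1::/64 dev eth0 proto ra metric 100
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::1 dev eth0 proto ra metric 100
"""

# Destinations that capture all traffic: a plain default, or the two half-space
# routes VPN clients commonly add to override the default without deleting it.
DEFAULT_DSTS = {4: ({"default", "0.0.0.0/0"}, {"0.0.0.0/1", "128.0.0.0/1"}),
                6: ({"default", "::/0"}, {"::/1", "8000::/1"})}

def parse_routes(text):
    """Parse `ip route` style lines into Route tuples; unparseable lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(Route(m.group("dst"), m.group("gw"), m.group("dev")))
    return routes

def covers_default(routes, dev, family):
    """True if `dev` carries a default route or both half-space routes."""
    dsts = {r.dst for r in routes if r.dev == dev}
    singles, halves = DEFAULT_DSTS[family]
    return bool(dsts & singles) or halves <= dsts

def ipv6_leak_routes(ipv4_text, ipv6_text, vpn_dev):
    """IPv6 default-covering routes that bypass `vpn_dev` while IPv4 is fully
    tunneled; an empty list means this kind of leak is not present."""
    v4, v6 = parse_routes(ipv4_text), parse_routes(ipv6_text)
    if not covers_default(v4, vpn_dev, 4) or covers_default(v6, vpn_dev, 6):
        return []
    singles, halves = DEFAULT_DSTS[6]
    return [r for r in v6 if r.dev != vpn_dev and r.dst in singles | halves]
```

On a live host, feed the output of `ip route` and `ip -6 route` in place of the constructed strings; a non-empty result means IPv6 traffic is taking the path the draft describes, around the tunnel.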