Virtual Private Network (VPN) traffic leakages in dual-stack hosts/ networks
draft-ietf-opsec-vpn-leakages-03

Document Type Active Internet-Draft (opsec WG)
Last updated 2014-02-20 (latest revision 2014-01-23)
Replaces draft-gont-opsec-vpn-leakages
Stream IETF
Intended RFC status Informational
Stream WG state Submitted to IESG for Publication
Document shepherd Warren Kumari
Shepherd write-up last changed 2013-10-21
IESG IESG state IESG Evaluation::AD Followup
Consensus Boilerplate Yes
Responsible AD Joel Jaeggli
Send notices to opsec-chairs@tools.ietf.org, draft-ietf-opsec-vpn-leakages@tools.ietf.org
IANA IANA review state IANA OK - No Actions Needed
IANA action state None
Operational Security Capabilities for                            F. Gont
IP Network Infrastructure (opsec)                    Huawei Technologies
Internet-Draft                                          January 23, 2014
Intended status: Informational
Expires: July 27, 2014

  Virtual Private Network (VPN) traffic leakages in dual-stack hosts/
                                networks
                    draft-ietf-opsec-vpn-leakages-03

Abstract

   The subtle way in which the IPv6 and IPv4 protocols co-exist in
   typical networks, together with the lack of proper IPv6 support in
   popular Virtual Private Network (VPN) products, may inadvertently
   result in VPN traffic leaks.  That is, traffic meant to be
   transferred over a VPN connection may leak out of such a connection
   and be transferred in the clear from the local network to the final
   destination.  This document discusses some scenarios in which such
   VPN leakages may occur, either as a side effect of enabling IPv6 on a
   local network, or as a result of a deliberate attack from a local
   attacker.  Additionally, it discusses possible mitigations for the
   aforementioned issue.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 27, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal

Gont                      Expires July 27, 2014                 [Page 1]
Internet-Draft            VPN traffic leakages              January 2014

   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  IPv4 and IPv6 co-existence . . . . . . . . . . . . . . . . . .  5
   4.  Virtual Private Networks in IPv4/IPv6 dual-stack
       hosts/networks . . . . . . . . . . . . . . . . . . . . . . . .  6
   5.  Inadvertent VPN traffic-leakages in legitimate scenarios . . .  7
   6.  VPN traffic-leakage attacks  . . . . . . . . . . . . . . . . .  8
   7.  Mitigations to VPN traffic-leakage vulnerabilities . . . . . .  9
     7.1.  Fixing VPN client software . . . . . . . . . . . . . . . .  9
     7.2.  Operational Mitigations  . . . . . . . . . . . . . . . . . 10
   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 11
   9.  Security Considerations  . . . . . . . . . . . . . . . . . . . 12
   10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13
   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
     11.1. Normative References . . . . . . . . . . . . . . . . . . . 14
     11.2. Informative References . . . . . . . . . . . . . . . . . . 14
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 16


1.  Introduction

   It is a very common practice for employees working at remote
   locations to establish a VPN connection with their office or home
   office.  This is typically done to gain access to some resources only
   available within the company's network, but also to secure the host's
   traffic against attackers that might be connected to the same remote
   location.  The same is true for mobile nodes that establish VPN
   connections to secure their traffic while they roam from one network
   to another.  In some scenarios, it is even assumed that employing a
   VPN connection makes the use of insecure protocols (e.g. that
   transfer sensitive information in the clear) acceptable, as the VPN
   provides security services (such as data integrity and/or
   confidentiality) for all communications made over the VPN.
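   As an added example (not part of the draft), the following Python
   script checks a Linux host for the condition the Abstract describes:
   IPv4 routed into the VPN while an IPv6 default route learned from the
   local network exits through the physical interface.  The VPN
   interface name "tun0" and the sample route lines are constructed.

```python
"""Detect the IPv6 VPN leak the draft describes from Linux `ip route` output.
Added example, not part of the draft; "tun0" and the sample routes are
constructed.  Run with no arguments to check the live routing table."""
import ipaddress, re, subprocess
# Prefix sets that each cover the whole address space: the default route, or
# the two /1 routes many VPN clients install instead of replacing it.
COVERING = {4: [{"0.0.0.0/0"}, {"0.0.0.0/1", "128.0.0.0/1"}],
            6: [{"::/0"}, {"::/1", "8000::/1"}]}
# Constructed sample: IPv4 is steered into tun0, but the LAN also advertises
# IPv6 (Router Advertisements) and the VPN client never touched that table.
SAMPLE_V4 = """default via 192.0.2.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0"""
SAMPLE_V6 = """2001:db8:1::/64 dev eth0 proto ra metric 100
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::1 dev eth0 proto ra metric 100"""

def parse_routes(text, family):
    """Return (normalised prefix, device) pairs for one address family."""
    routes = []
    for line in text.splitlines():
        dev = re.search(r"\bdev (\S+)", line)
        for tok in line.split():               # first token that is a prefix
            if tok == "default":
                tok = "0.0.0.0/0" if family == 4 else "::/0"
            try:
                net = ipaddress.ip_network(tok, strict=False)
            except ValueError:
                continue                       # "unreachable", "multicast", ...
            if dev and net.version == family:
                routes.append((str(net), dev.group(1)))
            break
    return routes

def tunneled(routes, vpn_iface, family):
    """True if every destination of this family is routed via vpn_iface."""
    via_vpn = {p for p, d in routes if d == vpn_iface}
    return any(cover <= via_vpn for cover in COVERING[family])

def leak_status(v4_text, v6_text, vpn_iface):
    """Flag the draft's scenario: IPv4 inside the VPN, IPv6 routed outside."""
    v4, v6 = parse_routes(v4_text, 4), parse_routes(v6_text, 6)
    v4_in, v6_in = tunneled(v4, vpn_iface, 4), tunneled(v6, vpn_iface, 6)
    v6_exit = any(p in COVERING[6][0] | COVERING[6][1] and d != vpn_iface
                  for p, d in v6)            # IPv6 default via another NIC
    return {"ipv4_tunneled": v4_in, "ipv6_tunneled": v6_in,
            "ipv6_leak": v4_in and not v6_in and v6_exit}

if __name__ == "__main__":                   # live check on this host
    run = lambda f: subprocess.check_output(["ip", f, "route"], text=True)
    print(leak_status(run("-4"), run("-6"), "tun0"))
```

   On the sample data the script reports an IPv6 leak; once the client
   also claims IPv6 (e.g. ::/1 and 8000::/1 via tun0) or IPv6 has no
   route off the host, the flag clears.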

   Many VPN products that are typically employed for the aforementioned