Virtual Private Network (VPN) traffic leakages in dual-stack hosts/ networks
draft-ietf-opsec-vpn-leakages-04

Document type: Active Internet-Draft (opsec WG)
Last updated: 2014-03-03
Replaces: draft-gont-opsec-vpn-leakages
Stream: IETF
Intended RFC status: Informational
WG state: Submitted to IESG for Publication
Document shepherd: Warren Kumari (write-up last changed 2013-10-21)
IESG state: IESG Evaluation::AD Followup
Consensus boilerplate: Yes
Responsible AD: Joel Jaeggli
Send notices to: opsec-chairs@tools.ietf.org, draft-ietf-opsec-vpn-leakages@tools.ietf.org
IANA review state: Version Changed - Review Needed
IANA action state: None
opsec                                                            F. Gont
Internet-Draft                                       Huawei Technologies
Intended status: Informational                             March 3, 2014
Expires: September 4, 2014

  Virtual Private Network (VPN) traffic leakages in dual-stack hosts/
                                networks
                    draft-ietf-opsec-vpn-leakages-04

Abstract

   The subtle way in which the IPv6 and IPv4 protocols co-exist in
   typical networks, together with the lack of proper IPv6 support in
   popular Virtual Private Network (VPN) products, may inadvertently
   result in VPN traffic leaks.  That is, traffic meant to be
   transferred over an encrypted and integrity-protected VPN connection
   may leak out of that connection and be sent in the clear on the local
   network towards the final destination.  This document discusses some
   scenarios in which such VPN leakages may occur as a result of
   employing IPv6-unaware VPN software.  Additionally, this document
   offers possible mitigations for this issue.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 4, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of

Gont                    Expires September 4, 2014               [Page 1]
Internet-Draft            VPN traffic leakages                March 2014

   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  IPv4 and IPv6 co-existence  . . . . . . . . . . . . . . . . .   4
   4.  Virtual Private Networks in IPv4/IPv6 dual-stack
       hosts/networks  . . . . . . . . . . . . . . . . . . . . . . .   4
   5.  Inadvertent VPN traffic-leakages in legitimate scenarios  . .   5
   6.  VPN traffic-leakage attacks . . . . . . . . . . . . . . . . .   5
   7.  Mitigations to VPN traffic-leakage vulnerabilities  . . . . .   6
     7.1.  Fixing VPN client software  . . . . . . . . . . . . . . .   6
     7.2.  Operational Mitigations . . . . . . . . . . . . . . . . .   7
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   10. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   7
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     11.1.  Normative References . . . . . . . . . . . . . . . . . .   8
     11.2.  Informative References . . . . . . . . . . . . . . . . .   8
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction

   It is a very common practice for users to employ VPN software when
   connected to a public (and possibly rogue) local network.  This is
   typically done not only to gain access to remote resources that may
   not otherwise be accessible from the public Internet, but also to
   secure the host's traffic against attackers that might be connected
   to the same local network as the victim host.  The latter case
   constitutes the problem space of this document.  Indeed, it is
   sometimes assumed that employing a VPN connection makes the use of
   insecure protocols (e.g., those that transfer sensitive information
   in the clear) acceptable, as a VPN provides security services (such
   as data integrity and/or confidentiality) for all communications made
   over that VPN.  However, this document illustrates that under certain
   circumstances, some traffic might not be mapped onto the VPN and thus
   be sent in the clear on the local network.
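   To make that failure mode concrete, here is an added example (Python,
   not part of the draft) that applies longest-prefix matching to
   constructed "ip route" output for both address families and reports
   which family's Internet-bound traffic would leave the host through an
   interface other than the VPN tunnel; the interface names, addresses
   and probe destinations are assumptions.

```python
# Added example (not from the draft): check whether a dual-stack host's routes
# send IPv4 and IPv6 Internet traffic through the VPN tunnel or one family leaks.
import ipaddress
import re
# Constructed "ip -4 route" / "ip -6 route" output for a host whose IPv4-only
# VPN client installed the usual 0.0.0.0/1 + 128.0.0.0/1 routes via tun0 while
# the IPv6 default route (learned from a router advertisement) still uses wlan0.
SAMPLE_V4_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.0.2.1 dev wlan0 proto dhcp metric 600
128.0.0.0/1 via 10.8.0.1 dev tun0
192.0.2.0/24 dev wlan0 proto kernel scope link src 192.0.2.10
"""
SAMPLE_V6_ROUTES = """\
2001:db8:1::/64 dev wlan0 proto ra metric 600
default via fe80::1 dev wlan0 proto ra metric 600
"""
# "<prefix> [via <gw>] dev <iface> ..."; unreachable/blackhole lines do not match.
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+\S+)?\s+dev\s+(?P<dev>\S+)")

def parse_routes(text, family):
    """Return [(network, iface), ...] parsed from 'ip route' output."""
    routes = []
    for m in filter(None, map(ROUTE_RE.match, text.strip().splitlines())):
        dst = m.group("dst")
        if dst == "default":  # ip(8) prints "default" for the /0 route
            dst = "0.0.0.0/0" if family == 4 else "::/0"
        routes.append((ipaddress.ip_network(dst, strict=False), m.group("dev")))
    return routes

def egress_interface(routes, destination):
    """Longest-prefix match (metrics ignored): interface used for destination."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, dev in routes:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, dev)
    return best[1] if best else None

def leaking_families(v4_text, v6_text, vpn_dev,
                     v4_probe="198.51.100.1", v6_probe="2001:db8:2::1"):
    """IP versions whose traffic to a remote probe address would bypass vpn_dev."""
    leaks = set()
    for family, text, probe in ((4, v4_text, v4_probe), (6, v6_text, v6_probe)):
        dev = egress_interface(parse_routes(text, family), probe)
        if dev is not None and dev != vpn_dev:  # no route at all cannot leak
            leaks.add(family)
    return leaks
```

   With the constructed tables, leaking_families(SAMPLE_V4_ROUTES,
   SAMPLE_V6_ROUTES, "tun0") returns {6}: IPv6 traffic would bypass tun0
   and be sent on the local link in the clear.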

   Many VPN products that are typically employed for the aforementioned
   VPN connections only support the IPv4 protocol: that is, they perform