Layer-3 Virtual Private Network (VPN) tunnel traffic leakages in dual-stack hosts/networks
draft-ietf-opsec-vpn-leakages-05

Document Type Active Internet-Draft (opsec WG)
Last updated 2014-04-24
Replaces draft-gont-opsec-vpn-leakages
Stream IETF
Intended RFC status Informational
Stream WG state Submitted to IESG for Publication
Document shepherd Warren Kumari
Shepherd write-up Show (last changed 2013-10-21)
IESG IESG state IESG Evaluation::AD Followup
Consensus Boilerplate Yes
Responsible AD Joel Jaeggli
Send notices to opsec-chairs@tools.ietf.org, draft-ietf-opsec-vpn-leakages@tools.ietf.org
IANA IANA review state Version Changed - Review Needed
IANA action state None
opsec                                                            F. Gont
Internet-Draft                                       Huawei Technologies
Intended status: Informational                            April 24, 2014
Expires: October 26, 2014

 Layer-3 Virtual Private Network (VPN) tunnel traffic leakages in dual-
                          stack hosts/networks
                    draft-ietf-opsec-vpn-leakages-05

Abstract

   The subtle way in which the IPv6 and IPv4 protocols co-exist in
   typical networks, together with the lack of proper IPv6 support in
   popular Virtual Private Network (VPN) tunnel products, may
   inadvertently result in VPN tunnel traffic leaks.  That is, traffic
   meant to be transferred over an encrypted and integrity protected VPN
   tunnel may leak out of such tunnel and be sent in the clear on the
   local network towards the final destination.  This document discusses
   some scenarios in which such VPN tunnel traffic leakages may occur as
   a result of employing IPv6-unaware VPN software.  Additionally, this
   document offers possible mitigations for this issue.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 26, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of

Gont                    Expires October 26, 2014                [Page 1]
Internet-Draft            VPN traffic leakages                April 2014

   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  IPv4 and IPv6 co-existence  . . . . . . . . . . . . . . . . .   4
   4.  Virtual Private Networks in IPv4/IPv6 dual-stack
       hosts/networks  . . . . . . . . . . . . . . . . . . . . . . .   5
   5.  Inadvertent VPN tunnel traffic leakages in legitimate
       scenarios . . . . . . . . . . . . . . . . . . . . . . . . . .   5
   6.  VPN tunnel traffic leakage attacks  . . . . . . . . . . . . .   6
   7.  Mitigations to VPN tunnel traffic leakage vulnerabilities . .   6
     7.1.  Fixing VPN client software  . . . . . . . . . . . . . . .   7
     7.2.  Operational Mitigations . . . . . . . . . . . . . . . . .   8
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
   10. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   9
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     11.1.  Normative References . . . . . . . . . . . . . . . . . .   9
     11.2.  Informative References . . . . . . . . . . . . . . . . .   9
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  10

1.  Introduction

   It is a very common practice for users to employ VPN software when
   connected to a public (and possibly rogue) local network.  This is
   typically done not only to gain access to remote resources that may
   not otherwise be accessible from the public Internet, but also to
   secure the host's traffic against attackers that might be connected
   to the same local network as the victim host.  The latter case
   constitutes the problem space of this document.  Indeed, it is
   sometimes assumed that employing a VPN tunnel makes the use of
   insecure protocols (e.g., that transfer sensitive information in the
   clear) acceptable, as a VPN tunnel provides security services (such
   as data integrity and/or confidentiality) for all communications made
   over it.  However, this document illustrates that under certain
   circumstances, some traffic might not be mapped onto the VPN tunnel
   and thus be sent in the clear on the local network.
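   The following Python script is an added example (it is not part of the
   draft) of how a host-side check for the leak just described can be
   built: it replays the kernel's longest-prefix route lookup over
   constructed IPv4 and IPv6 routing tables and reports, per address
   family, whether traffic to a dual-stack destination would leave on the
   tunnel or on the physical interface.  The interface names, route
   entries and addresses are all assumed sample values.

```python
"""Added example (not from the draft): simulate longest-prefix routing on a
dual-stack host and flag destinations that would leave on a non-VPN
interface in the clear. Route lines are constructed samples styled after
`ip route` / `ip -6 route` output; interface names and addresses are assumed.
"""
import ipaddress
VPN_IFACES = {"tun0"}  # assumed name of the VPN client's tunnel interface

# Constructed: an IPv6-unaware client took over the IPv4 default route only.
IPV4_ROUTES = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0
192.168.1.0/24 dev eth0
"""
IPV6_ROUTES_LEAKY = """\
default via fe80::1 dev eth0
2001:db8:1::/64 dev eth0
"""
# Constructed: an IPv6-aware client also claims the IPv6 default route.
IPV6_ROUTES_FIXED = """\
default dev tun0
2001:db8:1::/64 dev eth0
"""
def parse_routes(text, family):
    """Turn `ip route`-style lines into (network, device) pairs."""
    default = "0.0.0.0/0" if family == 4 else "::/0"
    routes = []
    for fields in (line.split() for line in text.splitlines()):
        if "dev" not in fields:
            continue
        prefix = default if fields[0] == "default" else fields[0]
        routes.append((ipaddress.ip_network(prefix), fields[fields.index("dev") + 1]))
    return routes

def egress_interface(dst, routes):
    """Kernel-style longest-prefix match: the device dst leaves on, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(n, d) for n, d in routes if n.version == addr.version and addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def leaks(dst, routes, vpn_ifaces=VPN_IFACES):
    """True when traffic to dst bypasses every VPN interface (sent in the clear)."""
    dev = egress_interface(dst, routes)
    return dev is not None and dev not in vpn_ifaces

def audit(addrs, ipv6_table=IPV6_ROUTES_LEAKY):
    """For each address of a dual-stack destination, report whether it leaks."""
    routes = parse_routes(IPV4_ROUTES, 4) + parse_routes(ipv6_table, 6)
    return {a: leaks(a, routes) for a in addrs}
```

   With the leaky table, `audit(["203.0.113.10", "2001:db8:2::10"])` reports
   the IPv4 address as tunnelled and the IPv6 address as leaking; with
   `IPV6_ROUTES_FIXED` both stay on the tunnel.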

   Many VPN products that are typically employed for the aforementioned