Last Call Review of draft-ietf-opsec-vpn-leakages-02
review-ietf-opsec-vpn-leakages-02-genart-lc-housley-2013-12-13-00

Request Review of draft-ietf-opsec-vpn-leakages
Requested rev. no specific revision (document currently at 06)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2013-12-16
Requested 2013-12-05
Draft last updated 2013-12-13
Completed reviews Genart Last Call review of -02 by Russ Housley (diff)
Genart Telechat review of -03 by Russ Housley (diff)
Genart Telechat review of -04 by Russ Housley (diff)
Secdir Last Call review of -02 by Kathleen Moriarty (diff)
Opsdir Last Call review of -02 by Dan Romascanu (diff)
Assignment Reviewer Russ Housley
State Completed
Review review-ietf-opsec-vpn-leakages-02-genart-lc-housley-2013-12-13
Reviewed rev. 02 (document currently at 06)
Review result Almost Ready
Review completed: 2013-12-13

Review
review-ietf-opsec-vpn-leakages-02-genart-lc-housley-2013-12-13

I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at
<

http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please resolve these comments along with any other Last Call comments
you may receive.

Document: draft-ietf-opsec-vpn-leakages-02
Reviewer: Russ Housley
Review Date: 2013-12-12
IETF LC End Date: 2013-12-16
IESG Telechat date: Unknown

Summary:  The document is almost ready for publication as a
informational RFC.  I raise minor concerns that should be resolved
before IESG evaluation.

Major Concern:

This document is about encrypted tunnels, and I am asking for this to
be stated very early in the document.  Sadly, the IETF uses VPN to mean
two very different things, please tell the reader which one is being
discussed in the abstract and the introduction of the document.  IPsec
and L3VPN demonstrate the two very different meanings for VPN, and
"VPN leakage" has meaning in both of them.  

Personal Observation:

I do not find this document very helpful.  It can be summarized as:

   If IPv6 is not supported in your VPN software, then disable IPv6
   support in all network interfaces before you try to use it.

I do not know why the OPSEC WG thinks that this message is worthy of
an RFC.