Last Call Review of draft-ietf-opsec-vpn-leakages-02
review-ietf-opsec-vpn-leakages-02-secdir-lc-moriarty-2013-12-12-00

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The document is almost ready for publication, but could benefit from proving
better descriptions in the introduction of the work.  The Security
Considerations probably has the most crisp statement of the draft purpose.

The reference to VPN, never distinguishes if the document is referring to an
IPSec or TLS VPN.  I suspect IPSec from the document, but making this clear
would be helpful to the reader.  TLS has become popular when providing
restricted access and may be just an encrypted session to a particular service
as opposed to a full VPN with routed traffic using IPSec.  Unfortunately,
language has blurred here, mostly because of marketing, so clarity would be
helpful to avoid possible confusion for the reader.

I would recommend introducing the comparison of slit-tunneling earlier in the
document as this is a similar issue (IPv6 getting routed separately from the
VPN traffic), although split-tunneling is an intentional configuration option.

Is the draft intended for developers/implementers or operational teams/VPN
users -- or both?  The proposed fixes could be done by the VPN software or
operators could disable interfaces, the former would obviously be preferred and
the abstract mentions products, so you may want to repeat that preference later
in the document.

Thank you,
Kathleen