Commit 3c684019 authored by Valerie Aurora

Rewrite traffic forwarding requirements to new format

parent e7b99262
+52 −29
@@ -246,57 +246,80 @@ The VPN client shall block (or notify users of) potential DNS bypass via encrypt
| UC-2, UC-4       | MI-DNSL-1, MI-DNSL-3, MI-DNSL-4                       |
| UC-3             | MI-DNSL-1, MI-DNSL-2, MI-DNSL-3, MI-DNSL-4, MI-DNSL-5 |


### 5.2.X **TR-EISO**: Endpoint isolation

The VPN provider shall by default not establish routes between different client endpoints.

#### 5.2.X.x **MI-EISO**: No route between different endpoints

The VPN connection shall by default not establish routes between different client endpoints.
The VPN provider shall by default not establish routes between different client endpoints.

* Test: Connect two endpoints and attempt to connect to a port on the other endpoint
* Result: Connection fails
* Output: Log message
  * Reference: TR-EISO
  * Objective: Prevent unauthorized network access to endpoints
  * Preparation: None
  * Activities: Connect two endpoints and attempt to connect to a port on the other endpoint
  * Verdict: Connection not possible or connection fails => PASS, otherwise FAIL
  * Evidence: Log messages, packet capture

### 5.2.X **TR-TRAF**: No traffic through the node you haven't explicitly approved
### 5.2.X **TR-TRAF**: No traffic through the node unless explicitly approved

The VPN provider shall not route traffic through the endpoint from sources/destinations other than the endpoint without the user's explicit informed consent, and it shall not be necessary for the use of any unrelated function.
The VPN client shall not route traffic through the endpoint from sources/destinations other than the endpoint without the user's explicit informed consent, and such routing shall not be necessary for the use of any unrelated function.

#### 5.2.X.x **MI-TRAF-1**:

The VPN provider shall not implement the capability for routing traffic through endpoints.

* Test: Connect an endpoint and capture the traffic on all interfaces
* Result: No forwarded traffic
* Output: Packet capture with labeling of packets as to origin, etc.
The VPN client shall not implement the capability for routing traffic from sources/destinations other than the endpoint through an endpoint.

* Test: Look at configuration options???
* Result: No option to allow forwarded traffic
* Output: Configuration stuff???
  * Reference: TR-TRAF
  * Objective: Prevent unauthorized network access to endpoints
  * Preparation: None
  * Activities: Connect an endpoint and capture the traffic on all interfaces
  * Verdict: No traffic originating from the VPN provider for sources/destinations other than the endpoint => PASS, otherwise FAIL
  * Evidence: Packet capture with annotations of origin of packet

#### 5.2.X.x **MI-TRAF-2**:

The VPN provider shall disable by default the capability to forward traffic through an endpoint.
The VPN client shall disable by default the capability for routing traffic from sources/destinations other than the endpoint through an endpoint.

* Applicability: If there is a feature allowing traffic forwarding
* Test: Connect an endpoint and capture the traffic on all interfaces, then enable it, then capture again
* Result: No forwarded traffic, then forwarded traffic
* Output: Packet capture with labeling of packets as to origin, etc.
  * Reference: TR-TRAF
  * Objective: Prevent unauthorized network access to endpoints
  * Preparation: None
  * Activities: Connect an endpoint and capture the traffic on all interfaces
  * Verdict: No traffic originating from the VPN provider for sources/destinations other than the endpoint => PASS, otherwise FAIL
  * Evidence: Packet capture with annotations of origin of packet

#### 5.2.X.x **MI-TRAF-3**:

The VPN provider shall alert the user if traffic can be forwarded through the endpoint.
The VPN client shall alert the user if traffic if the endpoint is allowing traffic from sources/destinations other than the endpoint to be routed through the endpoint.

* Applicability: If there is a feature allowing traffic forwarding
* Test: Connect an endpoint, enable the forwarding through it
* Result: Some indication to the user such as a UI change or sound or log message or notification
* Output: Record of UI change
  * Reference: TR-TRAF
  * Objective: Prevent unauthorized network access to endpoints
  * Preparation: None
  * Activities: Connect an endpoint, enable the routing of external traffic through it, and observe the UI and system
  * Verdict: User receives some alert or notification that clearly indicates forwarding is enabled => PASS, FAIL
  * Evidence: Record of UI change

#### 5.2.X.x **MI-TRAF-4**:

The VPN client shall not require routing of traffic from sources/destinations other than the endpoint to use services that do not require such routing.

  * Reference: TR-TRAF
  * Objective: Prevent unauthorized network access to endpoints
  * Preparation: None
  * Activities: Create a list of services that can only be used if routing of external traffic is enabled, and document why each service requires routing of external traffic to function
  * Verdict: All such services are documented, explanation is convincing => PASS, otherwise FAIL
  * Evidence: Documentation of services

#### 5.2.X.x Mapping of mitigations to risk factors and security profiles

| Risk factors | Requires mitigations                |
|--------------|------------------------------|
| any          | TRAF-2, TRAF-3 if applicable |
| DAT >= 2     | TRAF-1                       |
|--------------|-------------------------------------|
| any          | TRAF-1 or (TRAF-2 & TRAF-3 & TRAF-4 |
| DAT > 1      | TRAF-1                              |

| Security Profile | Requires mitigations                |
|------------------|-------------------------------------|
| UC-1, UC-2, UC-4 | TRAF-1 or (TRAF-2 & TRAF-3 & TRAF-4 |
| UC-3             | TRAF-1                              |

### 5.2.X **TR-DMIN**: Data minimization
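
Review bot: In MI-TRAF-2, the new Activities and Verdict lines are word-for-word the same as MI-TRAF-1's, so the test cannot distinguish a forwarding feature that is disabled by default from one that is not implemented. The Test line being replaced had "then enable it, then capture again"; carry that second capture into the new Activities and give the Verdict both halves (no forwarded traffic before enabling, forwarded traffic after). The Applicability line is also dropped from MI-TRAF-2 and MI-TRAF-3 without a replacement field, so the new format no longer says these only apply when a forwarding feature exists. Smaller points in the same hunk: the MI-TRAF-3 requirement reads "alert the user if traffic if the endpoint is allowing" (stray "if traffic"), and its Verdict ends with PASS, FAIL where the others have "otherwise FAIL"; "TRAF-1 or (TRAF-2 & TRAF-3 & TRAF-4" is missing its closing parenthesis in both mapping tables; the MI-TRAF-1 and MI-TRAF-2 Verdicts still refer to traffic originating from the VPN provider while the requirement text now names the VPN client; and the Objective for every TRAF item repeats the MI-EISO wording rather than stating the forwarding concern.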