Commit e8759d1f authored by Vinicius Fortuna

Add IPv6 requirements

parent a3113004
+26 −0
@@ -402,6 +402,32 @@ FIXME is this useful? Is there a use case where the VPN client sends PII to the
| UC-1, UC-2, UC-4     | NPII-1, NPII-2         |
| UC-3                 | NPII-1, NPII-2, NPII-3 |

### 5.2.X **[TR-IPV6]** Secure IPv6 Handling

The VPN product shall handle IPv6 traffic in a secure manner that prevents data leaks.

#### 5.2.X.x **[MI-IPV6-1]** Block IPv6 if Unsupported

If the VPN provider does not support IPv6, the VPN client shall block all IPv6 traffic to prevent it from leaking outside the VPN tunnel.

  * Reference: TR-IPV6
  * Objective: Prevent IPv6 traffic leaks
  * Preparation: None
  * Activities: On a network with IPv6 connectivity, connect to the VPN and attempt to access an IPv6-only service.
  * Verdict: The connection to the IPv6-only service fails.
  * Evidence: Packet capture showing that no IPv6 traffic is leaving the device.

#### 5.2.X.x **[MI-IPV6-2]** Full Support if Claimed

If the VPN provider claims to support IPv6, it shall provide full, native IPv6 connectivity, and all security requirements in this standard shall apply to IPv6 traffic.

  * Reference: TR-IPV6
  * Objective: Ensure full IPv6 support if claimed
  * Preparation: None
  * Activities: On a network with IPv6 connectivity, connect to the VPN and verify that the client has a globally routable IPv6 address assigned by the VPN provider. All tests in this standard should be repeated over the IPv6 connection.
  * Verdict: The client has a globally routable IPv6 address and all tests in this standard pass over IPv6.
  * Evidence: Network configuration details, packet captures, and test results for all requirements over IPv6.

> Copy-n-paste mitigation format

### 5.2.X **TR-XXXX**:
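
Review bot: In MI-IPV6-1 the Verdict ("The connection to the IPv6-only service fails") is also satisfied when IPv6 on the test network is simply not working, and Preparation is "None" even though the Activities depend on working IPv6. Suggest a Preparation step that confirms the IPv6-only service is reachable with the VPN disconnected, so the failure can be attributed to the client. The Evidence line "no IPv6 traffic is leaving the device" is hard to meet literally, because neighbor discovery and other link-local ICMPv6 will still show up in a capture on the physical interface; wording such as "no IPv6 packets to non-link-local destinations on the physical interface" would be testable. In MI-IPV6-2 the Activities say the tests "should be repeated" while the requirement text and the Verdict treat them as mandatory, so "shall" would be consistent, and no step checks that IPv6 traffic actually goes through the tunnel rather than the local network; an assigned address alone does not show that. The two mitigations also key on different conditions ("does not support" versus "claims to support"), which leaves a provider with partial or unadvertised IPv6 support covered by neither; stating both against the same condition would close that gap. The "5.2.X.x" placeholders are identical for both subsections and will need distinct numbers before merge.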