On 2018/07/03 07:35, Theo de Raadt wrote:
> Stefan Sperling <[email protected]> wrote:
> 
> > On Tue, Jul 03, 2018 at 12:54:36PM +0100, Stuart Henderson wrote:
> > > On 2018/07/03 13:42, Stefan Sperling wrote:
> > > > On Tue, Jul 03, 2018 at 01:34:09PM +0200, David Dahlberg wrote:
> > > > > On Tuesday, 03.07.2018, 13:29 +0200, Stefan Sperling wrote:
> > > > > > Not a bug. This behaviour is intentional and avoids VPN traffic
> > > > > > leakage.
> > > > > > See RFC 7359 and the iked(8) man page. Use the -6 option (risks
> > > > > > leakage),
> > > > > 
> > > > > Then sorry for the noise. I extensively searched for documentation of
> > > > > this behaviour - apparently using the wrong keywords.
> > > > > 
> > > > > Cheers,
> > > > > David
> > > > > 
> > > > 
> > > > I think the documentation could be improved.
> > > > 
> > > > Would you be able to send a patch for the iked man page which
> > > > explicitly mentions VPN traffic leakage and RFC 7359 (in the
> > > > STANDARDS section, perhaps)?
> > > > 
> > > 
> > > It would easily be missed if only looking at iked.conf(5), but iked(8)
> > > seems reasonably clear?
> > > 
> > >     The options are as follows:
> > > 
> > >     -6      Disable automatic blocking of IPv6 traffic. By default, iked
> > >             blocks any IPv6 traffic unless a flow for this address family
> > >             has been negotiated. This option is used to prevent VPN traffic
> > >             leakages on dual stack hosts.
> > > 
> > 
> > No, this is not good enough. That last sentence is rather misleading (-6
> > *allows* for leakage since it disables blocking). "RFC 7359" should be
> > mentioned since it provides a wealth of context the man page cannot provide
> > (to be fair, this RFC number wasn't yet available when this feature was
> > first committed). It might also make sense to add a brief sentence in
> > DESCRIPTION which already lists other related RFCs.
> > 
> > If iked.conf doesn't mention this behaviour, it probably should.
> > 
> > I'm only making a fuss because this is not the first time I have seen
> > someone stumble over this as an "issue", and because it's a small task we
> > can delegate and offer up as an opportunity for contributing a patch :)
> 
> This default behaviour is terrible.
> 
> Please re-read the report. Apparently just starting iked without -6
> breaks *entirely unrelated* v6 traffic.
> 
> If that is the case, what is going on here is unacceptable.
> 

That is exactly what was intended with the 2012/11/29 commit. This is the
scenario it tries to avoid:

- user has a vpn for 0.0.0.0/0 on a host with the intention of diverting all
  traffic from that machine over VPN
- at some point later, host gains an IPv6 address and default route
- now there is traffic to v6-capable hosts which is sent directly and in the
  clear rather than via vpn

Whether it's acceptable or not I can't say, but it's working exactly as
expected/advertised.

If this is changed, we should probably add "flow esp out from ::/0 to ::/0
type deny" to examples/iked.conf with some description.
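The leak scenario above comes down to one question a dual-stack VPN host can check for itself: is outbound ::/0 covered by a flow (tunnelled or denied) or not? The script below is an added example, not something from this thread or from OpenBSD; it parses constructed flow listings in the wording used by ipsecctl(8) (`ipsecctl -sf`), whose exact output format is an assumption here, and only looks for a catch-all ::/0 flow, not for narrower IPv6 prefixes.

```shell
#!/bin/sh
# Added example: decide whether IPv6 traffic can bypass a 0.0.0.0/0 VPN.
# Input is a flow listing in the style of `ipsecctl -sf`; the format is an
# assumption, and both samples below are constructed, not captured output.

# Constructed sample 1: 0.0.0.0/0 tunnel plus the automatic IPv6 deny flow
# that iked installs when started without -6.
SAMPLE_COVERED='flow esp out from 0.0.0.0/0 to 0.0.0.0/0 peer 192.0.2.1 srcid FQDN/client.example.com dstid FQDN/gw.example.com type use
flow esp in from 0.0.0.0/0 to 0.0.0.0/0 peer 192.0.2.1 srcid FQDN/client.example.com dstid FQDN/gw.example.com type use
flow esp out from ::/0 to ::/0 type deny'

# Constructed sample 2: the thread's scenario, v4 tunnel only, no IPv6 flow,
# so a later IPv6 default route sends v6 traffic directly and in the clear.
SAMPLE_LEAK='flow esp out from 0.0.0.0/0 to 0.0.0.0/0 peer 192.0.2.1 srcid FQDN/client.example.com dstid FQDN/gw.example.com type use
flow esp in from 0.0.0.0/0 to 0.0.0.0/0 peer 192.0.2.1 srcid FQDN/client.example.com dstid FQDN/gw.example.com type use'

# v6_covered LISTING
# Returns 0 when an outbound ::/0 -> ::/0 flow exists whose type is deny
# (blocked), use or require (tunnelled); returns 1 when no such flow exists,
# i.e. IPv6 would bypass the VPN.
v6_covered() {
    printf '%s\n' "$1" | awk '
        $1 == "flow" && $3 == "out" && $5 == "::/0" && $7 == "::/0" {
            for (i = 8; i < NF; i++)
                if ($i == "type" &&
                    ($(i+1) == "deny" || $(i+1) == "use" || $(i+1) == "require"))
                    ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# Stand-alone run: report both constructed samples.
v6_covered "$SAMPLE_COVERED" && echo "sample 1: outbound ::/0 is covered"
v6_covered "$SAMPLE_LEAK"    || echo "sample 2: IPv6 would bypass the VPN"
```

On a live OpenBSD host the same function can be fed the real listing with `v6_covered "$(ipsecctl -sf)"`.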
