On Sat, Nov 28, 2015 at 03:19:20PM +0100, Gregor Best wrote:
> Hi bugs@,
> 
> it turns out it was just a coincidence that I've only noticed the
> broken IPv6 setup after the upgrade. The real cause of the problem
> was a half-set up iked which installed
> 
>       flow esp out from ::/0 to ::/0 type deny
> 
> as a default IPSEC flow. This persisted after a reboot because I had
> already enabled iked to be started by default. Martin requesting
> configuration files then caused me to cut down the set up so I could
> provide a minimal configuration that yields the problem and of
> course after disabling iked and rebooting, everything worked fine.
> 
> The bottom line is: nothing to see here but a stupid operator.
> Thanks and sorry for wasting your time :)
> 

You're not the only one who fell into this trap.

But it is documented, right in the beginning of the iked(8) manpage:
---snip---
     The options are as follows:

     -6      Disable automatic blocking of IPv6 traffic.  By default, iked
             blocks any IPv6 traffic unless a flow for this address family has
             been negotiated.  This option is used to prevent VPN traffic
             leakages on dual stack hosts.
---snap---

So what should I do, disable this because people don't read the main
and well-written manpage?

It was added in 2012 to prevent "VPN leakages", following a report from Gont:
----------------------------
date: 2012/11/29 15:08:08;  author: reyk;  state: Exp;  lines: +9 -2;
Prevent VPN traffic leakages in dual-stack hosts/networks.
See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.

We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to
::/0 type deny" unless the protocol is used in any of the flows.  Note
that this will block any IPv6 traffic, superseding routes and pf, on
the host by default when iked is running with IPv4 flows only.  This
auto-blocking feature can be disabled by specifying the "-6" command
line flag to iked.
----------------------------

The draft turned into rfc7259.  We certainly have to check if the RFC
adds any significant changes to the suggested countermeasures.
https://tools.ietf.org/rfcdiff?url1=draft-ietf-opsec-vpn-leakages-00&url2=rfc7359

Reyk
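The behaviour discussed above (iked installing a catch-all `flow esp out from ::/0 to ::/0 type deny` when only IPv4 flows are in use, disabled with `-6`) is easy to confirm from the host's flow table. The script below is an added example, not from the thread, from OpenBSD or from iked itself: it inspects a flow listing in the shape of `ipsecctl -sf` output and reports whether IPv6 is being blocked by the auto-deny. The function names and the sample listings are constructed for this example; the sample lines are simplified and only the `from`/`to`/`type` words are relied on.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenBSD): classify a flow
# listing to see whether iked's automatic IPv6 block is in effect, i.e. the
# catch-all
#   flow esp out from ::/0 to ::/0 type deny
# is installed while no other IPv6 flow exists.

# Constructed sample: iked running with IPv4 flows only, the situation in
# the thread. The deny flow is the one iked adds by default.
SAMPLE_V4_ONLY='flow esp in from 10.0.0.0/24 to 192.168.1.0/24 peer 203.0.113.1 type require
flow esp out from 192.168.1.0/24 to 10.0.0.0/24 peer 203.0.113.1 type require
flow esp out from ::/0 to ::/0 type deny'

# Constructed sample: an IPv6 flow was negotiated, so no catch-all deny.
SAMPLE_DUAL='flow esp out from 192.168.1.0/24 to 10.0.0.0/24 peer 203.0.113.1 type require
flow esp out from 2001:db8:1::/64 to 2001:db8:2::/64 peer 2001:db8::1 type require'

# Exit 0 when the listing contains the catch-all IPv6 deny flow.
has_v6_catchall_deny() {
    printf '%s\n' "$1" | grep -q '^flow esp out from ::/0 to ::/0 .*type deny'
}

# Exit 0 when some flow other than the catch-all deny carries an IPv6
# source address (a colon inside the address token after "from").
has_negotiated_v6_flow() {
    printf '%s\n' "$1" \
        | grep -v 'from ::/0 to ::/0' \
        | grep -q '^flow .* from [^ ]*:[^ ]* to '
}

# Prints one verdict word:
#   BLOCKED        catch-all deny present, no IPv6 flow negotiated: all IPv6
#                  traffic on the host is dropped (what "-6" switches off)
#   MIXED          catch-all deny present alongside IPv6 flows: not iked's
#                  default behaviour, so look for a manual deny in the config
#   V6-NEGOTIATED  IPv6 flows present and no catch-all deny
#   NO-V6-POLICY   neither: IPv6 is untouched by the flow table
diagnose_v6() {
    if has_v6_catchall_deny "$1"; then
        if has_negotiated_v6_flow "$1"; then
            echo MIXED
        else
            echo BLOCKED
        fi
    elif has_negotiated_v6_flow "$1"; then
        echo V6-NEGOTIATED
    else
        echo NO-V6-POLICY
    fi
}

# Demonstration on the constructed samples. On a live OpenBSD host, feed the
# real flow table instead:   diagnose_v6 "$(ipsecctl -sf)"
for name in SAMPLE_V4_ONLY SAMPLE_DUAL; do
    eval "listing=\$$name"
    printf '%s: %s\n' "$name" "$(diagnose_v6 "$listing")"
done
```

A BLOCKED verdict on a host that is expected to keep native IPv6 connectivity is exactly the trap described in the thread; the documented remedy is to start iked with `-6` (on OpenBSD, via `iked_flags` in rc.conf.local), accepting the VPN-leakage risk the default is there to prevent.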
