On Tuesday, 03.07.2018, 19:01 +0200, Reyk Floeter wrote:
> A dual-homed host should not have IPsec on v4 and "open" v6 at the
> same time; the leakage is a real risk.  I did add it intentionally;
> we've discussed it in depth when the problem was reported by Gont.

I guess with "dual-homed" you meant "dual-stacked"?

Yes, I see the problem. It mostly applies to "IPsec clients"
which are usually not multi-homed.

> Putting this as a note into
> /etc/examples/iked.conf and not turning it on by default is almost
> useless.

This would also be the wrong place. Flow definitions go to ipsec.conf,
a file that's otherwise primarily used for isakmpd.

A better place for the "documentation only" solution would be
iked.conf(5), analogous to the PACKET FILTERING section. PACKET
FILTERING already includes an alternative solution which uses pf
instead of flows:

  block on ix0
  pass  in on ix0 proto udp from 192.168.3.2 to 192.168.3.1 \
        port {500, 4500}
  pass out on ix0 proto udp from 192.168.3.1 to 192.168.3.2 \
        port {500, 4500}
  pass  in on ix0 proto esp from 192.168.3.2 to 192.168.3.1
  pass out on ix0 proto esp from 192.168.3.1 to 192.168.3.2

> My suggestion:
> 1. Fix the manpage as suggested (but add the RFC in the STANDARDS
> section)

Yes, but having read the RFC, it should not be implied that RFC 7359
would demand this behaviour. Probably more along the lines of this:

  iked tries to prevent leakage of IPv6 traffic in situations where only
  an IPv4 tunnel has been configured on dual-stacked systems (compare
  RFC 7359). This is achieved by installing an IPsec "deny" policy
  which blocks all IPv6 traffic. Blocking of IPv6 is the default
  behavior, if iked is not started with -n and no IPv6 policies are
  configured in iked.conf(5).

  The options are as follows:

  -6 Disable automatic blocking of IPv6 traffic

> 2. Add a log_debug() (only visible when running iked in
> foreground/verbose)

ACK.

> 3. Fix iked to really only load the deny flow if no IPv6 is
> configured!
> 
> The 3rd one used to be the case: iked only installed the
> "deny-all-IPv6" flow when there was no IPv6 configured in iked.conf.

This behaviour would be "unless a policy for this address family has
been configured". It is slightly but significantly different than the
current documented behaviour "unless a flow for this address family has
been negotiated" and also makes more sense.

BTW, a behaviour a bit more in line with the RFC would be to block IPv6
only if there is an IPv4 default policy and no IPv6 policy.

Cheers,
David
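To make the difference between the two rules in the message above concrete, here is an added Python model (my own illustration, not iked's code) that classifies constructed iked.conf(5)-style policy lines by address family and applies both rules. It assumes that a "default policy" means a flow whose endpoints are both 0.0.0.0/0 or ::/0; the config lines themselves are constructed for the example.

```python
import ipaddress
import re

# Constructed iked.conf(5)-style policies for this example (not from the
# thread); only the "from <src> to <dst>" part of each line is inspected.
CONF_V4_SUBNET = 'ikev2 "office" active esp from 192.168.3.0/24 to 10.0.0.0/8 peer 192.168.3.1\n'
CONF_V4_DEFAULT = 'ikev2 "tunnel4" active esp from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.3.1\n'
CONF_DUAL_STACK = (
    'ikev2 "tunnel4" active esp from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.3.1\n'
    'ikev2 "tunnel6" active esp from 2001:db8:1::/48 to 2001:db8:2::/48 peer 2001:db8::1\n'
)

_FLOW_RE = re.compile(r"\bfrom\s+(\S+)\s+to\s+(\S+)")

def parse_policies(conf):
    """Return one (family, is_default) tuple per ikev2 policy line; family is
    4 or 6, is_default means both endpoints are /0 (this example's assumed
    meaning of "default policy", not iked's own terminology)."""
    policies = []
    for line in conf.splitlines():
        line = line.strip()
        if not line.startswith("ikev2"):
            continue
        m = _FLOW_RE.search(line)
        if m is None:
            raise ValueError(f"policy without from/to: {line}")
        src = ipaddress.ip_network(m.group(1), strict=False)
        dst = ipaddress.ip_network(m.group(2), strict=False)
        if src.version != dst.version:
            raise ValueError(f"mixed address families in policy: {line}")
        policies.append((src.version, src.prefixlen == 0 and dst.prefixlen == 0))
    return policies

def blocks_ipv6_proposed(policies):
    """Rule discussed in the message: install the deny-all-IPv6 flow unless
    an IPv6 policy is configured, whatever the IPv4 policies look like."""
    return not any(family == 6 for family, _ in policies)

def blocks_ipv6_rfc_style(policies):
    """Stricter variant from the last paragraph: block IPv6 only if there is
    an IPv4 default policy and no IPv6 policy at all."""
    has_v4_default = any(family == 4 and dflt for family, dflt in policies)
    has_v6 = any(family == 6 for family, _ in policies)
    return has_v4_default and not has_v6

if __name__ == "__main__":
    for name, conf in (("v4 subnet", CONF_V4_SUBNET), ("v4 default", CONF_V4_DEFAULT), ("dual stack", CONF_DUAL_STACK)):
        print(name, blocks_ipv6_proposed(parse_policies(conf)), blocks_ipv6_rfc_style(parse_policies(conf)))
```

The two rules only disagree on the first config: a host with a single IPv4 subnet-to-subnet policy gets the IPv6 deny flow under the first rule but not under the RFC-style one.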
