Hi, after some discussions, we found a better approach and a way to improve this. Please hold on for a few days.
Reyk

> On 03.07.2018 at 21:42, David Dahlberg <[email protected]> wrote:
>
> On Tuesday, 03.07.2018, 19:01 +0200, Reyk Floeter wrote:
>> A dual-homed host should not have IPsec on v4 and "open" v6 at the
>> same time; the leakage is a real risk. I did add it intentionally;
>> we've discussed it in depth when the problem was reported by Gont.
>
> I guess with "dual-homed" you meant "dual-stacked"?
>
> Yes, I see the problem. It applies mostly to "IPsec clients"
> which are usually not multi-homed.
>
>> Putting this as a note into
>> /etc/examples/iked.conf and not turning it on by default is almost
>> useless.
>
> This would also be the wrong place. Flow definitions go to ipsec.conf,
> a file that's otherwise primarily used for isakmpd.
>
> A better place for the "documentation only" solution would be
> iked.conf(5), analogous to the PACKET FILTERING section. PACKET
> FILTERING already includes an alternative solution which uses pf
> instead of flows:
>
>     block on ix0
>     pass in on ix0 proto udp from 192.168.3.2 to 192.168.3.1 \
>         port {500, 4500}
>     pass out on ix0 proto udp from 192.168.3.1 to 192.168.3.2 \
>         port {500, 4500}
>     pass in on ix0 proto esp from 192.168.3.2 to 192.168.3.1
>     pass out on ix0 proto esp from 192.168.3.1 to 192.168.3.2
>
>> My suggestion:
>> 1. Fix the manpage as suggested (but add the RFC in the STANDARDS
>> section)
>
> Yes, but having read the RFC, it should not be implied that RFC 7359
> would demand this behaviour. Probably more along the lines of this:
>
>     iked tries to prevent leakage of IPv6 traffic in situations where only
>     an IPv4 tunnel has been configured on dual-stacked systems (compare
>     RFC 7359). This is achieved by installing an IPsec "deny" policy
>     which blocks all IPv6 traffic. Blocking of IPv6 is the default
>     behavior if iked is not started with -n and no IPv6 policies are
>     configured in iked.conf(5).
>
>     The options are as follows:
>
>     -6      Disable automatic blocking of IPv6 traffic
>
>> 2. Add a log_debug() (only visible when running iked in
>> foreground/verbose)
>
> ACK.
>
>> 3. Fix iked to really only load the deny flow if no IPv6 is
>> configured!
>>
>> The 3rd one used to be the case: iked only installed the
>> "deny-all-IPv6" flow when there was no IPv6 configured in iked.conf.
>
> This behaviour would be "unless a policy for this address family has
> been configured". It is slightly but significantly different than the
> current documented behaviour "unless a flow for this address family has
> been negotiated" and also makes more sense.
>
> BTW, a behaviour a bit more in line with the RFC would be to block IPv6
> only if there is an IPv4 default policy and no IPv6 policy.
>
> Cheers,
> David
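The thread distinguishes three candidate rules for when the deny-all-IPv6 flow should be installed: the documented "unless an IPv6 flow has been negotiated", Reyk's "unless an IPv6 policy is configured", and David's RFC-style "only if there is an IPv4 default policy and no IPv6 policy". The script below is an added example (not iked's code, and not from anyone on this thread) that models those three rules over a deliberately small subset of iked.conf(5) syntax, so you can see on concrete configs where they disagree. Assumptions: only `ikev2` lines with one explicit `from <prefix> to <prefix>` pair are parsed (the `any` keyword is rejected rather than guessed), "IPv4 default policy" is taken to mean a policy whose `to` selector is `0.0.0.0/0`, the `ipv6_disabled` flag stands in for the command-line switch that turns blocking off, and the three sample configs are constructed, not taken from a real deployment.

```python
"""Toy model of the "automatically deny IPv6" decision discussed in the
thread.  Added example, NOT iked's code: it parses only a small subset
of iked.conf(5) and encodes the three rules as plain functions."""
import ipaddress
import shlex

IPV4_DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Tokens that may directly follow "ikev2" when the policy has no name.
KEYWORDS = {"active", "passive", "quick", "default", "skip", "esp", "ah",
            "ipcomp", "transport", "tunnel", "proto", "from"}


def parse_policies(conf):
    """Return [(name, from_net, to_net), ...] for each ikev2 policy.

    Assumption: one explicit 'from <prefix> to <prefix>' pair per policy.
    The 'any' keyword and mixed families raise ValueError on purpose so
    nothing is silently guessed about address families.
    """
    policies = []
    # Join backslash-continued lines before tokenising, as the real
    # config grammar does.
    for raw in conf.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("ikev2"):
            continue
        tokens = shlex.split(line)
        name = tokens[1] if len(tokens) > 1 and tokens[1] not in KEYWORDS else ""
        sel = {}
        for key in ("from", "to"):
            if key not in tokens:
                raise ValueError(f"policy {name!r}: missing '{key}' selector")
            addr = tokens[tokens.index(key) + 1]
            if addr == "any":
                raise ValueError("'any' is not modelled by this toy parser")
            sel[key] = ipaddress.ip_network(addr, strict=False)
        if sel["from"].version != sel["to"].version:
            raise ValueError(f"policy {name!r}: mixed address families")
        policies.append((name, sel["from"], sel["to"]))
    return policies


def configured_families(policies):
    """Address families (4/6) for which at least one policy exists."""
    return {to.version for _, _, to in policies}


def has_ipv4_default_policy(policies):
    """True if some IPv4 policy tunnels all IPv4 traffic (to 0.0.0.0/0).
    Assumption: this is what 'IPv4 default policy' means in the thread."""
    return any(to == IPV4_DEFAULT for _, _, to in policies)


def should_block_ipv6(policies, rule, negotiated_afs=frozenset(),
                      ipv6_disabled=False):
    """Decide whether the deny-all-IPv6 flow should be installed.

    rule "negotiated": documented behaviour, block unless an IPv6 flow
                       has actually been negotiated (runtime state).
    rule "configured": block unless an IPv6 policy is configured.
    rule "v4-default": block only if there is an IPv4 default policy
                       and no IPv6 policy (closer to RFC 7359's intent).
    ipv6_disabled models the switch that turns the mechanism off.
    """
    if ipv6_disabled:
        return False
    fams = configured_families(policies)
    if rule == "negotiated":
        return 6 not in negotiated_afs
    if rule == "configured":
        return 6 not in fams
    if rule == "v4-default":
        return has_ipv4_default_policy(policies) and 6 not in fams
    raise ValueError(f"unknown rule {rule!r}")


# Constructed iked.conf fragments for illustration (not real deployments).
V4_ONLY_CLIENT = """\
ikev2 "v4-client" active esp from 0.0.0.0/0 to 0.0.0.0/0 \\
    local 192.168.3.1 peer 192.168.3.2
"""
DUAL_STACK = V4_ONLY_CLIENT + """\
ikev2 "v6-client" active esp from ::/0 to ::/0 \\
    local 2001:db8::1 peer 2001:db8::2
"""
SITE_TO_SITE_V4 = """\
ikev2 "lan" passive esp from 10.1.0.0/24 to 10.2.0.0/24 \\
    local 192.168.3.1 peer 192.168.3.2
"""

if __name__ == "__main__":
    samples = (("v4-only client", V4_ONLY_CLIENT),
               ("dual-stack client", DUAL_STACK),
               ("v4 site-to-site", SITE_TO_SITE_V4))
    for label, conf in samples:
        pols = parse_policies(conf)
        print(f"{label}:")
        for rule in ("negotiated", "configured", "v4-default"):
            # Pretend only the IPv4 SA is up so far (v6 not yet negotiated).
            blocked = should_block_ipv6(pols, rule, negotiated_afs={4})
            print(f"  {rule:<11} block IPv6 = {blocked}")
```

Running it shows the point David makes: for the dual-stack client, the "negotiated" rule still blocks IPv6 while only the IPv4 SA is up, whereas "configured" does not; and for the IPv4 site-to-site policy, "configured" blocks IPv6 but the "v4-default" rule leaves it alone because nothing is tunnelling all IPv4 traffic.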
