VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts

2012-11-23 Thread Fernando Gont
Folks, FYI. This might affect OpenBSD users employing e.g. OpenVPN: http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages. For a project such as OpenVPN, a (portable) fix might be non-trivial. However, I guess OpenBSD might hook some PF rules when establishing the VPN tunnel, such that

Re: upstream vendors and why they can be really harmful

2012-11-23 Thread Tomas Bodzar
On Fri, Nov 23, 2012 at 5:11 AM, Marc Espie es...@nerim.net wrote: On Thu, Nov 22, 2012 at 01:27:46PM -0430, Andres Perera wrote: why would the runtime be attractive for rop? what configuration vm needs syscalls that would be attractive to an attacker that can change the address of a jump?

Re: upstream vendors and why they can be really harmful

2012-11-23 Thread Stuart Henderson
Guys are not probably reading you enough. See http://lists.gnu.org/archive/html/gnu-system-discuss/2012-11/msg0.html and https://news.ycombinator.com/item?id=4821488 :-) Can you please take this to another mailing list or off-list? Developer's Lists These lists are for technical

Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts

2012-11-23 Thread Reyk Floeter
On Fri, Nov 23, 2012 at 12:44:32PM +0100, Henning Brauer wrote: * Fernando Gont ferna...@gont.com.ar [2012-11-23 12:09]: FYI. This might affect OpenBSD users employing e.g. OpenVPN: http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages. we're way less affected than other OSes, since

Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts

2012-11-23 Thread Fernando Gont
On 11/23/2012 08:44 AM, Henning Brauer wrote: * Fernando Gont ferna...@gont.com.ar [2012-11-23 12:09]: FYI. This might affect OpenBSD users employing e.g. OpenVPN: http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages. we're way less affected than other OSes, since we prefer inet over

set ifp->if_baudrate with IF_Gbps() / IF_Mbps()

2012-11-23 Thread Gleydson Soares
set ifp->if_baudrate with IF_Gbps() / IF_Mbps(). OK ? Index: if_ste.c === RCS file: /cvs/src/sys/dev/pci/if_ste.c,v retrieving revision 1.48 diff -u -p -r1.48 if_ste.c --- if_ste.c18 Oct 2012 21:44:21 - 1.48 +++ if_ste.c

Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts

2012-11-23 Thread Fernando Gont
On 11/23/2012 11:12 AM, Reyk Floeter wrote: In the section Mitigations to VPN traffic-leakage vulnerabilities of Fernando's paper it is suggested that a VPN client disables IPv6 globally if it is not going to send all IPv6 traffic over the tunnel as well. The problem is that even if you

Re: set ifp->if_baudrate with IF_Gbps() / IF_Mbps()

2012-11-23 Thread Reyk Floeter
On Fri, Nov 23, 2012 at 11:57:50AM -0200, Gleydson Soares wrote: set ifp->if_baudrate with IF_Gbps() / IF_Mbps(). OK ? Index: if_ste.c === RCS file: /cvs/src/sys/dev/pci/if_ste.c,v retrieving revision 1.48 diff -u -p -r1.48

Re: login_yubikey case-insensitive hex decoding

2012-11-23 Thread Alexander Hall
On 11/23/12 02:17, Philip Guenther wrote: On Thu, Nov 22, 2012 at 5:28 PM, Alexander Hall alexan...@beard.se wrote: The corresponding part in yubikey_hex_decode is for consistency and, IMO, sanity, allowing mixed case hex strings, e.g. /var/db/yubikey/*. Comments? OK? (Don't mess with the

Re: Display hardmtu with ifconfig hwfeatures

2012-11-23 Thread Reyk Floeter
On Fri, Nov 23, 2012 at 04:04:20PM +, Stuart Henderson wrote: This adds an ioctl to retrieve if_hardmtu, and adds code to display it via ifconfig hwfeatures. $ ifconfig em0 hwfeatures em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500

Re: Display hardmtu with ifconfig hwfeatures

2012-11-23 Thread Christian Weisgerber
Stuart Henderson s...@spacehopper.org wrote: This adds an ioctl to retrieve if_hardmtu, and adds code to display it via ifconfig hwfeatures. I'm worried that our drivers don't set this or that the value doesn't accurately reflect the capabilities of chip/driver. -- Christian naddy Weisgerber

Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts

2012-11-23 Thread Reyk Floeter
On Fri, Nov 23, 2012 at 05:01:16PM +0100, Reyk Floeter wrote: Actually, in the iked(8)/IPsec case we could even block all v6 traffic without using PF by simply inserting a single deny flow. For example: # ping6 -w ff02::1%em0 # ipsecctl -vf /etc/ipsec-block.conf flow esp out from ::/0 to

Re: Display hardmtu with ifconfig hwfeatures

2012-11-23 Thread Reyk Floeter
On Fri, Nov 23, 2012 at 05:46:27PM +, Christian Weisgerber wrote: Stuart Henderson s...@spacehopper.org wrote: This adds an ioctl to retrieve if_hardmtu, and adds code to display it via ifconfig hwfeatures. I'm worried that our drivers don't set this or that the value doesn't

Re: Display hardmtu with ifconfig hwfeatures

2012-11-23 Thread Stuart Henderson
On 2012/11/23 17:46, Christian Weisgerber wrote: Stuart Henderson s...@spacehopper.org wrote: This adds an ioctl to retrieve if_hardmtu, and adds code to display it via ifconfig hwfeatures. I'm worried that our drivers don't set this or that the value doesn't accurately reflect the

Re: Display hardmtu with ifconfig hwfeatures

2012-11-23 Thread Mike Belopuhov
On Fri, Nov 23, 2012 at 5:16 PM, Reyk Floeter r...@openbsd.org wrote: On Fri, Nov 23, 2012 at 04:04:20PM +, Stuart Henderson wrote: This adds an ioctl to retrieve if_hardmtu, and adds code to display it via ifconfig hwfeatures. $ ifconfig em0 hwfeatures em0:

Re: powerpc: Keep track of uncached managed memory

2012-11-23 Thread Mark Kettenis
Date: Fri, 23 Nov 2012 12:23:19 +0100 From: Martin Pieuchot mpieuc...@nolizard.org Ok, a bit of explanation first. On macppc because the AGP chips do not translate pages, the kernel and the applications have access to the AGP memory regions through standard mappings. Because these

Re: login_yubikey case-insensitive hex decoding

2012-11-23 Thread Philip Guenther
On Fri, 23 Nov 2012, Alexander Hall wrote: On 11/23/12 02:17, Philip Guenther wrote: ... The argument to tolower() must be a value in the range [EOF, 0..UCHAR_MAX]. When taking characters from a char * string, you need to cast the value to (unsigned char), ala tolower((unsigned