Re: iked(8): get rid of IPv6 flow and -6 flag?

2020-01-15 Thread Tobias Heider
On Wed, Jan 15, 2020 at 07:41:46PM +, Stuart Henderson wrote:
> On 2020/01/14 21:48, Stuart Henderson wrote:
> > >   while ((c = getopt(argc, argv, "6dD:nf:vSTt")) != -1) {
> > >   switch (c) {
> > >   case '6':
> > > - opts |= IKED_OPT_NOIPV6BLOCKING;
> > > + log_warnx("the -6 option is deprecated and will be "
> > > + "removed in the future.");
> > 
> > "deprecated" implies that it still works but you shouldn't use it any more.
> > 
> > Perhaps "ignored" or "no longer supported" instead?
> > 
> 
> Now that this is committed anyway - can I do this or something similar?
> 
> deprecate -> "discouragement of use of some terminology, feature,
> design, or practice, typically because it has been superseded or is no
> longer considered efficient or safe, without completely removing it or
> prohibiting its use"
> 
> Index: iked.c
> ===
> RCS file: /cvs/src/sbin/iked/iked.c,v
> retrieving revision 1.39
> diff -u -p -r1.39 iked.c
> --- iked.c14 Jan 2020 22:28:29 -  1.39
> +++ iked.c15 Jan 2020 19:39:37 -
> @@ -76,7 +76,7 @@ main(int argc, char *argv[])
>   while ((c = getopt(argc, argv, "6dD:nf:vSTt")) != -1) {
>   switch (c) {
>   case '6':
> - log_warnx("the -6 option is deprecated and will be "
> + log_warnx("the -6 option is ignored and will be "
>   "removed in the future.");
>   break;
>   case 'd':
> 

I totally missed that part of your previous mail, sorry.
Reading the definition it seems you are right that "ignored" is the better
word here.

ok tobhe@



Re: iked(8): get rid of IPv6 flow and -6 flag?

2020-01-15 Thread Theo de Raadt
I strongly agree that we should avoid use of the word 'deprecated'
towards the public.  People interpret what it means differently,
so try to be EXACT.

'deprecated' is our choice to make the change, but 'ignored' is
the result of that decision upon the people.

Stuart Henderson  wrote:

> On 2020/01/14 21:48, Stuart Henderson wrote:
> > >   while ((c = getopt(argc, argv, "6dD:nf:vSTt")) != -1) {
> > >   switch (c) {
> > >   case '6':
> > > - opts |= IKED_OPT_NOIPV6BLOCKING;
> > > + log_warnx("the -6 option is deprecated and will be "
> > > + "removed in the future.");
> > 
> > "deprecated" implies that it still works but you shouldn't use it any more.
> > 
> > Perhaps "ignored" or "no longer supported" instead?
> > 
> 
> Now that this is committed anyway - can I do this or something similar?
> 
> deprecate -> "discouragement of use of some terminology, feature,
> design, or practice, typically because it has been superseded or is no
> longer considered efficient or safe, without completely removing it or
> prohibiting its use"
> 
> Index: iked.c
> ===
> RCS file: /cvs/src/sbin/iked/iked.c,v
> retrieving revision 1.39
> diff -u -p -r1.39 iked.c
> --- iked.c14 Jan 2020 22:28:29 -  1.39
> +++ iked.c15 Jan 2020 19:39:37 -
> @@ -76,7 +76,7 @@ main(int argc, char *argv[])
>   while ((c = getopt(argc, argv, "6dD:nf:vSTt")) != -1) {
>   switch (c) {
>   case '6':
> - log_warnx("the -6 option is deprecated and will be "
> + log_warnx("the -6 option is ignored and will be "
>   "removed in the future.");
>   break;
>   case 'd':
> 



Re: iked(8): get rid of IPv6 flow and -6 flag?

2020-01-15 Thread Stuart Henderson
On 2020/01/14 21:48, Stuart Henderson wrote:
> > while ((c = getopt(argc, argv, "6dD:nf:vSTt")) != -1) {
> > switch (c) {
> > case '6':
> > -   opts |= IKED_OPT_NOIPV6BLOCKING;
> > +   log_warnx("the -6 option is deprecated and will be "
> > +   "removed in the future.");
> 
> "deprecated" implies that it still works but you shouldn't use it any more.
> 
> Perhaps "ignored" or "no longer supported" instead?
> 

Now that this is committed anyway - can I do this or something similar?

deprecate -> "discouragement of use of some terminology, feature,
design, or practice, typically because it has been superseded or is no
longer considered efficient or safe, without completely removing it or
prohibiting its use"

Index: iked.c
===
RCS file: /cvs/src/sbin/iked/iked.c,v
retrieving revision 1.39
diff -u -p -r1.39 iked.c
--- iked.c  14 Jan 2020 22:28:29 -  1.39
+++ iked.c  15 Jan 2020 19:39:37 -
@@ -76,7 +76,7 @@ main(int argc, char *argv[])
while ((c = getopt(argc, argv, "6dD:nf:vSTt")) != -1) {
switch (c) {
case '6':
-   log_warnx("the -6 option is deprecated and will be "
+   log_warnx("the -6 option is ignored and will be "
"removed in the future.");
break;
case 'd':



Re: iked(8): get rid of IPv6 flow and -6 flag?

2020-01-14 Thread Stuart Henderson
On 2020/01/14 21:48, Stuart Henderson wrote:
> On 2020/01/14 21:03, Tobias Heider wrote:
> > On Tue, Jan 14, 2020 at 09:17:11AM -0700, Theo de Raadt wrote:
> > > Stuart Henderson  wrote:
> > > 
> > > > On 2020/01/13 20:51, Klemens Nanni wrote:
> > > > > I'm in favour of removing the option and OK with your diff, but simply
> > > > > removing it is probably a bad idea given its nature.
> > > > > 
> > > > > What about printing a deprecation warning so that users can safely
> > > > > adjust their rcctl flags instead of running into "iked(failed)" on the
> > > > > next snapshot.
> > > > 
> > > > Yes please make -6 a noop or a warning rather than an error. Sometimes
> > > > breakage is unavoidable, but this isn't one of those cases.
> > > 
> > > I agree.
> > > 
> > 
> > Makes sense. I added a warning and a notice in current.html.
> > 
> > ok?
> > 
> > Index: www/faq/current.html
> > ===
> > RCS file: /cvs/www/faq/current.html,v
> > retrieving revision 1.1017
> > diff -u -p -r1.1017 current.html
> > --- www/faq/current.html31 Dec 2019 02:18:01 -  1.1017
> > +++ www/faq/current.html14 Jan 2020 19:32:25 -
> > @@ -135,6 +135,12 @@ or they can be rebuilt from ports.
> >  
> >  
> > +2020/1/14 - iked(8) automatic IPv6 blocking removed 
> > 
> > +
> > +https://man.openbsd.org/iked.8";>iked(8) no longer 
> > automatically adds
> > +an IPv6 blocking IPsec flow.
> > +The -6 option is deprecated and should be removed from
> > + > href="https://man.openbsd.org/rc.conf.local.8";>/etc/rc.conf.local.
> 
> How about this?
> 
> 
> Index: current.html
> ===
> RCS file: /cvs/www/faq/current.html,v
> retrieving revision 1.1017
> diff -u -p -r1.1017 current.html
> --- current.html  31 Dec 2019 02:18:01 -  1.1017
> +++ current.html  14 Jan 2020 21:47:35 -
> @@ -136,6 +136,33 @@ or they can be rebuilt from ports.
>  -->
>  
>  
> +2020/1/14 - iked(8) automatic IPv6 blocking removed 
> +
> +https://man.openbsd.org/iked.8";>iked(8) no longer automatically
> +blocks unencrypted outbound IPv6 packets.
> +This feature was intended to avoid accidental leakage, but in practice was
> +found to mostly be a cause of misconfiguration.
> +The -6 flag was used to disable this feature but is now no 
> longer
> +needed and should be removed from  +href="https://man.openbsd.org/rc.conf.local.8";>/etc/rc.conf.local
> +if used.
> +
> +Instead, if you would like to explicitly block these packets, add the 
> following

Actually, on reading it back now I've posted it, "instead" is bad here,
with the previous sentence it makes it seem like this is something to do
if you *did* use -6, when actually it's something to do if you *didn't*
use -6 and want to keep the feature.

...

So here's some reordering that works better:

Index: current.html
===
RCS file: /cvs/www/faq/current.html,v
retrieving revision 1.1017
diff -u -p -r1.1017 current.html
--- current.html31 Dec 2019 02:18:01 -  1.1017
+++ current.html14 Jan 2020 21:53:31 -
@@ -136,6 +136,34 @@ or they can be rebuilt from ports.
 -->
 
 
+2020/1/14 - iked(8) automatic IPv6 blocking removed 
+
+https://man.openbsd.org/iked.8";>iked(8) no longer automatically
+blocks unencrypted outbound IPv6 packets.
+This feature was intended to avoid accidental leakage, but in practice was
+found to mostly be a cause of misconfiguration.
+Instead, if you would like to explicitly block these packets, add the following
+line to https://man.openbsd.org/ipsec.conf.5";>/etc/ipsec.conf
+(not iked.conf):
+
+
+flow esp out from ::/0 to ::/0 type deny
+
+
+and enable loading it with
+
+
+# rcctl enable ipsec   # to load at boot
+# ipsecctl -f /etc/ipsec.conf  # to load immediately
+
+
+If you previously used https://man.openbsd.org/iked.8";>iked(8)'s
+-6 flag to disable this feature, it is no longer needed and should
+be removed from https://man.openbsd.org/rc.conf.local.8";>/etc/rc.conf.local
+if used.
+
+
 

Re: iked(8): get rid of IPv6 flow and -6 flag?

2020-01-14 Thread Stuart Henderson
On 2020/01/14 21:03, Tobias Heider wrote:
> On Tue, Jan 14, 2020 at 09:17:11AM -0700, Theo de Raadt wrote:
> > Stuart Henderson  wrote:
> > 
> > > On 2020/01/13 20:51, Klemens Nanni wrote:
> > > > I'm in favour of removing the option and OK with your diff, but simply
> > > > removing it is probably a bad idea given its nature.
> > > > 
> > > > What about printing a deprecation warning so that users can safely
> > > > adjust their rcctl flags instead of running into "iked(failed)" on the
> > > > next snapshot.
> > > 
> > > Yes please make -6 a noop or a warning rather than an error. Sometimes
> > > breakage is unavoidable, but this isn't one of those cases.
> > 
> > I agree.
> > 
> 
> Makes sense. I added a warning and a notice in current.html.
> 
> ok?
> 
> Index: www/faq/current.html
> ===
> RCS file: /cvs/www/faq/current.html,v
> retrieving revision 1.1017
> diff -u -p -r1.1017 current.html
> --- www/faq/current.html  31 Dec 2019 02:18:01 -  1.1017
> +++ www/faq/current.html  14 Jan 2020 19:32:25 -
> @@ -135,6 +135,12 @@ or they can be rebuilt from ports.
>  
>  
> +2020/1/14 - iked(8) automatic IPv6 blocking removed 
> +
> +https://man.openbsd.org/iked.8";>iked(8) no longer automatically 
> adds
> +an IPv6 blocking IPsec flow.
> +The -6 option is deprecated and should be removed from
> + href="https://man.openbsd.org/rc.conf.local.8";>/etc/rc.conf.local.

How about this?


Index: current.html
===
RCS file: /cvs/www/faq/current.html,v
retrieving revision 1.1017
diff -u -p -r1.1017 current.html
--- current.html31 Dec 2019 02:18:01 -  1.1017
+++ current.html14 Jan 2020 21:47:35 -
@@ -136,6 +136,33 @@ or they can be rebuilt from ports.
 -->
 
 
+2020/1/14 - iked(8) automatic IPv6 blocking removed 
+
+https://man.openbsd.org/iked.8";>iked(8) no longer automatically
+blocks unencrypted outbound IPv6 packets.
+This feature was intended to avoid accidental leakage, but in practice was
+found to mostly be a cause of misconfiguration.
+The -6 flag was used to disable this feature but is now no longer
+needed and should be removed from https://man.openbsd.org/rc.conf.local.8";>/etc/rc.conf.local
+if used.
+
+Instead, if you would like to explicitly block these packets, add the following
+line to https://man.openbsd.org/ipsec.conf.5";>/etc/ipsec.conf
+(not iked.conf):
+
+
+flow esp out from ::/0 to ::/0 type deny
+
+
+and enable loading it with
+
+
+# rcctl enable ipsec   # to load at boot
+# ipsecctl -f /etc/ipsec.conf  # to load immediately
+
+
+
 

Re: iked(8): get rid of IPv6 flow and -6 flag?

2020-01-14 Thread Klemens Nanni
On Tue, Jan 14, 2020 at 09:03:04PM +0100, Tobias Heider wrote:
> Makes sense. I added a warning and a notice in current.html.
OK kn



Re: iked(8): get rid of IPv6 flow and -6 flag?

2020-01-14 Thread Tobias Heider
On Tue, Jan 14, 2020 at 09:17:11AM -0700, Theo de Raadt wrote:
> Stuart Henderson  wrote:
> 
> > On 2020/01/13 20:51, Klemens Nanni wrote:
> > > I'm in favour of removing the option and OK with your diff, but simply
> > > removing it is probably a bad idea given its nature.
> > > 
> > > What about printing a deprecation warning so that users can safely
> > > adjust their rcctl flags instead of running into "iked(failed)" on the
> > > next snapshot.
> > 
> > Yes please make -6 a noop or a warning rather than an error. Sometimes
> > breakage is unavoidable, but this isn't one of those cases.
> 
> I agree.
> 

Makes sense. I added a warning and a notice in current.html.

ok?

Index: www/faq/current.html
===
RCS file: /cvs/www/faq/current.html,v
retrieving revision 1.1017
diff -u -p -r1.1017 current.html
--- www/faq/current.html31 Dec 2019 02:18:01 -  1.1017
+++ www/faq/current.html14 Jan 2020 19:32:25 -
@@ -135,6 +135,12 @@ or they can be rebuilt from ports.
 
 
+2020/1/14 - iked(8) automatic IPv6 blocking removed 
+
+https://man.openbsd.org/iked.8";>iked(8) no longer automatically 
adds
+an IPv6 blocking IPsec flow.
+The -6 option is deprecated and should be removed from
+https://man.openbsd.org/rc.conf.local.8";>/etc/rc.conf.local.
 
 

Re: iked(8): get rid of IPv6 flow and -6 flag?

2020-01-14 Thread David Riley
On Jan 13, 2020, at 11:55 AM, Tobias Heider  wrote:
> 
> Hi,
> 
> iked by default blocks all IPv6 traffic on a host unless any
> of the configured policies use v6.  This was originally meant
> as a measure to prevent VPN leakage for people who did not
> think of IPv6 when configuring IPsec.  With the -6 flag
> set, iked does not install this IPv6 blocking flow.
> 
> I think we should discuss whether we can remove the flow
> (and the -6 flag) as I constantly hear people complaining
> that it broke their setups and I don't think anyone
> expects some seemingly unrelated program breaking IPv6.

Ah, THAT's why iked nuked IPv6 on my router when I enabled it.

I am strongly in favor of this proposal, with the subsequent
recommendations to make it a warning instead of an error.


- Dave



Re: iked(8): get rid of IPv6 flow and -6 flag?

2020-01-14 Thread Theo de Raadt
Stuart Henderson  wrote:

> On 2020/01/13 20:51, Klemens Nanni wrote:
> > I'm in favour of removing the option and OK with your diff, but simply
> > removing it is probably a bad idea given its nature.
> > 
> > What about printing a deprecation warning so that users can safely
> > adjust their rcctl flags instead of running into "iked(failed)" on the
> > next snapshot.
> 
> Yes please make -6 a noop or a warning rather than an error. Sometimes
> breakage is unavoidable, but this isn't one of those cases.

I agree.



Re: iked(8): get rid of IPv6 flow and -6 flag?

2020-01-14 Thread Stuart Henderson
On 2020/01/13 23:31, Sebastian Benoit wrote:
> Alexander Bluhm(alexander.bl...@gmx.net) on 2020.01.13 18:19:31 +0100:
> > On Mon, Jan 13, 2020 at 05:55:06PM +0100, Tobias Heider wrote:
> > > I think we should discuss whether we can remove the flow
> > > (and the -6 flag) as I constantly hear people complaining
> > > that it broke their setups and I don't think anyone
> > > expects some seemingly unrelated program breaking IPv6.
> > 
> > A missing -6 flag on the iked command line, is a very unexpected
> > way to break your IPv6 setup.  So we should remove that.
> > 
> > OK bluhm@
> > 
> > If there is demand for such a feature, we could create an option
> > in the example/iked.conf that shows how to disable IPv6.
> > And perhaps one to disable IPv4 for the IPv6 hipser :-)
> 
> I'm ok with getting rid of it, but as kn@ suggests please with disable and
> warning. Please add comment /* XXX remove during OpenBSD 6.7-current */
> A current.html note is needed.
> 

I somehow doubt anybody will actually see a warning - is there a real
need to schedule it for removal rather than just keep it indefinitely?



Re: iked(8): get rid of IPv6 flow and -6 flag?

2020-01-14 Thread Sebastian Benoit
Alexander Bluhm(alexander.bl...@gmx.net) on 2020.01.13 18:19:31 +0100:
> On Mon, Jan 13, 2020 at 05:55:06PM +0100, Tobias Heider wrote:
> > I think we should discuss whether we can remove the flow
> > (and the -6 flag) as I constantly hear people complaining
> > that it broke their setups and I don't think anyone
> > expects some seemingly unrelated program breaking IPv6.
> 
> A missing -6 flag on the iked command line, is a very unexpected
> way to break your IPv6 setup.  So we should remove that.
> 
> OK bluhm@
> 
> If there is demand for such a feature, we could create an option
> in the example/iked.conf that shows how to disable IPv6.
> And perhaps one to disable IPv4 for the IPv6 hipser :-)

I'm ok with getting rid of it, but as kn@ suggests please with disable and
warning. Please add comment /* XXX remove during OpenBSD 6.7-current */
A current.html note is needed.



Re: iked(8): get rid of IPv6 flow and -6 flag?

2020-01-14 Thread Stuart Henderson
On 2020/01/13 18:19, Alexander Bluhm wrote:
> On Mon, Jan 13, 2020 at 05:55:06PM +0100, Tobias Heider wrote:
> > I think we should discuss whether we can remove the flow
> > (and the -6 flag) as I constantly hear people complaining
> > that it broke their setups and I don't think anyone
> > expects some seemingly unrelated program breaking IPv6.
> 
> A missing -6 flag on the iked command line, is a very unexpected
> way to break your IPv6 setup.  So we should remove that.
> 
> OK bluhm@
> 
> If there is demand for such a feature, we could create an option
> in the example/iked.conf that shows how to disable IPv6.
> And perhaps one to disable IPv4 for the IPv6 hipser :-)

It would need to be in ipsec.conf - iked.conf doesn't allow setting
manual flows.


On 2020/01/13 20:51, Klemens Nanni wrote:
> I'm in favour of removing the option and OK with your diff, but simply
> removing it is probably a bad idea given its nature.
> 
> What about printing a deprecation warning so that users can safely
> adjust their rcctl flags instead of running into "iked(failed)" on the
> next snapshot.

Yes please make -6 a noop or a warning rather than an error. Sometimes
breakage is unavoidable, but this isn't one of those cases.



Re: iked(8): get rid of IPv6 flow and -6 flag?

2020-01-13 Thread Andrew Klaus
We use the -6 option and I agree with deprecating it for one OpenBSD
release instead.

Especially now with sysupgrade(8), after upgrading our remote servers, our
site-to-site VPN wouldn't come back up after upgrade.


On Mon, Jan 13, 2020 at 12:58 PM Klemens Nanni  wrote:

> On Mon, Jan 13, 2020 at 05:55:06PM +0100, Tobias Heider wrote:
> > iked by default blocks all IPv6 traffic on a host unless any
> > of the configured policies use v6.  This was originally meant
> > as a measure to prevent VPN leakage for people who did not
> > think of IPv6 when configuring IPsec.  With the -6 flag
> > set, iked does not install this IPv6 blocking flow.
> It it still considered a leakage prevention, altough I doubt its
> usefulness.
>
> > I think we should discuss whether we can remove the flow
> > (and the -6 flag) as I constantly hear people complaining
> > that it broke their setups and I don't think anyone
> > expects some seemingly unrelated program breaking IPv6.
> iked(8) is the only tool I know going completely counter-intuitive with
> it's `-6' option;  I expect those to behave like in nc(1).
>
> I'm in favour of removing the option and OK with your diff, but simply
> removing it is probably a bad idea given its nature.
>
> What about printing a deprecation warning so that users can safely
> adjust their rcctl flags instead of running into "iked(failed)" on the
> next snapshot.
>
>


Re: iked(8): get rid of IPv6 flow and -6 flag?

2020-01-13 Thread Klemens Nanni
On Mon, Jan 13, 2020 at 05:55:06PM +0100, Tobias Heider wrote:
> iked by default blocks all IPv6 traffic on a host unless any
> of the configured policies use v6.  This was originally meant
> as a measure to prevent VPN leakage for people who did not
> think of IPv6 when configuring IPsec.  With the -6 flag
> set, iked does not install this IPv6 blocking flow.
It it still considered a leakage prevention, altough I doubt its
usefulness.

> I think we should discuss whether we can remove the flow
> (and the -6 flag) as I constantly hear people complaining
> that it broke their setups and I don't think anyone
> expects some seemingly unrelated program breaking IPv6.
iked(8) is the only tool I know going completely counter-intuitive with
it's `-6' option;  I expect those to behave like in nc(1).

I'm in favour of removing the option and OK with your diff, but simply
removing it is probably a bad idea given its nature.

What about printing a deprecation warning so that users can safely
adjust their rcctl flags instead of running into "iked(failed)" on the
next snapshot.



Re: iked(8): get rid of IPv6 flow and -6 flag?

2020-01-13 Thread Alexander Bluhm
On Mon, Jan 13, 2020 at 05:55:06PM +0100, Tobias Heider wrote:
> I think we should discuss whether we can remove the flow
> (and the -6 flag) as I constantly hear people complaining
> that it broke their setups and I don't think anyone
> expects some seemingly unrelated program breaking IPv6.

A missing -6 flag on the iked command line, is a very unexpected
way to break your IPv6 setup.  So we should remove that.

OK bluhm@

If there is demand for such a feature, we could create an option
in the example/iked.conf that shows how to disable IPv6.
And perhaps one to disable IPv4 for the IPv6 hipser :-)

bluhm



iked(8): get rid of IPv6 flow and -6 flag?

2020-01-13 Thread Tobias Heider
Hi,

iked by default blocks all IPv6 traffic on a host unless any
of the configured policies use v6.  This was originally meant
as a measure to prevent VPN leakage for people who did not
think of IPv6 when configuring IPsec.  With the -6 flag
set, iked does not install this IPv6 blocking flow.

I think we should discuss whether we can remove the flow
(and the -6 flag) as I constantly hear people complaining
that it broke their setups and I don't think anyone
expects some seemingly unrelated program breaking IPv6.

diff --git a/sbin/iked/iked.8 b/sbin/iked/iked.8
index f715db47afd..c7682500414 100644
--- a/sbin/iked/iked.8
+++ b/sbin/iked/iked.8
@@ -22,7 +22,7 @@
 .Nd Internet Key Exchange version 2 (IKEv2) daemon
 .Sh SYNOPSIS
 .Nm iked
-.Op Fl 6dnSTtv
+.Op Fl dnSTtv
 .Op Fl D Ar macro Ns = Ns Ar value
 .Op Fl f Ar file
 .Sh DESCRIPTION
@@ -55,14 +55,6 @@ infrastructure.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
-.It Fl 6
-Disable automatic blocking of IPv6 traffic.
-By default,
-.Nm
-blocks any IPv6 traffic unless a flow for this address family has been
-negotiated.
-This option disables VPN traffic leakage prevention on dual stack hosts
-(RFC 7359).
 .It Fl D Ar macro Ns = Ns Ar value
 Define
 .Ar macro
diff --git a/sbin/iked/iked.c b/sbin/iked/iked.c
index 6714e0b2088..bc0b8109651 100644
--- a/sbin/iked/iked.c
+++ b/sbin/iked/iked.c
@@ -56,7 +56,7 @@ usage(void)
 {
extern char *__progname;
 
-   fprintf(stderr, "usage: %s [-6dnSTtv] [-D macro=value] "
+   fprintf(stderr, "usage: %s [-dnSTtv] [-D macro=value] "
"[-f file]\n", __progname);
exit(1);
 }
@@ -73,11 +73,8 @@ main(int argc, char *argv[])
 
log_init(1, LOG_DAEMON);
 
-   while ((c = getopt(argc, argv, "6dD:nf:vSTt")) != -1) {
+   while ((c = getopt(argc, argv, "dD:nf:vSTt")) != -1) {
switch (c) {
-   case '6':
-   opts |= IKED_OPT_NOIPV6BLOCKING;
-   break;
case 'd':
debug++;
break;
diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h
index 897669ac625..5a071a43f75 100644
--- a/sbin/iked/iked.h
+++ b/sbin/iked/iked.h
@@ -950,7 +950,6 @@ int  eap_parse(struct iked *, struct iked_sa *, void *, 
int);
 int pfkey_couple(int, struct iked_sas *, int);
 int pfkey_flow_add(int fd, struct iked_flow *);
 int pfkey_flow_delete(int fd, struct iked_flow *);
-int pfkey_block(int, int, unsigned int);
 int pfkey_sa_init(int, struct iked_childsa *, uint32_t *);
 int pfkey_sa_add(int, struct iked_childsa *, struct iked_childsa *);
 int pfkey_sa_update_addresses(int, struct iked_childsa *);
diff --git a/sbin/iked/pfkey.c b/sbin/iked/pfkey.c
index b9f90687784..de8055c6863 100644
--- a/sbin/iked/pfkey.c
+++ b/sbin/iked/pfkey.c
@@ -50,9 +50,7 @@
 
 static uint32_t sadb_msg_seq = 0;
 static unsigned int sadb_decoupled = 0;
-static unsigned int sadb_ipv6refcnt = 0;
 
-static int pfkey_blockipv6 = 0;
 static struct event pfkey_timer_ev;
 static struct timeval pfkey_timer_tv;
 
@@ -1259,12 +1257,6 @@ pfkey_flow_add(int fd, struct iked_flow *flow)
 
flow->flow_loaded = 1;
 
-   if (flow->flow_dst.addr_af == AF_INET6) {
-   sadb_ipv6refcnt++;
-   if (sadb_ipv6refcnt == 1)
-   return (pfkey_block(fd, AF_INET6, SADB_X_DELFLOW));
-   }
-
return (0);
 }
 
@@ -1284,42 +1276,6 @@ pfkey_flow_delete(int fd, struct iked_flow *flow)
 
flow->flow_loaded = 0;
 
-   if (flow->flow_dst.addr_af == AF_INET6) {
-   sadb_ipv6refcnt--;
-   if (sadb_ipv6refcnt == 0)
-   return (pfkey_block(fd, AF_INET6, SADB_X_ADDFLOW));
-   }
-
-   return (0);
-}
-
-int
-pfkey_block(int fd, int af, unsigned int action)
-{
-   struct iked_flow flow;
-
-   if (!pfkey_blockipv6)
-   return (0);
-
-   /*
-* Prevent VPN traffic leakages in dual-stack hosts/networks.
-* https://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
-* We forcibly block IPv6 traffic unless it is used in any of
-* the flows by tracking a sadb_ipv6refcnt reference counter.
-*/
-   bzero(&flow, sizeof(flow));
-   flow.flow_src.addr_af = flow.flow_src.addr.ss_family = af;
-   flow.flow_src.addr_net = 1;
-   socket_af((struct sockaddr *)&flow.flow_src.addr, 0);
-   flow.flow_dst.addr_af = flow.flow_dst.addr.ss_family = af;
-   flow.flow_dst.addr_net = 1;
-   socket_af((struct sockaddr *)&flow.flow_dst.addr, 0);
-   flow.flow_type = SADB_X_FLOW_TYPE_DENY;
-   flow.flow_dir = IPSP_DIRECTION_OUT;
-
-   if (pfkey_flow(fd, 0, action, &flow) == -1)
-   return (-1);
-
return (0);
 }
 
@@ -1550,14 +1506,6 @@ pfkey_init(struct iked *env, int fd)
 
if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL))
fatal("pfkey_init: failed to set up AH acquires");
-