CVSROOT:	/cvs
Module name:	src
Changes by:	r...@cvs.openbsd.org	2012/11/29 08:08:08

Modified files:
	sbin/iked      : iked.8 iked.c iked.h pfkey.c types.h

Log message:
Prevent VPN traffic leakages in dual-stack hosts/networks.
See http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.

We forcibly block IPv6 traffic by loading a "flow esp out from ::/0 to
::/0 type deny" unless the protocol is used in any of the flows.

Note that this will block any IPv6 traffic, superseding routes and pf,
on the host by default when iked is running with IPv4 flows only.
This auto-blocking feature can be disabled by specifying the "-6"
command line flag to iked.

Thanks to Fernando Gont.

ok mikeb@
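An added example, not part of the commit or of iked's own code: it models the decision the commit describes (install a catch-all IPv6 deny flow unless some flow already uses IPv6 or "-6" was given) and gives a defender a check that the auto-block flow actually landed, by parsing ipsecctl-style flow listings. The flow line format and the sample lines are constructed assumptions, not captured output.

```python
import ipaddress
import re

# Constructed sample, in the style of an "ipsecctl -sf" flow listing (format assumed).
SAMPLE_FLOWS_V4_ONLY = """\
flow esp in from 10.2.0.0/16 to 10.1.0.0/16 peer 203.0.113.1 type use
flow esp out from 10.1.0.0/16 to 10.2.0.0/16 peer 203.0.113.1 type use
"""

AUTO_BLOCK_FLOW = "flow esp out from ::/0 to ::/0 type deny"

FLOW_RE = re.compile(
    r"^flow\s+(\S+)\s+(in|out)\s+from\s+(\S+)\s+to\s+(\S+)(?:.*?\btype\s+(\S+))?"
)


def parse_flows(text):
    """Turn flow lines into dicts; the address family comes from the 'from' prefix."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # not a flow line (blank, SA entry, etc.)
        proto, direction, src, dst, ftype = m.groups()
        try:
            family = ipaddress.ip_network(src, strict=False).version
        except ValueError:
            continue  # hostnames or unparsable prefixes are skipped
        flows.append({"proto": proto, "dir": direction, "src": src, "dst": dst,
                      "type": ftype or "use", "family": family})
    return flows


def auto_block_flow(flows, ipv6_flag=False):
    """The commit's rule: deny all IPv6 unless a flow uses IPv6 or -6 disabled the feature."""
    if ipv6_flag or any(f["family"] == 6 for f in flows):
        return None
    return AUTO_BLOCK_FLOW


def ipv6_leak_check(text, ipv6_flag=False):
    """Defender's check: is the catch-all IPv6 deny expected, and is it actually installed?"""
    flows = parse_flows(text)
    uses_ipv6 = any(f["family"] == 6 and f["type"] != "deny" for f in flows)
    denies_ipv6 = any(f["family"] == 6 and f["type"] == "deny"
                      and f["src"] == "::/0" and f["dst"] == "::/0" for f in flows)
    deny_expected = not ipv6_flag and not uses_ipv6
    return {"uses_ipv6": uses_ipv6, "denies_ipv6": denies_ipv6,
            "deny_expected": deny_expected,
            "missing_auto_block": deny_expected and not denies_ipv6}
```

Run it against a real listing from a host running iked with IPv4-only flows: `missing_auto_block` should be False once the deny flow is loaded, and True only if "-6" was used deliberately or the feature is absent.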