On 11/23/2012 11:12 AM, Reyk Floeter wrote:
> In the section "Mitigations to VPN traffic-leakage vulnerabilities" of
> Fernando's paper it is suggested that a VPN client disables IPv6
> globally if it is not going to send all IPv6 traffic over the tunnel
> as well.  

The problem is that even if you tried to send all IPv6 traffic over the
VPN, the mechanism to achieve that might be non-trivial. E.g., some VPN
implementations install "more specific routes" that override (i.e., the
"longest matching prefix" thing) the existing default route -- but
there are a plethora of vectors that might be leveraged to install even
more specific routes than those (Route Information Options, ICMPv6
Redirects, etc.).

That is, "getting all the v6 traffic on the VPN tunnel" might be tricky.



> a) Just don't care about it and expect that admins configured pf and
> the interfaces correctly.

This one doesn't seem to obey the principle of "least surprise". Many
people are not aware of the implications of v6 on their "v4-only"
networks.



> d) Implement an automatic IPv6 kill switch in iked that follows the
> suggestion to disable all IPv6 traffic if we have an IPv4-only tunnel.
> iked(8) could use a pf anchor to load a block rule, disable
> net.inet6.ip6.forwarding, or we could add a knob net.inet6.enable=0
> that doesn't alter the configured routes and addresses and simply
> returns somewhere in the network stack (ugh).

This seems a sensible thing to do.

Cheers,
-- 
Fernando Gont
e-mail: [email protected] || [email protected]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
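As an added illustration (not code from the thread or from iked) of why longest-prefix matching makes the "more specific routes" approach fragile, and of how option d) closes the gap: a small Python model of route selection with a leak check and a kill-switch policy. The route table, the interface names (em0, tun0) and the injected prefix are all constructed.

```python
import ipaddress

# Constructed route table (not from the thread): (prefix, egress interface).
# "tun0" stands for the IPv4-only VPN tunnel, "em0" for the physical LAN NIC.
ROUTES = [
    ("::/0", "em0"),           # default route learnt from the LAN's RA
    ("::/0", "tun0"),          # VPN client "takes over" the default route
    ("2000::/3", "tun0"),      # more-specific route covering global unicast
    ("2001:db8::/32", "em0"),  # constructed: even more specific route, e.g. via RIO/redirect
]


def lookup(routes, dst):
    """Longest-prefix-match route selection, as the kernel does it.
    On a tie (equal prefix length) the later entry wins, modelling the VPN
    client overwriting the pre-existing default route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen >= best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def leaks(routes, dst, tunnel_if="tun0"):
    """True if traffic to dst would egress outside the tunnel."""
    return lookup(routes, dst) != tunnel_if


def kill_switch(routes, dst, tunnel_if="tun0"):
    """Option d) from the thread: block any IPv6 traffic not heading into
    the tunnel, regardless of what the routing table says."""
    return "pass" if lookup(routes, dst) == tunnel_if else "block"
```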
