Hi,

iked by default blocks all IPv6 traffic on a host unless any
of the configured policies use v6.  This was originally meant
as a measure to prevent VPN leakage for people who did not
think of IPv6 when configuring IPsec.  With the -6 flag
set, iked does not install this IPv6 blocking flow.

I think we should discuss whether we can remove the flow
(and the -6 flag) as I constantly hear people complaining
that it broke their setups and I don't think anyone
expects some seemingly unrelated program breaking IPv6.

diff --git a/sbin/iked/iked.8 b/sbin/iked/iked.8
index f715db47afd..c7682500414 100644
--- a/sbin/iked/iked.8
+++ b/sbin/iked/iked.8
@@ -22,7 +22,7 @@
 .Nd Internet Key Exchange version 2 (IKEv2) daemon
 .Sh SYNOPSIS
 .Nm iked
-.Op Fl 6dnSTtv
+.Op Fl dnSTtv
 .Op Fl D Ar macro Ns = Ns Ar value
 .Op Fl f Ar file
 .Sh DESCRIPTION
@@ -55,14 +55,6 @@ infrastructure.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
-.It Fl 6
-Disable automatic blocking of IPv6 traffic.
-By default,
-.Nm
-blocks any IPv6 traffic unless a flow for this address family has been
-negotiated.
-This option disables VPN traffic leakage prevention on dual stack hosts
-(RFC 7359).
 .It Fl D Ar macro Ns = Ns Ar value
 Define
 .Ar macro
diff --git a/sbin/iked/iked.c b/sbin/iked/iked.c
index 6714e0b2088..bc0b8109651 100644
--- a/sbin/iked/iked.c
+++ b/sbin/iked/iked.c
@@ -56,7 +56,7 @@ usage(void)
 {
        extern char     *__progname;
 
-       fprintf(stderr, "usage: %s [-6dnSTtv] [-D macro=value] "
+       fprintf(stderr, "usage: %s [-dnSTtv] [-D macro=value] "
            "[-f file]\n", __progname);
        exit(1);
 }
@@ -73,11 +73,8 @@ main(int argc, char *argv[])
 
        log_init(1, LOG_DAEMON);
 
-       while ((c = getopt(argc, argv, "6dD:nf:vSTt")) != -1) {
+       while ((c = getopt(argc, argv, "dD:nf:vSTt")) != -1) {
                switch (c) {
-               case '6':
-                       opts |= IKED_OPT_NOIPV6BLOCKING;
-                       break;
                case 'd':
                        debug++;
                        break;
diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h
index 897669ac625..5a071a43f75 100644
--- a/sbin/iked/iked.h
+++ b/sbin/iked/iked.h
@@ -950,7 +950,6 @@ int  eap_parse(struct iked *, struct iked_sa *, void *, 
int);
 int     pfkey_couple(int, struct iked_sas *, int);
 int     pfkey_flow_add(int fd, struct iked_flow *);
 int     pfkey_flow_delete(int fd, struct iked_flow *);
-int     pfkey_block(int, int, unsigned int);
 int     pfkey_sa_init(int, struct iked_childsa *, uint32_t *);
 int     pfkey_sa_add(int, struct iked_childsa *, struct iked_childsa *);
 int     pfkey_sa_update_addresses(int, struct iked_childsa *);
diff --git a/sbin/iked/pfkey.c b/sbin/iked/pfkey.c
index b9f90687784..de8055c6863 100644
--- a/sbin/iked/pfkey.c
+++ b/sbin/iked/pfkey.c
@@ -50,9 +50,7 @@
 
 static uint32_t sadb_msg_seq = 0;
 static unsigned int sadb_decoupled = 0;
-static unsigned int sadb_ipv6refcnt = 0;
 
-static int pfkey_blockipv6 = 0;
 static struct event pfkey_timer_ev;
 static struct timeval pfkey_timer_tv;
 
@@ -1259,12 +1257,6 @@ pfkey_flow_add(int fd, struct iked_flow *flow)
 
        flow->flow_loaded = 1;
 
-       if (flow->flow_dst.addr_af == AF_INET6) {
-               sadb_ipv6refcnt++;
-               if (sadb_ipv6refcnt == 1)
-                       return (pfkey_block(fd, AF_INET6, SADB_X_DELFLOW));
-       }
-
        return (0);
 }
 
@@ -1284,42 +1276,6 @@ pfkey_flow_delete(int fd, struct iked_flow *flow)
 
        flow->flow_loaded = 0;
 
-       if (flow->flow_dst.addr_af == AF_INET6) {
-               sadb_ipv6refcnt--;
-               if (sadb_ipv6refcnt == 0)
-                       return (pfkey_block(fd, AF_INET6, SADB_X_ADDFLOW));
-       }
-
-       return (0);
-}
-
-int
-pfkey_block(int fd, int af, unsigned int action)
-{
-       struct iked_flow         flow;
-
-       if (!pfkey_blockipv6)
-               return (0);
-
-       /*
-        * Prevent VPN traffic leakages in dual-stack hosts/networks.
-        * https://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
-        * We forcibly block IPv6 traffic unless it is used in any of
-        * the flows by tracking a sadb_ipv6refcnt reference counter.
-        */
-       bzero(&flow, sizeof(flow));
-       flow.flow_src.addr_af = flow.flow_src.addr.ss_family = af;
-       flow.flow_src.addr_net = 1;
-       socket_af((struct sockaddr *)&flow.flow_src.addr, 0);
-       flow.flow_dst.addr_af = flow.flow_dst.addr.ss_family = af;
-       flow.flow_dst.addr_net = 1;
-       socket_af((struct sockaddr *)&flow.flow_dst.addr, 0);
-       flow.flow_type = SADB_X_FLOW_TYPE_DENY;
-       flow.flow_dir = IPSP_DIRECTION_OUT;
-
-       if (pfkey_flow(fd, 0, action, &flow) == -1)
-               return (-1);
-
        return (0);
 }
 
@@ -1550,14 +1506,6 @@ pfkey_init(struct iked *env, int fd)
 
        if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL))
                fatal("pfkey_init: failed to set up AH acquires");
-
-       if (env->sc_opts & IKED_OPT_NOIPV6BLOCKING)
-               return;
-
-       /* Block all IPv6 traffic by default */
-       pfkey_blockipv6 = 1;
-       if (pfkey_block(fd, AF_INET6, SADB_X_ADDFLOW))
-               fatal("pfkey_init: failed to block IPv6 traffic");
 }
 
 void *
diff --git a/sbin/iked/types.h b/sbin/iked/types.h
index 4af62afae10..3c9e37a95df 100644
--- a/sbin/iked/types.h
+++ b/sbin/iked/types.h
@@ -49,7 +49,6 @@
 #define IKED_OPT_NONATT                0x00000004
 #define IKED_OPT_NATT          0x00000008
 #define IKED_OPT_PASSIVE       0x00000010
-#define IKED_OPT_NOIPV6BLOCKING        0x00000020
 
 #define IKED_IKE_PORT          500
 #define IKED_NATT_PORT         4500
