On 2020/01/14 21:48, Stuart Henderson wrote:
> On 2020/01/14 21:03, Tobias Heider wrote:
> > On Tue, Jan 14, 2020 at 09:17:11AM -0700, Theo de Raadt wrote:
> > > Stuart Henderson <s...@spacehopper.org> wrote:
> > > 
> > > > On 2020/01/13 20:51, Klemens Nanni wrote:
> > > > > I'm in favour of removing the option and OK with your diff, but simply
> > > > > removing it is probably a bad idea given its nature.
> > > > > 
> > > > > What about printing a deprecation warning so that users can safely
> > > > > adjust their rcctl flags instead of running into "iked(failed)" on the
> > > > > next snapshot.
> > > > 
> > > > Yes please make -6 a noop or a warning rather than an error. Sometimes
> > > > breakage is unavoidable, but this isn't one of those cases.
> > > 
> > > I agree.
> > > 
> > 
> > Makes sense. I added a warning and a notice in current.html.
> > 
> > ok?
> > 
> > Index: www/faq/current.html
> > ===================================================================
> > RCS file: /cvs/www/faq/current.html,v
> > retrieving revision 1.1017
> > diff -u -p -r1.1017 current.html
> > --- www/faq/current.html    31 Dec 2019 02:18:01 -0000      1.1017
> > +++ www/faq/current.html    14 Jan 2020 19:32:25 -0000
> > @@ -135,6 +135,12 @@ or they can be rebuilt from ports.
> >  </b><!--
> >  --></pre>
> >  
> > +<h3 id="r20200114">2020/1/14 - iked(8) automatic IPv6 blocking removed 
> > </h3>
> > +
> > +<a href="https://man.openbsd.org/iked.8";>iked(8)</a> no longer 
> > automatically adds
> > +an IPv6 blocking IPsec flow.
> > +The <code>-6</code> option is deprecated and should be removed from
> > +<a 
> > href="https://man.openbsd.org/rc.conf.local.8";><code>/etc/rc.conf.local</code></a>.
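Review bot: users who did not run with -6 relied on the automatic deny flow, and this entry gives them nothing to replace it with, so after the upgrade they lose the IPv6 blocking silently; add the equivalent ipsec.conf line (`flow esp out from ::/0 to ::/0 type deny`) together with the rcctl/ipsecctl commands that load it. The entry also calls -6 "deprecated" without saying what iked now does when it sees the flag (the thread settled on a warning rather than an error); saying so tells readers the daemon will still start with a stale rc.conf.local.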
> 
> How about this?
> 
> 
> Index: current.html
> ===================================================================
> RCS file: /cvs/www/faq/current.html,v
> retrieving revision 1.1017
> diff -u -p -r1.1017 current.html
> --- current.html      31 Dec 2019 02:18:01 -0000      1.1017
> +++ current.html      14 Jan 2020 21:47:35 -0000
> @@ -136,6 +136,33 @@ or they can be rebuilt from ports.
>  --></pre>
>  
>  
> +<h3 id="r20200114">2020/1/14 - iked(8) automatic IPv6 blocking removed </h3>
> +
> +<a href="https://man.openbsd.org/iked.8";>iked(8)</a> no longer automatically
> +blocks unencrypted outbound IPv6 packets.
> +This feature was intended to avoid accidental leakage, but in practice was
> +found to mostly be a cause of misconfiguration.
> +The <code>-6</code> flag was used to disable this feature but is now no 
> longer
> +needed and should be removed from <code><a
> +href="https://man.openbsd.org/rc.conf.local.8";>/etc/rc.conf.local</a></code>
> +if used.<p>
> +
> +Instead, if you would like to explicitly block these packets, add the 
> following
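Review bot: "Instead, if you would like to explicitly block these packets" reads as an alternative for the users who had set -6, but those users never had the deny flow; the ipsec.conf advice is for users who did not set -6 and want to keep the blocking, so the -6 paragraph should follow the ipsec.conf instructions rather than precede them. Also "is now no longer needed and should be removed ... if used" states the condition twice; "was used to disable this feature; it is no longer needed and should be removed from /etc/rc.conf.local" says the same thing once.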

Actually, on reading it back now I've posted it, "instead" is bad here,
with the previous sentence it makes it seem like this is something to do
if you *did* use -6, when actually it's something to do if you *didn't*
use -6 and want to keep the feature.

...

So here's some reordering that works better:

Index: current.html
===================================================================
RCS file: /cvs/www/faq/current.html,v
retrieving revision 1.1017
diff -u -p -r1.1017 current.html
--- current.html        31 Dec 2019 02:18:01 -0000      1.1017
+++ current.html        14 Jan 2020 21:53:31 -0000
@@ -136,6 +136,34 @@ or they can be rebuilt from ports.
 --></pre>
 
 
+<h3 id="r20200114">2020/1/14 - iked(8) automatic IPv6 blocking removed </h3>
+
+<a href="https://man.openbsd.org/iked.8";>iked(8)</a> no longer automatically
+blocks unencrypted outbound IPv6 packets.
+This feature was intended to avoid accidental leakage, but in practice was
+found to mostly be a cause of misconfiguration.
+Instead, if you would like to explicitly block these packets, add the following
+line to <code><a 
href="https://man.openbsd.org/ipsec.conf.5";>/etc/ipsec.conf</a></code>
+(<b>not</b> iked.conf):
+
+<pre class="cmdbox">
+<b>flow esp out from ::/0 to ::/0 type deny</b>
+</pre>
+
+and enable loading it with
+
+<pre class="cmdbox">
+# <b>rcctl enable ipsec</b>           # to load at boot
+# <b>ipsecctl -f /etc/ipsec.conf</b>  # to load immediately
+</pre>
+
+If you previously used <a href="https://man.openbsd.org/iked.8";>iked(8)</a>'s
+<code>-6</code> flag to disable this feature, it is no longer needed and should
+be removed from <code><a
+href="https://man.openbsd.org/rc.conf.local.8";>/etc/rc.conf.local</a></code>
+if used.<p>
+
+
 <!--
      Two blank lines before new sections.
      New sentences start on new lines.
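Review bot: the section should say how to confirm the replacement flow is actually installed, since a host that relied on the automatic deny flow will start sending IPv6 in the clear after this upgrade with nothing failing to show for it; after `ipsecctl -f /etc/ipsec.conf`, `ipsecctl -s flow` should list `flow esp out from ::/0 to ::/0 type deny`, and that one line of verification belongs next to the rcctl/ipsecctl commands. Two smaller points: the heading carries a trailing space before `</h3>`, and "it is no longer needed and should be removed ... if used" repeats the condition already set by "If you previously used", so "if used" can go. Finally, the `;` after the closing quote of each href, if it is really in the diff and not the archive's URL rewriting, will render as a literal semicolon on the page.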

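The two upgrade cases the entry above describes (drop -6 from iked_flags, or add the explicit deny flow if you never used -6) as one migration helper. This is an added example written for this page, not code from the OpenBSD project or from anyone in the thread; it assumes the rc.conf.local and ipsec.conf to edit are passed as arguments (so it can be run against copies first), uses the exact flow line from the entry, and does not handle -6 glued to another option letter. On a live system the supported way to change the flags is `rcctl set iked flags ...`; the direct edit here is for illustration.

```shell
#!/bin/sh
# Added example (not from the page or the OpenBSD project): migration helper
# for the iked -6 removal. Paths to rc.conf.local and ipsec.conf are given
# as arguments so the script can be tried on copies before touching /etc.
#
# Rule implemented:
#   - if iked_flags contains -6, drop that word (this host never had the
#     automatic IPv6 deny flow, so nothing else is needed);
#   - otherwise the host relied on the automatic blocking, so make sure
#     ipsec.conf carries the equivalent explicit deny flow.
# Assumption: -6 appears as its own word (iked -6 -v), not glued to another
# option letter; a combined "-6v" is not recognised.

DENY_FLOW='flow esp out from ::/0 to ::/0 type deny'

# Print the value of iked_flags from the given rc.conf.local, quotes removed
# (empty output if the variable is not set).
iked_flags_of() {
    sed -n 's/^iked_flags=//p' "$1" | sed 's/^"\(.*\)"$/\1/'
}

# Exit 0 if the flags string contains a standalone -6 word.
has_dash6() {
    case " $1 " in
        *" -6 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the flags string with every standalone -6 word removed.
strip_dash6() {
    out=""
    for w in $1; do
        [ "$w" = "-6" ] && continue
        out="${out:+$out }$w"
    done
    printf '%s' "$out"
}

# Rewrite the iked_flags line of rc.conf.local without -6, in place.
# (Flag strings containing | or & would need escaping; iked flags do not.)
fix_rc_conf_local() {
    new=$(strip_dash6 "$(iked_flags_of "$1")")
    tmp=$(mktemp) || return 1
    sed "s|^iked_flags=.*|iked_flags=\"$new\"|" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Exit 0 if ipsec.conf already contains the explicit deny flow as a line.
has_deny_flow() {
    grep -qx "$DENY_FLOW" "$1"
}

# Append the deny flow to ipsec.conf if it is missing (idempotent).
ensure_deny_flow() {
    has_deny_flow "$1" || printf '%s\n' "$DENY_FLOW" >> "$1"
}

# Apply the rule to one rc.conf.local / ipsec.conf pair; reports what it did.
migrate() {
    rc="$1" ipsec="$2"
    flags=$(iked_flags_of "$rc")
    if [ "$flags" = "NO" ]; then
        echo "iked disabled in $rc; nothing to do"
    elif has_dash6 "$flags"; then
        fix_rc_conf_local "$rc"
        echo "removed -6 from iked_flags in $rc"
    else
        ensure_deny_flow "$ipsec"
        echo "kept IPv6 blocking via explicit deny flow in $ipsec"
    fi
}

# Constructed sample input (not real system files) exercising both paths.
demo() {
    rc=$(mktemp) ipsec=$(mktemp)
    printf 'pf=YES\niked_flags="-v -6"\n' > "$rc"
    printf '# constructed ipsec.conf, initially empty\n' > "$ipsec"
    migrate "$rc" "$ipsec"      # -6 path: the flag is stripped
    printf 'iked_flags=""\n' > "$rc"
    migrate "$rc" "$ipsec"      # no -6 path: deny flow is appended
    rm -f "$rc" "$ipsec"
}

demo
```

After running it against the real files, `ipsecctl -f /etc/ipsec.conf` followed by `ipsecctl -s flow` should show the deny flow on hosts that took the second path; hosts on the first path only need `rcctl restart iked` to pick up the cleaned flags.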