diff options
author | tobhe <tobhe@cvs.openbsd.org> | 2020-01-14 22:28:30 +0000 |
---|---|---|
committer | tobhe <tobhe@cvs.openbsd.org> | 2020-01-14 22:28:30 +0000 |
commit | cd3dfe8f7a93ae564b41cc555ebfc7ba66b1164c (patch) | |
tree | d4ed9d9cd478c2e32d3736322582ff0f50d76d88 | |
parent | 4ccef1205d0d73910dcc167eb8d58bf359d1de26 (diff) |
Remove IPsec flow blocking unencrypted IPv6 traffic which was
meant to prevent VPN leakage but repeatedly broke people's
setups. The -6 flag which used to disable the blocking flow is
now ignored and prints a deprecation warning.
ok kn@ bluhm@ phessler@
-rw-r--r-- | sbin/iked/iked.8 | 14 | ||||
-rw-r--r-- | sbin/iked/iked.c | 7 | ||||
-rw-r--r-- | sbin/iked/iked.h | 3 | ||||
-rw-r--r-- | sbin/iked/pfkey.c | 54 | ||||
-rw-r--r-- | sbin/iked/types.h | 3 |
5 files changed, 10 insertions, 71 deletions
diff --git a/sbin/iked/iked.8 b/sbin/iked/iked.8 index f715db47afd..5e1d62d11cf 100644 --- a/sbin/iked/iked.8 +++ b/sbin/iked/iked.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: iked.8,v 1.22 2019/02/27 06:33:56 sthen Exp $ +.\" $OpenBSD: iked.8,v 1.23 2020/01/14 22:28:29 tobhe Exp $ .\" .\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org> .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: February 27 2019 $ +.Dd $Mdocdate: January 14 2020 $ .Dt IKED 8 .Os .Sh NAME @@ -22,7 +22,7 @@ .Nd Internet Key Exchange version 2 (IKEv2) daemon .Sh SYNOPSIS .Nm iked -.Op Fl 6dnSTtv +.Op Fl dnSTtv .Op Fl D Ar macro Ns = Ns Ar value .Op Fl f Ar file .Sh DESCRIPTION @@ -55,14 +55,6 @@ infrastructure. .Pp The options are as follows: .Bl -tag -width Ds -.It Fl 6 -Disable automatic blocking of IPv6 traffic. -By default, -.Nm -blocks any IPv6 traffic unless a flow for this address family has been -negotiated. -This option disables VPN traffic leakage prevention on dual stack hosts -(RFC 7359). .It Fl D Ar macro Ns = Ns Ar value Define .Ar macro diff --git a/sbin/iked/iked.c b/sbin/iked/iked.c index 6714e0b2088..33c2adf5a4f 100644 --- a/sbin/iked/iked.c +++ b/sbin/iked/iked.c @@ -1,4 +1,4 @@ -/* $OpenBSD: iked.c,v 1.38 2019/11/30 16:07:12 tobhe Exp $ */ +/* $OpenBSD: iked.c,v 1.39 2020/01/14 22:28:29 tobhe Exp $ */ /* * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de> @@ -56,7 +56,7 @@ usage(void) { extern char *__progname; - fprintf(stderr, "usage: %s [-6dnSTtv] [-D macro=value] " + fprintf(stderr, "usage: %s [-dnSTtv] [-D macro=value] " "[-f file]\n", __progname); exit(1); } @@ -76,7 +76,8 @@ main(int argc, char *argv[]) while ((c = getopt(argc, argv, "6dD:nf:vSTt")) != -1) { switch (c) { case '6': - opts |= IKED_OPT_NOIPV6BLOCKING; + log_warnx("the -6 option is deprecated and will be " + "removed in the future."); break; case 'd': debug++; diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h index 897669ac625..c3d17a8cf0d 100644 --- a/sbin/iked/iked.h +++ b/sbin/iked/iked.h @@ -1,4 +1,4 @@ -/* $OpenBSD: iked.h,v 1.130 2020/01/07 15:08:28 tobhe Exp $ */ +/* $OpenBSD: iked.h,v 1.131 2020/01/14 22:28:29 tobhe Exp $ */ /* * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de> @@ -950,7 +950,6 @@ int eap_parse(struct iked *, struct iked_sa *, void *, int); int pfkey_couple(int, struct iked_sas *, int); int pfkey_flow_add(int fd, struct iked_flow *); int pfkey_flow_delete(int fd, struct iked_flow *); -int pfkey_block(int, int, unsigned int); int pfkey_sa_init(int, struct iked_childsa *, uint32_t *); int pfkey_sa_add(int, struct iked_childsa *, struct iked_childsa *); int pfkey_sa_update_addresses(int, struct iked_childsa *); diff --git a/sbin/iked/pfkey.c b/sbin/iked/pfkey.c index b9f90687784..b4d2ffff537 100644 --- a/sbin/iked/pfkey.c +++ b/sbin/iked/pfkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkey.c,v 1.62 2020/01/07 15:08:28 tobhe Exp $ */ +/* $OpenBSD: pfkey.c,v 1.63 2020/01/14 22:28:29 tobhe Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> @@ -50,9 +50,7 @@ static uint32_t sadb_msg_seq = 0; static unsigned int sadb_decoupled = 0; -static unsigned int sadb_ipv6refcnt = 0; -static int pfkey_blockipv6 = 0; static struct event pfkey_timer_ev; static struct timeval pfkey_timer_tv; @@ -1259,12 +1257,6 @@ pfkey_flow_add(int fd, struct iked_flow *flow) flow->flow_loaded = 1; - if (flow->flow_dst.addr_af == AF_INET6) { - sadb_ipv6refcnt++; - if (sadb_ipv6refcnt == 1) - return (pfkey_block(fd, AF_INET6, SADB_X_DELFLOW)); - } - return (0); } @@ -1284,42 +1276,6 @@ pfkey_flow_delete(int fd, struct iked_flow *flow) flow->flow_loaded = 0; - if (flow->flow_dst.addr_af == AF_INET6) { - sadb_ipv6refcnt--; - if (sadb_ipv6refcnt == 0) - return (pfkey_block(fd, AF_INET6, SADB_X_ADDFLOW)); - } - - return (0); -} - -int -pfkey_block(int fd, int af, unsigned int action) -{ - struct iked_flow flow; - - if (!pfkey_blockipv6) - return (0); - - /* - * Prevent VPN traffic leakages in dual-stack hosts/networks. - * https://tools.ietf.org/html/draft-gont-opsec-vpn-leakages. - * We forcibly block IPv6 traffic unless it is used in any of - * the flows by tracking a sadb_ipv6refcnt reference counter. - */ - bzero(&flow, sizeof(flow)); - flow.flow_src.addr_af = flow.flow_src.addr.ss_family = af; - flow.flow_src.addr_net = 1; - socket_af((struct sockaddr *)&flow.flow_src.addr, 0); - flow.flow_dst.addr_af = flow.flow_dst.addr.ss_family = af; - flow.flow_dst.addr_net = 1; - socket_af((struct sockaddr *)&flow.flow_dst.addr, 0); - flow.flow_type = SADB_X_FLOW_TYPE_DENY; - flow.flow_dir = IPSP_DIRECTION_OUT; - - if (pfkey_flow(fd, 0, action, &flow) == -1) - return (-1); - return (0); } @@ -1550,14 +1506,6 @@ pfkey_init(struct iked *env, int fd) if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL)) fatal("pfkey_init: failed to set up AH acquires"); - - if (env->sc_opts & IKED_OPT_NOIPV6BLOCKING) - return; - - /* Block all IPv6 traffic by default */ - pfkey_blockipv6 = 1; - if (pfkey_block(fd, AF_INET6, SADB_X_ADDFLOW)) - fatal("pfkey_init: failed to block IPv6 traffic"); } void * diff --git a/sbin/iked/types.h b/sbin/iked/types.h index 4af62afae10..94ceea80a64 100644 --- a/sbin/iked/types.h +++ b/sbin/iked/types.h @@ -1,4 +1,4 @@ -/* $OpenBSD: types.h,v 1.30 2019/05/11 16:30:23 patrick Exp $ */ +/* $OpenBSD: types.h,v 1.31 2020/01/14 22:28:29 tobhe Exp $ */ /* * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de> @@ -49,7 +49,6 @@ #define IKED_OPT_NONATT 0x00000004 #define IKED_OPT_NATT 0x00000008 #define IKED_OPT_PASSIVE 0x00000010 -#define IKED_OPT_NOIPV6BLOCKING 0x00000020 #define IKED_IKE_PORT 500 #define IKED_NATT_PORT 4500 |