authortobhe <tobhe@cvs.openbsd.org>2020-01-14 22:28:30 +0000
committertobhe <tobhe@cvs.openbsd.org>2020-01-14 22:28:30 +0000
commitcd3dfe8f7a93ae564b41cc555ebfc7ba66b1164c (patch)
treed4ed9d9cd478c2e32d3736322582ff0f50d76d88
parent4ccef1205d0d73910dcc167eb8d58bf359d1de26 (diff)
Remove IPsec flow blocking unencrypted IPv6 traffic which was
meant to prevent VPN leakage but repeatedly broke people's setups. The -6 flag which used to disable the blocking flow is now ignored and prints a deprecation warning. ok kn@ bluhm@ phessler@
-rw-r--r--sbin/iked/iked.814
-rw-r--r--sbin/iked/iked.c7
-rw-r--r--sbin/iked/iked.h3
-rw-r--r--sbin/iked/pfkey.c54
-rw-r--r--sbin/iked/types.h3
5 files changed, 10 insertions, 71 deletions
diff --git a/sbin/iked/iked.8 b/sbin/iked/iked.8
index f715db47afd..5e1d62d11cf 100644
--- a/sbin/iked/iked.8
+++ b/sbin/iked/iked.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: iked.8,v 1.22 2019/02/27 06:33:56 sthen Exp $
+.\" $OpenBSD: iked.8,v 1.23 2020/01/14 22:28:29 tobhe Exp $
.\"
.\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: February 27 2019 $
+.Dd $Mdocdate: January 14 2020 $
.Dt IKED 8
.Os
.Sh NAME
@@ -22,7 +22,7 @@
.Nd Internet Key Exchange version 2 (IKEv2) daemon
.Sh SYNOPSIS
.Nm iked
-.Op Fl 6dnSTtv
+.Op Fl dnSTtv
.Op Fl D Ar macro Ns = Ns Ar value
.Op Fl f Ar file
.Sh DESCRIPTION
@@ -55,14 +55,6 @@ infrastructure.
.Pp
The options are as follows:
.Bl -tag -width Ds
-.It Fl 6
-Disable automatic blocking of IPv6 traffic.
-By default,
-.Nm
-blocks any IPv6 traffic unless a flow for this address family has been
-negotiated.
-This option disables VPN traffic leakage prevention on dual stack hosts
-(RFC 7359).
.It Fl D Ar macro Ns = Ns Ar value
Define
.Ar macro
diff --git a/sbin/iked/iked.c b/sbin/iked/iked.c
index 6714e0b2088..33c2adf5a4f 100644
--- a/sbin/iked/iked.c
+++ b/sbin/iked/iked.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: iked.c,v 1.38 2019/11/30 16:07:12 tobhe Exp $ */
+/* $OpenBSD: iked.c,v 1.39 2020/01/14 22:28:29 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -56,7 +56,7 @@ usage(void)
{
extern char *__progname;
- fprintf(stderr, "usage: %s [-6dnSTtv] [-D macro=value] "
+ fprintf(stderr, "usage: %s [-dnSTtv] [-D macro=value] "
"[-f file]\n", __progname);
exit(1);
}
@@ -76,7 +76,8 @@ main(int argc, char *argv[])
while ((c = getopt(argc, argv, "6dD:nf:vSTt")) != -1) {
switch (c) {
case '6':
- opts |= IKED_OPT_NOIPV6BLOCKING;
+ log_warnx("the -6 option is deprecated and will be "
+ "removed in the future.");
break;
case 'd':
debug++;
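Review bot: The new warning in the `case '6':` branch tells the operator that the flag is going away but not that the behaviour it used to control is already gone: after this commit pfkey_init no longer installs the IPv6 deny flow at all, so a dual-stack host with an IPv4-only tunnel will send IPv6 traffic in the clear, the RFC 7359 leak the deleted iked.8 text described, and an operator who ran iked without -6 relying on that default gets no signal at startup. I would make the message state the consequence and name a replacement, e.g. `log_warnx("the -6 option is deprecated and ignored; iked no longer blocks non-IPsec IPv6 traffic, use pf(4) if VPN leak prevention is required");`, and add a CAVEATS paragraph to iked.8 saying the same, since the manual hunk only deletes the -6 description. Keeping `6` in the getopt string so the flag is still accepted, as the hunk does, is the right call for existing rc scripts. main() begins and ends outside this hunk.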
diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h
index 897669ac625..c3d17a8cf0d 100644
--- a/sbin/iked/iked.h
+++ b/sbin/iked/iked.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: iked.h,v 1.130 2020/01/07 15:08:28 tobhe Exp $ */
+/* $OpenBSD: iked.h,v 1.131 2020/01/14 22:28:29 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -950,7 +950,6 @@ int eap_parse(struct iked *, struct iked_sa *, void *, int);
int pfkey_couple(int, struct iked_sas *, int);
int pfkey_flow_add(int fd, struct iked_flow *);
int pfkey_flow_delete(int fd, struct iked_flow *);
-int pfkey_block(int, int, unsigned int);
int pfkey_sa_init(int, struct iked_childsa *, uint32_t *);
int pfkey_sa_add(int, struct iked_childsa *, struct iked_childsa *);
int pfkey_sa_update_addresses(int, struct iked_childsa *);
diff --git a/sbin/iked/pfkey.c b/sbin/iked/pfkey.c
index b9f90687784..b4d2ffff537 100644
--- a/sbin/iked/pfkey.c
+++ b/sbin/iked/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.62 2020/01/07 15:08:28 tobhe Exp $ */
+/* $OpenBSD: pfkey.c,v 1.63 2020/01/14 22:28:29 tobhe Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -50,9 +50,7 @@
static uint32_t sadb_msg_seq = 0;
static unsigned int sadb_decoupled = 0;
-static unsigned int sadb_ipv6refcnt = 0;
-static int pfkey_blockipv6 = 0;
static struct event pfkey_timer_ev;
static struct timeval pfkey_timer_tv;
@@ -1259,12 +1257,6 @@ pfkey_flow_add(int fd, struct iked_flow *flow)
flow->flow_loaded = 1;
- if (flow->flow_dst.addr_af == AF_INET6) {
- sadb_ipv6refcnt++;
- if (sadb_ipv6refcnt == 1)
- return (pfkey_block(fd, AF_INET6, SADB_X_DELFLOW));
- }
-
return (0);
}
@@ -1284,42 +1276,6 @@ pfkey_flow_delete(int fd, struct iked_flow *flow)
flow->flow_loaded = 0;
- if (flow->flow_dst.addr_af == AF_INET6) {
- sadb_ipv6refcnt--;
- if (sadb_ipv6refcnt == 0)
- return (pfkey_block(fd, AF_INET6, SADB_X_ADDFLOW));
- }
-
- return (0);
-}
-
-int
-pfkey_block(int fd, int af, unsigned int action)
-{
- struct iked_flow flow;
-
- if (!pfkey_blockipv6)
- return (0);
-
- /*
- * Prevent VPN traffic leakages in dual-stack hosts/networks.
- * https://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
- * We forcibly block IPv6 traffic unless it is used in any of
- * the flows by tracking a sadb_ipv6refcnt reference counter.
- */
- bzero(&flow, sizeof(flow));
- flow.flow_src.addr_af = flow.flow_src.addr.ss_family = af;
- flow.flow_src.addr_net = 1;
- socket_af((struct sockaddr *)&flow.flow_src.addr, 0);
- flow.flow_dst.addr_af = flow.flow_dst.addr.ss_family = af;
- flow.flow_dst.addr_net = 1;
- socket_af((struct sockaddr *)&flow.flow_dst.addr, 0);
- flow.flow_type = SADB_X_FLOW_TYPE_DENY;
- flow.flow_dir = IPSP_DIRECTION_OUT;
-
- if (pfkey_flow(fd, 0, action, &flow) == -1)
- return (-1);
-
return (0);
}
@@ -1550,14 +1506,6 @@ pfkey_init(struct iked *env, int fd)
if (pfkey_write(fd, &smsg, &iov, 1, NULL, NULL))
fatal("pfkey_init: failed to set up AH acquires");
-
- if (env->sc_opts & IKED_OPT_NOIPV6BLOCKING)
- return;
-
- /* Block all IPv6 traffic by default */
- pfkey_blockipv6 = 1;
- if (pfkey_block(fd, AF_INET6, SADB_X_ADDFLOW))
- fatal("pfkey_init: failed to block IPv6 traffic");
}
void *
diff --git a/sbin/iked/types.h b/sbin/iked/types.h
index 4af62afae10..94ceea80a64 100644
--- a/sbin/iked/types.h
+++ b/sbin/iked/types.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: types.h,v 1.30 2019/05/11 16:30:23 patrick Exp $ */
+/* $OpenBSD: types.h,v 1.31 2020/01/14 22:28:29 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -49,7 +49,6 @@
#define IKED_OPT_NONATT 0x00000004
#define IKED_OPT_NATT 0x00000008
#define IKED_OPT_PASSIVE 0x00000010
-#define IKED_OPT_NOIPV6BLOCKING 0x00000020
#define IKED_IKE_PORT 500
#define IKED_NATT_PORT 4500