Re: iked(8) prevents inet6 communication

2018-07-03 Thread Reyk Floeter
Hi, after some discussions, we found a better approach and a way to improve this. Please hold on for a few days. Reyk > Am 03.07.2018 um 21:42 schrieb David Dahlberg : > > Am Tuesday, den 03.07.2018, 19:01 +0200 schrieb Reyk Floeter: >> A dual-homed host should not have IPsec on v4 and "open"

Re: iked(8) prevents inet6 communication

2018-07-03 Thread David Dahlberg
Am Tuesday, den 03.07.2018, 19:01 +0200 schrieb Reyk Floeter: > A dual-homed host should not have IPsec on v4 and "open" v6 at the > same time; the leakage is a real risk. I did add it intentionally; > we've discussed it in depth when the problem was reported by Gont. I guess with "dual-homed" yo

Re: iked(8) prevents inet6 communication

2018-07-03 Thread Reyk Floeter
On Tue, Jul 03, 2018 at 03:06:34PM +0100, Stuart Henderson wrote: > > If that is the case, what is going on here is unacceptable. > > > > That is exactly what was intended with the 2012/11/29 commit. > This is the scenario it tries to avoid: > > - user has a vpn for 0.0.0.0/0 on a host with the

Re: iked(8) prevents inet6 communication

2018-07-03 Thread Stuart Henderson
On 2018/07/03 07:35, Theo de Raadt wrote: > Stefan Sperling wrote: > > > On Tue, Jul 03, 2018 at 12:54:36PM +0100, Stuart Henderson wrote: > > > On 2018/07/03 13:42, Stefan Sperling wrote: > > > > On Tue, Jul 03, 2018 at 01:34:09PM +0200, David Dahlberg wrote: > > > > > Am Tuesday, den 03.07.2018

Re: iked(8) prevents inet6 communication

2018-07-03 Thread Stefan Sperling
On Tue, Jul 03, 2018 at 02:57:40PM +0200, Stefan Sperling wrote: > Apart from the above points, this change looks like an improvement to me. > Could you send a fixed version? A new patch was provided off-list by David and I have just committed it. Thanks!

Re: iked(8) prevents inet6 communication

2018-07-03 Thread Theo de Raadt
Stefan Sperling wrote: > On Tue, Jul 03, 2018 at 12:54:36PM +0100, Stuart Henderson wrote: > > On 2018/07/03 13:42, Stefan Sperling wrote: > > > On Tue, Jul 03, 2018 at 01:34:09PM +0200, David Dahlberg wrote: > > > > Am Tuesday, den 03.07.2018, 13:29 +0200 schrieb Stefan Sperling: > > > > > Not a

Re: iked(8) prevents inet6 communication

2018-07-03 Thread Sebastian Benoit
David Dahlberg(david+bsd@dahlberg.cologne) on 2018.07.03 14:39:10 +0200: > Am Tuesday, den 03.07.2018, 13:42 +0200 schrieb Stefan Sperling: > > Would you be able to send a patch for the iked man page which > > explicitly mentions VPN traffic leakage and RFC 7359 (in the > > STANDARDS section, perha

Re: iked(8) prevents inet6 communication

2018-07-03 Thread Stefan Sperling
On Tue, Jul 03, 2018 at 02:39:10PM +0200, David Dahlberg wrote: > Am Tuesday, den 03.07.2018, 13:42 +0200 schrieb Stefan Sperling: > > Would you be able to send a patch for the iked man page which > > explicitly mentions VPN traffic leakage and RFC 7359 (in the > > STANDARDS section, perhaps)? > >

Re: iked(8) prevents inet6 communication

2018-07-03 Thread David Dahlberg
Am Tuesday, den 03.07.2018, 14:20 +0200 schrieb Stefan Sperling: > "RFC 7359" should be mentioned since > it provides a wealth of context the man page cannot provide [..] > It might also make sense to add a brief sentence in DESCRIPTION which > already > lists other related RFCs. It as it is not t

Re: iked(8) prevents inet6 communication

2018-07-03 Thread David Dahlberg
Am Tuesday, den 03.07.2018, 13:42 +0200 schrieb Stefan Sperling: > Would you be able to send a patch for the iked man page which > explicitly mentions VPN traffic leakage and RFC 7359 (in the > STANDARDS section, perhaps)? No problem; VPN leakage is already mentioned. As you mentioned, it is sligh

Re: iked(8) prevents inet6 communication

2018-07-03 Thread Stefan Sperling
On Tue, Jul 03, 2018 at 12:54:36PM +0100, Stuart Henderson wrote: > On 2018/07/03 13:42, Stefan Sperling wrote: > > On Tue, Jul 03, 2018 at 01:34:09PM +0200, David Dahlberg wrote: > > > Am Tuesday, den 03.07.2018, 13:29 +0200 schrieb Stefan Sperling: > > > > Not a bug. This behaviour is intentiona

Re: iked(8) prevents inet6 communication

2018-07-03 Thread Stuart Henderson
On 2018/07/03 13:42, Stefan Sperling wrote: > On Tue, Jul 03, 2018 at 01:34:09PM +0200, David Dahlberg wrote: > > Am Tuesday, den 03.07.2018, 13:29 +0200 schrieb Stefan Sperling: > > > Not a bug. This behaviour is intentional and avoids VPN traffic > > > leakage. > > > See RFC 7359 and the iked(8)

Re: iked(8) prevents inet6 communication

2018-07-03 Thread Stefan Sperling
On Tue, Jul 03, 2018 at 01:34:09PM +0200, David Dahlberg wrote: > Am Tuesday, den 03.07.2018, 13:29 +0200 schrieb Stefan Sperling: > > Not a bug. This behaviour is intentional and avoids VPN traffic > > leakage. > > See RFC 7359 and the iked(8) man page. Use the -6 option (risks > > leakage), > >

Re: iked(8) prevents inet6 communication

2018-07-03 Thread David Dahlberg
Am Tuesday, den 03.07.2018, 13:29 +0200 schrieb Stefan Sperling: > Not a bug. This behaviour is intentional and avoids VPN traffic > leakage. > See RFC 7359 and the iked(8) man page. Use the -6 option (risks > leakage), Then sorry for the noise. I extensively searched for documentation of this beh

Re: iked(8) prevents inet6 communication

2018-07-03 Thread Stefan Sperling
On Tue, Jul 03, 2018 at 12:47:20PM +0200, david+bsd@dahlberg.cologne wrote: > >Synopsis: iked installs ipsec flow which prevents inet6 communication > >Category: system > >Environment: > System : OpenBSD 6.3 > Details : OpenBSD 6.3-current (GENERIC.MP) #80: Sun Ju

iked(8) prevents inet6 communication

2018-07-03 Thread david+bsd
>Synopsis: iked installs ipsec flow which prevents inet6 communication >Category: system >Environment: System : OpenBSD 6.3 Details : OpenBSD 6.3-current (GENERIC.MP) #80: Sun Jul 1 12:22:16 MDT 2018 dera...@amd64.openbsd.org:/usr/src/s