From owner-freebsd-net@FreeBSD.ORG Tue Nov 27 14:53:14 2012
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D680F21A for ; Tue, 27 Nov 2012 14:53:14 +0000 (UTC) (envelope-from fernando@gont.com.ar)
Received: from web01.jbserver.net (web01.jbserver.net [93.186.182.34]) by mx1.freebsd.org (Postfix) with ESMTP id 912678FC14 for ; Tue, 27 Nov 2012 14:53:14 +0000 (UTC)
Received: from 187-135-17-190.fibertel.com.ar ([190.17.135.187] helo=[192.168.1.113]) by web01.jbserver.net with esmtpsa (TLSv1:DHE-RSA-CAMELLIA256-SHA:256) (Exim 4.80.1) (envelope-from ) id 1TdMWS-0003u7-4e; Tue, 27 Nov 2012 15:52:28 +0100
Message-ID: <50B4D3A5.9090107@gont.com.ar>
Date: Tue, 27 Nov 2012 11:52:21 -0300
From: Fernando Gont
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: Seth Mos
Subject: Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts
References: <50B4C714.6080206@gont.com.ar> <50B4CE50.4060508@dds.nl>
In-Reply-To: <50B4CE50.4060508@dds.nl>
X-Enigmail-Version: 1.4.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 27 Nov 2012 14:53:14 -0000

On 11/27/2012 11:29 AM, Seth Mos wrote:
>>
>> For a project such as OpenVPN, a (portable) fix might be non-trivial.
>> However, I guess FreeBSD might hook some PF rules when establishing the
>> VPN tunnel, such that e.g. all v6 traffic is filtered (yes, this is
>> certainly not the most desirable fix, but still probably better than
>> having your supposedly-secured traffic being sent in the clear).
>
> No need for filtering. Just forward the traffic over the tunnel.

How do you implement that magic?

Or, put another way, how does the client behave if you, e.g., get an
ICMPv6 Redirect, a more-specific route by means of the Route Information
Option or Prefix Information Option in an RA, etc.

I discussed this issue with one of the OpenVPN developers, and he noted
that they were still vulnerable to this kind of thing.

> Our OpenVPN server for road warriors sends an IPv6 prefix to be used on
> OpenVPN as well as an IPv4 address. It works well.

The question is: what happens when under attack? (please see above)

Cheers,
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
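Added illustration (editor's own code, not from this thread, OpenVPN or FreeBSD): the failure mode Fernando is pointing at is that a VPN client which only installs a `::/0` default route over the tunnel loses to any more specific route the local link can inject. The script below builds a constructed rogue Router Advertisement carrying a Route Information Option (RFC 4191, type 24) and an on-link Prefix Information Option (RFC 4861, type 3), parses it the way a receiving host would (skipping unrelated options by their length field), installs the learned routes and an ICMPv6 Redirect host route into a minimal longest-prefix-match table, and lists which destinations would then leave on the physical interface instead of the tunnel. The interface names `tun0`/`em0`, the `2001:db8::/32` prefixes and the target addresses are assumptions made for the demo.

```python
"""Constructed demo: rogue RA / Redirect vs. a VPN ::/0 default route.

Editor's example, not code from the thread, OpenVPN or FreeBSD.  Interface
names (tun0, em0), prefixes and destinations are assumptions for the demo.
"""
import ipaddress

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFO = 3     # RFC 4861 s.4.6.2 (PIO)
OPT_ROUTE_INFO = 24     # RFC 4191 s.2.3   (RIO)
PIO_FLAG_ONLINK = 0x80  # L flag: prefix is directly reachable on this link


class RouteTable:
    """Minimal IPv6 FIB doing longest-prefix match, as the kernel does."""

    def __init__(self):
        self.routes = []  # (IPv6Network, egress interface)

    def add(self, net, ifname):
        self.routes.append((ipaddress.IPv6Network(net), ifname))

    def lookup(self, dst):
        dst = ipaddress.IPv6Address(dst)
        best = None
        for net, ifname in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifname)
        return best[1] if best else None


def parse_ra(pkt):
    """Return [(kind, IPv6Network)] for on-link PIOs and RIOs in an RA.

    Options the parser does not understand are skipped by their length
    field (RFC 4861 s.4.6), so the result is exactly the set of routes a
    host would add on receipt."""
    if len(pkt) < 16 or pkt[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    learned, off = [], 16          # 16-byte ICMPv6 RA header precedes the options
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")
        body = pkt[off:off + olen * 8]
        if len(body) != olen * 8:
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFO and olen == 4 and body[3] & PIO_FLAG_ONLINK:
            learned.append(("pio", ipaddress.IPv6Network((body[16:32], body[2]), strict=False)))
        elif otype == OPT_ROUTE_INFO and 1 <= olen <= 3:
            prefix = body[8:olen * 8].ljust(16, b"\x00")   # 0, 8 or 16 prefix bytes
            learned.append(("rio", ipaddress.IPv6Network((prefix, body[2]), strict=False)))
        off += olen * 8
    return learned


def apply_ra(table, pkt, ifname):
    """Install every route the RA would make the host learn, via ifname."""
    for _kind, net in parse_ra(pkt):
        table.add(net, ifname)


def apply_redirect(table, dst, ifname):
    """ICMPv6 Redirect (RFC 4861 s.8): the host installs a /128 route for dst."""
    table.add(ipaddress.IPv6Network(dst + "/128"), ifname)


def leaks(table, dsts, vpn_if):
    """Destinations whose packets would egress on something other than the tunnel."""
    return [d for d in dsts if table.lookup(d) != vpn_if]


# --- constructed packet: an RA a rogue router on the LAN might send -----------
# RA header: type 134, code 0, checksum 0, hop limit 64, flags 0, lifetime 1800
RA_HDR = bytes([134, 0, 0, 0, 64, 0, 0x07, 0x08]) + b"\x00" * 8
# MTU option (type 5): unrelated, present only to exercise option skipping
OPT_MTU = b"\x05\x01\x00\x00\x00\x00\x05\xdc"
# RIO: 2001:db8::/32, high preference, infinite lifetime (more specific than ::/0)
OPT_RIO = b"\x18\x02\x20\x08\xff\xff\xff\xff" + b"\x20\x01\x0d\xb8\x00\x00\x00\x00"
# PIO: 2001:db8:1::/64 with L and A set -> host treats the prefix as on-link
OPT_PIO = (b"\x03\x04\x40\xc0" + b"\xff" * 4 + b"\xff" * 4 + b"\x00" * 4
           + b"\x20\x01\x0d\xb8\x00\x01" + b"\x00" * 10)
ROGUE_RA = RA_HDR + OPT_MTU + OPT_RIO + OPT_PIO

TARGETS = ["2001:db8::1", "2001:db8:1::5", "2001:db8:ffff::9",
           "2001:4860:4860::8888", "2a00:1450::1"]


def demo():
    """Return (leaks before the attack, leaks after the attack)."""
    fib = RouteTable()
    fib.add("::/0", "tun0")            # VPN pushed a v6 default route over the tunnel
    before = leaks(fib, TARGETS, "tun0")
    apply_ra(fib, ROGUE_RA, "em0")     # rogue RA received on the physical LAN interface
    apply_redirect(fib, "2001:4860:4860::8888", "em0")   # plus one Redirect
    after = leaks(fib, TARGETS, "tun0")
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("leaking before attack:", before)
    print("leaking after attack: ", after)
```

The `leaks()` list is precisely the traffic that the PF hook Fernando sketches would have to drop: with the tunnel up, block outbound `inet6` except on the tunnel interface (my own sketch of such a rule would be a `block out inet6` followed by a `pass out on tun0 inet6`, not something from the thread). Two caveats a practitioner will want: if the VPN's own outer transport runs over IPv6 the rule must still pass the endpoint address on the physical interface, and Neighbor Discovery on the link (link-local ICMPv6) must remain allowed or the host loses its default router when the tunnel goes down.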