Date: Tue, 27 Nov 2012 11:52:21 -0300 From: Fernando Gont <fernando@gont.com.ar> To: Seth Mos <seth.mos@dds.nl> Cc: freebsd-net@freebsd.org Subject: Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts Message-ID: <50B4D3A5.9090107@gont.com.ar> In-Reply-To: <50B4CE50.4060508@dds.nl> References: <50B4C714.6080206@gont.com.ar> <50B4CE50.4060508@dds.nl>
next in thread | previous in thread | raw e-mail | index | archive | help
On 11/27/2012 11:29 AM, Seth Mos wrote: >> >> For a project such as OpenVPN, a (portable) fix might be non-trivial. >> However, I guess FreeBSD might hook some PF rules when establishing the >> VPN tunnel, such that e.g. all v6 traffic is filtered (yes, this is >> certainly not the most desirable fix, but still probably better than >> having your supposedly-secured traffic being sent in the clear). > > No need for filtering. Just forward the traffic over the tunnel. How do you implement that magic? Or, put another way, how does the client behave if you, e.g., get an ICMPv6 Redirect, a more-specific route by means of the Route Information Option or Prefix Information Option in an RA, etc. I discussed this issue with one of the OpenVPN developers, and he noted that they were still vulnerable to this kind of thing. > Our OpenVPN server for road warriors sends a IPv6 prefix to be used on > OpenVPN as well as a IPv4 address. It works well. The questions is: what happens when under attack? (please see above) Cheers, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@si6networks.com PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50B4D3A5.9090107>