We use the -6 option and I agree with deprecating it for one OpenBSD release instead.
Especially now with sysupgrade(8), after upgrading our remote servers, our site-to-site VPN wouldn't come back up after upgrade.

On Mon, Jan 13, 2020 at 12:58 PM Klemens Nanni <k...@openbsd.org> wrote:
> On Mon, Jan 13, 2020 at 05:55:06PM +0100, Tobias Heider wrote:
> > iked by default blocks all IPv6 traffic on a host unless any
> > of the configured policies use v6. This was originally meant
> > as a measure to prevent VPN leakage for people who did not
> > think of IPv6 when configuring IPsec. With the -6 flag
> > set, iked does not install this IPv6 blocking flow.
> It is still considered a leakage prevention, although I doubt its
> usefulness.
>
> > I think we should discuss whether we can remove the flow
> > (and the -6 flag) as I constantly hear people complaining
> > that it broke their setups and I don't think anyone
> > expects some seemingly unrelated program breaking IPv6.
> iked(8) is the only tool I know going completely counter-intuitive with
> its `-6' option; I expect those to behave like in nc(1).
>
> I'm in favour of removing the option and OK with your diff, but simply
> removing it is probably a bad idea given its nature.
>
> What about printing a deprecation warning so that users can safely
> adjust their rcctl flags instead of running into "iked(failed)" on the
> next snapshot.