Bug #598

Wrong source IPv6 address selection for virtual address and split-tunnel

Added by Ruslan Marchenko almost 6 years ago. Updated almost 6 years ago.

Status: Closed
Priority: Normal
Category: libhydra
Target version:
Start date: 22.05.2014
Due date:
Estimated time:
Affected version: 5.1.3
Resolution: Fixed

Description

Hi,
When rw receives an address to install, that address is appended to the interface with global scope and indefinite lifetime.
This causes the address to be used by non-ipsec traffic - which definitely fails.
To mitigate this, an address should be marked as invalid for rfc sort. For ipsec traffic the source is assigned explicitly by rule, so address validity is irrelevant.
The proposed patch sets the preferred lifetime for an address to 0, which immediately deprecates the address. This exempts the address from normal src selection by the IPv6 stack implementation.
Regards,
Ruslan


Related issues

Related to Issue #694: IPv6 address assigned via CPREQ(ADDR6) is set to "deprecated", preferred_lft 0sec (Closed)

Associated revisions

Revision 90854d28 (diff)
Added by Tobias Brunner almost 6 years ago

kernel-netlink: Install virtual IPv6 addresses as deprecated

This should prevent the kernel's IPv6 source address selection algorithm
from using this address unless it is forced to by our source route.
This is helpful if split tunneling is used.

Fixes #598.
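
The kind of netlink request the report and commit above describe, as an added example that is not strongSwan's code: an RTM_NEWADDR message whose IFA_CACHEINFO attribute carries a preferred lifetime of 0 and an infinite valid lifetime, built in memory and read back without being sent to the kernel. The struct and function names, the address 2001:db8::10 and interface index 2 are constructed for illustration.

```c
#include <arpa/inet.h>
#include <string.h>
#include <linux/rtnetlink.h>

/* Hypothetical fixed-layout RTM_NEWADDR request: header plus two attributes. */
struct vip_req {
    struct nlmsghdr hdr;
    struct ifaddrmsg ifa;
    struct rtattr local_hdr;      /* IFA_LOCAL */
    struct in6_addr local;
    struct rtattr ci_hdr;         /* IFA_CACHEINFO */
    struct ifa_cacheinfo ci;
};
_Static_assert(sizeof(struct vip_req) == 64, "unexpected padding");

/* Fill in (do not send) a request adding addr/128 to ifindex; -1 on bad addr. */
int build_deprecated_vip(struct vip_req *r, const char *addr, int ifindex)
{
    memset(r, 0, sizeof(*r));
    if (inet_pton(AF_INET6, addr, &r->local) != 1)
        return -1;
    r->hdr.nlmsg_len = sizeof(*r);
    r->hdr.nlmsg_type = RTM_NEWADDR;
    r->hdr.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE | NLM_F_EXCL;
    r->ifa.ifa_family = AF_INET6;
    r->ifa.ifa_prefixlen = 128;
    r->ifa.ifa_scope = RT_SCOPE_UNIVERSE;   /* still global scope */
    r->ifa.ifa_index = ifindex;
    r->local_hdr.rta_type = IFA_LOCAL;
    r->local_hdr.rta_len = RTA_LENGTH(sizeof(r->local));
    r->ci_hdr.rta_type = IFA_CACHEINFO;
    r->ci_hdr.rta_len = RTA_LENGTH(sizeof(r->ci));
    r->ci.ifa_prefered = 0;          /* preferred_lft 0: deprecated at once */
    r->ci.ifa_valid = 0xFFFFFFFF;    /* valid_lft forever: address stays usable */
    return (int)sizeof(*r);
}

/* Return the preferred lifetime from IFA_CACHEINFO, or -1 if it is missing. */
long preferred_lft(void *msg)
{
    struct nlmsghdr *h = msg;
    struct rtattr *rta = IFA_RTA(NLMSG_DATA(h));
    int len = IFA_PAYLOAD(h);

    for (; RTA_OK(rta, len); rta = RTA_NEXT(rta, len))
        if (rta->rta_type == IFA_CACHEINFO)
            return ((struct ifa_cacheinfo *)RTA_DATA(rta))->ifa_prefered;
    return -1;
}
```

An address installed this way shows up in `ip -6 addr show` with the `deprecated` flag and `preferred_lft 0sec`, which is the state Issue #694 refers to.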

History

#1 Updated by Tobias Brunner almost 6 years ago

  • Tracker changed from Issue to Bug
  • Category set to libhydra
  • Status changed from New to Closed
  • Assignee set to Tobias Brunner
  • Target version set to 5.2.0
  • Resolution set to Fixed

Thanks for the report. I pushed a modified version of your patch to our repository (see associated commit).

As a workaround you could try to set charon.install_virtual_ip_on in strongswan.conf to e.g. lo (by default virtual IPs are installed on the outbound interface), which should also prevent the kernel from choosing these addresses.

#2 Updated by Tobias Brunner almost 2 years ago

  • Related to Issue #694: IPv6 address assigned via CPREQ(ADDR6) is set to "deprecated", preferred_lft 0sec added
