Darren Reed <darrenr%netbsd.org@localhost> writes: > Lets assume that a host where I work is dual homed and that I can > connect to it at work using IPv4 or IPv6. Your example isn't about the case that I think people care about. A company has some internal network, which is heavily firewalled. Employees have computers, and they VPN in. Once in, their traffic is subject to monitoring, etc. There's a policy that says you can be connected inside only, or outside only. (This is based on a notion that using a computer as a stepping stone is a significant issue, compared to persistent malware. But it's common thinking, basically fighting the war of the 90s, and probably helpful now even if it isn't the main threat.) A user starts up the VPN, which is v4 only. But, they're still on their local network, and possibly on the internet. Hence a policy violation. But on the other hand I agree with Darren's points. This is a policy matter, and NetBSD as an OS should be neutral, allowing users to set policy. So I'd say that VPN packages (as opposed to what's in the NetBSD base system) should handle this, offering a configuration option. I disagree with Fernando's characterization that IPv6 traffic not going in a VPN (or being blocked0 when a v4 VPN is configuration is necessarily a bug. For the totally-controlling corporate policy types, yes, but for many no. So I'd say that it's a bug for a VPN package not to make this configurable; perhaps that's what he meant.
Description: PGP signature