AWS vpn documentation change
Summary
Expanded Client Route Enforcement documentation to include IPv6 support, updated version requirements, and added IPv6 network exceptions
Security assessment
The change enhances documentation about a security feature (Client Route Enforcement) by adding IPv6 support details. It improves clarity about security controls but does not address a specific vulnerability. The addition of IPv6 network exception lists (like link-local and multicast ranges) shows improved security boundary definitions.
Diff
diff --git a/vpn/latest/clientvpn-admin/cvpn-working-cre.md b/vpn/latest/clientvpn-admin/cvpn-working-cre.md index 2e7a1472e..a00bf2020 100644 --- a//vpn/latest/clientvpn-admin/cvpn-working-cre.md +++ b//vpn/latest/clientvpn-admin/cvpn-working-cre.md @@ -11 +11 @@ Client Route Enforcement helps enforce administrator-defined routes on devices c -Client Route Enforcement monitors the main routing table of the connected device and ensures that outbound network traffic goes to a VPN tunnel, according to network routes configured in the client VPN endpoint. This includes modifying routing tables on a device if routes conflicting with VPN tunnel are detected. +Client Route Enforcement monitors the main routing table of the connected device and ensures that outbound network traffic goes to a VPN tunnel, according to network routes configured in the client VPN endpoint. This includes modifying routing tables on a device if routes conflicting with VPN tunnel are detected. Client Route Enforcement supports both IPv4 and IPv6 address families. @@ -17 +17 @@ Client Route Enforcement only works with the following AWS provided Client VPN v - * Windows version 5.2.0 or higher + * Windows version 5.2.0 or higher (IPv4 support) @@ -19 +19 @@ Client Route Enforcement only works with the following AWS provided Client VPN v - * macOS version 5.2.0 or higher + * macOS version 5.2.0 or higher (IPv4 support) @@ -21 +21 @@ Client Route Enforcement only works with the following AWS provided Client VPN v - * Ubuntu version 5.2.0 or higher + * Ubuntu version 5.2.0 or higher (IPv4 support) @@ -22,0 +23 @@ Client Route Enforcement only works with the following AWS provided Client VPN v + * Windows version 5.3.0 or higher (IPv6 support) @@ -23,0 +25 @@ Client Route Enforcement only works with the following AWS provided Client VPN v + * macOS version 5.3.0 or higher (IPv6 support) @@ -24,0 +27,6 @@ Client Route Enforcement only works with the following AWS provided Client VPN v + * Ubuntu version 5.3.0 or higher (IPv6 support) + + + + +For dual-stack endpoints, the Client Route Enforcement setting applies to both IPv4 and IPv6 stacks simultaneously. It is not possible to enable Client Route Enforcement for only one stack. @@ -72,3 +80 @@ Routes added to a non-VPN gateway are excluded from Client Route Enforcement as - * The `route-ipv6` directive. - -This directive is not processed, as Client Route Enforcement only supports IPv4 addresses. + * Similar to IPv4 routes, IPv6 routes added to a VPN gateway are monitored by Client Route Enforcement, while routes added to a non-VPN gateway are excluded from monitoring. @@ -81 +87 @@ This directive is not processed, as Client Route Enforcement only supports IPv4 -Routes to the following networks will be ignored by Client Route Enforcement: +Routes to the following IPv4 networks will be ignored by Client Route Enforcement: @@ -93,0 +100,11 @@ Routes to the following networks will be ignored by Client Route Enforcement: +Routes to the following IPv6 networks will be ignored by Client Route Enforcement: + + * `::1/128` — Reserved for loopback + + * `fe80::/10` — Reserved for link-local addresses + + * `ff00::/8` — Reserved for multicast + + + + @@ -99,0 +117,2 @@ Routes to the following networks will be ignored by Client Route Enforcement: + * [Troubleshoot IPv6 Client Route Enforcement](./cre-ipv6-troubleshooting.html) +