Are you sure that (current) Apple devices continue to route IPv6 directly when connected to a VPN that does not forward it? (A quick Google confirms that some VPN clients do this, but since the mailing list post is about Apple devices, let's stick to that. Although I'm on OS X, I can't test this easily because I don't have any VPN services set up.) If they do, I feel like that would be very surprising behavior that should be considered a bug, or at least a reason for the OS to provide the user with an obvious button to turn it off... maybe worth filing a Radar over?
Apple continues to route IPv6 over the default route when connected to a VPN that is v4-only (at least for OpenVPN that is the case; I don't have any experience with others).
So that means if you have a v4-only VPN provider, all IPv6 happily goes over the default route.
This is not surprising to me at all; traffic should follow the default route that is given. If you are privacy conscious you should already know how to disable IPv6... Honestly, if it is a bug anywhere, it is a bug in the VPN providers that they are not providing IPv6 services for their customers.
Thankfully, with OpenVPN, IPv6 setup is simple, and while it doesn't provide the privacy extensions like SLAAC (you can only get a single static IPv6 address on the other end of the tunnel), it does allow you to easily tunnel IPv6 traffic as well. I personally do this by pushing 2000::/3 across from my OpenVPN server.
On OS X 10.9 I don't have a way to disable IPv6 that I can find. In Network > Advanced > TCP/IP > Configure IPv6, there are only three choices: automatic, manual, link local. And as soon as I configure it with either manual or link local, the wifi connection changes from green to yellow and I no longer have even IPv4 Internet, although it remains identically configured as before. A while ago this popup had an Off option just like the Configure IPv4 menu does.
Doesn't work that way for me. On 10.9.5 setting the wifi connection's IPv6 setting to "Link-local only" causes me to be unable to ping6 other machines but IPv4 is unaffected.
> If they do, I feel like that would be very surprising behavior that should be considered a bug,
Not really. Since VPNs have many different purposes (privacy is only one, and arguably not even the most common one), disabling all IPv6 traffic whenever a v4-only VPN is enabled may be a bad default for other use cases. In fact, I would be rather surprised if they did this (though pleasantly surprised).
They don't do this; it follows the route tables for the appropriate protocol. If you are v4 VPN connected, the VPN overwrites the route table, but v6 will be unencumbered.
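
An added example, not part of any comment in this thread: a check that does a plain longest-prefix match over an IPv6 routing table to see which interface carries global IPv6 traffic, comparing a v4-only VPN with one that pushes 2000::/3. The table text is constructed in the layout of `netstat -rn -f inet6`; the interface names, the tunnel-name prefixes and the probe address (from the 2001:db8::/32 documentation range) are assumptions.

```python
import ipaddress

# Constructed sample in `netstat -rn -f inet6` layout (not captured from a real host).
V4_ONLY_VPN = """\
Internet6:
Destination        Gateway        Flags   Netif Expire
default            fe80::1%en0    UGc     en0
::1                ::1            UHL     lo0
fe80::%en0/64      link#4         UCI     en0
"""

# Same host after the VPN server pushes 2000::/3 (constructed).
V6_PUSHED = V4_ONLY_VPN + "2000::/3           fe80::2%utun1  UGSc    utun1\n"

TUNNEL_PREFIXES = ("utun", "tun", "tap")  # assumed tunnel interface names


def parse_routes(text):
    """Yield (network, netif) for each IPv6 route line."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] == "Destination":
            continue                        # banner, header or blank line
        dest = "::/0" if cols[0] == "default" else cols[0]
        addr, _, plen = dest.partition("/")
        addr = addr.split("%")[0]           # drop the %zone scope id
        try:
            net = ipaddress.IPv6Network(f"{addr}/{plen or 128}", strict=False)
        except ValueError:
            continue                        # not an IPv6 destination
        yield net, cols[3]


def egress_interface(text, dest):
    """Longest-prefix match: which interface carries traffic to dest?"""
    ip = ipaddress.IPv6Address(dest)
    matches = [(n.prefixlen, ifc) for n, ifc in parse_routes(text) if ip in n]
    return max(matches)[1] if matches else None


def ipv6_bypasses_vpn(text, probe="2001:db8::1"):
    """True if global IPv6 traffic would leave outside the tunnel."""
    ifc = egress_interface(text, probe)
    return ifc is not None and not ifc.startswith(TUNNEL_PREFIXES)


if __name__ == "__main__":
    for name, table in (("v4-only VPN", V4_ONLY_VPN), ("2000::/3 pushed", V6_PUSHED)):
        print(name, "->", egress_interface(table, "2001:db8::1"),
              "bypass" if ipv6_bypasses_vpn(table) else "tunnelled")
```

To check a live machine, pass the output of `netstat -rn -f inet6` as the `text` argument instead of the constructed samples.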