ocserv + ipv6

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Thu Aug 6 02:00:43 PDT 2015


On Thu, Aug 6, 2015 at 10:08 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
>>  With this mail I bring up a discussion made on the irc channel here.
>> As it is now ocserv, for IPv6 provides an IP address from the
>> configured pool using a dummy prefix length, the same way as we do for
>> IPv4. However, since in IPv6 the number of addresses is pretty much
>> unlimited it makes sense to provide a real subnet to the client. That
>> will not have much impact on the clients which handle the provided
>> address as a point-to-point one, but will allow future clients to use
>> multiple addresses from the VPN. Do you see any issues with that
>> approach, or have an idea to improve it?
> No recollection of this. Did I respond? I'm trawling my list archive
> because I *know* someone sent me a patch to fix the Juniper multiple
> DNS search domain issue.
> I'd take a look at IPv6 Prefix Delegation as handled in PPP and DHCPv6.
> It hands out subnets to the client and the client can then run RA on
> its *other* interfaces (and hand them out further, perhaps).
> I think it's normally done as a *separate* configuration item to the
> main IPv6 address. Yes, there are plenty but there's no reason to be
> entirely profligate with them. You can have a /127 for the point-to-point
> link, and multiple /64s for the subnets you want to route to.

I'm currently giving a 127 mask to the clients. That's the safest bet
now, and can be easily extended if we decide for openconnect to make
use of larger blocks. However, I am wondering whether the mask
received by anyconnect servers has any meaning at all, i.e., whether
it is a real mask with addresses the client can use, or is some mask
that has meaning for the server only. In IPv4 the latter is the case.

regards,
Nikos
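The split David suggests above (a /127 for the point-to-point link, handed out separately from the /64s routed to the client) is easy to see in an allocator. The following is an added example and not ocserv or openconnect code; the class names, the pools (constructed from the 2001:db8::/32 documentation range) and the client identifiers are all assumptions. It hands each client both ends of a /127, gives the delegated prefixes as a separate list, derives the server-side routes (each delegated prefix via the client's link address), rolls back a half-built lease when a pool runs out, and reuses released blocks.

```python
# Added example, not code from ocserv/openconnect: a toy allocator that gives
# each VPN client a /127 point-to-point link plus separately delegated /64s.
# Pools are constructed from the 2001:db8::/32 documentation range.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple

IPv6Net = ipaddress.IPv6Network
IPv6Addr = ipaddress.IPv6Address


class PoolExhausted(Exception):
    """Raised when no /127 link or delegated prefix is left in a pool."""


@dataclass
class Lease:
    link: IPv6Net                  # the /127 shared by server and client
    server: IPv6Addr               # server end of the point-to-point link
    client: IPv6Addr               # client end; pushed with prefix length 127
    delegated: List[IPv6Net] = field(default_factory=list)  # routed to client


class Allocator:
    """Hypothetical allocator: link pool is carved into /127s, delegation
    pool into /64s (or another length); the two pools must not overlap."""

    def __init__(self, link_pool: str, delegation_pool: str, delegated_len: int = 64):
        self.link_pool = ipaddress.ip_network(link_pool)
        self.delegation_pool = ipaddress.ip_network(delegation_pool)
        if self.link_pool.overlaps(self.delegation_pool):
            raise ValueError("link pool and delegation pool must not overlap")
        if not self.delegation_pool.prefixlen <= delegated_len <= 128:
            raise ValueError("delegated prefix length outside the delegation pool")
        self._fresh_links: Iterator[IPv6Net] = self.link_pool.subnets(new_prefix=127)
        self._fresh_prefixes: Iterator[IPv6Net] = self.delegation_pool.subnets(
            new_prefix=delegated_len)
        self._free_links: List[IPv6Net] = []      # blocks handed back by release()
        self._free_prefixes: List[IPv6Net] = []
        self.leases: Dict[str, Lease] = {}

    @staticmethod
    def _take(free: List[IPv6Net], fresh: Iterator[IPv6Net]) -> IPv6Net:
        # Prefer a recycled block; otherwise pull the next unused one.
        if free:
            return free.pop()
        try:
            return next(fresh)
        except StopIteration:
            raise PoolExhausted("pool exhausted") from None

    def allocate(self, client_id: str, ndelegated: int = 1) -> Lease:
        if client_id in self.leases:
            return self.leases[client_id]
        link = self._take(self._free_links, self._fresh_links)
        delegated: List[IPv6Net] = []
        try:
            for _ in range(ndelegated):
                delegated.append(self._take(self._free_prefixes, self._fresh_prefixes))
        except PoolExhausted:
            # Roll back so a half-built lease does not leak addresses.
            self._free_links.append(link)
            self._free_prefixes.extend(delegated)
            raise
        # A /127 has exactly two addresses: index 0 for the server, 1 for the client.
        lease = Lease(link=link, server=link[0], client=link[1], delegated=delegated)
        self.leases[client_id] = lease
        return lease

    def release(self, client_id: str) -> None:
        lease = self.leases.pop(client_id)
        self._free_links.append(lease.link)
        self._free_prefixes.extend(lease.delegated)

    def routes_for(self, client_id: str) -> List[Tuple[IPv6Net, IPv6Addr]]:
        """Server-side routes: each delegated prefix via the client's link address."""
        lease = self.leases[client_id]
        return [(net, lease.client) for net in lease.delegated]


if __name__ == "__main__":
    alloc = Allocator("2001:db8:0:ffff::/112", "2001:db8:1::/48")
    lease = alloc.allocate("client-a", ndelegated=2)
    print(f"push address {lease.client}/{lease.link.prefixlen} peer {lease.server}")
    for net, via in alloc.routes_for("client-a"):
        print(f"route {net} via {via}")
```

The prefix length the client receives (127) is the real on-link mask, so the client knows it only shares the link with the server; the delegated prefixes are a separate item it can route or run RA on behind other interfaces, which is what keeps the point-to-point link distinct from the blocks being handed out.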


