IPv6 NDP proxying with ocserv

Kevin Cernekee cernekee at gmail.com
Wed Jun 15 11:24:23 PDT 2016


On Wed, Jun 15, 2016 at 12:48 AM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
>> 1) If I don't set ipv6-network in ocserv.conf, the explicit-ipv6
>> address in the user configuration file is ignored.  I could set a
>> bogus ipv6-network address for non-IPv6 users, but their clients may
>> erroneously try to send traffic through that stack.  I could also
>> experiment with NAT, but it's probably cleaner just to shut down IPv6
>> entirely for the clients that do not have static globally routable
>> addresses.

FWIW, the workaround I found for this was to specify all three IPv6
parameters in the per-user conf, and leave them blank globally.

> If you set a private IPv6 subnet, and then you override the IPv6 sent
> to client, does the client obtain any information about the private subnet?

I put this in the user conf file:

ipv6-network = fc00::/10
ipv6-subnet-prefix = 128
explicit-ipv6 = 2001:db8::f

The X-CSTP-Address-IP6 header is "2001:db8::f/10".  The IPv6 address
assigned to the vpns0 interface on the ocserv box is fc00::1/128 (no
idea if that matters).

I think we really want to be sending /128 to the client in this case,
to keep the client from thinking it is free to generate more addresses
in that range?

Also, this comment seems to be out of date:

                /* if an explicit IP is given for that client, then
                 * do implicit IP accounting. Require the address
                 * to be odd, so we use the next even address as PtP. */

> Another approach would be to use NAT (many to many) for everyone
> and map to the set of addresses you have.

Long term I'm probably just going to move this project over to Linode
and request a /56...

> I think that's the most simple setup in your scenario. I've not used
> it before, but as I see from your example above, it seems like you can
> run it one-time for the addresses you are interested and that's all.
> It doesn't seem to require to run it on each connecting client, right?

Correct.  So if there are only a few clients I could just move it into
the init script.

If I was assigning random addresses from a larger range like /116, it
would probably be better to add the entries dynamically.

> Would you like to document this approach in the pseudo bridge recipe?
> That would be a good first step.
> https://github.com/openconnect/recipes/blob/master/ocserv-pseudo-bridge.md

Sure.
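
The one-time setup discussed above (installing a neighbour-proxy entry for
each static client address from the init script, rather than per
connection) can be scripted. The following is an added example, not code
from this thread, from ocserv or from the pseudo-bridge recipe. It assumes
the per-user files use ocserv's "key = value" syntax, that the upstream
interface name is passed in, and that the proxy entries take the standard
iproute2 form "ip -6 neigh add proxy ADDR dev IFACE" (enabling
net.ipv6.conf.IFACE.proxy_ndp on that interface is assumed to be part of
the operator's setup). It prints the commands instead of running them, so
it can be reviewed before being wired into an init script.

```shell
#!/bin/sh
# Added example (not from the thread, ocserv, or the recipe): generate the
# one-time NDP proxy entries for every static explicit-ipv6 address found in
# ocserv's per-user config directory, for use from an init script.
# Assumptions: "key = value" per-user syntax, upstream interface passed as $2,
# and the iproute2 "ip -6 neigh add proxy" form for the entries.

# Print the explicit-ipv6 value from one per-user config file, if any.
# Tolerates optional spaces around '=' and trailing comments.
explicit_ipv6_of() {
    sed -n 's/^[[:space:]]*explicit-ipv6[[:space:]]*=[[:space:]]*\([0-9A-Fa-f:.]*\).*/\1/p' "$1" | head -n 1
}

# Emit one "ip -6 neigh add proxy" line per static user. $1 is the per-user
# config directory, $2 the upstream interface that should answer NDP for
# those addresses. Users without explicit-ipv6 are skipped, since only
# static, globally routable addresses need a proxy entry.
ndp_proxy_commands() {
    dir=$1
    iface=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        addr=$(explicit_ipv6_of "$f")
        [ -n "$addr" ] || continue          # no static address: nothing to proxy
        printf 'ip -6 neigh add proxy %s dev %s\n' "$addr" "$iface"
    done
}

# Constructed sample per-user directory so the script runs offline.
# Addresses are documentation-range values, as in the thread.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'ipv6-network = fc00::/10\nipv6-subnet-prefix = 128\nexplicit-ipv6 = 2001:db8::f\n' > "$d/alice"
    printf 'explicit-ipv6=2001:db8::10   # static, compact syntax\n' > "$d/bob"
    printf 'no-udp = true\n' > "$d/carol"
    echo "$d"
}

# Usage: ndp_proxy_commands /etc/ocserv/config-per-user eth0 | sh
# (pipe into sh only after reviewing the printed lines).
```

Run against a real directory, the output is the list of commands the init
script needs; when addresses are instead handed out dynamically from a
larger range, the same per-address command would have to be issued (and
removed) as clients connect and disconnect.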



More information about the openconnect-devel mailing list