IPv6 NDP proxying with ocserv

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Jun 16 03:48:17 PDT 2016


On Wed, Jun 15, 2016 at 8:24 PM, Kevin Cernekee <cernekee at gmail.com> wrote:
>> If you set a private IPv6 subnet, and then you override the IPv6 sent
>> to client, does the client obtain any information about the private subnet?
>
> I put this in the user conf file:
>
> ipv6-network = fc00::/10
> ipv6-subnet-prefix = 128
> explicit-ipv6 = 2001:db8::f
>
> The X-CSTP-Address-IP6 header is "2001:db8::f/10".  The IPv6 address
> assigned to the vpns0 interface on the ocserv box is fc00::1/128 (no
> idea if that matters).
> I think we really want to be sending /128 to the client in this case,
> to keep the client from thinking it is free to generate more addresses
> in that range?

I agree with you. I don't remember why the subnet prefix is not sent
in that case. If you try this (untested) patch does everything work
for you? I remember I had some issues by using a /128 for ptp links,
and had to use a /127 instead.

> Long term I'm probably just going to move this project over to Linode
> and request a /56...

:) that's a lot. Interestingly, with that many addresses you'll be able
to perform a quite good DoS against ocserv.
https://gitlab.com/ocserv/ocserv/issues/7

regards,
Nikos
diff --git a/src/worker-vpn.c b/src/worker-vpn.c
index bc104b7..7268747 100644
--- a/src/worker-vpn.c
+++ b/src/worker-vpn.c
@@ -1518,12 +1518,12 @@ static int connect_handler(worker_st * ws)
 	}
 
 	if (ws->vinfo.ipv6 && req->no_ipv6 == 0 && ws->user_config->ipv6_prefix != 0) {
-		oclog(ws, LOG_INFO, "sending IPv6 %s/%u", ws->vinfo.ipv6, ws->user_config->ipv6_prefix);
-		if (ws->full_ipv6 && ws->user_config->ipv6_prefix) {
+		oclog(ws, LOG_INFO, "sending IPv6 %s/%u", ws->vinfo.ipv6, ws->user_config->ipv6_subnet_prefix);
+		if (ws->full_ipv6 && ws->user_config->ipv6_subnet_prefix) {
 			ret =
 			    cstp_printf(ws,
 				       "X-CSTP-Address-IP6: %s/%u\r\n",
-				       ws->vinfo.ipv6, ws->user_config->ipv6_prefix);
+				       ws->vinfo.ipv6, ws->user_config->ipv6_subnet_prefix);
 			SEND_ERR(ret);
 		} else {
 			const char *net;
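Review bot: the outer guard (the unchanged line just before the first `-` line) still tests `ws->user_config->ipv6_prefix != 0`, while the inner `if` and both format strings now use `ipv6_subnet_prefix`, so the two fields are checked inconsistently: when `ipv6_prefix` is configured but `ipv6_subnet_prefix` is left at 0, a `full_ipv6` client no longer gets `X-CSTP-Address-IP6` and instead falls into the `else` branch. Either add `ipv6_subnet_prefix != 0` to the outer condition or fall back to `ipv6_prefix` when no subnet prefix is set, and make the `oclog` line print whichever value is actually sent. With `ipv6-subnet-prefix = 128` as in the quoted config the client now receives `2001:db8::f/128` instead of `/10`, which is the behaviour requested in the thread.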
@@ -1539,7 +1539,7 @@ static int connect_handler(worker_st * ws)
 
 			ret =
 			    cstp_printf(ws, "X-CSTP-Netmask: %s/%u\r\n",
-				        net, ws->user_config->ipv6_prefix);
+				        net, ws->user_config->ipv6_subnet_prefix);
 			SEND_ERR(ret);
 		}
 	}
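Review bot: `X-CSTP-Netmask` now carries `ipv6_subnet_prefix`, but `net` is computed in lines outside this hunk and it is not visible whether it is derived from the same prefix; a netmask string whose prefix length disagrees with the network it was built from would mislead the client, so the computation of `net` should be checked against the new field, ideally with a test for the `ipv6-subnet-prefix = 128` case. The message also recalls that a /128 on a point-to-point link caused problems and /127 was used instead; if that still applies, passing 128 straight through here deserves at least a comment.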
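As an added illustration of the header behaviour discussed in the message above (this is not ocserv code and not from the thread; the configuration values are the ones Kevin quoted, the function names are my own), this Python snippet builds the `X-CSTP-Address-IP6` value the way the old code (network prefix) and the patched code (subnet prefix) would, and shows what a client would infer from each:

```python
import ipaddress

# Constructed from the user config quoted in the thread.
USER_CONFIG = {
    "ipv6-network": "fc00::/10",
    "ipv6-subnet-prefix": 128,
    "explicit-ipv6": "2001:db8::f",
}


def build_address_header(cfg, use_subnet_prefix):
    """Return the X-CSTP-Address-IP6 line as the server would write it.

    use_subnet_prefix=False mimics the pre-patch behaviour (prefix length of
    ipv6-network); True mimics the patched behaviour (ipv6-subnet-prefix).
    """
    net = ipaddress.IPv6Network(cfg["ipv6-network"])
    prefix = cfg["ipv6-subnet-prefix"] if use_subnet_prefix else net.prefixlen
    return f"X-CSTP-Address-IP6: {cfg['explicit-ipv6']}/{prefix}\r\n"


def parse_address_header(line):
    """Extract the address/prefix value from a raw header line."""
    name, _, value = line.strip().partition(":")
    if name != "X-CSTP-Address-IP6":
        raise ValueError(f"unexpected header {name!r}")
    return value.strip()


def audit_address_header(line, server_network):
    """Describe what a client would conclude from the header.

    client_addresses: size of the range the client may treat as its own
    (1 means only the assigned address, which is what we want).
    in_server_network: whether the explicit address even lies inside the
    configured ipv6-network (it does not in the quoted config).
    """
    iface = ipaddress.IPv6Interface(parse_address_header(line))
    net = ipaddress.IPv6Network(server_network)
    return {
        "client_addresses": iface.network.num_addresses,
        "single_host": iface.network.prefixlen == 128,
        "in_server_network": iface.ip in net,
    }
```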

