[PATCH -ocserv 4/5] Use distinct remote and local IPs when explicit_ipv[46] is specified

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Feb 11 02:50:45 PST 2015


On Wed, Feb 11, 2015 at 11:09 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> That's what I'm proposing. To take the first address from the
>> configured network and assign it as our address for tun purposes.
>> Indeed there could be someone somewhere using it, but in the end we
>> need an address to use.
> Well, the difference is that you said 'take' and I said 'assign'. I
> meant that you'd actually get one *given* to you by the RADIUS server.
> If you just *steal* an IP address which is assigned to another host on
> the network, then your clients cannot communicate with the *real* owner
> of that IP address.

After some IRC discussion, the approach is to take the first address from the configured network in ocserv. If RADIUS or per-user configuration is used to set explicit IP addresses, then these should be unrelated to the network configured in ocserv. That is, the network configured in ocserv should be non-empty even if all IPs are assigned explicitly by RADIUS or per-user configuration.

BTW, the case where one would like to have ocserv assigning all the addresses in that network except one which is explicitly set via per-user configuration would also work. That is because the explicitly assigned addresses are also tracked internally and there will not be double booking, although there will be denial of service if someone took that explicit IP before.

regards,
Nikos
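To make the allocation policy discussed in this thread concrete, here is an added toy model (written for this page, not ocserv's own code): the first usable address of the configured network is taken as the local tun address, explicitly assigned addresses (per-user config or RADIUS) are recorded in the same table as pool-assigned ones so nothing is double booked, and an explicit address that is already in use is refused, which is the denial-of-service case the message mentions. The class name, method names and the sample network and user names are all assumptions made for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class AddressPool:
    """Toy model of the policy in the message (hypothetical, not ocserv code).

    - The first host address of the configured network is the local tun address.
    - Explicit assignments share one booking table with pool assignments.
    - A second request for an address that is already booked is refused.
    """

    def __init__(self, network: str) -> None:
        self.network = ipaddress.ip_network(network, strict=True)
        self._free = self.network.hosts()       # lazy: fine for large prefixes
        self.local: IPAddress = next(self._free)  # "take the first address"
        self._by_addr: Dict[IPAddress, str] = {}  # address -> user
        self._by_user: Dict[str, IPAddress] = {}  # user -> address
        self._recycled: List[IPAddress] = []      # released pool addresses

    def _book(self, user: str, addr: IPAddress) -> None:
        self._by_addr[addr] = user
        self._by_user[user] = addr

    def assign_explicit(self, user: str, address: str) -> bool:
        """Book an address chosen by per-user config or RADIUS.

        Returns False (no double booking) if the address is the local tun
        address, is already booked, or the user already holds an address.
        The address may lie outside the configured network.
        """
        addr = ipaddress.ip_address(address)
        if addr == self.local or addr in self._by_addr or user in self._by_user:
            return False
        self._book(user, addr)
        return True

    def allocate(self, user: str) -> Optional[IPAddress]:
        """Hand out the next free address from the configured network.

        Addresses booked explicitly are skipped because they share the
        booking table. Returns None when the pool is exhausted.
        """
        if user in self._by_user:
            return self._by_user[user]
        while self._recycled:
            addr = self._recycled.pop()
            if addr not in self._by_addr:
                self._book(user, addr)
                return addr
        for addr in self._free:
            if addr not in self._by_addr:
                self._book(user, addr)
                return addr
        return None

    def release(self, user: str) -> None:
        """Free the user's address; pool addresses become reusable."""
        addr = self._by_user.pop(user, None)
        if addr is None:
            return
        del self._by_addr[addr]
        if addr in self.network:          # False for a foreign or other-family address
            self._recycled.append(addr)


if __name__ == "__main__":
    pool = AddressPool("10.0.0.0/24")            # constructed sample network
    print("local tun address:", pool.local)       # 10.0.0.1
    print("alice explicit .2:", pool.assign_explicit("alice", "10.0.0.2"))
    print("bob from pool:", pool.allocate("bob"))  # skips .2, gets 10.0.0.3
    print("carol explicit .3:", pool.assign_explicit("carol", "10.0.0.3"))  # refused
```

The same class works for an IPv6 prefix because `ipaddress` handles both families; the only behavioural difference is that an explicit address from the other family can never collide with the pool.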
