IPv6 NDP proxying with ocserv

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Jun 15 00:48:55 PDT 2016


On Tue, Jun 14, 2016 at 9:51 PM, Kevin Cernekee <cernekee at gmail.com> wrote:
> A $5/mo DigitalOcean VPS only seems to come with 16 static globally
> routable IPv6 addresses, e.g. 2001:db8::4000 through 2001:db8::400f.
> AFAICT they will not issue a /48 or a /56 (unlike Linode).
>
> The virtual ethernet interface on the system (eth0) is configured to
> respond to 2001:db8::4001/64.  Traffic destined for other IPv6
> addresses outside of the 4000-400f range cannot be seen by the VPS;
> therefore it does not behave like a typical /64 where hosts are free
> to generate EUI-64 or temporary addresses at will.  SLAAC is not
> supported.
> Because of this limitation I would like ocserv to statically assign
> IPv6 addresses in the range 2001:db8::4002 - 2001:db8::400f to a few
> specific VPN clients, and assign no IPv6 address to clients that lack
> an explicit-ipv6 address.  I ran into a few issues trying to set this
> up:

That's indeed quite an interesting scenario. So in practice you get a /124
subnet with the server occupying the second address.

> 1) If I don't set ipv6-network in ocserv.conf, the explicit-ipv6
> address in the user configuration file is ignored.  I could set a
> bogus ipv6-network address for non-IPv6 users, but their clients may
> erroneously try to send traffic through that stack.  I could also
> experiment with NAT, but it's probably cleaner just to shut down IPv6
> entirely for the clients that do not have static globally routable
> addresses.

If you set a private IPv6 subnet, and then you override the IPv6 address sent
to the client, does the client obtain any information about the private subnet?

Another approach would be to use NAT (many to many) for everyone
and map to the set of addresses you have.

> 2) I did not see a way to tell the VPN server to answer neighbor
> solicitation requests for the VPN clients' IP addresses.  I was able
> to enable this manually by doing:
>
>     echo 1  > /proc/sys/net/ipv6/conf/all/proxy_ndp
>     ip -6 neigh add proxy 2001:db8::4002 dev eth0
>
> ocserv mentions supporting proxy ARP (for IPv4) in the docs, so I am
> wondering whether it makes sense to add this logic directly to ocserv
> or if it is better to just use the connect-script and
> disconnect-script to add/remove the entries?

I think that's the simplest setup in your scenario. I've not used
it before, but as I see from your example above, it seems like you can
run it once for the addresses you are interested in, and that's all.
It doesn't seem to require running it for each connecting client, right?

Then you can assign your whole subnet (or even a /125) to ocserv, and
rely on ping-leases to discover already used IPs (though we may want
to use ndp for that).

Would you like to document this approach in the pseudo bridge recipe?
That would be a good first step.
https://github.com/openconnect/recipes/blob/master/ocserv-pseudo-bridge.md

regards,
Nikos
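The two variants discussed in the thread (a per-client connect-script/disconnect-script that adds and removes the NDP proxy entry, and the one-shot static form Nikos suggests), written out as an added example. This is not code from ocserv or from either poster. It assumes ocserv passes REASON (connect or disconnect) and IPV6_REMOTE in the script's environment, that the uplink is eth0, that the script runs with enough privilege to call ip(8) and sysctl(8), and that the allowed pool is the 2001:db8::4002-2001:db8::400f range from Kevin's message. The pool check is the part a practitioner would want: a typo in a user's explicit-ipv6 should not make the VPS answer neighbor solicitations for an address it does not own on the shared /64.

```shell
#!/bin/sh
# Added example (not ocserv's own code): NDP proxy maintenance for ocserv.
# Assumed environment from ocserv: REASON (connect|disconnect), IPV6_REMOTE.
# Assumed uplink interface and address pool; adjust to your VPS.
UPLINK="${UPLINK:-eth0}"
POOL_PREFIX="2001:db8::400"        # assumed pool: 2001:db8::4002 .. 2001:db8::400f

# Emit the ip(8)/sysctl(8) commands for one client, one per line.
# Empty output (and success) when the client has no IPv6 address, so users
# without an explicit-ipv6 line are a no-op. Refuses addresses outside the
# pool and unknown reasons so nothing is proxied by accident.
ndp_proxy_cmds() {
    reason="$1"
    addr=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # compare in lowercase
    [ -n "$addr" ] || return 0
    case "$addr" in
        2001:db8::400[2-9a-f]) ;;   # canonical form assumed (matches explicit-ipv6 as written)
        *) echo "ndp-proxy: refusing $addr: outside the allocated pool" >&2; return 1 ;;
    esac
    case "$reason" in
        connect)
            # Same two steps as the manual setup, via sysctl instead of /proc.
            printf 'sysctl -w net.ipv6.conf.all.proxy_ndp=1\n'
            printf 'ip -6 neigh add proxy %s dev %s\n' "$addr" "$UPLINK" ;;
        disconnect)
            printf 'ip -6 neigh del proxy %s dev %s\n' "$addr" "$UPLINK" ;;
        *)
            echo "ndp-proxy: unknown reason '$reason'" >&2; return 1 ;;
    esac
}

# One-shot variant: proxy every usable pool address up front (what Nikos
# suggests), so no per-connection hook is needed at all.
ndp_proxy_static_cmds() {
    printf 'sysctl -w net.ipv6.conf.all.proxy_ndp=1\n'
    for h in 2 3 4 5 6 7 8 9 a b c d e f; do
        printf 'ip -6 neigh add proxy %s%s dev %s\n' "$POOL_PREFIX" "$h" "$UPLINK"
    done
}

# Run the emitted commands. Each line is a simple command with no quoting,
# so plain word splitting is safe here.
ndp_proxy_apply() {
    ndp_proxy_cmds "$1" "$2" | while IFS= read -r cmd; do
        $cmd || echo "ndp-proxy: failed: $cmd" >&2
    done
}

# When invoked by ocserv (REASON set), act; otherwise only define functions.
if [ -n "${REASON:-}" ]; then
    ndp_proxy_apply "$REASON" "${IPV6_REMOTE:-}"
fi
```

Point both connect-script and disconnect-script in ocserv.conf at this file; the REASON variable selects the branch. After a client connects, `ip -6 neigh show proxy` should list its address on the uplink. If you prefer the static form, run `ndp_proxy_static_cmds | sh` once at boot and leave the ocserv hooks unset.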


