On Wed, Feb 11, 2015 at 11:09 AM, David Woodhouse <dwmw2 at infradead.org> wrote:

>> That's what I'm proposing. To take the first address from the
>> configured network and assign it as our address for tun purposes.
>> Indeed there could be someone somewhere using it, but in the end we
>> need an address to use.

> Well, the difference is that you said 'take' and I said 'assign'. I
> meant that you'd actually get one *given* to you by the RADIUS server.
> If you just *steal* an IP address which is assigned to another host on
> the network, then your clients cannot communicate with the *real* owner
> of that IP address.

After some IRC discussion, the approach is to take the first address
from the configured network in ocserv. If RADIUS or per-user
configuration is used to set explicit IP addresses, then these should be
unrelated to the network configured in ocserv. That is, the network
configured in ocserv should be non-empty even if all IPs are assigned
explicitly by RADIUS or per-user configuration.

Btw, the case where one would like to have ocserv assigning all the
addresses in that network except one which is explicitly set via
per-user configuration would also work. That is because the explicitly
assigned addresses are also tracked internally and there will not be
double booking, although there will be denial of service if someone took
that explicit IP before.

regards,
Nikos
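
The allocation policy described in the message above, modelled as an added sketch that is not part of the original post and is not ocserv's code. The names `LeasePool`, `LeaseConflict`, `assign_dynamic` and `assign_explicit` and all addresses are assumptions made for illustration; it shows the first address being reserved for the server, explicit addresses sharing one lease table with dynamic ones, and the refusal that results when an explicit address was already handed out.

```python
import ipaddress

class LeaseConflict(Exception):
    """Requested address is already in use."""

class LeasePool:
    """Toy model of the policy in the message above; not ocserv code."""
    def __init__(self, network):
        self.net = ipaddress.ip_network(network)
        # The first host address of the configured network is the server's
        # own tun-side address and is never handed to a client.
        self.server_ip = next(self.net.hosts())
        self.leases = {}  # address -> user, dynamic and explicit alike

    def assign_dynamic(self, user):
        for ip in self.net.hosts():
            if ip != self.server_ip and ip not in self.leases:
                self.leases[ip] = user
                return ip
        raise LeaseConflict("pool exhausted")

    def assign_explicit(self, user, address):
        # Explicit (RADIUS / per-user) addresses share the same table,
        # so no address is ever booked twice.
        ip = ipaddress.ip_address(address)
        if ip == self.server_ip or ip in self.leases:
            raise LeaseConflict(f"{ip} already in use")
        self.leases[ip] = user
        return ip

def demo():
    pool = LeasePool("192.0.2.0/29")  # constructed sample network
    out = {"server": str(pool.server_ip)}
    # Explicit in-pool address, reserved before any dynamic client connects.
    out["carol"] = str(pool.assign_explicit("carol", "192.0.2.2"))
    # Dynamic allocation skips the server address and carol's address.
    out["alice"] = str(pool.assign_dynamic("alice"))
    # An explicit address unrelated to the configured network is tracked too.
    out["dave"] = str(pool.assign_explicit("dave", "198.51.100.7"))
    # Failure case: bob's explicit address already went to alice dynamically,
    # so bob is refused instead of double booked.
    try:
        pool.assign_explicit("bob", out["alice"])
        out["bob"] = "assigned"
    except LeaseConflict:
        out["bob"] = "refused"
    return out

if __name__ == "__main__":
    print(demo())
```
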