On Wed, Jun 15, 2016 at 8:24 PM, Kevin Cernekee <cernekee at gmail.com> wrote:
>> If you set a private IPv6 subnet, and then you override the IPv6 sent
>> to client, does the client obtain any information about the private subnet?
>
> I put this in the user conf file:
>
> ipv6-network = fc00::/10
> ipv6-subnet-prefix = 128
> explicit-ipv6 = 2001:db8::f
>
> The X-CSTP-Address-IP6 header is "2001:db8::f/10". The IPv6 address
> assigned to the vpns0 interface on the ocserv box is fc00::1/128 (no
> idea if that matters).

> I think we really want to be sending /128 to the client in this case,
> to keep the client from thinking it is free to generate more addresses
> in that range?

I agree with you. I don't remember why the subnet prefix is not sent in that case. If you try this (untested) patch does everything work for you? I remember I had some issues by using a /128 for ptp links, and had to use a /127 instead.

> Long term I'm probably just going to move this project over to Linode
> and request a /56... :)

That's a lot. Interestingly with that many addresses you'll be able to perform a quite good DoS against ocserv.
https://gitlab.com/ocserv/ocserv/issues/7

regards,
Nikos

-------------- next part --------------
diff --git a/src/worker-vpn.c b/src/worker-vpn.c index bc104b7..7268747 100644 --- a/src/worker-vpn.c +++ b/src/worker-vpn.c 
@@ -1518,12 +1518,12 @@ static int connect_handler(worker_st * ws) } if (ws->vinfo.ipv6 && req->no_ipv6 == 0 && ws->user_config->ipv6_prefix != 0) { - oclog(ws, LOG_INFO, "sending IPv6 %s/%u", ws->vinfo.ipv6, ws->user_config->ipv6_prefix); - if (ws->full_ipv6 && ws->user_config->ipv6_prefix) { + oclog(ws, LOG_INFO, "sending IPv6 %s/%u", ws->vinfo.ipv6, ws->user_config->ipv6_subnet_prefix); + if (ws->full_ipv6 && ws->user_config->ipv6_subnet_prefix) { ret = cstp_printf(ws, "X-CSTP-Address-IP6: %s/%u\r\n", - ws->vinfo.ipv6, ws->user_config->ipv6_prefix); + ws->vinfo.ipv6, ws->user_config->ipv6_subnet_prefix); SEND_ERR(ret); } else { const char *net; @@ -1539,7 +1539,7 @@ static int connect_handler(worker_st * ws) ret = cstp_printf(ws, "X-CSTP-Netmask: %s/%u\r\n", - net, ws->user_config->ipv6_prefix); + net, ws->user_config->ipv6_subnet_prefix); SEND_ERR(ret); } }
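
Review bot: In the first hunk of connect_handler, the enclosing guard still tests ws->user_config->ipv6_prefix != 0 while the log call and the X-CSTP-Address-IP6 value now read ipv6_subnet_prefix. For a configuration where ipv6_subnet_prefix is 0, the log line prints "/0" and the full_ipv6 case falls through to the else branch instead of sending the address header. Consider testing ipv6_subnet_prefix in the outer condition as well, or falling back to ipv6_prefix when the subnet prefix is unset.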
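
Review bot: In the second hunk, X-CSTP-Netmask now pairs net with ipv6_subnet_prefix, but net is computed in lines outside the diff context. If net is still derived with ipv6_prefix, the header would carry a network address and a prefix length that do not belong together. It is worth confirming how net is built, switching it to the same prefix if needed, and adding a short comment on which prefix each header is meant to carry.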