openvpn/TODO.IPv6
Gert Doering c55e9562d6 Implement IPv6 interface config with non-/64 prefix lengths.
Add "ifconfig_ipv6_netbits_parm" parameter to init_tun(), use that to
initialize tt->netbits_ipv6 (previously: always /64).  Actual interface
setup code already used tt->netbits_ipv6, so no changes needed there.

Remove restrictions on "/netbits" value for --server-ipv6 config option
(can now be /64.../112, previously had to be exactly /64).  Supporting
even smaller networks could cause problems with ipv6-pool handling and
are only allowed for explicit "ifconfig-ipv6", not for "server-ipv6".

Add /netbits to pushed "ifconfig-ipv6" values on server side (client
side always accepted this, but ignored it so far, so this does not
break compatibility).

Tested on Linux/ifconfig, Linux/iproute2 and FreeBSD 7.4

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
2012-02-04 13:16:06 +01:00

189 lines
6.6 KiB
Plaintext

TODO for IPv6 payload support
-----------------------------
1.) "--topology subnet" doesn't work together with IPv6 payload on FreeBSD
(verified for FreeBSD server, Linux/ifconfig client, problems
with ICMP6 neighbor solicitations from BSD not being answered by Linux)
2.) NetBSD IPv6 support doesn't work
("connected" route is not auto-created, "route-ipv6" adding fails)
* fixed, 3.1.10 *
3.) route deletion for IPv6 routes is not yet done
* fixed for configured routes, 3.1.10 *
* missing for manual-ifconfig-connected (NetBSD, Darwin, Win32)
4.) do "ifconfig tun0 inet6 unplumb" or "ifconfig tun0 destroy" for
Solaris, *BSD, ... at program termination time, to clean up leftovers
(unless tunnel persistance is desired).
For Solaris, only the "ipv6 tun0" is affected, for the *BSDs all tun0
stay around.
4a.) deconfigure IPv6 on tun interface on session termination, otherwise
one could end up with something like this (on NetBSD):
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 10.9.0.18 -> 10.9.0.17 netmask 0xffffffff
inet6 fe80::a00:20ff:fece:d299%tun0 -> prefixlen 64 scopeid 0x3
inet6 2001:608:4:eff::2000:3 -> prefixlen 64
inet6 2001:608:4:eff::1:3 -> prefixlen 64
(pool was changed, previous address still active on tun0, breakage)
* semi-fixed for NetBSD, 28.2.10, always do tun0 destroy / tun0 create
before actual ifconfig -- tunnel still lingers after OpenVPN quits
4b.) verify this - on FreeBSD, tun0 is auto-destroyed if created by
opening /dev/tun (and lingers if created by "ifconfig tun0 create")
-> use for persistant tunnels on not-linux?
5.) add new option "ifconfig-ipv6-push"
(per-client static IPv6 assignment, -> radiusplugin, etc)
* implemented, 14.1.10 *
6.) add new option "route-ipv6-gateway"
7.) add "full" gateway handling for IPv6 in route.c
(right now, the routes are just sent down the tun interface, if the
operating system in questions supports that, without care for the
gateway address - which does not work for gateways that are supposed
to point elsewhere. Also, it doesn't work for TAP interfaces.
8.) full IPv6 support for TAP interfaces
(main issue should be routes+gateway - and testing :-) )
test 2010/09/24: TAP itself works on linux/ifconfig+iproute2, but
route-via-tap doesn't work at all (route points to "tap0" which fails)
17:51:14.075412 fe:ab:6e:c5:53:71 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2001:608:4:a053::1:0 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:608:4:a001::1, length 32
how is iroute-via-tap supposed to work??
9.) verify that iroute-ipv6 and route-ipv6 interact in the same way as
documented for iroute/route:
A's subnet, OpenVPN must push this route to all clients
EXCEPT for A, since the subnet is already owned by A.
OpenVPN accomplishes this by not
not pushing a route to a client
if it matches one of the client's iroutes.
10.) extend "ifconfig-ipv6" to handle specification of /netbits, pushing
of /netbits, and correctly ifconfig'ing this
(default, if not specified: /64)
* done * 2012-02-03
11.) do not add ipv6-routes if tun-ipv6 is not set - complain instead
* done * 12.1.10
12.) handle incoming [::] and [fe80:...] packets in tun-p2mp MULTI mode
(most likely those are DAD packets)
silently ignore DAD?
Or accept-and-forward iff (multicast && client2client)?
handle NS/NA
13.) from Martin List-Petersen:
One thing, and I guess this requires modifications in
network-manager-openvpn: It also works, BUT ignores "push
route-ipv6-gateway" and "push route-ipv6 ...." (obviously routes pushed
from the server) entirely.
14.) from ##openvpn-discussion:
new features should be #ifdef'ed
(check whether this is feasible at all)
15.) IPv6 related environment variables
- document all of them in openvpn.8
- make sure that all existing IPv4 stuff has IPv6 counterparts
16.) OpenBSD
- implement ifconfig/route for IPv6
- revert ifconfig/open_tun order to "normal" (separate commit!!!)
(openvpn-devel, Subject: OpenBSD)
- test
17.) client-option (Elwood)
- ignore-v6-push-options yes/no
- ignore-v6-route-push ("as for IPv4 routes")
18.) fail-save? "what if 'ip -6 addr add' fails" -> fail, or fallback to v4?
(-> recomment setting "ignore-v6-push-options yes")
19.) safety check: if connecting over IPv6 (v6 transport) and the pushed
route-ipv6 network encompasses the server IPv6 address, make sure
we at least log a warning (until we can fiddle with external routing
to make this work correctly).
20.) show "route add" / "route delete" commands for IPv6 in log file
(we show the "ifconfig" commands, so why not the routes?)
2010-08-07: this is a null-feature - it's already there, but with
different debug level (M_INFO vs. D_ROUTE) so user
didn't notice
21.) enable ipv6-only server operations
- decouple ipv6 pool handling from ipv4 pool
- make sure Rest of OpenVPN doesn't assume "there will always be IPv4"
22.) implement --learn-address for IPv6
23.) FreeBSD 8 seems to require explicit setting of the "ifconfig" IPv6
route, while FreeBSD 6+7 don't --> more testing, and code fix
workaround for the time being: just add
server-ipv6 2001:608:4:a051::/64
route-ipv6 2001:608:4:a051::/64
to the config
(problem + workaround applies both to tun and tap style devices)
TODO for IPv6 transport support
-------------------------------
[ Last updated: 11-Nov-2009. ]
* All platforms:
o mgmt console: as currently passes straight in_addr_t bits around
o make possible to get AF from getaddrinfo() answer, ie allow openvpn to
use ipv4/6 if DNS returns A/AAAA without specifying protocol.
Hard: requires deep changes in initialization/calling logic
o use AI_PASSIVE
o the getaddr()/getaddr6() interface is not prepared for handling socktype
"tagging", currently I abuse the sockflags bits for getting the ai_socktype
downstream.
o implement comparison for mapped addesses: server in dual stack
listening IPv6 must permit incoming streams from allowed IPv4 peer,
currently you need to pass eg: --remote ffff::1.2.3.4
o do something with multi mode learn routes, for now just ignoring
ipv6 addresses seems the most sensible thing to do, because there's
no support for intra-tunnel ipv6 stuff.
* win32:
o find out about mapped addresses, as I can't make it work
with bound at ::1 and connect to 127.0.0.1
* N/A:
o this is ipv6 *endpoint* support, so don't expect "ifconfig6"-like
support in this patch