[RADIATOR] BindAddress question

Heikki Vatiainen hvn at open.com.au
Tue Jun 14 08:21:17 CDT 2011


On 06/14/2011 11:45 AM, Alexander Hartmaier wrote:
> Does this mean that we can't bind to IPv4 and IPv6 separately on Linux
> to not get v6 mapped v4 addresses?

I think the mapped addresses are only seen when a wildcard IPv6 bind is
done. If you bind to a non-wildcard IPv4 or IPv6 address, you should
only see traffic that arrived over IPv4 or IPv6, respectively.

To control the mapped addresses, there is IPV6_V6ONLY socket option, see
http://tools.ietf.org/html/rfc3493#section-5.3 for more

Linux also has this special file to control the system wide behaviour:

/proc/sys/net/ipv6/bindv6only

By default this seems to be 0. When it is 0, this will not work:

BindAddress ipv6:::, 0.0.0.0

The result in logs is this:

Tue Jun 14 16:15:07 2011: DEBUG: Creating authentication port ipv6::::1645
Tue Jun 14 16:15:07 2011: DEBUG: Creating accounting port ipv6::::1646
Tue Jun 14 16:15:07 2011: DEBUG: Creating authentication port 0.0.0.0:1645
Tue Jun 14 16:15:07 2011: ERR: Could not bind authentication socket:
Address already in use
Tue Jun 14 16:15:07 2011: DEBUG: Creating accounting port 0.0.0.0:1646
Tue Jun 14 16:15:07 2011: ERR: Could not bind accounting socket: Address
already in use

If I do this to enable the option:
echo 1 |sudo tee /proc/sys/net/ipv6/bindv6only

the same configuration works:

BindAddress ipv6:::, 0.0.0.0

Tue Jun 14 16:16:20 2011: DEBUG: Creating authentication port ipv6::::1645
Tue Jun 14 16:16:20 2011: DEBUG: Creating accounting port ipv6::::1646
Tue Jun 14 16:16:20 2011: DEBUG: Creating authentication port 0.0.0.0:1645
Tue Jun 14 16:16:20 2011: DEBUG: Creating accounting port 0.0.0.0:1646

When I used radpwtst to send requests to ipv6:::1 or 127.0.0.1 these
Client clauses were matched, respectively:

<Client ipv6:::1>
        Identifier ipv6-loopback
        Secret  mysecret
        DupInterval 0
</Client>
<Client 127.0.0.1>
        Identifier ipv4-loopback
        Secret  mysecret
        DupInterval 0
</Client>

# Use this to check which Client clause matched
<Handler>
        <AuthBy FILE>
                Filename        %D/users-%{Client:Identifier}
        </AuthBy>
</Handler>

This may be useful for controlling IPv6 behaviour.

Thanks!
Heikki


> Am 2011-06-09 19:50, schrieb Heikki Vatiainen:
>> On 06/09/2011 05:37 PM, Dyonisius Visser wrote:
>>> Well, I installed a second instance on a dual stack host, and I tested
>>> various combinations:
>> Thanks for the summary.
>>
>>> BindAddress 192.87.30.31,ipv6:2001:610:148:dead::31
>>>      I.e. hardcoded addresses - this works, both IPv4 and IPv6 clients work
>>>
>>> BindAddress ipv6:::
>>>     IPv4 blocked (NOTICE: Request from unknown client 192.87.30.32: ignored)
>> This should work if you specify your client like this:
>>
>> <Client ipv6:::ffff:192.87.30.32>
>>
>> Since the request arrived over IPv4 but was delivered to the application
>> by IPv6 wildcard socket, the IPv4 address is presented as an IPv6
>> address. See
>>
>> http://tools.ietf.org/html/rfc4291#section-2.5.5
>>
>> section "2.5.5.2. IPv4-Mapped IPv6 Address". The purpose of this mapping
>> is to let the application to know was the message received over IPv6 or
>> IPv4 since the socket can handle both protocols.
>>
>>
>>> BindAddress 0.0.0.0
>>>    This is the default. IPv4 clients work. IPv6 clients DO NOT work,
>>> and worse, nothing is logged by radiator, no "request from unknown
>>> client 2001:610:blah:blah"
>>>
>>> BindAddress ipv6:::,0.0.0.0
>>>    Startup gives some errors, and only IPv6 works:
>>> Thu Jun  9 16:25:54 2011: DEBUG: Finished reading configuration file
>>> '/etc/radiator/radius.cfg'
>>> Thu Jun  9 16:25:54 2011: DEBUG: Reading dictionary file
>>> '/etc/radiator/db/dictionary'
>>> Thu Jun  9 16:25:54 2011: DEBUG: Creating authentication port ipv6::::1812
>>> Thu Jun  9 16:25:54 2011: DEBUG: Creating accounting port ipv6::::1813
>>> Thu Jun  9 16:25:54 2011: DEBUG: Creating authentication port 0.0.0.0:1812
>>> Thu Jun  9 16:25:54 2011: ERR: Could not bind authentication socket:
>>> Address already in use
>>> Thu Jun  9 16:25:54 2011: DEBUG: Creating accounting port 0.0.0.0:1813
>>> Thu Jun  9 16:25:54 2011: ERR: Could not bind accounting socket:
>>> Address already in use
>>> Thu Jun  9 16:25:54 2011: NOTICE: Server started: Radiator 4.8 on radius
>>> Thu Jun  9 16:25:55 2011: NOTICE: Request from unknown client
>>> 145.100.98.42: ignored
>>>
>>> BindAddress 0.0.0.0,ipv6:::
>>>    Also some errors, only IPv4 works, and also nothing logged when an
>>> IPv6 client connects:
>>> Thu Jun  9 16:27:42 2011: DEBUG: Finished reading configuration file
>>> '/etc/radiator/radius.cfg'
>>> Thu Jun  9 16:27:42 2011: DEBUG: Reading dictionary file
>>> '/etc/radiator/db/dictionary'
>>> Thu Jun  9 16:27:42 2011: DEBUG: Creating authentication port 0.0.0.0:1812
>>> Thu Jun  9 16:27:42 2011: DEBUG: Creating accounting port 0.0.0.0:1813
>>> Thu Jun  9 16:27:42 2011: DEBUG: Creating authentication port ipv6::::1812
>>> Thu Jun  9 16:27:42 2011: ERR: Could not bind authentication socket:
>>> Address already in use
>>> Thu Jun  9 16:27:42 2011: DEBUG: Creating accounting port ipv6::::1813
>>> Thu Jun  9 16:27:42 2011: ERR: Could not bind accounting socket:
>>> Address already in use
>>> Thu Jun  9 16:27:42 2011: NOTICE: Server started: Radiator 4.8 on radius
>>>
>>>
>>> So the only way I can radiator to accept requests from both protocols,
>>> is to hardcode the interface addresses.
>>>
>>> Would it be possible to have radiator listen to 4+6 without hard coding?
>>>
>>> I think that option (whatever it looks like) should be the default.
>>>
>>> If possible, can the behavior of the current default ('BindAddress
>>> 0.0.0.0') be changed so that it actually logs ignored incoming
>>> requests?
>>> I've spend quite some time figuring out what is going on, and only
>>> tcpdump revealed that requests are actually reaching my box.
>>>
>>> Thanks :-)
>>>
>>
> 
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> T-Systems Austria GesmbH   Rennweg 97-99, 1030 Wien
> Handelsgericht Wien, FN 79340b
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> Notice: This e-mail contains information that is confidential and may be privileged.
> If you are not the intended recipient, please notify the sender and then
> delete this e-mail immediately.
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.


More information about the radiator mailing list