[RADIATOR] BindAddress question

Alexander Hartmaier alexander.hartmaier at t-systems.at
Tue Jun 14 08:38:13 CDT 2011


Awesome reply Heikki, thanks!
I recommend you add an IPv6 section to the pdf documentation including this!

On 2011-06-14 15:21, Heikki Vatiainen wrote:
> On 06/14/2011 11:45 AM, Alexander Hartmaier wrote:
>> Does this mean that we can't bind to IPv4 and IPv6 separately on Linux
>> to not get v6 mapped v4 addresses?
> I think the mapped addresses are only seen when a wildcard IPv6 bind is
> done. If you bind to a non-wildcard IPv4 or IPv6 address, you should
> only see traffic that arrived over IPv4 or IPv6, respectively.
>
> To control the mapped addresses, there is IPV6_V6ONLY socket option, see
> http://tools.ietf.org/html/rfc3493#section-5.3 for more
>
> Linux also has this special file to control the system wide behaviour:
>
> /proc/sys/net/ipv6/bindv6only
>
> By default this seems to be 0. When it is 0, this will not work:
>
> BindAddress ipv6:::, 0.0.0.0
>
> The result in logs is this:
>
> Tue Jun 14 16:15:07 2011: DEBUG: Creating authentication port ipv6::::1645
> Tue Jun 14 16:15:07 2011: DEBUG: Creating accounting port ipv6::::1646
> Tue Jun 14 16:15:07 2011: DEBUG: Creating authentication port 0.0.0.0:1645
> Tue Jun 14 16:15:07 2011: ERR: Could not bind authentication socket:
> Address already in use
> Tue Jun 14 16:15:07 2011: DEBUG: Creating accounting port 0.0.0.0:1646
> Tue Jun 14 16:15:07 2011: ERR: Could not bind accounting socket: Address
> already in use
>
> If I do this to enable the option:
> echo 1 |sudo tee /proc/sys/net/ipv6/bindv6only
>
> the same configuration works:
>
> BindAddress ipv6:::, 0.0.0.0
>
> Tue Jun 14 16:16:20 2011: DEBUG: Creating authentication port ipv6::::1645
> Tue Jun 14 16:16:20 2011: DEBUG: Creating accounting port ipv6::::1646
> Tue Jun 14 16:16:20 2011: DEBUG: Creating authentication port 0.0.0.0:1645
> Tue Jun 14 16:16:20 2011: DEBUG: Creating accounting port 0.0.0.0:1646
>
> When I used radpwtst to send requests to ipv6:::1 or 127.0.0.1 these
> Client clauses were matched, respectively:
>
> <Client ipv6:::1>
>          Identifier ipv6-loopback
>          Secret  mysecret
>          DupInterval 0
> </Client>
> <Client 127.0.0.1>
>          Identifier ipv4-loopback
>          Secret  mysecret
>          DupInterval 0
> </Client>
>
> # Use this to check which Client clause matched
> <Handler>
>          <AuthBy FILE>
>                  Filename        %D/users-%{Client:Identifier}
>          </AuthBy>
> </Handler>
>
> This may be useful for controlling IPv6 behaviour.
>
> Thanks!
> Heikki
>
>
>> On 2011-06-09 19:50, Heikki Vatiainen wrote:
>>> On 06/09/2011 05:37 PM, Dyonisius Visser wrote:
>>>> Well, I installed a second instance on a dual stack host, and I tested
>>>> various combinations:
>>> Thanks for the summary.
>>>
>>>> BindAddress 192.87.30.31,ipv6:2001:610:148:dead::31
>>>>       I.e. hardcoded addresses - this works, both IPv4 and IPv6 clients work
>>>>
>>>> BindAddress ipv6:::
>>>>      IPv4 blocked (NOTICE: Request from unknown client 192.87.30.32: ignored)
>>> This should work if you specify your client like this:
>>>
>>> <Client ipv6:::ffff:192.87.30.32>
>>>
>>> Since the request arrived over IPv4 but was delivered to the application
>>> by IPv6 wildcard socket, the IPv4 address is presented as an IPv6
>>> address. See
>>>
>>> http://tools.ietf.org/html/rfc4291#section-2.5.5
>>>
>>> section "2.5.5.2. IPv4-Mapped IPv6 Address". The purpose of this mapping
>>> is to let the application know whether the message was received over IPv6
>>> or IPv4, since the socket can handle both protocols.
>>>
>>>
>>>> BindAddress 0.0.0.0
>>>>     This is the default. IPv4 clients work. IPv6 clients DO NOT work,
>>>> and worse, nothing is logged by radiator, no "request from unknown
>>>> client 2001:610:blah:blah"
>>>>
>>>> BindAddress ipv6:::,0.0.0.0
>>>>     Startup gives some errors, and only IPv6 works:
>>>> Thu Jun  9 16:25:54 2011: DEBUG: Finished reading configuration file
>>>> '/etc/radiator/radius.cfg'
>>>> Thu Jun  9 16:25:54 2011: DEBUG: Reading dictionary file
>>>> '/etc/radiator/db/dictionary'
>>>> Thu Jun  9 16:25:54 2011: DEBUG: Creating authentication port ipv6::::1812
>>>> Thu Jun  9 16:25:54 2011: DEBUG: Creating accounting port ipv6::::1813
>>>> Thu Jun  9 16:25:54 2011: DEBUG: Creating authentication port 0.0.0.0:1812
>>>> Thu Jun  9 16:25:54 2011: ERR: Could not bind authentication socket:
>>>> Address already in use
>>>> Thu Jun  9 16:25:54 2011: DEBUG: Creating accounting port 0.0.0.0:1813
>>>> Thu Jun  9 16:25:54 2011: ERR: Could not bind accounting socket:
>>>> Address already in use
>>>> Thu Jun  9 16:25:54 2011: NOTICE: Server started: Radiator 4.8 on radius
>>>> Thu Jun  9 16:25:55 2011: NOTICE: Request from unknown client
>>>> 145.100.98.42: ignored
>>>>
>>>> BindAddress 0.0.0.0,ipv6:::
>>>>     Also some errors, only IPv4 works, and also nothing logged when an
>>>> IPv6 client connects:
>>>> Thu Jun  9 16:27:42 2011: DEBUG: Finished reading configuration file
>>>> '/etc/radiator/radius.cfg'
>>>> Thu Jun  9 16:27:42 2011: DEBUG: Reading dictionary file
>>>> '/etc/radiator/db/dictionary'
>>>> Thu Jun  9 16:27:42 2011: DEBUG: Creating authentication port 0.0.0.0:1812
>>>> Thu Jun  9 16:27:42 2011: DEBUG: Creating accounting port 0.0.0.0:1813
>>>> Thu Jun  9 16:27:42 2011: DEBUG: Creating authentication port ipv6::::1812
>>>> Thu Jun  9 16:27:42 2011: ERR: Could not bind authentication socket:
>>>> Address already in use
>>>> Thu Jun  9 16:27:42 2011: DEBUG: Creating accounting port ipv6::::1813
>>>> Thu Jun  9 16:27:42 2011: ERR: Could not bind accounting socket:
>>>> Address already in use
>>>> Thu Jun  9 16:27:42 2011: NOTICE: Server started: Radiator 4.8 on radius
>>>>
>>>>
>>>> So the only way I can get radiator to accept requests from both protocols
>>>> is to hardcode the interface addresses.
>>>>
>>>> Would it be possible to have radiator listen to 4+6 without hard coding?
>>>>
>>>> I think that option (whatever it looks like) should be the default.
>>>>
>>>> If possible, can the behavior of the current default ('BindAddress
>>>> 0.0.0.0') be changed so that it actually logs ignored incoming
>>>> requests?
>>>> I've spent quite some time figuring out what is going on, and only
>>>> tcpdump revealed that requests are actually reaching my box.
>>>>
>>>> Thanks :-)
>>>>
>
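The two mechanisms discussed in the thread, the IPV6_V6ONLY socket option (per-socket form of /proc/sys/net/ipv6/bindv6only) and IPv4-mapped addresses on a wildcard IPv6 socket, can be reproduced with plain UDP sockets. The following Python script is an added example, not code from the thread or from Radiator; it assumes a Linux dual-stack host with a working loopback, and all function names in it are the example's own. It shows that with IPV6_V6ONLY=0 a bind to [::] claims the IPv4 port too (so 0.0.0.0 gets "Address already in use"), that with IPV6_V6ONLY=1 both binds succeed, and that an IPv4 datagram arriving at a dual-stack [::] socket is reported as ::ffff:a.b.c.d, which is why the Client clause has to be written as `ipv6:::ffff:192.87.30.32` in that setup. The classify_peer helper generalises the point: it normalises whatever address the socket reported into the family and address a Client match should really be keyed on.

```python
"""Added example (not part of the mailing-list thread or of Radiator).

Reproduces on a Linux dual-stack host, with UDP sockets like RADIUS uses:
  1. IPV6_V6ONLY=0 (the bindv6only=0 default): binding [::] also takes the
     IPv4 port, so a later bind of 0.0.0.0 on that port fails with EADDRINUSE;
     IPV6_V6ONLY=1: both binds succeed.
  2. An IPv4 datagram received on a dual-stack [::] socket carries an
     IPv4-mapped source address (::ffff:a.b.c.d).
"""
import errno
import ipaddress
import socket


def ipv6_sockets_available() -> bool:
    """True if this host can create and bind an AF_INET6 UDP socket."""
    try:
        s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    except OSError:
        return False
    try:
        s.bind(("::", 0))
        return True
    except OSError:
        return False
    finally:
        s.close()


def ipv4_bind_allowed_after_v6_wildcard(v6only: bool) -> bool:
    """Bind [::] on an ephemeral UDP port with IPV6_V6ONLY set as requested,
    then try to bind 0.0.0.0 on the same port.
    Returns True if the IPv4 bind succeeded, False if it hit EADDRINUSE."""
    s6 = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    s4 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # Per-socket equivalent of echo 0|1 > /proc/sys/net/ipv6/bindv6only.
        s6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
        s6.bind(("::", 0))
        port = s6.getsockname()[1]
        try:
            s4.bind(("0.0.0.0", port))
            return True
        except OSError as e:
            if e.errno != errno.EADDRINUSE:
                raise
            return False
    finally:
        s4.close()
        s6.close()


def peer_as_seen_by_dual_stack_wildcard():
    """Send one IPv4 loopback datagram (constructed test payload) to a
    dual-stack [::] UDP socket and return the source address string the
    receiver sees (expected "::ffff:127.0.0.1"), or None if loopback
    delivery is not available on this host."""
    srv = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        srv.bind(("::", 0))
        srv.settimeout(2.0)
        port = srv.getsockname()[1]
        cli.sendto(b"constructed test datagram", ("127.0.0.1", port))
        _data, addr = srv.recvfrom(1024)
        return addr[0]
    except OSError:
        return None
    finally:
        cli.close()
        srv.close()


def classify_peer(addr: str):
    """Normalise the address a socket reported for a peer, as a server must
    before matching it against a Client definition.
    Returns (family, address); IPv4-mapped IPv6 addresses count as IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4", str(ip)
    mapped = ip.ipv4_mapped
    if mapped is not None:
        return "ipv4", str(mapped)
    return "ipv6", str(ip)


if __name__ == "__main__":
    for flag in (False, True):
        ok = ipv4_bind_allowed_after_v6_wildcard(flag)
        print(f"IPV6_V6ONLY={int(flag)}: bind 0.0.0.0 after [::] ->",
              "ok" if ok else "Address already in use")
    seen = peer_as_seen_by_dual_stack_wildcard()
    if seen is not None:
        print("IPv4 datagram on [::] socket reported from", seen,
              "->", classify_peer(seen))
```

Run it as root or not, it only binds ephemeral ports. The first two lines of output match the two log excerpts in the thread; the third shows why, with `BindAddress ipv6:::` alone, an IPv4 client must be declared under its mapped form unless IPV6_V6ONLY is turned on and a separate 0.0.0.0 listener added.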

