[RADIATOR] IPv6 enhancements in current patches: IPV6_V6ONLY and IPv6 CIDR clients

Heikki Vatiainen hvn at open.com.au
Sat Nov 30 15:40:12 CST 2013


On 11/29/2013 04:04 PM, Hartmaier Alexander wrote:

> I've just read the IPv6 section in the 4.12.1 reference manual after
> installing 4.12.1 on a new RHEL6 box which has IPv6 support disabled via
> 'alias ipv6 off' and 'options ipv6 disable=1' in /etc/modprobe.d/local.conf.
> 
> On startup Radiator logs: 'INFO: This system is IPv6 capable. IPv6
> capability provided by: core' although the Socket6 module isn't
> installed because its tests fail because IPv6 support is disabled in the
> Linux kernel.

That's interesting. Does Socket6 compilation really check if IPv6 is
disabled in the system?

The Radiator log message is about the IPv6 capability of the Perl that
was used to invoke radiusd. Now that you mentioned it, it might be better
to say that the system has IPv6 capable Perl and the Perl IPv6
capability required by Radiator is provided by Perl core (or Socket6 or
none).

In your case, even if you cannot use BindAddress ::, radiusd can still
process attributes with IPv6 addresses and prefixes without problems
since the Perl core libraries have support for, e.g., getaddrinfo().

> But the manual says 'Note: Currently IPv6 support requires Socket6.pm
> Perl module.'. Which one is correct, the manual or the log message?

The manual is correct for Radiator 4.12.1 as it was released. Binding to
IPv6 addresses, address packing and other functions and decoding and
encoding of IPv6 addresses and prefixes in attributes require Socket6.pm
with 4.12.1.

The patches in 4.12.1 check Perl's IPv6 capability and try to prefer the
built-in core modules. If the core does not support all the required
functionality, then the presence of Socket6.pm is checked. If there is no
Socket6.pm either, then IPv6 addresses and prefixes cannot be encoded
and decoded in human readable format and are processed as binary data,
which works for proxying.

> The Perl version is 5.16.3 compiled on the box using perlbrew.

Perl 5.16.3 is recent enough, I think 5.14.0 has everything required, so
radiusd finds that the core modules in 5.16.3 can be used. Also, since you
get the log message about IPv6 capability, it means you have Radiator
4.12.1 + patches.

> The very first sentence doesn't mention TACACS+, does it support IPv6
> too or not?

ServerTACACSPLUS should work with IPv6. Looks like
goodies/tacacsplustest does not support IPv6 for testing yet, but the
server side should work.

> Please add this info.

The documentation regarding Socket6.pm not being required for recent enough
Perls will be in the next release's documentation. We can mention
TACACS+ too.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
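
The distinction discussed in this message, between the IPv6 capability of the Perl interpreter and the kernel's willingness to create IPv6 sockets, can be checked separately. The script below is an added example, not Radiator code and not part of the original post; the `ipv6_provider` helper and the `@NEEDED` function list are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not Radiator code): separate Perl-level IPv6 capability
# from kernel-level IPv6 socket support.
use strict;
use warnings;
use Socket ();

# Functions an IPv6-aware server would want from Perl (assumed list).
my @NEEDED = qw(getaddrinfo getnameinfo inet_pton inet_ntop
                pack_sockaddr_in6 unpack_sockaddr_in6);

# Returns (label, package, AF_INET6 value), preferring the core Socket
# module and falling back to Socket6; returns ('none') if neither works.
sub ipv6_provider {
    my $af = eval { Socket::AF_INET6() };
    return ('core', 'Socket', $af)
        if defined $af && !grep { !Socket->can($_) } @NEEDED;
    if (eval { require Socket6; 1 }) {
        $af = eval { Socket6::AF_INET6() };
        return ('Socket6', 'Socket6', $af) if defined $af;
    }
    return ('none');
}

my ($provider, $pkg, $af) = ipv6_provider();
print "Perl IPv6 capability provided by: $provider\n";
exit 0 if $provider eq 'none';

# Text <-> binary address conversion is done in user space, so it works
# even when the kernel has IPv6 disabled. 2001:db8::/32 is the
# documentation prefix; the address is a constructed sample.
my $packed = $pkg->can('inet_pton')->($af, '2001:db8::1');
my $text   = $pkg->can('inet_ntop')->($af, $packed);
printf "Round trip of sample address: %s (%d bytes packed)\n",
    $text, length $packed;

# Creating an AF_INET6 socket is what needs kernel support; binding to
# an IPv6 address such as :: depends on this step succeeding.
if (socket(my $sock, $af, Socket::SOCK_DGRAM(), 0)) {
    print "Kernel accepts AF_INET6 sockets\n";
    close $sock;
} else {
    print "Kernel refused AF_INET6 socket: $!\n";
}
```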