On 06/14/2011 11:45 AM, Alexander Hartmaier wrote:
> Does this mean that we can't bind to IPv4 and IPv6 separately on Linux
> to not get v6 mapped v4 addresses?

I think the mapped addresses are only seen when a wildcard IPv6 bind is
done. If you bind to a non-wildcard IPv4 or IPv6 address, you should
only see traffic that arrived over IPv4 or IPv6, respectively.

To control the mapped addresses, there is the IPV6_V6ONLY socket option; see
http://tools.ietf.org/html/rfc3493#section-5.3 for more details.

Linux also has this special file to control the system-wide behaviour:

/proc/sys/net/ipv6/bindv6only

By default this seems to be 0. When it is 0, this will not work:

BindAddress ipv6:::, 0.0.0.0

The result in logs is this:

Tue Jun 14 16:15:07 2011: DEBUG: Creating authentication port ipv6::::1645
Tue Jun 14 16:15:07 2011: DEBUG: Creating accounting port ipv6::::1646
Tue Jun 14 16:15:07 2011: DEBUG: Creating authentication port 0.0.0.0:1645
Tue Jun 14 16:15:07 2011: ERR: Could not bind authentication socket: Address already in use
Tue Jun 14 16:15:07 2011: DEBUG: Creating accounting port 0.0.0.0:1646
Tue Jun 14 16:15:07 2011: ERR: Could not bind accounting socket: Address already in use

If I do this to enable the option:
echo 1 |sudo tee /proc/sys/net/ipv6/bindv6only

the same configuration works:

BindAddress ipv6:::, 0.0.0.0

Tue Jun 14 16:16:20 2011: DEBUG: Creating authentication port ipv6::::1645
Tue Jun 14 16:16:20 2011: DEBUG: Creating accounting port ipv6::::1646
Tue Jun 14 16:16:20 2011: DEBUG: Creating authentication port 0.0.0.0:1645
Tue Jun 14 16:16:20 2011: DEBUG: Creating accounting port 0.0.0.0:1646

When I used radpwtst to send requests to ipv6:::1 or 127.0.0.1, these
Client clauses were matched, respectively:

<Client ipv6:::1>
        Identifier ipv6-loopback
        Secret  mysecret
        DupInterval 0
</Client>
<Client 127.0.0.1>
        Identifier ipv4-loopback
        Secret  mysecret
        DupInterval 0
</Client>

# Use this to check which Client clause matched
<Handler>
        <AuthBy FILE>
                Filename        %D/users-%{Client:Identifier}
        </AuthBy>
</Handler>

This may be useful for controlling IPv6 behaviour.

Thanks!
Heikki


> Am 2011-06-09 19:50, schrieb Heikki Vatiainen:
>> On 06/09/2011 05:37 PM, Dyonisius Visser wrote:
>>> Well, I installed a second instance on a dual stack host, and I tested
>>> various combinations:
>> Thanks for the summary.
>>
>>> BindAddress 192.87.30.31,ipv6:2001:610:148:dead::31
>>>      I.e. hardcoded addresses - this works, both IPv4 and IPv6 clients work
>>>
>>> BindAddress ipv6:::
>>>     IPv4 blocked (NOTICE: Request from unknown client 192.87.30.32: ignored)
>> This should work if you specify your client like this:
>>
>> <Client ipv6:::ffff:192.87.30.32>
>>
>> Since the request arrived over IPv4 but was delivered to the application
>> by IPv6 wildcard socket, the IPv4 address is presented as an IPv6
>> address. See
>>
>> http://tools.ietf.org/html/rfc4291#section-2.5.5
>>
>> section "2.5.5.2. IPv4-Mapped IPv6 Address". The purpose of this mapping
>> is to let the application know whether the message was received over IPv6 or
>> IPv4, since the socket can handle both protocols.
>>
>>
>>> BindAddress 0.0.0.0
>>>    This is the default. IPv4 clients work. IPv6 clients DO NOT work,
>>> and worse, nothing is logged by radiator, no "request from unknown
>>> client 2001:610:blah:blah"
>>>
>>> BindAddress ipv6:::,0.0.0.0
>>>    Startup gives some errors, and only IPv6 works:
>>> Thu Jun  9 16:25:54 2011: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
>>> Thu Jun  9 16:25:54 2011: DEBUG: Reading dictionary file '/etc/radiator/db/dictionary'
>>> Thu Jun  9 16:25:54 2011: DEBUG: Creating authentication port ipv6::::1812
>>> Thu Jun  9 16:25:54 2011: DEBUG: Creating accounting port ipv6::::1813
>>> Thu Jun  9 16:25:54 2011: DEBUG: Creating authentication port 0.0.0.0:1812
>>> Thu Jun  9 16:25:54 2011: ERR: Could not bind authentication socket: Address already in use
>>> Thu Jun  9 16:25:54 2011: DEBUG: Creating accounting port 0.0.0.0:1813
>>> Thu Jun  9 16:25:54 2011: ERR: Could not bind accounting socket: Address already in use
>>> Thu Jun  9 16:25:54 2011: NOTICE: Server started: Radiator 4.8 on radius
>>> Thu Jun  9 16:25:55 2011: NOTICE: Request from unknown client
>>> 145.100.98.42: ignored
>>>
>>> BindAddress 0.0.0.0,ipv6:::
>>>    Also some errors, only IPv4 works, and also nothing logged when an
>>> IPv6 client connects:
>>> Thu Jun  9 16:27:42 2011: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
>>> Thu Jun  9 16:27:42 2011: DEBUG: Reading dictionary file '/etc/radiator/db/dictionary'
>>> Thu Jun  9 16:27:42 2011: DEBUG: Creating authentication port 0.0.0.0:1812
>>> Thu Jun  9 16:27:42 2011: DEBUG: Creating accounting port 0.0.0.0:1813
>>> Thu Jun  9 16:27:42 2011: DEBUG: Creating authentication port ipv6::::1812
>>> Thu Jun  9 16:27:42 2011: ERR: Could not bind authentication socket: Address already in use
>>> Thu Jun  9 16:27:42 2011: DEBUG: Creating accounting port ipv6::::1813
>>> Thu Jun  9 16:27:42 2011: ERR: Could not bind accounting socket: Address already in use
>>> Thu Jun  9 16:27:42 2011: NOTICE: Server started: Radiator 4.8 on radius
>>>
>>>
>>> So the only way I can get radiator to accept requests from both protocols
>>> is to hardcode the interface addresses.
>>>
>>> Would it be possible to have radiator listen to 4+6 without hard coding?
>>>
>>> I think that option (whatever it looks like) should be the default.
>>>
>>> If possible, can the behavior of the current default ('BindAddress
>>> 0.0.0.0') be changed so that it actually logs ignored incoming
>>> requests?
>>> I've spent quite some time figuring out what is going on, and only
>>> tcpdump revealed that requests are actually reaching my box.
>>>
>>> Thanks :-)
>>>
>>
> 


-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
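The dual-stack behaviour discussed in this thread, reproduced with plain UDP sockets against loopback. This is an added example, not Radiator code and not posted by anyone in the thread; it only assumes the RFC 3493 IPV6_V6ONLY socket option and RFC 4291 IPv4-mapped addresses that the thread cites, and the `ipv6:` Client-clause notation shown above. `bind_v6_then_v4` shows why `BindAddress ipv6:::, 0.0.0.0` fails with "Address already in use" unless V6ONLY is set; `peer_seen_by_dual_stack_socket` shows that an IPv4 sender arrives at a wildcard IPv6 socket as `::ffff:a.b.c.d`; `client_key` turns the address a receiver sees into the `<Client ...>` key that would match it. The datagram payload is constructed, not a real RADIUS packet.

```python
"""Added example (not Radiator code): what a wildcard IPv6 bind does to IPv4
peers, and why '::' and '0.0.0.0' collide on one port unless IPV6_V6ONLY is set.
Runs offline against loopback; functions return None where IPv6 is unavailable."""
import errno
import ipaddress
import socket


def _v6_udp(v6only: int, port: int = 0):
    """Bind an IPv6 UDP socket to :: with IPV6_V6ONLY set as requested.
    The option must be set before bind(); a per-socket value overrides the
    system default in /proc/sys/net/ipv6/bindv6only on Linux (RFC 3493 5.3).
    Returns the socket, or None if the host has no usable IPv6."""
    try:
        s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    except OSError:
        return None
    try:
        s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, v6only)
        s.bind(("::", port))
    except OSError:
        s.close()
        return None
    return s


def bind_v6_then_v4(v6only: bool):
    """Bind :: first, then try 0.0.0.0 on the same UDP port, which is what
    'BindAddress ipv6:::, 0.0.0.0' does.  Returns "ok" when the second bind
    succeeds, the errno name (e.g. "EADDRINUSE") when it fails, or None when
    IPv6 is unavailable on this host."""
    s6 = _v6_udp(1 if v6only else 0)
    if s6 is None:
        return None
    port = s6.getsockname()[1]
    s4 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s4.bind(("0.0.0.0", port))
        return "ok"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s4.close()
        s6.close()


def peer_seen_by_dual_stack_socket():
    """Send one datagram over IPv4 to a dual-stack (V6ONLY=0) wildcard IPv6
    socket and return the peer address the receiver sees.  None if IPv6 is
    unavailable or nothing arrived within the timeout."""
    s6 = _v6_udp(0)
    if s6 is None:
        return None
    s4 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        port = s6.getsockname()[1]
        s4.sendto(b"constructed payload, not a RADIUS packet", ("127.0.0.1", port))
        s6.settimeout(2.0)
        _, peer = s6.recvfrom(4096)
        return peer[0]            # IPv4-mapped form, e.g. '::ffff:127.0.0.1'
    except OSError:               # socket.timeout is an OSError subclass
        return None
    finally:
        s4.close()
        s6.close()


def client_key(peer_ip: str) -> str:
    """Key a <Client ...> clause must carry to match this peer, in the
    'ipv6:' notation used in the thread.  An IPv4 peer that arrived through a
    dual-stack IPv6 socket keeps its mapped form (RFC 4291 2.5.5.2), so it
    needs <Client ipv6:::ffff:a.b.c.d>, not <Client a.b.c.d>."""
    addr = ipaddress.ip_address(peer_ip)
    if addr.version == 4:
        return str(addr)
    if addr.ipv4_mapped is not None:
        # Spelled out explicitly; str() of a mapped address varies by Python version.
        return f"ipv6:::ffff:{addr.ipv4_mapped}"
    return f"ipv6:{addr.compressed}"


if __name__ == "__main__":
    print("V6ONLY=0, then 0.0.0.0 on same port:", bind_v6_then_v4(False))
    print("V6ONLY=1, then 0.0.0.0 on same port:", bind_v6_then_v4(True))
    seen = peer_seen_by_dual_stack_socket()
    print("IPv4 peer seen as:", seen, "-> Client key:", seen and client_key(seen))
```

Two things worth noting when reading the output. First, the per-socket option wins over the sysctl, so `bind_v6_then_v4(True)` succeeds even on a host where bindv6only is 0, and `peer_seen_by_dual_stack_socket` still sees the mapped form on a host where bindv6only is 1; the sysctl only sets the default for sockets that never call setsockopt. Second, the mismatch between a dual-stack listener and a Client clause written for the plain IPv4 address fails closed, as the quoted "Request from unknown client 192.87.30.32: ignored" shows: the request is dropped rather than matched against the wrong shared secret, but it is easy to mistake for a network problem until you check what address the receiver actually saw.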
