Re: [RADIATOR] IPv6 enhancements in current patches: IPV6_V6ONLY and IPv6 CIDR clients

2014-02-06 Thread Heikki Vatiainen
On 02/05/2014 08:07 PM, Hartmaier Alexander wrote:

 In a recent p5p mailing list discussion Paul Evans confirmed that
 Socket6 isn't needed these days as the core Socket has all functions
 required:
 https://rt.perl.org/Public/Bug/Display.html?id=75740#txn-1278801

I agree. The latest Perls do not require Socket6.pm to be used anymore
if IPv6 is needed.

 Please rework Radiator's code to use a new-enough Socket.pm instead of
 the deprecated Socket6.pm, thanks!

The current patches already default to Socket.pm. Socket6.pm is only
used if Socket.pm is not current enough.

 If everything goes well IO::Socket::IP will be in core Perl 5 Version
 20, which will be released in March, as a replacement for
 IO::Socket::INET to provide IPv4 and IPv6 support.
 So if you're using ::INET today please replace it with ::IP and test it.
 You can also use Acme::Override::INET to override all ::INET with ::IP
 calls.

IO::Socket::INET, or IO::Socket::INET6 are not used much by Radiator.
Whatever the dependencies for those are, they are likely to come from
the modules Radiator uses.

 That already sounds like it's using Socket instead of Socket6. I
 recommend to remove Socket6 at all and require a newer Socket.pm instead.

Socket6 is not required with 4.12.1+patches anymore. Only if Socket does
not have enough functionality, then Socket6 is needed. And even if
Socket6 is missing, any IPv6 typed attributes can still be proxied, and
processed as binary values. Binding to IPv6 addresses does not work,
though, if Socket is not recent enough and Socket6 is not installed.

I do not think we will start to require recent enough Socket.pm always.
What is happening is that we do not require Socket6.pm. If Socket.pm is
not recent enough, then the user can install Socket6 or newer Socket.
I'd say that is easier because Socket6.pm is already packaged by many OS
vendors, such as RedHat for RHEL6.

 The very first sentence doesn't mention TACACS+, does it support IPv6
 too or not?
 ServerTACACSPLUS should work with IPv6. Looks like
 goodies/tacacsplustest does not support IPv6 for testing yet, but the
 server side should work.
 Good to know, thanks!

goodies/tacacsplustest also supports IPv6 now. However, it is one of the
IO::Socket::I* users and requires IO::Socket::INET6 if IPv6 connections
are needed :)

An option might be to make it try IO::Socket::IP first before defaulting
back to IO::Socket::INET6 or ::INET.

If you plan to test the latest patches, please let us know how it goes
without Socket6.pm.

Thanks,
Heikki

-- 
Heikki Vatiainen h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] IPv6 enhancements in current patches: IPV6_V6ONLY and IPv6 CIDR clients

2014-02-05 Thread Hartmaier Alexander
On 2013-11-30 22:40, Heikki Vatiainen wrote:
 On 11/29/2013 04:04 PM, Hartmaier Alexander wrote:

 I've just read the IPv6 section in the 4.12.1 reference manual after
 installing 4.12.1 on a new RHEL6 box which has IPv6 support disabled via
 'alias ipv6 off' and 'options ipv6 disable=1' in /etc/modprobe.d/local.conf.

 On startup Radiator logs: 'INFO: This system is IPv6 capable. IPv6
 capability provided by: core' although the Socket6 module isn't
 installed because its tests fail because IPv6 support is disabled in the
 Linux kernel.
 That's interesting. Does Socket6 compilation really check if IPv6 is
 disabled in the system?

 The Radiator log message is about the IPv6 capability of the Perl that
 was used to invoke radiusd. Now that you mentioned, it might be better
 to say that the system has IPv6 capable Perl and the Perl IPv6
 capability required by Radiator is provided by Perl core (or Socket6 or
 none).

 In your case, even if you can not use BindAddress ::, radiusd can still
 process attributes with IPv6 addresses and prefixes without problems
 since the Perl core libraries have support for e.g., getaddrinfo().

 But the manual says 'Note: Currently IPv6 support requires Socket6.pm
 Perl module.'. Which one is correct, the manual or the log message?
 The manual is correct for Radiator 4.12.1 as it was released. Binding to
 IPv6 addresses, address packing and other functions and decoding and
 encoding of IPv6 addresses and prefix in attributes requires Socket6.pm
 with 4.12.1.
In a recent p5p mailing list discussion Paul Evans confirmed that
Socket6 isn't needed these days as the core Socket has all functions
required:
https://rt.perl.org/Public/Bug/Display.html?id=75740#txn-1278801

Please rework Radiator's code to use a new-enough Socket.pm instead of
the deprecated Socket6.pm, thanks!
If everything goes well IO::Socket::IP will be in core Perl 5 Version
20, which will be released in March, as a replacement for
IO::Socket::INET to provide IPv4 and IPv6 support.
So if you're using ::INET today please replace it with ::IP and test it.
You can also use Acme::Override::INET to override all ::INET with ::IP
calls.


 The patches in 4.12.1 check Perl's IPv6 capability and try to prefer the
 built in core modules. If the core does not support all the required
 functionality, then presence of Socket6.pm is checked. If there is no
 Socket6.pm either then IPv6 addresses and prefixes can not be encoded
 and decoded in human readable format and are processed as binary data
 which works for proxying.
That already sounds like it's using Socket instead of Socket6. I
recommend to remove Socket6 at all and require a newer Socket.pm instead.

 The Perl version is 5.16.3 compiled on the box using perlbrew.
 Perl 5.16.3 is recent enough, I think 5.14.0 has everything required, so
 radiusd finds the core modules in 5.16.3 can be used. Also, since you
 get the log message about IPv6 capability, it means you have Radiator
 4.12.1 + patches.

 The very first sentence doesn't mention TACACS+, does it support IPv6
 too or not?
 ServerTACACSPLUS should work with IPv6. Looks like
 goodies/tacacsplustest does not support IPv6 for testing yet, but the
 server side should work.
Good to know, thanks!


 Please add this info.
 The documentation regarding Socket6.pm not required for recent enough
 Perls will be in the next release's documentation. We can also mention
 TACACS+ too.

 Thanks,
 Heikki

 --
 Heikki Vatiainen h...@open.com.au




***
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
***
Notice: This e-mail contains information that is confidential and may be 
privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
***


Re: [RADIATOR] IPv6 enhancements in current patches: IPV6_V6ONLY and IPv6 CIDR clients

2013-11-30 Thread Heikki Vatiainen
On 11/29/2013 04:04 PM, Hartmaier Alexander wrote:

 I've just read the IPv6 section in the 4.12.1 reference manual after
 installing 4.12.1 on a new RHEL6 box which has IPv6 support disabled via
 'alias ipv6 off' and 'options ipv6 disable=1' in /etc/modprobe.d/local.conf.
 
 On startup Radiator logs: 'INFO: This system is IPv6 capable. IPv6
 capability provided by: core' although the Socket6 module isn't
 installed because its tests fail because IPv6 support is disabled in the
 Linux kernel.

That's interesting. Does Socket6 compilation really check if IPv6 is
disabled in the system?

The Radiator log message is about the IPv6 capability of the Perl that
was used to invoke radiusd. Now that you mentioned, it might be better
to say that the system has IPv6 capable Perl and the Perl IPv6
capability required by Radiator is provided by Perl core (or Socket6 or
none).

In your case, even if you can not use BindAddress ::, radiusd can still
process attributes with IPv6 addresses and prefixes without problems
since the Perl core libraries have support for e.g., getaddrinfo().

 But the manual says 'Note: Currently IPv6 support requires Socket6.pm
 Perl module.'. Which one is correct, the manual or the log message?

The manual is correct for Radiator 4.12.1 as it was released. Binding to
IPv6 addresses, address packing and other functions and decoding and
encoding of IPv6 addresses and prefix in attributes requires Socket6.pm
with 4.12.1.

The patches in 4.12.1 check Perl's IPv6 capability and try to prefer the
built in core modules. If the core does not support all the required
functionality, then presence of Socket6.pm is checked. If there is no
Socket6.pm either then IPv6 addresses and prefixes can not be encoded
and decoded in human readable format and are processed as binary data
which works for proxying.

 The Perl version is 5.16.3 compiled on the box using perlbrew.

Perl 5.16.3 is recent enough, I think 5.14.0 has everything required, so
radiusd finds the core modules in 5.16.3 can be used. Also, since you
get the log message about IPv6 capability, it means you have Radiator
4.12.1 + patches.

 The very first sentence doesn't mention TACACS+, does it support IPv6
 too or not?

ServerTACACSPLUS should work with IPv6. Looks like
goodies/tacacsplustest does not support IPv6 for testing yet, but the
server side should work.

 Please add this info.

The documentation regarding Socket6.pm not required for recent enough
Perls will be in the next release's documentation. We can also mention
TACACS+ too.

Thanks,
Heikki

-- 
Heikki Vatiainen h...@open.com.au



Re: [RADIATOR] IPv6 enhancements in current patches: IPV6_V6ONLY and IPv6 CIDR clients

2013-11-29 Thread Hartmaier Alexander
On 2013-08-23 10:35, Heikki Vatiainen wrote:
 On 08/22/2013 05:59 PM, Alexander Hartmaier wrote:

 I hope the reference manual was updated to reflect this feature as well.
 Yes. The plan is to also have a separate section in the reference manual
 that talks about IPv6 in more detail. It will have information about
 IPv6 support - address binding, IPv6 related attributes, IPv6 CIDR
 clients, required modules, RFCs, etc. - all gathered in one place.
I've just read the IPv6 section in the 4.12.1 reference manual after
installing 4.12.1 on a new RHEL6 box which has IPv6 support disabled via
'alias ipv6 off' and 'options ipv6 disable=1' in /etc/modprobe.d/local.conf.

On startup Radiator logs: 'INFO: This system is IPv6 capable. IPv6
capability provided by: core' although the Socket6 module isn't
installed because its tests fail because IPv6 support is disabled in the
Linux kernel.
But the manual says 'Note: Currently IPv6 support requires Socket6.pm
Perl module.'. Which one is correct, the manual or the log message?
The Perl version is 5.16.3 compiled on the box using perlbrew.

The very first sentence doesn't mention TACACS+, does it support IPv6
too or not?
Please add this info.

BR Alex



 Thanks,
 Heikki

 --
 Heikki Vatiainen h...@open.com.au






Re: [RADIATOR] IPv6 enhancements in current patches: IPV6_V6ONLY and IPv6 CIDR clients

2013-08-23 Thread Heikki Vatiainen
On 08/22/2013 05:59 PM, Alexander Hartmaier wrote:

 I hope the reference manual was updated to reflect this feature as well.

Yes. The plan is to also have a separate section in the reference manual
that talks about IPv6 in more detail. It will have information about
IPv6 support - address binding, IPv6 related attributes, IPv6 CIDR
clients, required modules, RFCs, etc. - all gathered in one place.

Thanks,
Heikki

-- 
Heikki Vatiainen h...@open.com.au



Re: [RADIATOR] IPv6 enhancements in current patches: IPV6_V6ONLY and IPv6 CIDR clients

2013-08-22 Thread Alexander Hartmaier
Heikki++

I hope the reference manual was updated to reflect this feature as well.

On 2013-08-22 16:37, Heikki Vatiainen wrote:
 Hello,

 there was recently discussion about IPv6 wildcard address binding and
 support for defining IPv6 clients with CIDR notation.

 Patch set for Radiator 4.11 now includes support for enabling
 IPV6_V6ONLY for IPv6 wildcard :: listen sockets. When enabled, this
 allows separate binding to IPv4 and IPv6 wildcard addresses. This also
 means IPv4 traffic is no more seen as IPv6 traffic with addresses like
 :::192.168.1.2.

 IPV6_V6ONLY is directly supported by Perl 5.16 and later. However, if
 one installs recent Socket.pm separately, the option can be used with
 older Perl versions too.

 Also, CIDR notation is now supported for IPv6 clients:

 Client ipv6:2001:db8:1:2::/126
 ...

 Client ipv6::::192.168.1.0/120
 ...


 Any comments and test reports are appreciated.

 Thanks,
 Heikki
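
The following is an added example, not part of the original post and not Radiator code. It shows why IPV6_V6ONLY matters for client matching: the separate wildcard binding described in the announcement, plus an IPv6 CIDR check using only the core Socket.pm. Assumptions: the helper names `in_cidr6` and `bind_both`, the test port 11812, the sample peer addresses, and the use of the standard IPv4-mapped `::ffff:` notation for the /120 range.

```perl
#!/usr/bin/perl
# Added example (not Radiator code). Needs a core Socket.pm recent enough to
# export inet_pton and IPV6_V6ONLY; no Socket6.pm is used.
use strict;
use warnings;
use Socket qw(AF_INET AF_INET6 SOCK_DGRAM IPPROTO_IPV6 IPV6_V6ONLY INADDR_ANY
              IN6ADDR_ANY inet_pton pack_sockaddr_in pack_sockaddr_in6);

# Hypothetical helper: true if IPv6 text address $addr lies inside $cidr.
sub in_cidr6 {
    my ($addr, $cidr) = @_;
    my ($net, $len) = split m{/}, $cidr, 2;
    $len = 128 unless defined $len;
    return 0 unless $len =~ /^\d+$/ && $len <= 128;
    my $ip_bin  = inet_pton(AF_INET6, $addr);   # undef if not valid IPv6 text
    my $net_bin = inet_pton(AF_INET6, $net);
    return 0 unless defined $ip_bin && defined $net_bin;
    # Compare only the first $len bits of the two 128-bit values.
    return substr(unpack('B128', $ip_bin), 0, $len)
        eq substr(unpack('B128', $net_bin), 0, $len) ? 1 : 0;
}

# Hypothetical helper: bind UDP sockets to :: and 0.0.0.0 on the same port.
# IPV6_V6ONLY keeps the :: socket from also claiming IPv4, so IPv4 peers
# arrive on the IPv4 socket with plain IPv4 source addresses.
sub bind_both {
    my ($port) = @_;
    socket(my $s6, AF_INET6, SOCK_DGRAM, 0) or die "socket (IPv6): $!\n";
    setsockopt($s6, IPPROTO_IPV6, IPV6_V6ONLY, 1) or die "IPV6_V6ONLY: $!\n";
    bind($s6, pack_sockaddr_in6($port, IN6ADDR_ANY)) or die "bind IPv6 wildcard: $!\n";
    socket(my $s4, AF_INET, SOCK_DGRAM, 0) or die "socket (IPv4): $!\n";
    bind($s4, pack_sockaddr_in($port, INADDR_ANY)) or die "bind IPv4 wildcard: $!\n";
    return ($s6, $s4);
}

# Constructed sample peers. The /126 range is the one from the post; the /120
# range uses standard IPv4-mapped notation (an assumption) and covers the
# same hosts as 192.168.1.0/24 when a dual-stack socket reports IPv4 peers.
for my $t (['2001:db8:1:2::3',    '2001:db8:1:2::/126'],
           ['2001:db8:1:2::4',    '2001:db8:1:2::/126'],
           ['::ffff:192.168.1.2', '::ffff:192.168.1.0/120']) {
    printf "%-20s in %-24s %s\n", @$t, in_cidr6(@$t) ? 'yes' : 'no';
}

my @socks = eval { bind_both(11812) };   # 11812: arbitrary unprivileged port
my $msg = $@ ? "dual bind failed: $@" : "bound :: (v6only) and 0.0.0.0 on 11812\n";
print $msg;
```

On a host with IPv6 disabled in the kernel, as in the RHEL6 setup discussed later in the thread, the dual bind reports a failure while the CIDR checks still work, since they only need address parsing.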



