Awesome reply Heikki, thanks! I recommend you add an IPv6 section to the pdf documentation including this!
On 2011-06-14 15:21, Heikki Vatiainen wrote:
> On 06/14/2011 11:45 AM, Alexander Hartmaier wrote:
>> Does this mean that we can't bind to IPv4 and IPv6 separately on Linux
>> to not get v6 mapped v4 addresses?
> I think the mapped addresses are only seen when a wildcard IPv6 bind is
> done. If you bind to a non-wildcard IPv4 or IPv6 address, you should
> only see traffic that arrived over IPv4 or IPv6, respectively.
>
> To control the mapped addresses, there is the IPV6_V6ONLY socket option, see
> http://tools.ietf.org/html/rfc3493#section-5.3 for more.
>
> Linux also has this special file to control the system-wide behaviour:
>
> /proc/sys/net/ipv6/bindv6only
>
> By default this seems to be 0. When it is 0, this will not work:
>
> BindAddress ipv6:::, 0.0.0.0
>
> The result in logs is this:
>
> Tue Jun 14 16:15:07 2011: DEBUG: Creating authentication port ipv6::::1645
> Tue Jun 14 16:15:07 2011: DEBUG: Creating accounting port ipv6::::1646
> Tue Jun 14 16:15:07 2011: DEBUG: Creating authentication port 0.0.0.0:1645
> Tue Jun 14 16:15:07 2011: ERR: Could not bind authentication socket: Address already in use
> Tue Jun 14 16:15:07 2011: DEBUG: Creating accounting port 0.0.0.0:1646
> Tue Jun 14 16:15:07 2011: ERR: Could not bind accounting socket: Address already in use
>
> If I do this to enable the option:
>
> echo 1 |sudo tee /proc/sys/net/ipv6/bindv6only
>
> the same configuration works:
>
> BindAddress ipv6:::, 0.0.0.0
>
> Tue Jun 14 16:16:20 2011: DEBUG: Creating authentication port ipv6::::1645
> Tue Jun 14 16:16:20 2011: DEBUG: Creating accounting port ipv6::::1646
> Tue Jun 14 16:16:20 2011: DEBUG: Creating authentication port 0.0.0.0:1645
> Tue Jun 14 16:16:20 2011: DEBUG: Creating accounting port 0.0.0.0:1646
>
> When I used radpwtst to send requests to ipv6:::1 or 127.0.0.1 these
> Client clauses were matched, respectively:
>
> <Client ipv6:::1>
>     Identifier ipv6-loopback
>     Secret mysecret
>     DupInterval 0
> </Client>
> <Client 127.0.0.1>
>     Identifier ipv4-loopback
>     Secret mysecret
>     DupInterval 0
> </Client>
>
> # Use this to check which Client clause matched
> <Handler>
>     <AuthBy FILE>
>         Filename %D/users-%{Client:Identifier}
>     </AuthBy>
> </Handler>
>
> This may be useful for controlling IPv6 behaviour.
>
> Thanks!
> Heikki
>
>> On 2011-06-09 19:50, Heikki Vatiainen wrote:
>>> On 06/09/2011 05:37 PM, Dyonisius Visser wrote:
>>>> Well, I installed a second instance on a dual stack host, and I tested
>>>> various combinations:
>>> Thanks for the summary.
>>>
>>>> BindAddress 192.87.30.31,ipv6:2001:610:148:dead::31
>>>> I.e. hardcoded addresses - this works, both IPv4 and IPv6 clients work
>>>>
>>>> BindAddress ipv6:::
>>>> IPv4 blocked (NOTICE: Request from unknown client 192.87.30.32: ignored)
>>> This should work if you specify your client like this:
>>>
>>> <Client ipv6:::ffff:192.87.30.32>
>>>
>>> Since the request arrived over IPv4 but was delivered to the application
>>> by an IPv6 wildcard socket, the IPv4 address is presented as an IPv6
>>> address. See
>>>
>>> http://tools.ietf.org/html/rfc4291#section-2.5.5
>>>
>>> section "2.5.5.2. IPv4-Mapped IPv6 Address". The purpose of this mapping
>>> is to let the application know whether the message was received over IPv6
>>> or IPv4, since the socket can handle both protocols.
>>>
>>>> BindAddress 0.0.0.0
>>>> This is the default. IPv4 clients work. IPv6 clients DO NOT work,
>>>> and worse, nothing is logged by radiator, no "request from unknown
>>>> client 2001:610:blah:blah"
>>>>
>>>> BindAddress ipv6:::,0.0.0.0
>>>> Startup gives some errors, and only IPv6 works:
>>>> Thu Jun 9 16:25:54 2011: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
>>>> Thu Jun 9 16:25:54 2011: DEBUG: Reading dictionary file '/etc/radiator/db/dictionary'
>>>> Thu Jun 9 16:25:54 2011: DEBUG: Creating authentication port ipv6::::1812
>>>> Thu Jun 9 16:25:54 2011: DEBUG: Creating accounting port ipv6::::1813
>>>> Thu Jun 9 16:25:54 2011: DEBUG: Creating authentication port 0.0.0.0:1812
>>>> Thu Jun 9 16:25:54 2011: ERR: Could not bind authentication socket: Address already in use
>>>> Thu Jun 9 16:25:54 2011: DEBUG: Creating accounting port 0.0.0.0:1813
>>>> Thu Jun 9 16:25:54 2011: ERR: Could not bind accounting socket: Address already in use
>>>> Thu Jun 9 16:25:54 2011: NOTICE: Server started: Radiator 4.8 on radius
>>>> Thu Jun 9 16:25:55 2011: NOTICE: Request from unknown client 145.100.98.42: ignored
>>>>
>>>> BindAddress 0.0.0.0,ipv6:::
>>>> Also some errors, only IPv4 works, and also nothing logged when an
>>>> IPv6 client connects:
>>>> Thu Jun 9 16:27:42 2011: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
>>>> Thu Jun 9 16:27:42 2011: DEBUG: Reading dictionary file '/etc/radiator/db/dictionary'
>>>> Thu Jun 9 16:27:42 2011: DEBUG: Creating authentication port 0.0.0.0:1812
>>>> Thu Jun 9 16:27:42 2011: DEBUG: Creating accounting port 0.0.0.0:1813
>>>> Thu Jun 9 16:27:42 2011: DEBUG: Creating authentication port ipv6::::1812
>>>> Thu Jun 9 16:27:42 2011: ERR: Could not bind authentication socket: Address already in use
>>>> Thu Jun 9 16:27:42 2011: DEBUG: Creating accounting port ipv6::::1813
>>>> Thu Jun 9 16:27:42 2011: ERR: Could not bind accounting socket: Address already in use
>>>> Thu Jun 9 16:27:42 2011: NOTICE: Server started: Radiator 4.8 on radius
>>>>
>>>> So the only way I can get radiator to accept requests from both protocols
>>>> is to hardcode the interface addresses.
>>>>
>>>> Would it be possible to have radiator listen to 4+6 without hard coding?
>>>>
>>>> I think that option (whatever it looks like) should be the default.
>>>>
>>>> If possible, can the behavior of the current default ('BindAddress
>>>> 0.0.0.0') be changed so that it actually logs ignored incoming
>>>> requests?
>>>> I've spent quite some time figuring out what is going on, and only
>>>> tcpdump revealed that requests are actually reaching my box.
>>>>
>>>> Thanks :-)
>>>>
>> _______________________________________________
>> radiator mailing list
>> radiator@open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
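The two mechanisms the thread turns on, reproduced as an added example (my own code, not from the thread or from Radiator): `try_dual_bind` shows why `BindAddress ipv6:::, 0.0.0.0` fails with "Address already in use" unless IPV6_V6ONLY is set, and `canonical_peer` unwraps the IPv4-mapped address (`::ffff:192.87.30.32`) that a wildcard IPv6 socket reports for an IPv4 client. The function names, port 18120 and the stripping of Radiator's `ipv6:` address prefix are this example's assumptions.

```python
"""Added example, not code from the radiator thread or from Radiator itself."""
import errno
import socket
import ipaddress


def canonical_peer(addr: str) -> str:
    """Normalise a peer address before comparing it with a Client clause.

    An IPv4 request arriving through a wildcard IPv6 socket is reported as an
    IPv4-mapped IPv6 address, e.g. ::ffff:192.87.30.32 (RFC 4291 2.5.5.2).
    Unwrapping it lets one entry written as 192.87.30.32 match either way.
    The "ipv6:" prefix is Radiator's syntax; stripping it here is an assumption.
    """
    ip = ipaddress.ip_address(addr.removeprefix("ipv6:"))
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def try_dual_bind(port: int, v6only: bool) -> tuple:
    """Bind UDP [::]:port, then 0.0.0.0:port; return (v6_ok, v4_ok).

    With IPV6_V6ONLY off (Linux default while bindv6only is 0) the IPv6
    wildcard also owns the IPv4 port, so the second bind fails with
    EADDRINUSE, the "Address already in use" error in the logs above.
    """
    v6_ok = v4_ok = False
    s6 = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    s4 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        s6.bind(("::", port))
        v6_ok = True
        try:
            s4.bind(("0.0.0.0", port))
            v4_ok = True
        except OSError as exc:
            if exc.errno != errno.EADDRINUSE:  # anything else is a real failure
                raise
    finally:
        s6.close()
        s4.close()
    return v6_ok, v4_ok


if __name__ == "__main__":
    for flag in (False, True):  # 18120 is an arbitrary unprivileged port
        print(f"IPV6_V6ONLY={int(flag)}: (v6_ok, v4_ok) = {try_dual_bind(18120, flag)}")
    for peer in ("::ffff:192.87.30.32", "ipv6:::1", "127.0.0.1"):
        print(f"{peer:>22} -> {canonical_peer(peer)}")
```

On a stock Linux host the first call returns (True, False) and the second (True, True), matching the before/after log excerpts in the thread.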