William Tang <galaxyking0419@gmail.com> writes:
I can’t realize a use-case for that… but, if you don’t mind please share with us what you have in mind…
I have a server running both strongswan VPN server and freeradius for authentication and accounting. Unix domain sockets would be more efficient for communication between processes on the same machine.
I dont' believe so. And my numbers are as good as yours. But for arguments sake, let's assume you're correct. How much time does your server spend on authenticating a session? How much of that is the actual IP transport delay? And to relate that to something: How much time does it take in total to set up a new VPN session? I any case: Why do you use RADIUS? Would it be more "efficient" to drop the external auth and just make strongswan authenticate without any commucation delays at all?
Btw, you could do some _hack_ using _socat_ as described in https://stackoverflow.com/questions/2149564/redirecting-tcp-traffic-to-a-uni... to see if the _unix-socket_ is useful in your case. Thanks for the suggestion, but redirecting the traffic will introduce even more overhead than plain tcp. So, freeradius does not support unix domain socket for authentication and accounting, right?
Are there any RFC documenting RADIUS over unix domain sockets? Are there any clients supporting this? Does your strongswan server support it? Do you think that there are so few real issues related to RADIUS and FreeRADIUS that you have to invent some? Maybe so. But personally I don't belive in bloating protocols or software just because you can. Every new feature should be needed and solve a real problem for someone. Otherwise it's a step back. Bjørn