Good Afternoon, The RadSec listen {} block is quite substantial - is there a way to keep the same tls configuration for both IPv4 and IPv6 listeners without maintaining two identical copies of the TLS block? Alternatively, does FreeRADIUS3 support v4 mapped addresses (i.e. ::ffff:x:x:x:x)? I did a quick test just now but didn't see any thing appear in the debug log. Adam Bishop Systems Development Specialist gpg: 0x6609D460 t: +44 (0)1235 822 245 xmpp: adamb@jabber.dev.ja.net Janet, the UK's research and education network. Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
On 14/11/13 12:40, Adam Bishop wrote:
Good Afternoon,
The RadSec listen {} block is quite substantial - is there a way to keep the same tls configuration for both IPv4 and IPv6 listeners without maintaining two identical copies of the TLS block?
See "raddb/templates.conf" in the source tarball. Basically: templates { blah { x = 1 y = 2 } } some { block { $template blah } }
On 14 Nov 2013, at 12:40, Adam Bishop <Adam.Bishop@JA.NET> wrote:
Good Afternoon,
The RadSec listen {} block is quite substantial - is there a way to keep the same tls configuration for both IPv4 and IPv6 listeners without maintaining two identical copies of the TLS block?
Yes, you can use the standard reference syntax listen = ${path.to.other.listen.block} That's a new feature of 3.x.x. Or templates (see templates.conf)
Alternatively, does FreeRADIUS3 support v4 mapped addresses (i.e. ::ffff:x:x:x:x)? I did a quick test just now but didn't see any thing appear in the debug log.
What would you expect to happen in this case? Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
On 14/11/13 13:13, Arran Cudbard-Bell wrote:
What would you expect to happen in this case?
Same as with OpenSSH; a single TCP socket, listening on IPv6, gets both IPv4 and IPv6 connect attempts, with the v4 source appearing as a mapped address. Moderately useful approach, IMO, but FR would need code to recognise the mapped addresses, extract the v4 original and use that for client{} lookups and similar.
On 14/11/2013 13:35, Phil Mayers wrote:
On 14/11/13 13:13, Arran Cudbard-Bell wrote:
What would you expect to happen in this case?
Same as with OpenSSH; a single TCP socket, listening on IPv6, gets both IPv4 and IPv6 connect attempts, with the v4 source appearing as a mapped address.
Moderately useful approach, IMO, but FR would need code to recognise the mapped addresses, extract the v4 original and use that for client{} lookups and similar. - Also ugly, deprecated, generally evil etc, would the ability to specify multiple listen addresses per block (which may or may not be v4+v6) or listen4/listen6 be doable as it seems like a much nicer solution.
On 14 Nov 2013, at 13:35, Phil Mayers <p.mayers@IMPERIAL.AC.UK> wrote:
Same as with OpenSSH; a single TCP socket, listening on IPv6, gets both IPv4 and IPv6 connect attempts, with the v4 source appearing as a mapped address.
Yup, this is what I mean - 1.2.3.4 becomes ::ffff:1:2:3:4, controlled by the sysctl knob 'net.ipv6.bindv6only'.
Moderately useful approach, IMO, but FR would need code to recognise the mapped addresses, extract the v4 original and use that for client{} lookups and similar.
I wouldn't even go that far - unless you're using DNS names in the client block, I'd just list the client with the full ::ffff: address in my configuration (being as IPv4 is legacy anyway!). Regards, Adam Bishop gpg: 0x6609D460 Janet, the UK's research and education network. Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
On 14 Nov 2013, at 13:35, Phil Mayers <p.mayers@IMPERIAL.AC.UK> wrote:
Same as with OpenSSH; a single TCP socket, listening on IPv6, gets both IPv4 and IPv6 connect attempts, with the v4 source appearing as a mapped address.
Yup, this is what I mean - 1.2.3.4 becomes ::ffff:1:2:3:4, controlled by the sysctl knob 'net.ipv6.bindv6only'.
FWIW, this approach opens a bunch of (not insurmountable) security obstacles. See draft-itojun-v6ops-v4mapped-harmful-00
Brian Julin wrote:
FWIW, this approach opens a bunch of (not insurmountable) security obstacles.
See draft-itojun-v6ops-v4mapped-harmful-00
For that reason (and others) FreeRADIUS does: setsockopt(this->fd, IPPROTO_IPV6, IPV6_V6ONLY, ... v6 sockets are *only* v6. Mixing the protocols is a bad idea. Alan DeKok.
On 14/11/13 14:39, Brian Julin wrote:
FWIW, this approach opens a bunch of (not insurmountable) security obstacles.
See draft-itojun-v6ops-v4mapped-harmful-00
Interesting. It would appear my knowledge is outdated in this area (and I see that OpenSSH no longer uses this approach either). Consider my "moderately useful" comment withdrawn!
On 14 Nov 2013, at 13:13, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
Yes, you can use the standard reference syntax
listen = ${path.to.other.listen.block}
That's a new feature of 3.x.x.
Or templates (see templates.conf)
Thanks Aaran (and Phil), exactly what I was looking for. Regards, Adam Bishop gpg: 0x6609D460 Janet, the UK's research and education network. Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
Hi,
The RadSec listen {} block is quite substantial - is there a way to keep the same tls configuration for both IPv4 and IPv6 listeners without maintaining two identical copies of the TLS block?
does it really matter? just larger configs...but simple to read!..... cut and past and change the listener. use 2 virtual servers tls-ipv4 and tls-ipv6 to keep things 'clean' - or use the template variable function - which, if trying to get new people to use will cause them lots of confusion and frustration :-) alan
That's what I've done, ttls and tls_ipv6 A Sent from my iPhone
On 14 Nov 2013, at 13:38, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
The RadSec listen {} block is quite substantial - is there a way to keep the same tls configuration for both IPv4 and IPv6 listeners without maintaining two identical copies of the TLS block?
does it really matter? just larger configs...but simple to read!..... cut and past and change the listener. use 2 virtual servers tls-ipv4 and tls-ipv6 to keep things 'clean' - or use the template variable function - which, if trying to get new people to use will cause them lots of confusion and frustration :-)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (8)
-
A.L.M.Buxey@lboro.ac.uk -
Adam Bishop -
Alan DeKok -
Alex Sharaz -
Arran Cudbard-Bell -
Brian Julin -
Joe Holden -
Phil Mayers