IPv6 accounting RADIUS SQL schema?

Michael Ducharme mducharme at gmail.com
Sat Aug 18 23:11:20 CEST 2018


I would say it is even more complicated:

If assigning framed prefixes is enabled on the NAS, each customer is 
given a /64 prefix and router advertisements are sent out so that the 
CPE can get a global address via SLAAC (reported as Framed-IPv6-Prefix 
and Framed-Interface-Id).

If DHCPv6-PD is enabled on the NAS, each customer who requests a prefix 
will be assigned one, typically a /56 (reported as 
Delegated-IPv6-Prefix). If DHCPv6 address assignment is enabled, then 
the CPE can get a global IP through DHCPv6 (reported as 
Framed-IPv6-Address).

So if the customer has a router that supports everything and has 
everything enabled, it could get two addresses on its WAN port, one via 
SLAAC and one via DHCPv6, and then a prefix via DHCPv6-PD for use on the 
internal network (LAN ports, guest wifi, etc.). If only routers are 
connecting via PPP and not customer computers directly, you can look at 
the Delegated-IPv6-Prefix to see what prefix the customer's computers 
are using. If customer computers connect directly to the NAS (e.g. 
through an L2TP VPN), then the computer will use either a global address 
via SLAAC (found in the Framed-IPv6-Prefix and Framed-Interface-Id 
accounting) or a global address via DHCPv6 (found in 
Framed-IPv6-Address), or both.

Because, depending on the exact situation, the end user device may be on 
an address in the Delegated-IPv6-Prefix (this is the case if they go 
through a router) or an address in the Framed-IPv6-Prefix (if they are 
on SLAAC) or an address in Framed-IPv6-Address (if they receive an 
address through DHCPv6 address assignment), all three fields must be 
stored. As an ISP, we are required to forward copyright infringement 
notices to customers, and in order to look up the address on the notice, 
we need to search all three fields (unlike in IPv4 where we only search 
one field).

Michael


On 8/18/2018 4:11 AM, Nathan Ward wrote:
> Hi,
>
>> On 18/08/2018, at 10:44 PM, Alan Buxey <alan.buxey at gmail.com> wrote:
>>
>> How does this all work in practice where the client has multiple concurrent
>> IPv6 addresses on the NAS? Does the NAS send multiple records (one for
>> each address), or send multiple IPv6 addresses in a single
>> update RADIUS datagram?
> IPv4+IPv6 varies between NAS models and configurations:
> Sometimes you get IPv6-only “sessions” (i.e. maybe auth, and accounting).
> Sometimes you get combined IPv4 and IPv6 sessions.
> Sometimes you get a session for PPP and IPv4, and another for IPv6.
>
> Within that, IPv6 with multiple addresses/prefixes generally results in a single session. It is very common (the norm) to have multiple addresses - i.e. a subscriber will get a /128 for their “WAN” address, and a /56 or similar for things behind their CPE. These are represented as Framed-IPv6-Prefix and Delegated-IPv6-Prefix respectively, though Cisco (on ASR9k at least) don’t send Framed-IPv6-Prefix and instead send it as Cisco-AVPair = “addrv6=blah”. The usual nonsense, as you can imagine :-)
>
> Check out 3.6 of RFC6911.
>
> --
> Nathan Ward
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
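
The three-field lookup described in the message above, as an added example (not part of the original post and not FreeRADIUS code). The sample rows are constructed from the 2001:db8::/32 documentation range, and the "user", "start" and "stop" keys and the function names are hypothetical; the time-window check is an assumption added here because prefixes can be handed to a different subscriber later.

```python
import ipaddress
from datetime import datetime

# Constructed sample accounting rows. Keys for the IPv6 data are the RADIUS
# attribute names; "user", "start" and "stop" are hypothetical column names.
RECORDS = [
    {"user": "alice", "start": "2018-08-01 00:00", "stop": "2018-08-10 00:00",
     "Framed-IPv6-Prefix": "2001:db8:0:1::/64",
     "Delegated-IPv6-Prefix": "2001:db8:100::/56",
     "Framed-IPv6-Address": None},
    {"user": "bob", "start": "2018-08-05 00:00", "stop": None,  # still online
     "Framed-IPv6-Prefix": "2001:db8:0:2::/64",
     "Delegated-IPv6-Prefix": None,
     "Framed-IPv6-Address": "2001:db8:ffff::2"},
    {"user": "carol", "start": "2018-08-11 00:00", "stop": None,
     "Framed-IPv6-Prefix": "2001:db8:0:3::/64",
     "Delegated-IPv6-Prefix": "2001:db8:100::/56",  # same /56, after alice
     "Framed-IPv6-Address": None},
]

PREFIX_FIELDS = ("Framed-IPv6-Prefix", "Delegated-IPv6-Prefix")
FMT = "%Y-%m-%d %H:%M"

def _active(rec, when):
    """True if the session was open at the time given on the notice."""
    start = datetime.strptime(rec["start"], FMT)
    stop = datetime.strptime(rec["stop"], FMT) if rec["stop"] else datetime.max
    return start <= when <= stop

def find_subscribers(address, when, records=RECORDS):
    """Return (user, matching attribute) for sessions covering address at when."""
    addr = ipaddress.IPv6Address(address)
    when = datetime.strptime(when, FMT)
    hits = []
    for rec in records:
        if not _active(rec, when):
            continue
        for field in PREFIX_FIELDS:
            # Containment test, not string equality: the end device may sit
            # anywhere inside the framed /64 or the delegated /56.
            if rec[field] and addr in ipaddress.IPv6Network(rec[field], strict=False):
                hits.append((rec["user"], field))
        framed = rec["Framed-IPv6-Address"]
        if framed and addr == ipaddress.IPv6Address(framed):
            hits.append((rec["user"], "Framed-IPv6-Address"))
    return hits
```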


