IPv6 accounting RADIUS SQL schema?

Nathan Ward lists+freeradius at daork.net
Sun Aug 19 05:37:23 CEST 2018


> On 19/08/2018, at 9:11 AM, Michael Ducharme <mducharme at gmail.com> wrote:
> I would say it is even more complicated:
> If assigning framed prefixes is enabled on the NAS, each customer is given a /64 prefix and router advertisements are sent out so that the CPE can get a global address via SLAAC (reported as Framed-IPv6-Prefix and Framed-Interface-Id).
> If DHCPv6-PD is enabled on the NAS, each customer who requests a prefix will be assigned one, typically a /56 (reported as Delegated-IPv6-Prefix). If DHCPv6 address assignment is enabled, then the CPE can get a global IP through DHCPv6 (reported as Framed-IPv6-Address).

Yep that’s right - in my prev. message, the /128 is a CIDR, so can be any length. If one uses SLAAC for CPE WAN interfaces, the prefix for that needs to be unique per subscriber so you can identify them, as SLAAC doesn’t give the BNG any indication of the address(es) which are selected.

> So if the customer has a router that supports everything and has everything enabled, it could get two addresses on its WAN port, one via SLAAC and one via DHCPv6, and then a prefix via DHCPv6-PD for use on the internal network (LAN ports, guest wifi, etc.). If only routers are connecting via PPP and not customer computers directly, you can look at the Delegated-IPv6-Prefix to see what prefix the customer's computers are using. If customer computers connected directly to the NAS (ex. through an L2TP VPN), then the computer will use either a global address via SLAAC (found in the Framed-IPv6-Prefix and Framed-Interface-Id accounting) or a global address via DHCPv6 (found in Framed-IPv6-Address), or both.

While I agree that this is technically possible, it is unusual to have both SLAAC and DHCPv6 IA-NA at the same time on one device. DHCPv6 is triggered by flags in the RA. If you’ve got a broadband type environment where both happen, I would suggest changing that to support only SLAAC, or only DHCPv6 IA-NA.

Regardless, this is possible, so is something that should probably be permitted.

> Because, depending on the exact situation, the end user device may be on an address in the Delegated-IPv6-Prefix (this is the case if they go through a router) or an address in the Framed-IPv6-Prefix (if they are on SLAAC) or an address in Framed-IPv6-Address (if they receive an address through DHCPv6 address assignment), all three fields must be stored. As an ISP, we are required to forward copyright infringement notices to customers, and in order to look up the address on the notice, we need to search all three fields (unlike in IPv4 where we only search one field).

Additionally, it is common that WAN side addresses are not assigned at all - and only DHCPv6 IA-PD is assigned - and there may even be multiple IA-PD assigned.

I think the short story is that a RADIUS “session” can have 0+ IPv6 addresses/prefixes. This is I suppose similar to IPv4, if you use Framed-Route to give customers additional addresses - these can exist in Accounting-Request messages.

I don’t know if this is something that FreeRADIUS should attempt to solve in a generic way, or if there should perhaps be some examples and have it left up to the operator. If it is solved in a generic way, how would that be done?
- Additional tables for prefix assignments?
- ARRAY support in SQL? (Not in MySQL, but is in other SQL DBs)
- JSON or some other serialisation of an array in to text?
- ARRAY for most DBs, JSON blob for others?

Nathan Ward

More information about the Freeradius-Users mailing list