Unix domain socket support for authentication and accounting?

Bjørn Mork bjorn at mork.no
Mon May 2 06:59:15 UTC 2022


William Tang <galaxyking0419 at gmail.com> writes:

>> I can’t realize a use-case for that… but, if you don’t mind please share
>> with us what you have in mind…

> I have a server running both strongswan VPN server and freeradius for
> authentication and accounting.  Unix domain sockets would be more efficient
> for communication between processes on the same machine.

I don't believe so.  And my numbers are as good as yours.

But for argument's sake, let's assume you're correct. How much time does
your server spend on authenticating a session?  How much of that is the
actual IP transport delay?  And to relate that to something: How much
time does it take in total to set up a new VPN session?

In any case:  Why do you use RADIUS?  Would it be more "efficient" to
drop the external auth and just make strongswan authenticate without any
communication delays at all?

>> Btw, you could do some _hack_ using _socat_ as described in
>> https://stackoverflow.com/questions/2149564/redirecting-tcp-traffic-to-a-unix-domain-socket-under-linux
>> to see if the _unix-socket_ is useful in your case.
> Thanks for the suggestion, but redirecting the traffic will introduce even
> more overhead than plain tcp.  So, freeradius does not support unix domain
> socket for authentication and accounting, right?

Are there any RFCs documenting RADIUS over unix domain sockets?  Are
there any clients supporting this?  Does your strongswan server support
it?

Do you think that there are so few real issues related to RADIUS and
FreeRADIUS that you have to invent some?  Maybe so.  But personally I
don't believe in bloating protocols or software just because you can.
Every new feature should be needed and solve a real problem for
someone.  Otherwise it's a step back. 


Bjørn

