MIS - Ben Murphy
Fri, 10 Jan 2003 08:37:54 -0800
Hi All,

I have some knowledge to contribute, as I've been playing with l2tpd for a while....

A brief bit of background... The company I'm involved with runs a large wholesale ISP operation. All users connect via Nortel CVX's, which in turn tunnel the sessions to a Cisco via L2TP. The Cisco terminates the tunnels (acting as LNS), and then performs RADIUS authentication. RADIUS authentication does lots of fancy stuff before responding to the Cisco with various A/V pairs, including IP allocation. This is done via the standard attributes Framed-IP-Address & Framed-IP-Netmask. For dynamic IP allocation, it responds with the normal 255.255.255.254 which tells the Cisco to assign it from a pool; we also specify the pool name with other A/V pairs.

We keep adding more Cisco boxes, and at roughly £20k each, they are somewhat costly. After a great deal of time and research, our findings were as follows....

We took stock pppd and applied the radius patch, as opposed to modules. We then modified pppd to utilise the IP addresses given by the RADIUS server, but as you yourselves are finding, pppd doesn't deal with IP pools. As there is no state mechanism, we designed/half-built one using MySQL. What we did was to modify pppd to check the IP address being assigned by RADIUS; if the IP address matched the dynamic IP pool (255.255.255.254), we made pppd exec an external script which finds the next available IP address from the ip_pool db, and assigns that to the pppd session. (The script also updated the SQL db to mark that that IP address in the pool was now assigned to this instance of pppd.) When pppd exits for whatever reason, another script was run to release the IP.

Now our scripts and mods to pppd are terrible in terms of coding and such like, as they were hacks made by me, and I'm not a C++ man, but I bodged it together till it works. The design is nowhere near how it should be. Our problems were with l2tpd (pty issues), and I haven't had the time since to try rp-l2tpd.
I've monitored the list for a while, and think I could provide some assistance with the whole IP allocation issue. My suggestions (for what they are worth):

> >> So the only way to run large, scalable networks is to have IP
> >> allocation done in pppd....
> >
> > Ouch. Maybe it's time for a pppd plugin that does dynamic IP
> > allocation. Does this sound like the right answer? I could work on
> > this ...
>
> It sounds like the right answer to me.

For scalability, use a similar design to what I've used in the past, with some rather major differences. Instead of calling PHP or Perl scripts, link the MySQL client library into pppd, and write a couple of functions in a new ip_alloc.c file. I would think (like my old scripts) it would be a good idea to have these functions:

FindAvailableIP()
AssignIP()
ReleaseIP()

Then, just above the lines in pppd where it sets the IP addresses, call the find function. Use the returned RADIUS A/V pair for ip_pool_name, and call FindAvailableIP($poolname). If the function returns a valid IP address/netmask, then great, call assignip($hostname, $int_name, $ip), providing the hostname, interface name, and IP address, which updates the database entry. Then when pppd exits, modify it to always call the releaseip($hostname, $int_name, $ip) function to release the IP back to the pool.

The above spec is obviously just my 2 cents' worth, but is scalable and should be very reliable. Plus it enables you to query the db for active connections etc. If the LNS box dies, you can set it to auto-run a script or proggie on boot-up which would reset all IP addresses for that box, thus auto-releasing the IP addresses. Finally, as there are different pool names, you can manage IP addresses by box, group of users, etc. etc.

What do you guys think? I hope the above can be useful to someone....
Best Regards,

Ben Murphy
murphx Innovative Solutions
tel: +44 (0) 870 757 1650
fax: +44 (0) 870 757 1651
e-mail: [EMAIL PROTECTED]

This e-mail is confidential and may contain legally privileged information. If you are not named above as an addressee it may be unlawful for you to read, copy, distribute, disclose or otherwise use the information contained within this e-mail. Any views or opinions presented are solely those of the author, and may not represent those of murphx Innovative Solutions.
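A worked model of the FindAvailableIP / AssignIP / ReleaseIP design from the mail above, added here as an example and not code from the poster or from pppd: it uses Python with SQLite standing in for the MySQL ip_pool table, and the table layout, function names and the boot-time reset helper are assumptions. The point it adds is that AssignIP must be a conditional update (only claim the row if it is still free), otherwise two pppd instances that both see the same "next available" address can both take it and end up with duplicate IPs on the network.

```python
import ipaddress
import sqlite3

# Assumed ip_pool table: one row per address, hostname NULL while the address is free.
SCHEMA = """CREATE TABLE IF NOT EXISTS ip_pool (
    ip INTEGER PRIMARY KEY,   -- address as an integer so ORDER BY is numeric
    pool TEXT NOT NULL,       -- pool name carried in the RADIUS A/V pair
    netmask TEXT NOT NULL,
    hostname TEXT,            -- LNS box holding the lease, NULL when free
    int_name TEXT)"""         # pppd interface on that box, e.g. ppp0

def open_pool_db(path=":memory:"):
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit: each UPDATE is atomic
    conn.execute(SCHEMA)
    return conn

def load_pool(conn, pool, network):
    """Populate a pool from a CIDR block (constructed sample data in the test)."""
    net = ipaddress.ip_network(network)
    conn.executemany("INSERT OR IGNORE INTO ip_pool (ip, pool, netmask) VALUES (?, ?, ?)",
                     [(int(h), pool, str(net.netmask)) for h in net.hosts()])

def find_available_ip(conn, pool):
    """FindAvailableIP: lowest free address in the pool as (ip, netmask), or None."""
    row = conn.execute("SELECT ip, netmask FROM ip_pool WHERE pool=? AND hostname IS NULL "
                       "ORDER BY ip LIMIT 1", (pool,)).fetchone()
    return (str(ipaddress.ip_address(row[0])), row[1]) if row else None

def assign_ip(conn, hostname, int_name, ip):
    """AssignIP: claim the row only if nobody else claimed it since the SELECT."""
    cur = conn.execute("UPDATE ip_pool SET hostname=?, int_name=? WHERE ip=? AND hostname IS NULL",
                       (hostname, int_name, int(ipaddress.ip_address(ip))))
    return cur.rowcount == 1   # False means we lost the race; caller retries

def release_ip(conn, hostname, int_name, ip):
    """ReleaseIP: free the address, but only the lease this box/interface actually holds."""
    cur = conn.execute("UPDATE ip_pool SET hostname=NULL, int_name=NULL "
                       "WHERE ip=? AND hostname=? AND int_name=?",
                       (int(ipaddress.ip_address(ip)), hostname, int_name))
    return cur.rowcount == 1

def allocate(conn, pool, hostname, int_name):
    """What the pppd hook does when RADIUS answers with 255.255.255.254: find, then claim."""
    while (cand := find_available_ip(conn, pool)) is not None:
        if assign_ip(conn, hostname, int_name, cand[0]):
            return cand
    return None   # pool exhausted

def reset_host(conn, hostname):
    """Boot-time cleanup for an LNS that died: returns how many leases it still held."""
    return conn.execute("UPDATE ip_pool SET hostname=NULL, int_name=NULL WHERE hostname=?",
                        (hostname,)).rowcount
```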