Hi Dossy,

> My understanding is that we're in agreement that #2 is the way to go.
> ip_choose_hook in pppd makes this doable as a plugin to pppd.  The code
> developed at Netservers.co.uk looks to be an excellent starting point.

Thanks =)

> 2a) Use RADIUS to assign the IP address.
> 2b) Use DHCP to assign the IP address.
> 
> Chris and Ben at Netservers.co.uk, as well as I, think 2b is the way to
> go.

We have no objection to 2a, in fact our firewalls support this option 
using the pppd radius plugins which David Skoll apparently wrote (thanks 
David!). By the way, it's not just "Chris and Ben", we are part of 
NetServers and the DHCP plugin and its development are company projects, 
not our own.

> David has voiced that he thinks 2a is the way to go.  Someone else
> suggested using a RDBMS to manage IP pool assignment, but I think this
> is much more heavyweight than necessary for this application.

I agree.

> The problem that needs to be solved in both 2a and 2b scenarios is what
> happens if the same user connects multiple times but they're supposed to
> be assigned a static IP?  Chris and Ben want the behavior to be "first
> connection gets the static IP, the rest get a dynamic IP" from what I
> understand.  They also want to be able to possibly define a separate
> private range of IPs to allocate from for a specific username, so again,
> we need to handle a one-to-many allocation from username to IPs.

That's not a precise statement of our goal, which was simply to allow user 
IP addresses to be either statically or dynamically configured on a 
per-user basis. In retrospect, Ben is willing to give up the "static 
assignment using DHCP" option, since RADIUS and pap-secrets can both 
supply this capability, and we haven't actually tested it anyway. 

> 1) Client sends out DHCPREQUEST using 'client identifier' using the
> username.
> 
> 2) Server sends back DHCPACK with assigned address.
> 
> 3) Client checks to see if address is in use (using ARP or ICMP Echo).
> If it is unused, it uses the assigned IP address.  Otherwise, the client
> DHCPDECLINE's the DHCPACK.  Then, it issues a new DHCPREQUEST with a new
> 'client identifier' that is pseudo-unique to get a different IP address.

ISC dhcpd will test the address before handing it out, by pinging it, but 
I'm informed that this is not in the DHCP standard and cannot be relied 
upon. I'm also not sure what it would do if it discovered that its 
statically-assigned address was already in use, but it certainly might get 
in the way of this kind of magic.

If we give up the option for static assignment using DHCP, then it makes 
sense to send "<device>@<hostname>" as the client identifier, for example 
"[EMAIL PROTECTED]". This ensures uniqueness and also allows for 
easy reuse of addresses in the case where a server crashes holding a large 
number of leases.

> Before I commit my limited time towards working on an implementation of
> a solution, I'd like to get all of our minds together to just think
> things through.  If folks are available, I'm on irc.freenode.net on
> the #l2tp channel ... we can try to carry on a conversation in realtime,
> otherwise, via this mailing list.

Sorry, don't have time to do IRC from work. Timezones might be a problem 
too.

Cheers, Chris.
-- 
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |
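
The three-step exchange quoted above (REQUEST with a client identifier, check the ACK'd address, DECLINE and retry with a fresh identifier) together with the "<device>@<hostname>" identifier proposed in this reply, modelled as an added example. This is not code from the thread, from pppd or from the NetServers plugin. Assumptions: the server is an in-memory toy pool rather than ISC dhcpd; the `in_use` set stands in for the ARP/ICMP probe the client would actually run; and the toy DHCPACK carries the assigned address in option 50, whereas a real DHCPACK carries it in the yiaddr header field. Option and message-type codes are the RFC 2132 values.

```python
"""Toy model of DHCP-based address assignment for a pppd-style client.

Added example, not code from the thread or the NetServers pppd plugin.
Assumptions: option-61 client identifier is "<device>@<hostname>"; the
server is an in-memory pool, not ISC dhcpd; `in_use` stands in for the
ARP/ICMP probe; the toy ACK carries the address in option 50 (a real
DHCPACK uses the yiaddr header field).
"""
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"            # RFC 2131 options magic cookie
OPT_PAD, OPT_REQUESTED_ADDR, OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 0, 50, 53, 61, 255
REQUEST, DECLINE, ACK, NAK = 3, 4, 5, 6     # RFC 2132 section 9.6 message types


def encode_options(opts):
    """opts: list of (code, bytes) -> magic cookie + TLV options + END."""
    out = bytearray(DHCP_MAGIC)
    for code, value in opts:
        if len(value) > 255:
            raise ValueError("option too long for a single-byte length")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob):
    """Inverse of encode_options; returns {code: bytes}."""
    if blob[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    i, opts = 4, {}
    while i < len(blob) and blob[i] != OPT_END:
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def client_id(device, hostname, attempt=0):
    """Option 61: type byte 0 (non-hardware) + "<device>@<hostname>", with a
    suffix on retries so a DECLINE'd client asks under a fresh identity."""
    ident = f"{device}@{hostname}"
    if attempt:
        ident += f"#{attempt}"
    return b"\x00" + ident.encode()


class ToyServer:
    """In-memory pool; one lease per client identifier (assumed, not dhcpd)."""

    def __init__(self, pool):
        self.free = list(pool)
        self.leases = {}            # client-id bytes -> dotted IP
        self.quarantined = set()    # DECLINE'd addresses, never re-issued

    def handle(self, blob):
        opts = decode_options(blob)
        mtype, cid = opts[OPT_MSG_TYPE][0], opts[OPT_CLIENT_ID]
        if mtype == REQUEST:
            ip = self.leases.get(cid)        # same identifier -> same address
            if ip is None:
                if not self.free:
                    return encode_options([(OPT_MSG_TYPE, bytes([NAK]))])
                ip = self.free.pop(0)
                self.leases[cid] = ip
            return encode_options([(OPT_MSG_TYPE, bytes([ACK])),
                                   (OPT_REQUESTED_ADDR, ipaddress.IPv4Address(ip).packed)])
        if mtype == DECLINE:
            ip = str(ipaddress.IPv4Address(opts[OPT_REQUESTED_ADDR]))
            self.leases.pop(cid, None)
            self.quarantined.add(ip)         # RFC 2131 4.3.3: mark as unusable
            return None
        raise ValueError(f"unhandled message type {mtype}")


def acquire(server, device, hostname, in_use, max_tries=3):
    """Client side of steps 1-3: REQUEST, probe the ACK'd address, DECLINE
    and retry under a new client identifier if it is already in use."""
    for attempt in range(max_tries):
        cid = client_id(device, hostname, attempt)
        reply = decode_options(server.handle(encode_options(
            [(OPT_MSG_TYPE, bytes([REQUEST])), (OPT_CLIENT_ID, cid)])))
        if reply[OPT_MSG_TYPE][0] != ACK:
            return None                      # NAK: pool exhausted
        ip = str(ipaddress.IPv4Address(reply[OPT_REQUESTED_ADDR]))
        if ip not in in_use:                 # stand-in for the ARP/ICMP probe
            return ip
        server.handle(encode_options([(OPT_MSG_TYPE, bytes([DECLINE])),
                                      (OPT_CLIENT_ID, cid),
                                      (OPT_REQUESTED_ADDR, reply[OPT_REQUESTED_ADDR])]))
    return None


if __name__ == "__main__":
    srv = ToyServer(["10.0.0.1", "10.0.0.2"])
    print(acquire(srv, "ppp0", "gw1", in_use={"10.0.0.1"}))   # 10.0.0.2
    print(srv.quarantined)                                       # {'10.0.0.1'}
```

The point of the retry-with-suffix is visible in the lease table afterwards: the server keeps a one-to-one map from identifier to address, so reconnecting with the same "<device>@<hostname>" identifier gets the same lease back, which is what makes leases cheap to reuse after a crash, while a declined address is quarantined rather than returned to the pool.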