of the
authors...
Regards
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
Kea-users mailing list
Kea-users@lists.isc.org
I was wrong about the DHCPNAK: it can be sent only with a DHCPREQUEST,
when a DHCPDISCOVER fails to offer an address it is simply dropped and
no response is sent.
Regards
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https
server is authoritative on the subnet.
- the most current way to fail is to have the subnet selection to return
nothing so I highly recommend to add an "interface": "ix0.301" to
the subnet 3 configuration.
Regards
Francis Dupont
--
ISC funds the development of this software with pai
At a few exceptions it is possible to add at most one option / sub-option
with a given code-point.
Regards
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
To unsubscribe visit https
can find it in DHCPv6 messages, the problem
is usually there are many ways which are not guaranted to return a value
or the same value.
See 'MAC/Hardware Addresses in DHCPv6' section in the ARM...
Regards
Francis Dupont
--
ISC funds the development of this software with paid support subs
s
support it as it provides an easy way to get a stable DUID without storage.
Regards
Francis Dupont
PS: 'dhclient -D LL' for the ISC DHCP client.
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
To un
It is not directly supported but you can use a (pre)processot to build
the config file (or a part of it). There are many tools to do this from
m4 (old Unix way) to script languages supporting the JSON syntax.
Regards
Francis Dupont
--
ISC funds the development of this software with paid
.
Thanks
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
Kea-users mailing list
Kea-users@lists.isc.org
https
Kea does not support names in URL for many reasons explained in tickets
asking for this. Note that IPv6 addresses in URL follow a specific not
so trivial syntax and I can't find an example in the doc... Creating
a ticket for this.
Thanks
Francis Dupont
PS: https://gitlab.isc.org/isc-projects
First Kea has a pretty loose notion of what is a string i.e. it is more
a C++ string than a C one. Second if you really want to set an option value
without any check (other than not empty) you have the flex-option hook.
Regards
Francis Dupont
--
ISC funds the development of this software
BTW the only supported case of multiple storage is the host cache as the
first host backend followed by the RADIUS fake host backend.
Merry Christmas
Francis Dupont
PS: the host cache was designed for caching values returned by an external
host backend as RADIUS (which is currently the only
In fact I think that Kea provides a solution to your problem: I am
discussing with Darren who should come back to you. The ISC DHCP config
will help (and we have a tool to translate it to Kea...).
Merry Christmas
Francis Dupont
--
ISC funds the development of this software with paid support
.
Regards
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
Kea-users mailing list
Kea-users@lists.isc.org
https
Can you provide more details: system, OpenSSL version and logs at the debug
level?
Regards
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
To unsubscribe visit https://lists.isc.org
s far as I know there was no demand (so no plan) to provide a LDAP
backend to Kea.
Regards
Francis Dupont
PS: LDAP for ISC DHCP seems to provide configuration and host reservations.
Both are pretty different between ISC DHCP and Kea so there is no obvious
migration way.
--
ISC funds the development of this sof
in advance! Best regards
=> option 158 DHO_V4_PCP_SERVER is not supported by Kea (it is commented
in src/lib/dhcp/dhcp4.h) so it is considered as a binary option.
Regards
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://ww
hrough a process list?
=> as config-get returns the runtime status it should be exactly what you
are looking for. The number of threads is in the thread-pool-size entry.
IMHO easier than parsing debug logs to get the last loaded config.
Thanks
Francis Dupont
--
ISC funds the development of this
Use the REST API "status-get" which should give MT setup details.
Regards
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
To unsubscribe visit https://lists.isc.org/mailma
You can't define a client class more than once. If you want to combine
classes I recommend the member clause...
Regards
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information
In your particular case I recommend to use the flex-option hook which
works on all options including options managed internally by Kea.
Thanks
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more
lative paths start from it.
Regards
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
Kea-users mailing list
Kea
You can't specify the option 51 dhcp-lease-time because it is directly
managed by Kea. BTW if you were allowed to change it (which still can be
done by the flex-option hook) it would not change the valid lifetime in
the lease database so would be very far from what you wanted...
Regards
Francis
eter was not set leases should have remained.
Thanks
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
Ke
L (vs LLT) DUID i.e. to encapsulate the mac address into the DUID
without (again vs LLT) adding a timestamp.
I know that the ISC DHCP client can do this as I added this command line
option many years ago in it...
Thanks
Francis Dupont
--
ISC funds the development of this software with pai
is to replace on the wire the DUID by a fixed value...
Thanks
Francis Dupont
PS: DHCPv4 clients have two identifiers: the client-id option and
the mac address. If the client-id option has the precedence this can
be disabled at the subnet level or higher. There is a RFC too explaining
how to deal
suggest to use an active load-balancer i.e. a box between clients and
servers which splits and monitors exchanges: not only it should solve the
problem but it will avoid extra traffic. With other words you are outside
what the Kea load-balancing can support...
Thanks
Francis Dupont
--
ISC funds
The official (*) answer about ISC DHCP subclass mechanism is to use flex_id
and host reservations if you want to keep the chain of compare vs table
lookup speedup.
Regards
Francis Dupont
PS (*): this means that to port this ISC DHCP feature to Kea is not planned.
--
ISC funds the development
python programs are easy to write). I do not know
for a "plain" language as rust or go: I am afraid you lost all benefits
from using them, i.e. C++ seems to be the only real candidate.
Thanks
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
there maybe any advice what options should be changed or modified?
=> if it can't be configured it still can be overwritten using the
flex_option hook (I wonder if it is not the most changed option in
DHCPv4? :-) so the response will have the value you want instead
the value deduced from the config
Francis Dupont
> sorry, guys, but i'm going to ask the most popular question again, to which t
> here is still no working answer: how to set multiple subnets on a same interf
> ace so that a client receives an address from each network?
=> if I understand well you have a phys
) a client releasing a lease and
shortly after try to get one again should get the the same IP address.
Thanks
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
To unsubscribe visit
he
response according to the evaluation of an expression. BTW as it seems
to be something that some wants we are considering on a more direct
way i.e. to add a never-send as a mirror of the always-send flag.
Thanks
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Veronique Lefebure writes:
> I wanted to ask if anyone would have an example of such an external library,
> for adding role-based access control o the Control Agent ?
=> it was added in 2.1.6 as a premium library.
Thanks
Francis Dupont
--
ISC funds the development of this software
used to behave ?
=> put reservations with an address in a subnet the address belongs to.
Note you can still use global reservations for other things as KNOWN /
UNKNOWN classification, option setting, etc. With last versions of KEA
you have also optional early global reservation lookup to
produces
an intermediate include file which includes these multiple files.
Thanks
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
To unsubscribe visit https://lists.isc.org/mailman/listinfo/
u want:
when it is set to true (which is not the default) the client identifier
in the query message is replaced by the flex-id value so the lease and
the host reservation are identified by the same value. The initial client
identifier is put in the response so this is not visible by the client.
ISC DHCP.
Note you can use keama to automatize this...
Regards
Francis Dupont
PS: it is a bit more hairy when you use records: as in Kea the array flag
is for the option there is an ambiguity between an array of records and
a record where the last field is an array so not all ISC DHCP option
def
'-')
has no meaning at all. In all programming languages including the shell
(so a command line) it can get a meaning so be misinterpreted.
Regards
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more in
er of the
shared network or use a group to factor them. In general the ISC DHCP
configuration is far less structured than the Kea one...
Regards
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for mor
re not exclusive but topologies with both are uncommon.
Please note the localization process is the same for ISC DHCP and Kea:
it follows the standard so selectors are used in the same order,
and in both when shared networks are used the "selected subnet" is
in fact the selected shared
rameter to false. See the example in the
9.3.11 "Multiple Reservations for the Same IP" section in the ARM.
Thanks
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
To unsubscribe
se passwords in files as it was done
for the basic HTTP authentication. IMHO (but I am not neutral) this is
good trade-off between security (which can't be done at 100%) and
usability (e.g. people understand well file access rights).
Regards
Francis Dupont
--
ISC funds the development of this softw
"data": "0x6774"
> },
=> note if it is allowed to specify more than once an option data of course
only one will be applied.
> The Relay -Reply that I got shows only one vendor (Cisco ) even though opti=
> on-data has Cisco and xyz()
=> yes and it
I can't use ddns-send-updates set to false in a reservation. It only works
> in a subnet declaration or at global scope.
>
> What am I missing?
=> I suggest to try a shared network with two subnets covering the same
range but with different textual representations (e.g. put ...1
ar for "new" crypto
if the OpenSSL library version is old
- dump the handshake messages on the wire: they are in clear text
Regards
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more infor
> Is there a way to add lots of MAC addresses to a DROP class config...
=> not yet but the next version should provide an easy and fast way
to do this!
Regards
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.i
funny when the resolution
returns more than one address
I do not know if there is already a KB article about this (if not we
should write one as you are far to be the first to ask) or if Stork
provides this feature (it is interactive so these problems can be handled).
Regards
Francis Dupont
Munroe Sollog writes:
> Is it possible to configure the forensic logging hook to output to syslog?
=> no, forensic/legal logs are sent to a file or a SQL database (MySQL or
PostgreSQL).
Regards
Francis Dupont
___
ISC funds the devel
The "wrong version number" error is returned by some crypto libraries
when TLS is expected but clear text HTTP is received.
Regards
Francis Dupont
PS: I say "some" because at least one has a dedicated code to detect
this very common error and emits a more user friendly
Erik Edwards writes:
> { "name": "vendor-class", "data": "HTTPClient" }>
=> IMHO you mean vendor-class-identifier (option 60): there is no option
named vendor-class in the DHCPv4 option space.
Regards
Francis Dupont
sktop using the test part as
its expression (i.e. substring(option[vendor-class-identifier].text, 0, 9)
== 'PXEClient'. The expression grammar can return a boolean or a string
so what you can do with an ifelse can be done with a class.
Regards
Francis Dupont
___
I
; easy: configure/load it in the kea-dhcp4 and the kea-dhcp6 servers.
I do not believe it will share something between the two servers at
the exception of course of the RADIUS server itself.
Thanks
Francis Dupont
PS: some hook libraries explicitely check if they are loaded in the right
server in t
it was reported in its logs?
Thanks
Francis Dupont
PS: a secret mismatch gives BADSIG so IMHO this is around the key itself
(name, algorithm, ...).
PPS: looking the bind9 code for BADKEY you have:
- key name mismatch
- algorithm name mismatch (both logger as
"key name and algorit
as queries are dropped vs. no resource can be assigned).
Regards
Francis Dupont
PS: Change 1898 included in Kea 1.9.8.
___
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more
Can you demangle the C++ symbol? The tool doing this is c++filt and
is not portable.
Thanks
Francis Dupont
Makhdoom Naeem writes:
> sudo /usr/sbin/kea-dhcp4 -t /etc/kea/kea-dhcp4.conf
> /usr/sbin/kea-dhcp4: symbol lookup error: /usr/sbin/kea-dhcp4: undefined
&g
different address or port...)
- if your system allows this you may use :: to match both :: and 0.0.0.0
Usually it is controled by the IPV6_V6ONLY flag which has a system
dependent default value. I suppose you use Linux where the default
is in /proc/sys/net/ipv6/bindv6only
Regards
Francis Du
not allow 2x2 widths.
Now I saw enough options 43 with not compliant contents I am not
surprised...
Regards
Francis Dupont
___
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more
the last entry value is taken) results.
Strangely it does not seem to be illegal JSON (the spec aka ECMA 404 says
nothing) but of course all JSON tools give either an error or only one
value on duplicated entries of maps (Kea term) / objects (standard name).
Thanks
Francis Dupont
Problem is that a client (Windows 7) gets ::::: as its IP
> address.
=> it is the first address of the pool so it is not an error. Note
the easiest way to remove an address from a pool is to reserve it to
a nonexistent host.
Thanks
Francis Dupont
or
/128: /64 is convenient but /128 is the real legal value...
In conclusion this thread is about how to use Kea but not about Kea itself.
Regards
Francis Dupont
PS: as DHCP does not provide the local prefix length the right protocol is
the Neighbor Discovery or simply static config
t4.mac, ''), '=
> .bin')),'')"
=> I do not think this will work because the hook implementation uses
a per code std::map for the configuration so the second entry will
overwrite the first one.
Thanks
Francis Dupont
PS: it will silently overwrite the std::map entry. If you think it should
w
Yes multiple actions are supported by the flex option hook.
Thanks
Francis Dupont
___
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
To unsubscribe visit
-data for every shared subnet I have?
=> you should but it is one of the uses of client classes (possible but
a but hairy to do with current Kea: it is one of the things I plan to make
cleaner and easier).
Thanks
Francis Dupont
___
ISC fun
interface was designed for allocation so the type is Lease::TYPE_V4 and
the anypool to false (critical as it defaults to true).
Thanks
Francis Dupont
PS: the main reason pools are not saved in leases nor get their own
statistics is a pool is a bit hard to identify. If you have an idea
for a code and user
day so 1.9.3 is scheduled in four weeks but
if you can't wait the fix is already available...
Thanks
Francis Dupont
PS: the bug can give multiple options too but currently it was reported
only the DHCPv6 option 17...
___
ISC funds the development of t
other client.
> Can you confirm this is correct ?
=> yes reserved addresses are reserved.
Thanks
Francis Dupont
___
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/cont
There is a new section is the developer guide about how to cross compile
Kea with an extended example for Debian Buster.
Regards
Francis Dupont
___
ISC funds the development of this software with paid support subscriptions.
Contact us at https
ic subnet.
=> option 51 (dhcp-lease-time) is set by the server code so you should not
configure it. Option 150 is not a standard option so you have to define it
(option-def at the global scope) before using it.
Thanks
Francis Dupont
PS: if you go to
https://www.iana.org/assignments/bootp-dhcp-para
rage for Leases in the ARM (or 9.2.2.1 if you use
DHCPv6, the ARM is the Kea Administrator Reference Manual at
https://kea.readthedocs.io/en/latest/ and the persist flag is the first
documented parameter).
Regards
Francis Dupont
___
ISC funds
subnet id.
# This unique index guarantees that there is only one occurrence of the
# particular IPv4 address for a given subnet.
Regards
Francis Dupont
___
ISC funds the development of this software with paid support subscriptions.
Contact us
j-json, I found more but
for log4j2).
I can see 3 problems to do this in Kea:
- there is no hook in Kea for logging i.e. no easy place to insert code
- the JSON code is in another and later library (backward dependency)
- it requires significant manpower to develop.
Regards
Francis Dupont
by Config Backend or Netconf.
(Gitlab #35,!517, git 49ce6286f5d00f99c1c890f12cbc0fd633c9dbf6)
which was added in 1.7.1
Regards
Francis Dupont
___
ISC funds the development of this software with paid support subscriptions.
Contact us at https
; at the end of configure a report is displayed, saved in config.report
and compiled into servers and agents so can be recovered using the -W
command line argument. There is a command too named build-report.
Regards
Francis Dupont
PS: if you want the runtime library infos (can be different) us
s true for a lot of other objects.
Thanks
Francis Dupont
___
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
To unsubscribe visit https://lists.isc.org/mailman/listin
e callout point and return DROP when the query4->getFlags()
has FLAG_BROADCAST_MASK set). As the broadcast flag has a function
in the protocol perhaps it is possible to tweak the configuration
so they failed to be served (e.g. responses do not reach them) but
a direct way is more reliable.
Rega
The Kea gitlab URL is in the ARM but as you ask I put it here again:
https://gitlab.isc.org/isc-projects/kea
If you do not know gitlab the # is for an issue and the ! for a
merge request.
Regards
Francis Dupont
PS: just received my Raspberry Pi 4 "starter kit" so now we are seve
he system logging: they are sent to standard output or error,
to a file or to syslog. According to its documentation rsyslogd
is able to send logs to a database including a PostgreSQL one
(I never used this but perhaps someone in the list did/does?)
Thanks
Franc
Regards
Francis Dupont
PS: tickets are on Kea gitlab with numbers:
- #1194 (initial request)
- #1221 (cross compiling: it is mine and I am very interested to
complete it)
- #1223 (closed, i.e. included in 1.7.8 last release)
___
ISC funds the de
The server sends an option only when it was required by the client
(code in the PRL option of the discover) or when it has the
always-send flag set to true in the option data.
Regards
Francis Dupont
___
ISC funds the development of this software
Please retry adding -f (or --force) to autoreconf?
Thanks
Francis Dupont
Bill Schoolfield writes:
> I've tried this. No luck. I'm stuck. Any help appreciated.
>
>
> >
> >
> >
> > It goes in the top level directory, i.e. one up from src.
> >
> > Che
client_id = ?, valid_lifetime = ?, expire = ?, subnet_id =
> ?,
> > fqdn_fwd = ?, fqdn_rev = ?, hostname = ?, state = ? WHERE address =
> > ?>, reason: Incorrect datetime value: '2020-03-08 02:04:29' for column
> > 'expire' at row 1 (error code 1292)
=> IMHO it looks like a
rally. For details, see new section "Flexible Option
for Option value settings" in the Kea Administrator Reference
Manual.
(Gitlab #219,!523, git 2bf854c029b9b07ee6161bc1fcb4dfdc9846ee42)
Regards
Francis Dupont
PS: BTW the hook source code
tifiers using it
should work but if you have several shared networks or subnets I understand
you prefer to change the global value. Unfortunately this requires to
reload or reconfig the whole server configuration.
Regards
Francis Dupont
___
Kea-users mailing
use an old Kea version which does not support
them).
Regards
Francis Dupont
PS: teh Kea Migration Assistant is available in the public repository and
should be integrated into the distribution of the next ISC DHCP.
You can get soem idea from it and of course if you can propose improvements
I do not believe it is possible directly but it should be indirectly using
different subnets (with per subnet different lifetimes) in a shared
network. Note you can also guard a pool (but not a subnet) using the
UNKNOWN client class.
Regards
Francis Dupont
Gibbins, John (IM, Black Mountain
(it is called only by 2 internal methods).
We'll revisit the definition of the callout point to see if it is a bug
and if it is we'll fix it.
Thanks
Francis Dupont
___
Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea
ost reservations are read-only for servers and
the new configuration backend was designed to support sharing: this
constraint is only for leases).
Thanks
Francis Dupont
> example:
> Kea1 configured to multiple subnets and/or interfaces:
>
> Subnet 1 (with dynamic pool) + host reserva
red database (available for host reservations
for a long time, new in 1.6.0 for subnets) so edit once.
Regards
Francis Dupont
___
Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users
> 192.168.2.176" } ],
> "subnet": "192.168.0.1/24"
^ 2
>
> }
> ]
Regards
Francis Dupont
PS: you should get an error message saying "does not match the prefix
of a subnet"...
___
rogue client no subnet
is selected. For pools it makes only resources (i.e addresses) not
available for the rogue client (of course I suppose it has no reservations).
Regards
Francis Dupont
___
Kea-users mailing list
Kea-users@lists.isc.org
https://lists.i
"Ambauen Daniel (ID NET)" writes:
> From my point of view the network access control is definitely not a
> task of the DHCP service.
=> I agree: it is clearly too late and DHCP is more than poor about security.
Regards
Francis Dupont
__
e to it. You can also write a hook to filter out messages
but it requires to write some code (vs a config update).
Regards
Francis Dupont
PS: I cited the hook because it is the standard way to plug an
authentication/authorization service to Kea.
_
if you have no address (nor prefix in IPv6) you need a hostname.
Note here a host reservation is perhaps not the best feature: what you
want is some kind of access list and for a negative access list a client
class is better. Host reservations and KNOWN/UN
nt) relay
- old Sun boxes interpreted the loose IEEE spec as the mac address
can be a box (vs a NIC) property so with some Sun servers you have
multiple NICs sharing the same mac address... pretty find to find
some bugs in interop testing, less in production.
Regards
Francis Dupont
PS: in Kea
white and black lists are large it will be better to use
a hook to do the same thing but with all the resources from a full
programming language, e.g. C++ sets. List updates will be far easier too.
Regards
Francis Dupont
___
Kea-users mailing list
Kea-user
My immediate idea is to simply not define a pool for such subnets?
Regards
Francis Dupont
___
Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users
> How can I achieve something similar using KEA?
=> not yet (this feature is on the TODO list) or only with a hook.
Regards
Francis Dupont
PS: the missing feature is to compute an option value from an expression.
___
Kea-users mailing list
Kea
of starting from the subnet which pools are not
// exhausted.
Regards
Francis Dupont
___
Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users
e same without possible ambiguity.
Regards
Francis Dupont
___
Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users
Francis Dupont
> First I tried to add the class to the host:
>
> "client-classes": [
> {
> "name": "cl-test",
> "test": "member('cl-test')"
=> note this does not make sense. If you need a
1 - 100 of 267 matches
Mail list logo
