Hello and thank you very much for your help.

I have looked into the source code dhcp6_srv.cc and the issue is most probably 
caused by the way Dhcpv6Srv::setHostIdentifiers() iterates over the
cfg->getIdentifierTypes() collection - there is a switch statement with breaks 
inside the loop.

I supposed that the host-reservation-identifiers config needs to be set properly 
for this particular scenario. The default value of 
host-reservation-identifiers, which probably is "host-reservation-identifiers": 
[ "hw-address", "duid", "circuit-id", "client-id" ], did not work because the "duid" 
option is probably matched before hw-address and, of course, I was missing 
host-reservation-identifiers in my config.

So this is a working config for anyone who is interested in a strict server 
setup with clients identified by MAC address, which is provided via a relay.

{
  "Dhcp6": {
    "client-classes": [
      {
        "name": "DROP",
        "test": "not member('KNOWN')"
      }
    ],

    ...
    "host-reservation-identifiers": [ "hw-address" ],
    ...
    "mac-sources": [ "client-link-addr-option" ],
    ...

    "subnet6": [
      {
        "reservations": [
          {
            "hw-address": "xx:xx:xx:xx:xx:xx",
            "ip-addresses": [ "xxxx:xxx:xxxx:xxxx:xxxx:xxxx" ]
          }
        ]
      }
    ]
  }
}

Sincerely,
Jan Rovner
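
An added example, not part of the original message and not Kea code: it decodes a DUID to show whether a MAC can be derived from it (the DUID in the log lines of this thread is a type that carries no link-layer address, so the MAC has to come from another source such as option 79), and it compares a Dhcp6 config against the settings this message reports as working. The function names, the sample MAC and the sample addresses are assumptions made for illustration; the DUID layouts follow RFC 8415.

```python
DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}  # RFC 8415

def mac_from_duid(duid_text):
    """Return (type name, MAC or None) for a colon-separated hex DUID."""
    raw = bytes.fromhex(duid_text.replace(":", ""))
    if len(raw) < 2:
        raise ValueError("DUID too short")
    dtype = int.from_bytes(raw[:2], "big")
    name = DUID_TYPES.get(dtype, f"unknown({dtype})")
    # DUID-LLT: type(2) hwtype(2) time(4) lladdr; DUID-LL: type(2) hwtype(2) lladdr
    offset = {1: 8, 3: 4}.get(dtype)
    ethernet = int.from_bytes(raw[2:4], "big") == 1
    if offset is None or not ethernet or len(raw) - offset != 6:
        return name, None  # no Ethernet address can be recovered from this DUID
    return name, ":".join(f"{b:02x}" for b in raw[offset:])

def lint_strict_mac_setup(cfg):
    """List differences from the 'known MAC via relay only' config in this thread."""
    d6 = cfg.get("Dhcp6", {})
    findings = []
    ids = d6.get("host-reservation-identifiers")
    if ids is None:
        findings.append("host-reservation-identifiers not set; server default applies")
    elif ids != ["hw-address"]:
        findings.append(f"host-reservation-identifiers is {ids}, not ['hw-address']")
    if "client-link-addr-option" not in d6.get("mac-sources", []):
        findings.append("mac-sources does not list client-link-addr-option (option 79)")
    drops = [c for c in d6.get("client-classes", []) if c.get("name") == "DROP"]
    if not any(c.get("test") == "not member('KNOWN')" for c in drops):
        findings.append("no DROP class with test not member('KNOWN')")
    for subnet in d6.get("subnet6", []):
        for res in subnet.get("reservations", []):
            if "hw-address" not in res:
                findings.append(f"reservation without hw-address: {sorted(res)}")
    return findings

# Constructed samples: QUESTION_CFG mirrors the original question, WORKING_CFG the fix.
QUESTION_CFG = {"Dhcp6": {
    "client-classes": [{"name": "DROP", "test": "not member('KNOWN')"}],
    "host-reservation-identifiers": ["hw-address", "duid"],
    "mac-sources": ["client-link-addr-option", "remote-id", "subscriber-id",
                    "ipv6-link-local", "duid"],
    "subnet6": [{"reservations": [{"hw-address": "02:00:00:00:00:01",
                                   "ip-addresses": ["2001:db8:1::2"]}]}]}}
WORKING_CFG = {"Dhcp6": {**QUESTION_CFG["Dhcp6"],
                         "host-reservation-identifiers": ["hw-address"],
                         "mac-sources": ["client-link-addr-option"]}}
LOGGED_DUID = "00:02:00:00:d2:6d:8e:83:64:d4:6c:e7:26:8e"  # from the log in this thread

if __name__ == "__main__":
    print(mac_from_duid(LOGGED_DUID))
    print(lint_strict_mac_setup(QUESTION_CFG))
```
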





From: Darren Ankney <darren.ank...@gmail.com>
Sent: Sunday, April 13, 2025 1:07 PM
To: Kea user's list <kea-users@lists.isc.org>
Cc: Jan Rovner <jan.rov...@diadema.cz>
Subject: Re: [Kea-users] kea-dhcp6 : KNOWN class setting vs mac-sources and 
DUIDs types

Hi Jan,

You may want to investigate your assumption that option 79 is included.  From 
what you've shown here, it seems likely that it was not included.  You can do 
this with `tcpdump -i <interface> -w dhcp6.pcap port 547`. The resulting 
dhcp6.pcap can be opened in Wireshark for inspection.  I think you might find 
that option 79 is not included.

Thank you,
Darren Ankney

On Tue, Apr 8, 2025 at 12:06 PM Jan Rovner via Kea-users 
<kea-users@lists.isc.org> wrote:
Hello,

I am running a dhcp6 server with a strict policy that KEA talks only to clients 
with known MACs (Reservations) and provides only a static config for them. All 
clients are operating via a DHCPv6 relay and the relay should pass the client's MAC 
in option 79 (RFC 6939) for KEA to use via client-link-addr-option.

This is a working excerpt from my kea-dhcp6.conf. It all works fine if the client 
uses DUID-LLT or DUID-LL, where the MAC address can be determined from the DUID.

...
"client-classes": [
  {
    "name": "DROP",
    "test": "not member('KNOWN')"
  }
],

...

"host-reservation-identifiers": [ "hw-address", "duid" ],
"mac-sources": [ "client-link-addr-option", "remote-id", "subscriber-id", 
                 "ipv6-link-local", "duid" ],

...

"subnet6": [
  {
    "reservations": [
      {
        "hw-address": "xx:xx:xx:xx:xx:xx",
        "ip-addresses": [ "xxxx:xxxx:xxxx:1::2" ],
etc.
...

However, if the client uses another DUID type, this happens - "Expression DROP is 
evaluated to true" and the request is dropped.

INFO  DHCP6_QUERY_LABEL received query: duid=[00:02:00:00:d2:6d:8e:83:64:d4:6c:e7:26:8e], [no hwaddr info], tid=0x2621c

INFO  EVAL_RESULT duid=[00:02:00:00:d2:6d:8e:83:64:d4:6c:e7:26:8e], [no hwaddr info], tid=0x2621c: Expression DROP evaluated to true

DEBUG DHCP6_PACKET_DROP_DROP_CLASS2 dropped as member of the special class 'DROP' after host reservation lookup: duid=[00:02:00:00:d2:6d:8e:83:64:d4:6c:e7:26:8e], [no hwaddr info] local_address=[xxxx:xxxx:xxxx:x::x]:0, remote_address=[xxxx:xxxx:xxxx:xxxx::1]:547, msg_type=SOLICIT (1),

It looks like the host reservation lookup was probably not performed with the 
correct MAC (that was told to KEA via option 79).

Any ideas to fix it?

Thank you very much.

Sincerely,
Jan Rovner



--
ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.

Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users