Re: [Kea-users] Advice for reconfigured reservations when implementing VLANs

2024-05-28 Thread Francis Dupont
> I will mention that I wish there was a Arm package for Ubuntu that ISC
> offered.  I would be on the latest version of Kea if that was the case...

=> according to my colleague building them there will be ARM Ubuntu
packages for the 2.6.0 version which should be announced pretty soon.

Regards

Francis Dupont 

PS: will be on https://cloudsmith.io/~isc/repos/
-- 
ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.

Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users


Re: [Kea-users] DHCPv4 - respond to option 108 without allocating leases

2024-05-22 Thread Francis Dupont
Looking at RFC 8925 to try to understand how it is supposed to work...
I think you should add a pool and have the client ignore the offered
address (it is the only MUST in client and server behaviors which can make
the feature work). I leave further details to Tomek who is one of the
authors...

Regards

Francis Dupont 


Re: [Kea-users] DHCPv4 - respond to option 108 without allocating leases

2024-05-22 Thread Francis Dupont
I was wrong about the DHCPNAK: it can be sent only with a DHCPREQUEST,
when a DHCPDISCOVER fails to offer an address it is simply dropped and
no response is sent.

Regards

Francis Dupont 


Re: [Kea-users] DHCPv4 - respond to option 108 without allocating leases

2024-05-22 Thread Francis Dupont
Lexi Winter writes:
> "interfaces-config": {
>     "interfaces": [ "ix0.103", "ix0.106", "ix0.301" ]
> },
> [...]
> {
>     // VLAN301 - Eden wireless (IPv6-only)
>     "id": 3,
>     "subnet": "10.3.1.0/24",
>     "option-data": [
>         {
>             "name": "v6-only-preferred",
>             "data": "300"
>         }
>     ]
> },
> --o<--

> there's nothing in the Kea log that indicates why it's not sending a
> response.

=> IMHO you need to log at the debug level to understand what happens.

> am i doing something wrong here?

=> two things: 
 - if you want to get information only (i.e. without an address) the right
  message to send is a DHCPINFORM. If you send a DHCPDISCOVER you'll receive
  nothing or a DHCPNAK depending if the server is authoritative on the subnet.
 - the most current way to fail is to have the subnet selection to return
  nothing so I highly recommend to add an "interface": "ix0.301" to
  the subnet 3 configuration.

Regards

Francis Dupont 


Re: [Kea-users] Add multiple Sub-Options 193 to Option 125

2024-05-15 Thread Francis Dupont
With a few exceptions it is possible to add at most one option / sub-option
with a given code-point.

Regards

Francis Dupont 


Re: [Kea-users] DHCP6 host reservation

2024-04-02 Thread Francis Dupont
> Of course in that case you could probably also configure the DHCPv6
> client to send the hw-address as well :-)

=> in fact you can't: there is no direct way to carry the hardware address
in DHCPv6. BTW the opposite exists: RFC 4361 specifies a way to use
a DUID in DHCPv4. Of course you can find it in DHCPv6 messages, the problem
is usually there are many ways which are not guaranteed to return a value
or the same value.
See 'MAC/Hardware Addresses in DHCPv6' section in the ARM...

Regards

Francis Dupont 


Re: [Kea-users] DHCP6 host reservation

2024-04-02 Thread Francis Dupont
> You cannot know the DUID in advance, as it's calculated by the OS
> on the machine using data it creates during the first boot of the OS.

=> some DUID formats are predictable e.g. LL (it uses the MAC address,
vs LLT which uses the MAC address *and* a timestamp). Many DHCP clients
support it as it provides an easy way to get a stable DUID without storage.

Regards

Francis Dupont 

PS: 'dhclient -D LL' for the ISC DHCP client.


Re: [Kea-users] Using variables in lease reservation

2024-04-02 Thread Francis Dupont
It is not directly supported but you can use a (pre)processor to build
the config file (or a part of it). There are many tools to do this from
m4 (old Unix way) to script languages supporting the JSON syntax.

Regards

Francis Dupont 


Re: [Kea-users] unable to start Kea with HA - 'Invalid argument'

2024-03-25 Thread Francis Dupont
Found the note about the accepted URL syntax:
   The ``url`` schema can be ``http`` or ``https``, but since Kea version 1.9.6
   the ``https`` schema requires a TLS setup. The hostname part must be an IPv4
   address or an IPv6 address between square brackets, e.g.
   ``http://[2001:db8::1]:8080/``. Names are not accepted.

About the name in TLS certificates it depends on the crypto backend so
either OpenSSL or Botan and for OpenSSL the version too.
Here are the notes about creating the crypto material (i.e. certificates)
for tests (src/lib/asiolink/testutils/ca/doc.txt):

Some critical details:
 - recent versions of OpenSSL requires at least 2038 bit RSA
 - certificate version should be 3 (enforced by Botan for leaves),
  if openssl creates a version 1 add an extension
 - RSA allows a simpler format than PKCS#8 for RSA private keys
  but Botan and other algorithms require PKCS#8
 - some tools check the alternate subject name of the server so put
  a correct value in it

The last point should answer your question about what name to use
in certificates.

There were some discussions about self-signed certificates too: usually
they are not accepted for end-entity certificates.

Thanks

Francis Dupont 
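
[Added example, not part of the original message and not Kea code] A pre-flight check for HA peer URLs that applies the rules quoted in the message above: http or https only, https only with a TLS setup, and an IPv4 or bracketed IPv6 literal as host. The function names, the tls_configured flag and the sample peers are assumptions made for this sketch.

```python
import ipaddress
from urllib.parse import urlsplit


def check_ha_url(url, tls_configured=False):
    """Return a list of problems with one HA peer URL (empty list = acceptable)."""
    try:
        parts = urlsplit(url)
        # .port raises ValueError for an unbracketed IPv6 literal, because
        # everything after the first ':' is then taken as the port.
        host, _port = parts.hostname, parts.port
    except ValueError as exc:
        return [f"unparsable URL: {exc}"]

    problems = []
    if parts.scheme not in ("http", "https"):
        problems.append(f"scheme {parts.scheme!r} is not http or https")
    elif parts.scheme == "https" and not tls_configured:
        problems.append("https requires a TLS setup (since Kea 1.9.6)")

    if not host:
        problems.append("missing host part")
    else:
        try:
            # urlsplit() has already stripped the square brackets of an
            # IPv6 literal, so both address families are checked here.
            ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"host {host!r} is not an IP address; names are not accepted")
    return problems


def check_peers(peers, tls_configured=False):
    """Map peer name -> problems, listing only the peers that have any."""
    report = {}
    for peer in peers:
        problems = check_ha_url(peer["url"], tls_configured)
        if problems:
            report[peer["name"]] = problems
    return report


# Constructed sample: a "peers" list shaped like the HA hook configuration,
# using documentation address ranges and made-up server names.
SAMPLE_PEERS = [
    {"name": "server1", "url": "http://192.0.2.10:8000/", "role": "primary"},
    {"name": "server2", "url": "http://[2001:db8::1]:8080/", "role": "standby"},
    {"name": "server3", "url": "http://kea-c.example.org:8000/", "role": "backup"},
    {"name": "server4", "url": "https://192.0.2.11:8000/", "role": "backup"},
]

if __name__ == "__main__":
    for name, problems in check_peers(SAMPLE_PEERS).items():
        print(name, "->", "; ".join(problems))
```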


Re: [Kea-users] unable to start Kea with HA - 'Invalid argument'

2024-03-25 Thread Francis Dupont
Kea does not support names in URL for many reasons explained in tickets
asking for this. Note that IPv6 addresses in URL follow a specific not
so trivial syntax and I can't find an example in the doc... Creating
a ticket for this.

Thanks

Francis Dupont 

PS: https://gitlab.isc.org/isc-projects/kea/-/issues/2775#note_359268
for a long answer by Tomek about DNS resolution in Kea.


Re: [Kea-users] Custom standard option

2024-01-31 Thread Francis Dupont
First Kea has a pretty loose notion of what is a string i.e. it is more
a C++ string than a C one. Second if you really want to set an option value
without any check (other than not empty) you have the flex-option hook.

Regards

Francis Dupont 


Re: [Kea-users] Multiple-Storage Extension

2023-12-26 Thread Francis Dupont
BTW the only supported case of multiple storage is the host cache as the
first host backend followed by the RADIUS fake host backend.

Merry Christmas

Francis Dupont 

PS: the host cache was designed for caching values returned by an external
host backend as RADIUS (which is currently the only known one).
It does not support host API methods returning a host reservation collection
(vs one entry) but at the opposite it provides negative caching (i.e. it
caches the fact an entry does not exist): this makes it dedicated for a
specific usage...


Re: [Kea-users] Reservations via hostnames

2023-12-26 Thread Francis Dupont
In fact I think that Kea provides a solution to your problem: I am
discussing with Darren who should come back to you. The ISC DHCP config
will help (and we have a tool to translate it to Kea...).

Merry Christmas

Francis Dupont 


Re: [Kea-users] HA with TLS problems

2023-12-15 Thread Francis Dupont
If the problem occurs before logging system configuration the
KEA_LOGGER_DESTINATION environment variable allows to get logs:
set it to stderr and of course call the DHCPv4 server directly
(anyway it will fail to start). If you want to trace the system calls
the tool on Linux is named strace.

Regards

Francis Dupont 


Re: [Kea-users] HA with TLS problems

2023-12-15 Thread Francis Dupont
Can you provide more details: system, OpenSSL version and logs at the debug
level?

Regards

Francis Dupont 


Re: [Kea-users] isc-dhcp-server end of live. Support kea dhcp server ldap backend?

2023-12-09 Thread Francis Dupont
Stefan Harbich writes:
> i am using the isc-dhcp server with ldap backend. ISC goes end of live.
> The successor is the KEA. Can I still carry out dhcp administration in
> the ldap backend of the KEA DHCP server? Or do I have to look for a new
> DHCP server?

=> as far as I know there was no demand (so no plan) to provide a LDAP
backend to Kea.

Regards

Francis Dupont 

PS: LDAP for ISC DHCP seems to provide configuration and host reservations.
Both are pretty different between ISC DHCP and Kea so there is no obvious
migration way.


Re: [Kea-users] Wg: Trouble implementing Option 158

2023-12-05 Thread Francis Dupont
Markus Maurer writes:
> Anybody an idea please?
>
> Begin forwarded message:
> From: Markus Maurer
> Subject: Trouble implementing Option 158
> Date: 21 Nov. 2023 at 16:02
> To: kea-users@lists.isc.org
>
> Hi! I'd like to announce a Port Control Protocol Server with Option 158
> (Port Control Protocol Server) with Kea: RFC 7291 - DHCP Options for the
> Port Control Protocol (PCP) Japanese translation (tex2e.github.io)
> Anyways I don't really get it. Could anyone provide me an example
> configuration with this option please? Thanks in advance! Best regards

=> option 158 DHO_V4_PCP_SERVER is not supported by Kea (it is commented
in src/lib/dhcp/dhcp4.h) so it is considered as a binary option.

Regards

Francis Dupont 


Re: [Kea-users] Kea-muti threading

2023-10-19 Thread Francis Dupont
Kraishak Mahtha writes:
> > Thanks for the reply but I wanted to clarify whether the status-get
> > command takes the configuration files into account when providing
> > information. If so, my question pertains to verifying the running Kea DHCP
> > instance with regard to the number of threads it is utilizing.
> > Specifically, if I initially configured it with 4 threads and later
> > modified the configuration to use 8 threads, how can I confirm this change?
> > Is there a way to observe the presence of these 8 threads in the logs or
> > through a process list?

=> as config-get returns the runtime status it should be exactly what you
are looking for. The number of threads is in the thread-pool-size entry.
IMHO easier than parsing debug logs to get the last loaded config.

Thanks

Francis Dupont 


Re: [Kea-users] Kea-muti threading

2023-10-18 Thread Francis Dupont
Use the REST API "status-get" which should give MT setup details.

Regards

Francis Dupont 


Re: [Kea-users] able to DROP both Windows 8.x and Windows 7 clients?

2023-09-05 Thread Francis Dupont
You can't define a client class more than once. If you want to combine
classes I recommend the member clause...

Regards

Francis Dupont 


Re: [Kea-users] Never send option 12 (host name) as a response even if the client sends it

2023-08-02 Thread Francis Dupont
In your particular case I recommend to use the flex-option hook which
works on all options including options managed internally by Kea.

Thanks

Francis Dupont 


Re: [Kea-users] Use of include statement doesn't seem to work (OPEN)

2023-03-15 Thread Francis Dupont
Weisteen Per writes:
> Changing the include statement to use absolute path solved the problem. 

=> the system call trace tool (strace on Linux) should display the used path
in the case you want to understand the source of the problem. BTW Kea does
not change the current directory so relative paths start from it.

Regards

Francis Dupont 


Re: [Kea-users] got unexpected keyword "valid-lifetime" in reservations map.

2023-02-22 Thread Francis Dupont
You can't specify the option 51 dhcp-lease-time because it is directly
managed by Kea. BTW if you were allowed to change it (which still can be
done by the flex-option hook) it would not change the valid lifetime in
the lease database so would be very far from what you wanted...

Regards

Francis Dupont 


Re: [Kea-users] lease4-get-all is giving stale data

2023-01-25 Thread Francis Dupont
> If the lease is still active (ie: the expire time is in the future),
> regardless of if the subnet is configured, I think it will still appear
> in the list.

=> in most but not all cases.

> I don't believe that LFC checks your configuration or anything.

=> yes, LFC does not know the configuration.

> It is just meant to keep your leases file from growing uncontrollably.

=> fine summary of what LFC does. It is not very clear from the initial
message but I think that the lease backend is memfile.

> I don't think that Kea itself, in general, discards leases that are
> still valid even if you remove the subnet.

=> true with one exception: when Kea is reloaded it filters leases which
belong to a removed subnet. Look at 8.2.15 Sanity Checks in DHCPv4
in the ARM (or 9.2.15 Sanity Checks in DHCPv6). BTW the default is 'warn'
so if the lease-checks parameter was not set leases should have remained.

Thanks

Francis Dupont 


Re: [Kea-users] IPV6 client gets the wrong IP for sometime after a reboot

2023-01-19 Thread Francis Dupont
Veronique Lefebure writes:
> And Francis, you confirm that this is a behaviour which is different between
>KEA (without flex-id) and ISC DHCP ?

=> the DUID as the unique identifier for a DHCPv6 client is in the standard
so Kea without flex-id just follows it. The flex-id allows to rewrite
the option the time to assign and store the lease. ISC DHCP has a similar
feature so it should be possible to get the wanted behaviour with it...

BTW the problem is in clients which MUST according to the standard use
a stable DUID. When stable storage is not available the solution is
to use a LL (vs LLT) DUID i.e. to encapsulate the mac address into the DUID
without (again vs LLT) adding a timestamp.

I know that the ISC DHCP client can do this as I added this command line
option many years ago in it...

Thanks

Francis Dupont 
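
[Added example, not part of the original messages and not Kea or ISC DHCP code] The LL versus LLT point made in the message above and in the 2024-04-02 "DHCP6 host reservation" reply, worked through with the RFC 8415 DUID layouts: a DUID-LL can be computed from the MAC address before the client ever boots, while a DUID-LLT changes whenever it is regenerated. The helper names and the sample MAC and address (documentation ranges) are assumptions made for this sketch.

```python
import struct
from datetime import datetime, timezone

DUID_LLT = 1         # link-layer address plus time (RFC 8415, section 11.2)
DUID_LL = 3          # link-layer address only (RFC 8415, section 11.4)
HTYPE_ETHERNET = 1   # hardware type for Ethernet
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time base


def parse_mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into 6 bytes."""
    octets = text.replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError(f"not an Ethernet MAC address: {text!r}")
    return bytes(int(octet, 16) for octet in octets)


def duid_ll(mac):
    """DUID-LL: type, hardware type, MAC. Stable without any storage."""
    return struct.pack("!HH", DUID_LL, HTYPE_ETHERNET) + mac


def duid_llt(mac, generated_at):
    """DUID-LLT: as DUID-LL plus seconds since 2000-01-01 UTC, modulo 2^32."""
    seconds = int((generated_at - DUID_EPOCH).total_seconds()) % 2**32
    return struct.pack("!HHI", DUID_LLT, HTYPE_ETHERNET, seconds) + mac


def to_hex(duid):
    """Colon-separated hex, the notation used for a "duid" in reservations."""
    return ":".join(f"{byte:02x}" for byte in duid)


def mac_from_duid(duid):
    """Return the embedded Ethernet MAC of a DUID-LL/LLT, else None."""
    if len(duid) < 4:
        return None
    duid_type, htype = struct.unpack("!HH", duid[:4])
    if htype != HTYPE_ETHERNET:
        return None
    if duid_type == DUID_LL:
        mac = duid[4:]
    elif duid_type == DUID_LLT:
        mac = duid[8:]      # skip the 4-byte timestamp
    else:
        return None         # DUID-EN, DUID-UUID: no link-layer address inside
    return mac if len(mac) == 6 else None


def reservation(mac_text, address):
    """A DHCPv6 host reservation keyed on the predictable DUID-LL."""
    return {"duid": to_hex(duid_ll(parse_mac(mac_text))),
            "ip-addresses": [address]}


if __name__ == "__main__":
    mac = parse_mac("00:00:5e:00:53:01")   # constructed sample MAC
    print("LL          ", to_hex(duid_ll(mac)))
    # Two installs of the same machine produce two different LLT DUIDs.
    for when in (datetime(2023, 1, 17, tzinfo=timezone.utc),
                 datetime(2023, 1, 19, tzinfo=timezone.utc)):
        print("LLT", when.date(), to_hex(duid_llt(mac, when)))
    print(reservation("00:00:5e:00:53:01", "2001:db8:1::100"))
```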


Re: [Kea-users] IPV6 client gets the wrong IP for sometime after a reboot

2023-01-17 Thread Francis Dupont
The problem here is the client is changing its DUID so Kea believes
the lease was assigned to a different client using the same mac address.
To override this behavior the simplest is to use the mac address as
the client identifier with flex-id and replace-client-id set to yes.

Another way is to replace on the wire the DUID by a fixed value...

Thanks

Francis Dupont 

PS: DHCPv4 clients have two identifiers: the client-id option and
the mac address. If the client-id option has the precedence this can
be disabled at the subnet level or higher. There is a RFC too explaining
how to deal with this issue when using both DHCPv4 and DHCPv6...


Re: [Kea-users] Load-Balancing Network issue between Relay and Kea

2023-01-04 Thread Francis Dupont
I leave details to our HA expert but it seems your setup requires an active
load-balancer:
 - the path between clients and the first server is broken so this server
   does not receive queries or clients do not receive responses
 - the path between the two servers work so for the second server the
   first server is ok
 - the path between clients and the second server works so the second
   server believes queries from first server clients are served by the
   first server so it does not serve them
 - the second server has no way to detect the problem as it does not follow
   responses

I suggest to use an active load-balancer i.e. a box between clients and
servers which splits and monitors exchanges: not only it should solve the
problem but it will avoid extra traffic. With other words you are outside
what the Kea load-balancing can support...

Thanks

Francis Dupont 


Re: [Kea-users] subclass handling in kea-dhcp

2022-12-14 Thread Francis Dupont
The official (*) answer about ISC DHCP subclass mechanism is to use flex_id
and host reservations if you want to keep the chain of compare vs table
lookup speedup.

Regards

Francis Dupont 

PS (*): this means that to port this ISC DHCP feature to Kea is not planned.


Re: [Kea-users] Hook Development - Rust

2022-12-09 Thread Francis Dupont
Eric Graham writes:
> I am looking into the possibility of writing a Rust hook. I understand
> that using C++ is likely the simplest alternative, but Rust is attractive
> for its memory safety and speed. I have not had luck finding any Kea hook
> in Rust to use as a starting point. The C FFI is a complicating factor.
> In fact, I have not had luck getting a very basic PoC to register with
> Kea, just implementing version(). Does anyone know of a hook even
> partially implemented in Rust, or have interest in doing so?

=> I created a long time ago a fdxhook branch (which should be on github)
to experiment hooks written in various script languages (python, ocaml,
lua and v8). In fact as soon as you have interface from and to C or C++
it seems to be feasible. Of course you need to understand well the external
language memory management, in particular when you have a real garbage
collector. And you have to know how to embed programs written in this
external language into Kea, again it is something supported by script
languages and well documented...

Note there are some other examples of Kea hooks written in python (this is
attractive because python programs are easy to write). I do not know
for a "plain" language as rust or go: I am afraid you lost all benefits
from using them, i.e. C++ seems to be the only real candidate.

Thanks

Francis Dupont 


Re: [Kea-users] Manually Setting Option Code 1

2022-11-16 Thread Francis Dupont
Ritterhoff, Florian writes:

> Setting the code 1 to 255.255.255.255 using the option data does not
> seem to work?

=> yes, as explained in the ARM the netmask is one of the options
directly managed by Kea so it can't be configured.

quoting it from the sources:
> :ref:`dhcp4-std-options-list` comprises the list of the
> standard DHCPv4 options whose values can be configured using the
> configuration structures described in this section. This table excludes
> the options which require special processing and thus cannot be
> configured with fixed values.

> Is there maybe any advice what options should be changed or modified?

=> if it can't be configured it still can be overwritten using the
flex_option hook (I wonder if it is not the most changed option in
DHCPv4? :-) so the response will have the value you want instead
the value deduced from the config.

Thanks

Francis Dupont 

PS: please share the flex_option config so the next person who will have
a similar problem can save time (the question is not whether but when :-).



Re: [Kea-users] yet another question about multiple subnets %)

2022-11-14 Thread Francis Dupont
Francis Dupont 
> sorry, guys, but i'm going to ask the most popular question again, to which
> there is still no working answer: how to set multiple subnets on a same
> interface so that a client receives an address from each network?

=> if I understand well you have a physical network directly attached to
the server with multiple IPv6 prefixes. As it is a common case in IPv6
of course it is supported by Kea but not so easy.

The first thing (which is not strictly necessary) is to use a shared network
to represent the physical network. This mainly allows to share common
properties of the different subnets e.g. the interface.

The second thing is more technical and is system dependent: the server must
have an address on the interface for each prefix and instead of leaving
it to use the first not link-local address of the interface you should bind
to each address of the interface so replace if the interface is eth0:
 "eth0" by "eth0/2001::...", etc. See the ARM "9.2.4. Interface Configuration"
for the details.

Thanks

Francis Dupont 


Re: [Kea-users] How to get kea to reassign same IP after an explicit release (client reboot) if it has not been reused

2022-10-08 Thread Francis Dupont
Just wait for the #2548 resolution (not long: it is in the current
milestone and someone works on it so very likely in the next
development release at the end of the month) which should update
the code to expire released leases instead of to remove them: if you
enable lease affinity (on by default) a client releasing a lease and
shortly after try to get one again should get the same IP address.

Thanks

Francis Dupont 
-- 
ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.

Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users


Re: [Kea-users] Unset dhcp option from global scope in subnet

2022-10-03 Thread Francis Dupont
faze writes:
> Hi,
>
> I have a some options set in the global dhcp4 scope which I would like 
> to *not send* for a specific subnet (in this case, our guest wifi).
>
> Is there any way to achieve this?

=> use the flex-option hook which can remove an option from the
response according to the evaluation of an expression. BTW as it seems
to be something that some wants we are considering on a more direct
way i.e. to add a never-send as a mirror of the always-send flag.

Thanks

Francis Dupont 


Re: [Kea-users] role-based access control for the KEA Control Agent

2022-09-19 Thread Francis Dupont
Veronique Lefebure writes:
>  I wanted to ask if anyone would have an example of such an external library,
> for adding role-based access control to the Control Agent  ?

=> it was added in 2.1.6 as a premium library.

Thanks

Francis Dupont 


Re: [Kea-users] KEA allocates an IP while it should not

2022-08-30 Thread Francis Dupont
Veronique Lefebure writes:
>  I would like to understand why KEA allocates an IP which should not be
>  allocated.
>
>
>  I have, on purpose (for testing KEA behaviour), declared the following
>  global host reservation:

=> the answer is here: you use a global host reservation with a reserved
address so as it is documented this breaks localization aka subnet selection
so you can get exactly the kind of results you got...

>  My question is: 
>  ISC DHCP would not do that. 

in ISC DHCP there are no global reservations for an address even if it is not
obvious from the syntax: the reservation is attached to the subnet the
address belongs to.

>  Is it expected that KEA does not behave the same way ? 

=> yes, host reservation model is very different in KEA.

> Is there any tuning that can be used so that KEA behaves the same way as
> ISC DHCP used to behave ?

=> put reservations with an address in a subnet the address belongs to.
Note you can still use global reservations for other things such as KNOWN /
UNKNOWN classification, option setting, etc. With the latest versions of KEA
you also have an optional early global reservation lookup.

Regards

Francis Dupont 


Re: [Kea-users] Wildcard Includes in Kea configuration

2022-08-15 Thread Francis Dupont
Carsten Strotmann writes:
> is it possible to include multiple files into the Kea configuration using
> wildcards in the include statement?

=> no, the file name in the include statement is used as is. But you can
include files from an include so you can write a script which produces
an intermediate include file which includes these multiple files.

Thanks

Francis Dupont 
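
A sketch of the generator script suggested in the reply above, as an added example that is not ISC code: it expands a wildcard itself and writes an intermediate file containing one include directive per match. The file names, the `subnets4.json` output name and the layout (each fragment holds one JSON map, and the main configuration includes the generated list) are assumptions.

```python
import glob
import os
import tempfile


def build_include_file(pattern, output_path):
    """Write a JSON list holding one Kea include directive per file matching
    `pattern`; return the list of included paths."""
    out_abs = os.path.abspath(output_path)
    # Sorted for a stable order; the generated file itself is skipped so a
    # second run does not include its own output.
    files = sorted(os.path.abspath(p) for p in glob.glob(pattern))
    files = [p for p in files if p != out_abs and os.path.isfile(p)]
    for path in files:
        # The directive takes a quoted file name: refuse names that could
        # close the quotes early or span lines.
        if any(ch in path for ch in '"\\\n\r'):
            raise ValueError(f"unsafe file name for an include: {path!r}")
    directives = ",\n".join(f'  <?include "{path}"?>' for path in files)
    body = f"[\n{directives}\n]\n" if files else "[ ]\n"
    # Write to a temporary file in the same directory, then rename, so the
    # server never reads a half-written include file. mkstemp creates the
    # file with mode 0600: run the generator as the user Kea runs as, or
    # adjust ownership afterwards.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(out_abs), suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as handle:
            handle.write(body)
        os.replace(tmp, out_abs)
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)
    return files


def demo():
    """Constructed sample: two per-subnet fragments and one unrelated file."""
    with tempfile.TemporaryDirectory() as top:
        for name in ("20-guest.json", "10-office.json", "README.txt"):
            with open(os.path.join(top, name), "w", encoding="utf-8") as handle:
                handle.write("{ }\n")
        output = os.path.join(top, "subnets4.json")
        build_include_file(os.path.join(top, "*.json"), output)
        # Second run: the output now matches the pattern but is skipped.
        files = build_include_file(os.path.join(top, "*.json"), output)
        with open(output, encoding="utf-8") as handle:
            text = handle.read()
        return [os.path.basename(p) for p in files], text.replace(top, "DIR")


if __name__ == "__main__":
    names, text = demo()
    print(names)
    print(text)
```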


Re: [Kea-users] updates to existing leases

2022-07-13 Thread Francis Dupont
S a i f e r via Kea-users writes:
> Hello! We have strict host reservation by circuit-id: "hostname:port" =>
> "ip" and protection from manual ip by switch capabilities (dhcp snooping +
> ip source guard). Users get ip - all is well. But when replacing a device
> (change mac-address), we have to wait for the end of the lease time, which
> is very inconvenient. Having studied the issue, I came to the conclusion
> that in our configuration we don’t need the lease-database - is it
> possible to disable it completely? Or as an option, match the lease not by
> client-id/chaddr, but by circuit-id. These settings would bring us a lot of
> convenience and productivity. Are there any solutions I haven't come up
> with on my own? Thank you.

=> the replace-client-id parameter of the flex-id hook does what you want:
when it is set to true (which is not the default) the client identifier
in the query message is replaced by the flex-id value so the lease and
the host reservation are identified by the same value. The initial client
identifier is put in the response so this is not visible by the client.

Regards

Francis Dupont 


Re: [Kea-users] create Custom DHCPv4 Option for option 121 classless routes

2022-07-12 Thread Francis Dupont
Jim Perkins writes:
> I am a home labber and recently installed kea-dhcp4.  I would like some 
> guidance on creating a custom dhcpv4 option to simulate dhcp option 121 
> classless routes.
>
> This is what I had for a config in isc-dhcp server.
>
> option classless-routes code 121 = array of unsigned integer 8;
> option classless-routes 0, 192,168,0,1, 24, 192,168,1, 192,168,0,1;
>
> How would I create this using kea  custom dhcpv4 options. ?

=> option-def to define the option 121 as an array of uint8,
option-data with a cut and paste of what you use for ISC DHCP.
Note you can use keama to automate this...

Regards

Francis Dupont 

PS: it is a bit more hairy when you use records: as in Kea the array flag
is for the option there is an ambiguity between an array of records and
a record where the last field is an array so not all ISC DHCP option
definitions can be translated to Kea.
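
To show what the array of uint8 in this exchange actually contains, the following added example (not ISC code) encodes and decodes classless routes in the RFC 3442 layout and emits the option-def / option-data pair described in the reply. The option name is the one from the poster's ISC DHCP configuration; it assumes a Kea version in which code 121 is not already defined as a standard option.

```python
import ipaddress
import json


def encode_route(destination, router):
    """One RFC 3442 route: width octet, significant destination octets, router."""
    net = ipaddress.IPv4Network(destination)   # rejects host bits and IPv6
    gateway = ipaddress.IPv4Address(router)
    significant = (net.prefixlen + 7) // 8     # 0 octets for /0, 3 for /24
    return ([net.prefixlen]
            + list(net.network_address.packed[:significant])
            + list(gateway.packed))


def encode_routes(routes):
    """Flatten a list of (destination, router) pairs into the uint8 array."""
    octets = []
    for destination, router in routes:
        octets.extend(encode_route(destination, router))
    return octets


def decode_routes(octets):
    """Inverse of encode_routes; raises ValueError on malformed input."""
    routes, index = [], 0
    while index < len(octets):
        width = octets[index]
        if not 0 <= width <= 32:
            raise ValueError(f"bad prefix length {width} at offset {index}")
        significant = (width + 7) // 8
        end = index + 1 + significant + 4
        if end > len(octets):
            raise ValueError(f"route at offset {index} is truncated")
        # Destination octets beyond the prefix are not sent; pad with zeros.
        destination = (bytes(octets[index + 1:index + 1 + significant])
                       + bytes(4 - significant))
        router = bytes(octets[end - 4:end])
        routes.append((f"{ipaddress.IPv4Address(destination)}/{width}",
                       str(ipaddress.IPv4Address(router))))
        index = end
    return routes


def kea_option_121(routes, name="classless-routes"):
    """Build the option-def and option-data entries for the Dhcp4 scope."""
    data = ", ".join(str(octet) for octet in encode_routes(routes))
    return {
        "option-def": [{"name": name, "code": 121, "space": "dhcp4",
                        "type": "uint8", "array": True}],
        "option-data": [{"name": name, "code": 121, "space": "dhcp4",
                         "data": data}],
    }


# The array from the ISC DHCP configuration quoted above, and the routes it
# stands for: a default route and 192.168.1.0/24, both via 192.168.0.1.
ISC_DHCP_ARRAY = [0, 192, 168, 0, 1, 24, 192, 168, 1, 192, 168, 0, 1]
ROUTES = [("0.0.0.0/0", "192.168.0.1"), ("192.168.1.0/24", "192.168.0.1")]

if __name__ == "__main__":
    print(decode_routes(ISC_DHCP_ARRAY))
    print(json.dumps(kea_option_121(ROUTES), indent=2))
```

Decoding the existing array before pasting it into option-data is a quick way to confirm it carries the routes you expect.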


Re: [Kea-users] naming inconsistency

2022-07-12 Thread Francis Dupont
Sandro writes:
> When using keactrl to manage the daemons, the servers are specified with 
> an underscore (dhcp_ddns, ctrl_agent), whereas the corresponding daemons
> use dashes. Is there a reason for that inconsistency?

Daemon filenames are the only case where the dash (character '-')
has no meaning at all. In all programming languages including the shell
(so a command line) it can get a meaning so be misinterpreted.

Regards

Francis Dupont 


Re: [Kea-users] shared-network "interface" and "relay" parameters

2022-06-17 Thread Francis Dupont
Veronique Lefebure writes:
> Ok, this is clear. 
> It is well described on https://kea.readthedocs.io/en/latest/umls.html#dhcpv4-subnet-selection
> Can you confirm that "interface" and "relay" parameters, which, in KEA, can
> be configured either at the level of the shared-network, or at the level of
> the subnet,
> 1) are both optional parameters and are not really needed in "standard"
> topologies, and

=> what I said is they are rarely together: either the network is directly
attached to the server and the interface used by the server is configured,
or the network is not directly attached so there is one (or more) relay
and the relay address is configured.

> 2) that these 2 parameters don't exist in ISC DHCP. They are new with KEA, 
> right ?

=> yes, in ISC DHCP you have to specify them in each subnet member of the
shared network or use a group to factor them. In general the ISC DHCP
configuration is far less structured than the Kea one...

Regards

Francis Dupont 


Re: [Kea-users] shared-network "interface" and "relay" parameters

2022-06-15 Thread Francis Dupont
Veronique Lefebure writes:
> I have read 
> * https://kea.readthedocs.io/en/latest/arm/dhcp4-srv.html?highlight=subnet4#local-and-relayed-traffic-in-shared-networks
> * and https://kea.readthedocs.io/en/latest/arm/dhcp4-srv.html?highlight=subnet4#using-a-specific-relay-agent-for-a-subnet
> But the following is not clear to me. Can someone help clarifying ?
>
> - In ISC DHCP there is no subnet selectors (interface or relay address), i.e.
> no "interface" nor "relay" parameter in Shared-Network. Why is it needed in
> KEA and not in DHCPD ? What is DHCPD using in order to select the subnet,
> since there is no "interface" nor "relay" parameter in the configuration file ?
> Why does KEA not use the same mechanism ?

=> these parameters when they are set at the shared network level are
inherited by subnet members. It is just for user convenience as usually
all subnets of the same shared network share the interface the shared
network is attached to and/or relays connected to the shared network.

> - are "interface" and  "relay" exclusive or can we have both ?

=> they are not exclusive but topologies with both are uncommon.

Please note the localization process is the same for ISC DHCP and Kea:
it follows the standard so selectors are used in the same order,
and in both when shared networks are used the "selected subnet" is
in fact the selected shared network: next steps will iterate through
members, in Kea starting by the selected subnet.

Regards

Francis Dupont 


Re: [Kea-users] Fixed Address definition with multiple MAC addresses

2022-05-14 Thread Francis Dupont
raspinw...@willows7.myzen.co.uk writes:
> I have multiple USB Ethernet adapters which I can use depending on 
> location.
> I want to be able to define a Fixed Address with multiple MAC addresses 
> for a single IP Address
>
> "hw-address": "11:22:33:44:55:66, 22:33:44:55:66:77, 33:44:55:66:77:88:99",
> "ip-address": "10.160.260.121"
>
> Is this possible?

=> not directly: you have to enter multiple host reservations and if they
are in the same subnet (which is likely the case) set the global
ip-reservations-unique parameter to false. See the example in the
9.3.11 "Multiple Reservations for the Same IP" section in the ARM.

Thanks

Francis Dupont 


Re: [Kea-users] JSON hiding user and password to dB...

2022-05-02 Thread Francis Dupont
Kevin P. Fleming writes:
> > I am curious if there is a method to hide the uid and pwd of the user
> > accessing the database as noted within the kea-dhcp4.conf file?  I am
> > concerning that this remain protected on our network.

=> there is a ticket putting database passwords in files as it was done
for the basic HTTP authentication. IMHO (but I am not neutral) this is a
good trade-off between security (which can't be done at 100%) and
usability (e.g. people understand well file access rights).

Regards

Francis Dupont 


Re: [Kea-users] [kea-dev] Vendor Specific Options (Code 17)

2022-04-02 Thread Francis Dupont
sathish k writes:
> Can you provide Sample config file that supports multiple vendors scenario
> below . Thanks

=> I can't because it is not currently supported.

> "option-data": [
>{
> "space": "dhcp6",
> "name": "vendor-opts",
> "code": 17,
> "data": "0x270f"
>   },
>{
> "space": "dhcp6",
> "name": "vendor-opts",
> "code": 17,
> "data": "0x6774"
>   },

=> note if it is allowed to specify more than once an option data of course
only one will be applied.

> The Relay -Reply that I got shows only one vendor (Cisco ) even though
> option-data has Cisco and xyz()

=> yes and it will be the result until #1518 is fully implemented.
I am afraid you have to write some code to do this.

Regards

Francis Dupont 

PS: the OptionCollection is a multimap so if you add multiple options
sharing the same code point they will be added to the packet. Now
there is no way to add more than one option 16 or 17 in the collection
without writing a hook doing this. The config can help by building
each option you want so the hook can just add the missing options.

PPS: the flex_option hook does not help here: it does not handle
multiple vendor options more than other code. Now it is planned to
add multiple vendor supports including for the flex_option in #1518
but the exact milestone is not yet scheduled...


Re: [Kea-users] Suppress DDNS for reservations

2022-03-09 Thread Francis Dupont
Kenneth Porter writes:
> I've enabled DDNS for my subnet but I don't want it used for reservations, 
> only for the pool. The DNS entries for reservations are manually entered in 
> my DNS in a higher-level domain. (The pool is entered in the "dhcp" 
> subdomain which allows updates.)
>
> My subnet is a /16 and the pool is a specific /24 of that. Other /24's are 
> used for specific functions, including the gateway. So I can't just put the 
> pool in its own subnet or it will get the wrong mask and won't be able to 
> reach the gateway.
>
> I can't use ddns-send-updates set to false in a reservation. It only works 
> in a subnet declaration or at global scope.
>
> What am I missing?

=> I suggest to try a shared network with two subnets covering the same
range but with different textual representations (e.g. put ...1 in the
second).

Thanks

Francis Dupont 


Re: [Kea-users] TLS for the communication between Stork Agent and Kea Control Agent

2022-02-07 Thread Francis Dupont
Maria Hrabosova writes:
> 2022-02-03 08:05:04.134 INFO [kea-ctrl-agent.http/7518.139986295949504] 
> HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with 192.168.1.42 failed 
> with no shared cipher

The "no shared cipher" error from OpenSSL can come from many reasons but
all are about incompatibility between OpenSSL defaults and the Stork PKI.
If you do not want to simply create a simple PKI and import certificates
from it in Stork and Kea, I suggest:
 - dump the certificates in order to understand what crypto they use
 - get the OpenSSL build configuration, in particular for "new" crypto
   if the OpenSSL library version is old
 - dump the handshake messages on the wire: they are in clear text

Regards

Francis Dupont 


Re: [Kea-users] Client Class DROP

2022-01-31 Thread Francis Dupont
> Is there a way to add lots of MAC addresses to a DROP class config...

=> not yet but the next version should provide an easy and fast way
to do this!

Regards

Francis Dupont 


Re: [Kea-users] HA setup in kubernetes, hostnames in the configuration fail to resolve

2022-01-03 Thread Francis Dupont
Kea does not support hostnames (vs IP addresses) in configurations.

Please note it is a design choice: even if it seems convenient this feature
is not as it raises some problems:
 - when to resolve hostnames? At configure time or each time it is needed?
 - what to do when resolution fails or more funny when the resolution
  returns more than one address

I do not know if there is already a KB article about this (if not we
should write one as you are far from being the first to ask) or if Stork
provides this feature (it is interactive so these problems can be handled).

Regards

Francis Dupont 


Re: [Kea-users] Forensic logging to syslog

2021-12-07 Thread Francis Dupont
Munroe Sollog writes:
> Is it possible to configure the forensic logging hook to output to syslog?

=> no, forensic/legal logs are sent to a file or a SQL database (MySQL or
PostgreSQL).

Regards

Francis Dupont 


Re: [Kea-users] HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake

2021-11-24 Thread Francis Dupont
The "wrong version number" error is returned by some crypto libraries
when TLS is expected but clear text HTTP is received.

Regards

Francis Dupont 

PS: I say "some" because at least one has a dedicated code to detect
this very common error and emits a more user friendly error message
("http request" on recent OpenSSL versions, BTW old OpenSSL versions
have known security bugs so should not be used...).


Re: [Kea-users] KEA 2.1.0, dhcp6, netbooting via HTTPv6 in qemu

2021-11-22 Thread Francis Dupont
Erik Edwards writes:
> { "name": "vendor-class", "data": "HTTPClient" }>

=> IMHO you mean vendor-class-identifier (option 60): there is no option
named vendor-class in the DHCPv4 option space.

Regards

Francis Dupont 


Re: [Kea-users] Example for ifelse in host reservation or class

2021-07-20 Thread Francis Dupont
Veronique Lefebure writes:
> Is there a way to use ifelse in a host reservation ?
>
> We would like something like
>
> "reservations": [ { "hw-address": "xx:xx:xx:xx:xx:fa", "ip-address": 
> "yy.yy.yy.121", "hostname": "lab-client", "client-classes": [ " ifelse ( 
> substring(option[vendor-class-identifier].text, 0, 9) == 'PXEClient' , 
> 'Desktop', none) " ] },

=> client-classes takes a list of class names, not an expression.
We need to create a new class e.g. Desktop using the test part as
its expression (i.e. substring(option[vendor-class-identifier].text, 0, 9)
== 'PXEClient'). The expression grammar can return a boolean or a string
so what you can do with an ifelse can be done with a class.

Regards

Francis Dupont 


Re: [Kea-users] Radius hook in Dual-Stack

2021-07-16 Thread Francis Dupont
Thomas Wilhelm writes:
> "This library may only be loaded by the kea-dhcp4 or the kea-dhcp6 process."

=> this means it should not be loaded in the control agent or the DDNS
(aka D2) server process.

> Is there a way to use the radius hook in a Dual-Stack environment?

=> easy: configure/load it in the kea-dhcp4 and the kea-dhcp6 servers.
I do not believe it will share something between the two servers at
the exception of course of the RADIUS server itself.

Thanks

Francis Dupont 

PS: some hook libraries explicitly check if they are loaded in the right
server in the case the linker did not complain but this piece of code
was not added to the radius or the host cache code (for lack of time).
BTW there will be a D2 hook library (working on it) so it is not a
theoretical issue as when the radius doc was written...


Re: [Kea-users] Failed to secure DDNS updates with TSIG between Kea and Bind

2021-06-20 Thread Francis Dupont
BADKEY in general is related to a configuration error. I recommend to
look at messages on the wire to understand if the error is on the
bind/server side or Kea side.

In the case the error is on the Kea side the BADKEY error when verifying
a signed response is a key name mismatch i.e. the configured key name is
not the same as the TSIG RR name (another point easy to check with the
message dump).

Note that key names are DNS names so you can use a FQDN e.g. a name in
the server domain name (common practice) and of course they are case
insensitive.

If the problem is on the bind 9 side perhaps it was reported in its logs?

Thanks

Francis Dupont 

PS: a secret mismatch gives BADSIG so IMHO this is around the key itself
(name, algorithm, ...).
PPS: looking the bind9 code for BADKEY you have:
 - key name mismatch
 - algorithm name mismatch (both logged as
   "key name and algorithm do not match")
 - unknown key (logged as "unknown key")
logs are at category dnssec module tsig level 2.


Re: [Kea-users] Ignore non-reserved hosts

2021-06-09 Thread Francis Dupont
There are in recent Kea versions KNOWN and UNKNOWN classes and I merged
in the development Kea version a change in the DROP class to allow to make
it to depend on KNOWN or UNKNOWN (it adds another way to ignore non
reserved hosts with guards to subnets and/or pools with a different
behavior as queries are dropped vs. no resource can be assigned).

Regards

Francis Dupont 

PS: Change 1898 included in Kea 1.9.8.


Re: [Kea-users] symbol lookup error:, undefined symbol:

2021-05-01 Thread Francis Dupont
Can you demangle the C++ symbol? The tool doing this is c++filt and
is not portable.

Thanks

Francis Dupont 
Makhdoom Naeem writes:
> sudo /usr/sbin/kea-dhcp4 -t /etc/kea/kea-dhcp4.conf
> /usr/sbin/kea-dhcp4: symbol lookup error: /usr/sbin/kea-dhcp4: undefined
> symbol: _ZN3isc4dhcp13PgSqlLeaseMgr12getDBVersionB5cxx11Ev
___
ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.

Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users


Re: [Kea-users] IPv4 and IPv6 Kea-ctrl-agent bind

2021-04-26 Thread Francis Dupont
Jeronimo writes:
> What is the correct way to bind kea-ctrl-agent to both IPv4 and IPv6 address
> of the server?

=> the short response is this is not possible. The long response is
a bit different:
 - you can run more than one instance of the CA (in fact the main issue
  is just to use a different address or port...)
 - if your system allows this you may use :: to match both :: and 0.0.0.0
  Usually it is controlled by the IPV6_V6ONLY flag which has a system
  dependent default value. I suppose you use Linux where the default
  is in /proc/sys/net/ipv6/bindv6only

Regards

Francis Dupont 

PS: running multiple CAs does not bring a better performance. This point
shall be fixed in a near future release.


Re: [Kea-users] How to define "code width" / "length width" on Vendor-Specific Information option (code 43)

2021-04-23 Thread Francis Dupont
You can't: Kea wires these widths to the DHCP version (one octet for v4
and two for v6). You have to use the binary format or to write a hook
converting the option content.

BTW if the RFC 2132 loosely specifies the option 43 there is a SHOULD
about the suboption format which clearly does not allow 2x2 widths.
Now I saw enough options 43 with not compliant contents I am not
surprised...

Regards

Francis Dupont 


Re: [Kea-users] Configured but gateway is not being delivered by dhcp

2021-04-03 Thread Francis Dupont
The Kea parsers were changed to raise syntax errors on duplicated entries.
I do not remember the exact version and I can't find it in the ChangeLog.
Note it applies only to parsing using flex/bison i.e. if you submit JSON
by another way you still can get unexpected (e.g. no error, usually
only the last entry value is taken) results.

Strangely it does not seem to be illegal JSON (the spec aka ECMA 404 says
nothing) but of course all JSON tools give either an error or only one
value on duplicated entries of maps (Kea term) / objects (standard name).

Thanks

Francis Dupont 
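
For JSON that reaches Kea by a path other than its own flex/bison parser, the duplicated entries described above can be caught before submission. The following added example (not ISC code) uses Python's `json` module to report every duplicated map entry with its path instead of silently keeping the last value; the sample configuration is constructed, and plain JSON without Kea's comment or include extensions is assumed.

```python
import json


class _Obj(dict):
    """A JSON object that remembers every (key, value) pair it was parsed from."""

    def __init__(self, pairs):
        super().__init__(pairs)   # plain dict semantics: the last value wins
        self.pairs = pairs        # but the dropped values are kept for the audit


def _walk(node, path, findings):
    if isinstance(node, _Obj):
        counts = {}
        for key, _ in node.pairs:
            counts[key] = counts.get(key, 0) + 1
        for key, count in counts.items():
            if count > 1:
                findings.append((f"{path}/{key}", count))
        # Descend into every value, including the ones a normal loader drops.
        for key, value in node.pairs:
            _walk(value, f"{path}/{key}", findings)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            _walk(item, f"{path}[{index}]", findings)


def find_duplicate_keys(text):
    """Return [(path, occurrences)] for each key repeated within one JSON map."""
    root = json.loads(text, object_pairs_hook=_Obj)
    findings = []
    _walk(root, "", findings)
    return findings


def surviving_option_names(text):
    """What a last-value-wins loader keeps as option-data of the first subnet."""
    subnet = json.loads(text)["Dhcp4"]["subnet4"][0]
    return [option["name"] for option in subnet["option-data"]]


# Constructed sample: "option-data" appears twice in the same subnet, so the
# routers option in the first list is lost when only the last entry is kept.
SAMPLE = """
{
  "Dhcp4": {
    "subnet4": [
      {
        "subnet": "192.0.2.0/24",
        "option-data": [ { "name": "routers", "data": "192.0.2.1" } ],
        "pools": [ { "pool": "192.0.2.10 - 192.0.2.200" } ],
        "option-data": [ { "name": "domain-name-servers", "data": "192.0.2.53" } ]
      }
    ]
  }
}
"""

if __name__ == "__main__":
    for path, count in find_duplicate_keys(SAMPLE):
        print(f"{path}: defined {count} times")
    print("kept:", surviving_option_names(SAMPLE))
```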


Re: [Kea-users] kea-dhcpv6 handing out prefix instead of IP address

2021-03-18 Thread Francis Dupont
IT TroubleMan writes:
> running kea-dhpcv6 version 1.9.5.
>
> Excerpt from my config:
>
> "subnet6": [ { "subnet": ":::::/64", "pools": [ { "pool":
> ":::::/80" }  }]
>
> Problem is that a client (Windows 7) gets ::::: as its IP
> address.

=> it is the first address of the pool so it is not an error. Note
the easiest way to remove an address from a pool is to reserve it to
a nonexistent host.

Thanks

Francis Dupont 


Re: [Kea-users] Kea 1.6 DHCP6 configuration on Raspberry Pi 3b running Ubuntu 20.04

2021-03-02 Thread Francis Dupont
As explained by other persons who answered Kea only provides an address:
the associated prefix is not in its scope but is handled by the DHCP client.
Note that in ISC DHCP some shell scripts are distributed with the client.
For years there was a debate about what prefix length to use: /64 or
/128: /64 is convenient but /128 is the real legal value...

In conclusion this thread is about how to use Kea but not about Kea itself.

Regards

Francis Dupont 

PS: as DHCP does not provide the local prefix length the right protocol is
the Neighbor Discovery or simply static config.


Re: [Kea-users] Support for multiple flex options parameters?

2021-01-22 Thread Francis Dupont
Søren Andersen writes:
> Also for the same dhcp-option like this?
>
> options:
> - code: 67
>   add: "ifelse(member('cm'),concat('/docsis/', hexstring(pkt4.mac, '')),'' )"
> - code: 67
>   add: "ifelse(member('voip'),concat('/', concat(hexstring(pkt4.mac, ''), '.bin')),'')"

=> I do not think this will work because the hook implementation uses
a per code std::map for the configuration so the second entry will
overwrite the first one.

Thanks

Francis Dupont 

PS: it will silently overwrite the std::map entry. If you think it should
warn please open a ticket (gitlab issue). BTW I think that in all cases
it is possible to merge entries for the same code but I agree it can
quickly become hard to do...


Re: [Kea-users] Support for multiple flex options parameters?

2021-01-21 Thread Francis Dupont
Yes multiple actions are supported by the flex option hook.

Thanks

Francis Dupont 


Re: [Kea-users] Possibility for group declaration?

2020-12-29 Thread Francis Dupont
Søren Andersen writes:
> I'm looking for group declaration feature in KEA-DHCP like the dhcpd had,
> but it looks like it doesn't exists?

=> I confirm it does not exist.

> I've a lots of shared subnet, and many of them share the same option-data.
> - Should i declare the option-data for every shared subnet I have?

=> you should but it is one of the uses of client classes (possible but
a bit hairy to do with current Kea: it is one of the things I plan to make
cleaner and easier).

Thanks

Francis Dupont 


Re: [Kea-users] reading user-context from lease4_select hook

2020-12-18 Thread Francis Dupont
> itay cohen writes:
> Im trying to read user-context with a hook
>
> lease4_select(CalloutHandle& handle) {
>  Subnet4Ptr subnet4_ptr;
>  handle.getArgument("subnet4", subnet4_ptr); // <-- getting selected subnet
>  ConstElementPtr subnet_ctx;
>  subnet_ctx = subnet4_ptr->getContext(); // <-- this is working !
>
> Pool4Ptr pool_ptr;
> handle.getArgument("pool", pool_ptr);  // <-- getting selected pool ??

=> There is no pool passed to the lease4_select callout (arguments
are the query4, subnet4, fake_allocation and lease4).
The documentation is in the developer guide at
https://jenkins.isc.org/job/Kea_doc/doxygen/de/df3/dhcpv4Hooks.html

> ConstElementPtr pool4_ctx;
> pool4_ctx = pool4_ptr->getContext(); // <-- this NOT working
>
> }

=> either you check pool4_ptr before and it returns null or you
do not check and it crashes.

>  can someone advise how to read user-context at the pool level ?

=> you need to get the address from the lease and use the getPool method
on the subnet to find what pool the address is from (note that getPool
interface was designed for allocation so the type is Lease::TYPE_V4 and
the anypool to false (critical as it defaults to true)).

Thanks

Francis Dupont 

PS: the main reason pools are not saved in leases nor get their own
statistics is a pool is a bit hard to identify. If you have an idea
for a code and user friendly way to identify a pool please submit it.


Re: [Kea-users] Duplicated option 17 on DHCP6

2020-11-25 Thread Francis Dupont
Norberto Nuñez writes:
> Dears.
> I am testing KEA 1.9.1 for DHCP6 and I found the Vendor-Specific Info has
> duplicated info.

=> this is an already reported bug which should be fixed in 1.9.3 release
(https://gitlab.isc.org/isc-projects/kea/-/issues/1449).
1.9.2 should be released today so 1.9.3 is scheduled in four weeks but
if you can't wait the fix is already available...

Thanks

Francis Dupont 

PS: the bug can give multiple options too but currently it was reported
only for the DHCPv6 option 17...


Re: [Kea-users] DHCPv4 lease reservation based on host name (option 12)

2020-11-19 Thread Francis Dupont
Chaigneau, Nicolas writes:
> Reading Kea documentation, I see that the < reservations > entries can have
> a < hostname > field.
> However (if I understand correctly) this is not used as a matching criteria
> on the request, but rather as information to be provided in the response.
> Can you confirm ?

=> yes, it is not an index for the allocation engine.

> If so, I think the < flex-id > commercial hook would be the solution to my
> requirement.

=> it is what the flex-id is for.

> This IP address 10.0.0.7 would never be assigned to any other client.
> Can you confirm this is correct ?

=> yes reserved addresses are reserved.

Thanks

Francis Dupont 


Re: [Kea-users] Debian Buster / armhf

2020-11-07 Thread Francis Dupont
There is a new section in the developer guide about how to cross compile
Kea with an extended example for Debian Buster.

Regards

Francis Dupont 


Re: [Kea-users] KEA DHCP multiple code options per subnet.

2020-10-28 Thread Francis Dupont
Pizu writes:
> Is it possible to configure multiple option codes per subnet?

=> yes using option-data in the subnet scope as it is done in the
examples/kea4/multiple-options.json file you should find in the doc.

> In my case I am trying to use options 150, 51, 15, 67 on a specific subnet.

=> option 51 (dhcp-lease-time) is set by the server code so you should not
configure it. Option 150 is not a standard option so you have to define it
(option-def at the global scope) before using it.

Thanks

Francis Dupont 

PS: if you go to 
https://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml
the option code 150 has 3 different definitions: this is why Kea does not
consider it as a standard option...
Note that with a few exceptions an option must be requested by the client. There
is a flag "always-send" to force the server to send an option even when
the client does not request it.


Re: [Kea-users] Lease storage memfile disable

2020-09-26 Thread Francis Dupont
Marcin Romanowski writes:
> In my small environment I have all hosts in reserved table. If there is no
> host it wouldn't get address.
> Hosts from reservation get lease for 24h and this lease is stored in memfile
> for this time. Is it possible to turn off storing leases in kea?

=> essentially the DHCP protocol is about assigning leases to clients so
Kea is just doing its job. If the lease file is really useless I suggest
to set the persist flag of the lease-database configuration to false:
this will make the lease database only in memory. Reference 8.2.2.1
Memfile - Basic Storage for Leases in the ARM (or 9.2.2.1 if you use
DHCPv6, the ARM is the Kea Administrator Reference Manual at
https://kea.readthedocs.io/en/latest/ and the persist flag is the first
documented parameter).

Regards

Francis Dupont 


Re: [Kea-users] IP reservation for multiple MAC addresses

2020-09-01 Thread Francis Dupont
Robin Daermann writes:
> I wonder if it is possible when using a MySQL database for host
> reservations. Will try some things tomorrow...

=> key_dhcp4_ipv4_address_subnet_id is created by UNIQUE INDEX so
as the comment says:
# Create index to search for reservations using IP address and subnet id.
# This unique index guarantees that there is only one occurrence of the
# particular IPv4 address for a given subnet.

Regards

Francis Dupont 


Re: [Kea-users] kea-dhcp-ddns.conf log output format and %m

2020-08-02 Thread Francis Dupont
Rick Dicaire writes:
> Hi, new to list and kea, using 1.6 from ISC's cloudsmith.io deb repo on
> Ubuntu 18.04 LTS.
> I have a working dhcp4 and ddns configuration.
> I'm now trying to customize logging to output json for easy ingestion by
> ELK stack. I'm working with dhcp-ddns first.
> I'm using this pattern:

=> the pattern is given to log4cplus with as reference:
https://log4cplus.sourceforge.io/docs/html/classlog4cplus_1_1PatternLayout.html

> "pattern":
> "{\"date\":\"%D{%Y-%m-%dT%H:%M:%S.%q%z}\",\"kea.ddns.log.level\":
> \"%p\",\"kea.ddns.log.component\":\"%c\",\"kea.ddns.log.pid\":\"%i\",\"kea.ddns.log.data\":
> \"%m\"}\n"

=> hum, you assume here that anything in between two (escaped) quotes makes
a valid JSON string. Of course this is not true (reference here is ECMA 404)
and the multi-line issue is only one of the possible problems.

> As I understand json, multiline is not valid so I'm trying to figure out if
> the format of %m can be modified to output as single line?

=> log4cplus offers some formatting but only a subset of printf so
nothing powerful enough. I am afraid you have to do the to JSON translation
on the other side i.e. in log files or (new)syslog.
 BTW there are already a lot of log filters so if you find a suitable one
please share here. I know for instance that Jenkins has a log file to XML
filter tool...
 I am looking for direct solution in log4j (log4cplus was designed from this).
There are some ideas using %m but we know it is not enough. Some suggest
to write a JSON Appender, can be done with not trivial coding...
(reference https://github.com/michaeltandy/log4j-json, I found more but
for log4j2).
 I can see 3 problems to do this in Kea:
 - there is no hook in Kea for logging i.e. no easy place to insert code
 - the JSON code is in another and later library (backward dependency)
 - it requires significant manpower to develop.

Regards

Francis Dupont 
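
The translation "on the other side" suggested above, as an added example (not Kea or ISC code): a filter that folds continuation lines into the preceding record and leaves string escaping to `json.dumps`. The header layout is assumed from the `ALLOC_ENGINE_V4_ALLOC_ERROR` line quoted elsewhere in this archive; the output key names, the `EXAMPLE_*` message identifiers and the sample lines are constructed.

```python
import json
import re

# Record header: "<date> <time> <LEVEL> [<logger>/<pid>] <message>".
# A ".<thread>" suffix after the pid is tolerated (assumption).
HEADER = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[A-Z]+) +\[(?P<logger>[^/\]]+)/(?P<pid>\d+)(?:\.[^\]]+)?\] "
    r"(?P<message>.*)$"
)
# Leading message identifier: upper-case words joined by underscores.
MESSAGE_ID = re.compile(r"^([A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+)(?: |$)")

# Constructed sample input. The first line is shortened from the error quoted
# in this archive; the EXAMPLE_* identifiers and their loggers are made up.
SAMPLE = [
    "2020-03-07 02:04:29.625 ERROR [kea-dhcp4.alloc-engine/29796] "
    "ALLOC_ENGINE_V4_ALLOC_ERROR [hwtype=1 00:19:85:f0:1c:89], cid=[no info]\n",
    "2020-08-02 10:15:02.456 DEBUG [kea-dhcp-ddns.example/1234] "
    "EXAMPLE_MULTI_LINE request follows:\n",
    '  fqdn: "host\\name".example.org\n',
    "  status: pending\n",
    "2020-08-02 10:15:03.000 INFO  [kea-dhcp-ddns.example/1234] "
    "EXAMPLE_DONE finished\n",
]


def records(lines):
    """Group raw lines into records; a line without a header continues the last one."""
    current = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        match = HEADER.match(line)
        if match:
            if current is not None:
                yield current
            current = match.groupdict()
        elif current is not None:
            current["message"] += "\n" + line
        elif line.strip():
            # Continuation with no record before it (e.g. the file was rotated
            # in the middle of a message): keep it, flagged as unparsed.
            yield {"level": "UNPARSED", "message": line}
    if current is not None:
        yield current


def to_json(record):
    """Serialise one record as a single-line JSON document."""
    message = record["message"]
    ident = MESSAGE_ID.match(message)
    doc = {
        "date": record["date"] + "T" + record["time"] if "date" in record else None,
        "level": record["level"],
        "component": record.get("logger"),
        "pid": int(record["pid"]) if "pid" in record else None,
        "message_id": ident.group(1) if ident else None,
        "data": message,
    }
    # json.dumps escapes quotes, backslashes, newlines and other control
    # characters, which a raw %m placed between two quotes cannot do.
    return json.dumps(doc)


def convert(lines):
    """Return one JSON string per log record."""
    return [to_json(record) for record in records(lines)]


if __name__ == "__main__":
    for line in convert(SAMPLE):
        print(line)
```
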


Re: [Kea-users] ddns and many zones

2020-07-26 Thread Francis Dupont
I think you need this:

1669.   [func]  tmark
Rather than within the 'dhcp-ddns' section, DDNS behavioral
parameters may now be specified at global, shared-network,
and subnet scopes.  Implemented for both kea-dhcp4 and
kea-dhcp6.  Not yet supported by Config Backend or Netconf.
(Gitlab #35,!517, git 49ce6286f5d00f99c1c890f12cbc0fd633c9dbf6)

which was added in 1.7.1

Regards

Francis Dupont 


Re: [Kea-users] CHECKING LIBRARIES

2020-07-09 Thread Francis Dupont
José Luís writes:
> Is there any way to check which libraries was KEA configured with? I mean,
> when I configured I just run "./configure --with-mysql" and I don't know if
> openSSL or log4cplus or boost was included automatically or  if not why I
> can check it.

=> at the end of configure a report is displayed, saved in config.report
and compiled into servers and agents so can be recovered using the -W
command line argument. There is a command too named build-report.

Regards

Francis Dupont 

PS: if you want the runtime library infos (can be different) use -V aka
extended version or the version-get command.



Re: [Kea-users] Subnet name or description

2020-07-02 Thread Francis Dupont
> In Kea 1.6.2 how do I set a name or description to a subnet?

=> use a comment or user-context comment entry. At the opposite of
#, // and /**/ comments, user contexts and comments (which are
syntactic sugar for comment entries in user contexts) are saved
in subject objects. This is true for a lot of other objects.

Thanks

Francis Dupont 


Re: [Kea-users] ignoring DHCP-Requests which have set the BROADCAST flag

2020-06-03 Thread Francis Dupont
Stefan Berger writes:
> is it possible to drop or ignore DHCP-Requests from clients which have set
> the BROADCAST-Flag? (0x8000)

=> I can see at least two easy ways: use a firewall (the flag is at a fixed
offset so trivial to find) or write a hook for Kea (install it at the
pkt4_receive callout point and return DROP when the query4->getFlags()
has FLAG_BROADCAST_MASK set). As the broadcast flag has a function
in the protocol perhaps it is possible to tweak the configuration
so they fail to be served (e.g. responses do not reach them) but
a direct way is more reliable.

Regards

Francis Dupont 
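
The check behind both suggestions (firewall match or `pkt4_receive` hook), as an added example that is not Kea code: it reads the 16-bit flags field at its fixed offset in the BOOTP header and returns a drop decision for client messages with the broadcast bit set. The function names, the verdict strings and the sample packets are constructed; treating malformed packets as drops is an assumption of this sketch.

```python
import struct

# Fixed BOOTP header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file = 236 bytes.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST = 1
BROADCAST_MASK = 0x8000  # top bit of the flags field, bytes 10-11 of the header
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255


def message_type(options):
    """Return the DHCP message type (option 53) or None; ValueError if truncated."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option length byte missing")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        if code == OPT_MSG_TYPE:
            if length != 1:
                raise ValueError("bad message-type length")
            return value[0]
        i += 2 + length
    return None


def parse_dhcp4(payload):
    """Parse a DHCPv4 UDP payload; raise ValueError when it is malformed."""
    if len(payload) < BOOTP.size + len(MAGIC_COOKIE):
        raise ValueError("shorter than the fixed header plus magic cookie")
    op, _htype, hlen, _hops, xid, _secs, flags = BOOTP.unpack_from(payload)[:7]
    if op not in (1, 2) or hlen > 16:
        raise ValueError("bad op or hardware address length")
    if payload[BOOTP.size:BOOTP.size + 4] != MAGIC_COOKIE:
        raise ValueError("magic cookie missing")
    return {
        "op": op,
        "xid": xid,
        "broadcast": bool(flags & BROADCAST_MASK),
        "msg_type": message_type(payload[BOOTP.size + 4:]),
    }


def verdict(payload):
    """Return 'drop-malformed', 'drop-broadcast' or 'accept'."""
    try:
        info = parse_dhcp4(payload)
    except ValueError:
        return "drop-malformed"
    if info["op"] == BOOTREQUEST and info["broadcast"]:
        return "drop-broadcast"
    return "accept"


def build_packet(op, flags, options):
    """Constructed test packet: client 02:00:00:00:00:01, all addresses zero."""
    zero = b"\x00" * 4
    header = BOOTP.pack(op, 1, 6, 0, 0x1234ABCD, 0, flags, zero, zero, zero, zero,
                        bytes.fromhex("020000000001"), b"", b"")
    return header + MAGIC_COOKIE + bytes(options)


if __name__ == "__main__":
    discover = build_packet(BOOTREQUEST, 0x8000, [53, 1, 1, 255])
    request = build_packet(BOOTREQUEST, 0x0000, [53, 1, 3, 255])
    for name, pkt in (("discover", discover), ("request", request)):
        print(name, verdict(pkt))
```
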


Re: [Kea-users] Debian Buster / armhf

2020-06-02 Thread Francis Dupont
The Kea gitlab URL is in the ARM but as you ask I put it here again:
https://gitlab.isc.org/isc-projects/kea
If you do not know gitlab the # is for an issue and the ! for a
merge request.

Regards

Francis Dupont 

PS: just received my Raspberry Pi 4 "starter kit" so now we are several
at ISC with test hardware. Anyway I think it is more reasonable to
cross-compile Kea packages...


Re: [Kea-users] PostgreSQL Logging

2020-06-02 Thread Francis Dupont
Asghar Hussain writes:
> For KEA server version 1.6.2, can you please advise if its possible to have
> log entries sent to a PostgreSQL server.

=> in Kea there are two things named logging so I'll answer for both:
 - for forensic/legal logging: yes PostgreSQL is supported

 - for the system logging: they are sent to standard output or error,
  to a file or to syslog. According to its documentation rsyslogd
  is able to send logs to a database including a PostgreSQL one
  (I never used this but perhaps someone in the list did/does?)

Thanks

Francis Dupont 


Re: [Kea-users] Debian Buster / armhf

2020-05-28 Thread Francis Dupont
Dirk Laurenz writes:
> is there any repository out there, where i can get armhf packages?
> The ISC only provides amd64/x86_64 packages. I ask because i use
> two raspberry pi's.

We already have a ticket about providing Kea binary packages for raspbian
and advanced work about this...

Regards

Francis Dupont 

PS: tickets are on Kea gitlab with numbers:
 - #1194 (initial request)
 - #1221 (cross compiling: it is mine and I am very interested to
  complete it)
 - #1223 (closed, i.e. included in 1.7.8 last release)


Re: [Kea-users] kea server not send custom dhcp options

2020-05-24 Thread Francis Dupont
The server sends an option only when it was required by the client
(code in the PRL option of the discover) or when it has the
always-send flag set to true in the option data.

Regards

Francis Dupont 


Re: [Kea-users] Preium hooks build

2020-03-30 Thread Francis Dupont
Please retry adding -f (or --force) to autoreconf?

Thanks

Francis Dupont 
Bill Schoolfield writes:
> I've tried this. No luck. I'm stuck. Any help appreciated.
>
>
> >
> >
> >
> > It goes in the top level directory, i.e. one up from src.
> >
> > Cheers,
> >
> > Thomas
>
>
> On 3/30/2020 2:45 PM, Bill Schoolfield wrote:
> > I followed the instructions I think for building the premium hooks lib
> > but configure says:
> >
> > Premium hooks:     no
> >
> > I placed the premium dir into: /src/premium
> >
> > and ran
> >
> > autoreconf -i
> >
> > What am I missing?
> >
> >


Re: [Kea-users] kea error code 1292

2020-03-07 Thread Francis Dupont
Jeronimo writes:
> The date seems to be in the future.

=> not very surprising for an expire date...

> > Basic googling saying it could be a bug of mysql but just want to
> > understand what went wrong so we can avoid this in future. We are
> > running MariaDB 10.2 (galera cluster)
> >
> > 2020-03-07 02:04:29.625 ERROR [kea-dhcp4.alloc-engine/29796]
> > ALLOC_ENGINE_V4_ALLOC_ERROR [hwtype=1 00:19:85:f0:1c:89], cid=[no
> > info], tid=0xd7790768: error during attempt to allocate an IPv4
> > address: unable to execute for  > = ?, client_id = ?, valid_lifetime = ?, expire = ?, subnet_id =
>  ?,
> > fqdn_fwd = ?, fqdn_rev = ?, hostname = ?, state = ? WHERE address =
> > ?>, reason: Incorrect datetime value: '2020-03-08 02:04:29' for column
> > 'expire' at row 1 (error code 1292)

=> IMHO it looks like a MySQL bug (i.e. I can't explain how the date
could be incorrect).

Regards

Francis Dupont 


Re: [Kea-users] Add option 43 with allocated IPs to specific host

2019-11-13 Thread Francis Dupont
Avoy Nanda writes:
> I want to add option 43 with IP address allocated to a specific host.
> Config file takes static data in the option 43.
>
> How can I dynamically achieve that?
> If there is a hook function to write, can I get some pointer?

=> the last version of Kea (1.7.1) provides this feature:

1676.   [func]  fdupont
A new hook - flex-option - has been developed. It allows setting
up DHCPv4 and DHCPv6 option values dynamically, using expression.
This capability is very useful when you want to generate option
value procedurally. For details, see new section "Flexible Option
for Option value settings" in the Kea Administrator Reference
Manual.
(Gitlab #219,!523, git 2bf854c029b9b07ee6161bc1fcb4dfdc9846ee42)

Regards

Francis Dupont 

PS: BTW the hook source code should be easy to back port.


Re: [Kea-users] remote-global-parameter4-set host-reservation-identifiers

2019-11-06 Thread Francis Dupont
step...@bahr-it.com writes:
> Hello,
>
> I was trying to set the "host-reservation-identifiers" parameter via 
> hook. The documentation says it is a global parameter, so I tried 
> "remote-global-parameter4-set".

=> this works only for scalar (bool, int, real and string) parameters
and host-reservation-identifiers takes a list of string.

> I got the documentation that way, that it should be a list, but okay, 
> let's try it as a string:

=> and the code checks if the provided value is of the right type so
this does not work.

> This looks like I use the right command, it knows 
> 'host-reservation-identifiers' and how it wants it (as a list). But list 
> didn't work. Am I missing something?

=> nothing: the config backend does not allow to change everything, only
a subset. Note to change not global host-reservation-identifiers using it
should work but if you have several shared networks or subnets I understand
you prefer to change the global value. Unfortunately this requires to
reload or reconfig the whole server configuration.

Regards

Francis Dupont 


Re: [Kea-users] Global host reservations - unexpected behavior

2019-10-15 Thread Francis Dupont
> I'm trying to translate our ISC DHCP config to kea.  I had assumed
> from this that I needed to put reservations within the subnet as you
> discovered.  To me it makes more sense to have them associated with
> the subnet rather than globally as ISC DHCP did.

=> BTW this is an easy case because you can infer from the address in
what subnet a reservation should go. But of course when you have no address
i.e. when a reservation is used to set hostname and/or specific options,
you can only rely on a heuristic in particular when you can't use global
reservations (e.g. when you use an old Kea version which does not support
them).

Regards

Francis Dupont 

PS: the Kea Migration Assistant is available in the public repository and
should be integrated into the distribution of the next ISC DHCP.
You can get some idea from it and of course if you can propose improvements
you are welcome.


Re: [Kea-users] Specifying lease times at reservation or pool level

2019-10-13 Thread Francis Dupont
I do not believe it is possible directly but it should be indirectly using
different subnets (with per subnet different lifetimes) in a shared
network. Note you can also guard a pool (but not a subnet) using the
UNKNOWN client class.

Regards

Francis Dupont 
Gibbins, John (IM, Black Mountain) writes:
> I am trying to configure a kea server as a pilot to replace our ISC dhcpd
> servers.
>
> We currently specify different default lease times for reservations than we
> do for pools, using much smaller lifetimes for pools.  We specify a
> default-lease-time for the subnet (or inherit a global value) to cover the
> reservations and override this for the pools within the subnets.  We do not
> include reservations within pools (in kea terms: "reservation-mode":
> "out-of-pool").
>
> I gather from lists that this is not yet possible:
> (https://lists.isc.org/mailman/htdig/kea-users/2017-March/000898.html,
> http://kea-users.7364.n8.nabble.com/Kea-users-lease-time-td384.html)
>
> Are there any plans to implement this?  This could be a show stopper for
> our migration to kea, unless I can find a workaround.
>
> Background:  We currently run a dozen servers spread around the country with
> most hosts obtaining their address via a reservation with a long lease time,
> but visitors from a different site are given a short lease address from a
> pool which is restricted to a list of known machines via over 20,000
> subclass definitions.  We run dual-stack across the organisation so want to
> do this for both IPv4 and IPv6 pools.
>
> Regards
> johng

Re: [Kea-users] Kea hook lease6_select callback not getting called at times

2019-09-27 Thread Francis Dupont
Explanation: the DHCP6_LEASE_ALLOC log message is from the server code,
lease6_select callout point is in the allocation engine library.
The server calls allocateLeases6 in the library, this method has at least
4 main cases so I am not very surprised that not all branches call
the callout (it is called only by 2 internal methods).
We'll revisit the definition of the callout point to see if it is a bug
and if it is we'll fix it.

Thanks

Francis Dupont 


Re: [Kea-users] split back end

2019-09-24 Thread Francis Dupont
> is it possible to use split dhcp backends?

=> you can use a different backend for leases, host reservations and
since 1.6.0 configuration. You can't use two different backends for leases
but this does not seem to be your use case, does it?

For HA it is easier but not required to share the MySQL host reservation
backend. Of course if host reservations are different you get inconsistent
result (so the "easier").

Note if you try to share the lease backend even with an ACID database
you simply introduce unexpected races between the two servers so
incorrect behavior (host reservations are read-only for servers and
the new configuration backend was designed to support sharing: this
constraint is only for leases).

Thanks

Francis Dupont 

> example:
> Kea1 configured to multiple subnets and/or interfaces:
>
> Subnet 1 (with dynamic pool) + host reservation in mysql (readonly mode)
> Subnet 2 (dynamic pool) using class of devices (eg Voip phones)
> Subnet 3 only with matched reservations in mysql
>
> so basically the server to have its csv file for dynamic leases, and the
> reservation to read from mysql?


Re: [Kea-users] Kea 1.5 HA

2019-09-17 Thread Francis Dupont
l@e writes:
> Is the ha (active-passive) able to replicate the changes in config files for
> new subnets or new host reservations?
> Or at every change should manually edit both cfg?

=> short response: no the HA does not replicate config changes but you can
put the config in a shared database (available for host reservations
for a long time, new in 1.6.0 for subnets) so edit once.

Regards

Francis Dupont 


Re: [Kea-users] Subnet with Multi pool

2019-07-31 Thread Francis Dupont
It is 1) but pools must be in the subnet range too.

> 1)  "subnet4": [
> {
> "pools": [ { "pool":  "192.168.2.174 - 192.168.2.174" },
>            { "pool":  "192.168.2.175 - 192.168.2.176" } ],
>  "subnet": "192.168.0.1/24"
                      ^ 2
>
> }
> ]

Regards

Francis Dupont 

PS: you should get an error message saying "does not match the prefix
of a subnet"...
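
The range rule stated above, as an added example (not Kea code): a pre-deployment check that every pool of a `subnet4` entry lies inside the subnet prefix, run on the configuration quoted in this message and on the corrected prefix. The function names and the wording of the reported problems are assumptions; Kea's own error text differs.

```python
import ipaddress

# The configuration quoted in the message, and the same with the third octet
# of the subnet changed from 0 to 2 as the reply indicates.
QUOTED = [{
    "pools": [{"pool": "192.168.2.174 - 192.168.2.174"},
              {"pool": "192.168.2.175 - 192.168.2.176"}],
    "subnet": "192.168.0.1/24",
}]
CORRECTED = [dict(QUOTED[0], subnet="192.168.2.1/24")]


def pool_bounds(text):
    """Return (first, last) of a pool written as 'a - b' or as a prefix 'a/len'."""
    if "-" in text:
        low, high = (ipaddress.IPv4Address(part.strip())
                     for part in text.split("-", 1))
    else:
        net = ipaddress.IPv4Network(text.strip(), strict=False)
        low, high = net[0], net[-1]
    if low > high:
        raise ValueError("pool %r: first address is above the last" % text)
    return low, high


def check_subnet4(subnets):
    """Return a list of problems; an empty list means every pool fits its subnet."""
    problems = []
    for entry in subnets:
        # strict=False: host bits set in the prefix are tolerated, as in the
        # quoted "192.168.0.1/24".
        net = ipaddress.IPv4Network(entry["subnet"], strict=False)
        for pool in entry.get("pools", []):
            text = pool["pool"]
            try:
                low, high = pool_bounds(text)
            except ValueError as exc:  # also covers unparsable addresses
                problems.append("%s: %s" % (entry["subnet"], exc))
                continue
            if low not in net or high not in net:
                problems.append("%s: pool %r is outside %s"
                                % (entry["subnet"], text, net))
    return problems


if __name__ == "__main__":
    for name, config in (("quoted", QUOTED), ("corrected", CORRECTED)):
        print(name, check_subnet4(config) or "ok")
```
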


Re: [Kea-users] deny booting or ignore booting

2019-03-22 Thread Francis Dupont
Munroe Sollog writes:
> There has to be a way to give kea a list of MAC addresses to ignore.

=> this is what I called a black list and in Kea it can be implemented
with a client class and guards in subnets or pools (the effect is a bit
different: when all subnets are guarded against a rogue client no subnet
is selected. For pools it makes only resources (i.e. addresses) not
available for the rogue client (of course I suppose it has no reservations)).

Regards

Francis Dupont 


Re: [Kea-users] deny booting or ignore booting

2019-03-22 Thread Francis Dupont
"Ambauen Daniel (ID NET)" writes:
> From my point of view the network access control is definitely not a
> task of the DHCP service.

=> I agree: it is clearly too late and DHCP is more than poor about security.

Regards

Francis Dupont 


Re: [Kea-users] deny booting or ignore booting

2019-03-22 Thread Francis Dupont
Munroe Sollog writes:
> Perhaps random wasn't a good choice of words.  Given a MAC address we need
> a way of ensuring it does not DHCP.  I'm open to alternatives to the
> ignore/deny booting function.  Some sort of client classification?

=> the simplest (and most efficient as a rogue client can for instance
flood the server with junk queries) is to use a firewall feature to
drop messages on the floor. At the Kea server level the standard way
is to create a client class which matches all other clients and
to guard subnets or pools with this class so no resource will be
available to it. You can also write a hook to filter out messages
but it requires to write some code (vs a config update).

Regards

Francis Dupont 

PS: I cited the hook because it is the standard way to plug an
authentication/authorization service to Kea.


Re: [Kea-users] deny booting or ignore booting

2019-03-21 Thread Francis Dupont
Munroe Sollog writes:
> isc dhcpd supports the concept of "deny booting" or "ignore booting".  Kea
> does not seem to support this concept.

=> this feature is not supported by Kea but you have other ways to get
the same effect.

> From time to time we need to ensure that a random device does not get a
> valid lease and is thus prevented from accessing our network (we enforce
> DHCP at the access layer).  I found this:

=> as ISC DHCP booting keyword has a meaning only in a host reservation
it is useless for a random device which by definition has no known
identifier. Note if you want to ban unknown devices both ISC DHCP and
Kea (since 1.5) provide a known/unknown client classification.

> http://oldkea.isc.org/ticket/5229

=> replaced by https://gitlab.isc.org/isc-projects/kea/issues/239

This ticket is a migration ticket: all features of ISC DHCP were
analyzed:
 - some can be translated (*) to Kea
 - some are candidates to be added to Kea
 - some have low interest (too specific, obsolete or unused, etc) (**)
(*) There is a piece of software named the Migration Assistant which
helps to translate ISC DHCP configurations to Kea. It is still in
development but as we are looking for config samples to test and
improve it you can contact us to know more...
(**) #239 enters in the last category (priority low), the MA code emits
a "no concrete usage known?" message when it finds the booting keyword.

> I'm not sure what to make of this, but I tried creating a host reservation
> without an IP address and kea errors with:
> 
> specified reservation for DUID: hwtype=1 00:50:56:bf:d7:a5 must include at
> least one resource, i.e. hostname, IPv4 address, IPv6 address/prefix,
> options

=> yes if you have no address (nor prefix in IPv6) you need a hostname.
Note here a host reservation is perhaps not the best feature: what you
want is some kind of access list and for a negative access list a client
class is better. Host reservations and KNOWN/UNKNOWN are faster for
a positive (and large) access list.

Regards

Francis Dupont 


Re: [Kea-users] how can I block clients based on hostname

2019-02-28 Thread Francis Dupont
Christian Kratzer writes:
> I would assume that if you have multiple clients with the same mac address
> you will have larger problems than dhcp issues.

=> if they are not on the same link it should work. Two comments:
 - it seems it is the case here because of the (buggy but existent) relay
 - old Sun boxes interpreted the loose IEEE spec as the mac address
  can be a box (vs a NIC) property so with some Sun servers you have
  multiple NICs sharing the same mac address... pretty fine to find
  some bugs in interop testing, less in production.

Regards

Francis Dupont 

PS: in Kea if you do not use a shared network it should work: lookups are
per subnets and clients using duplicated mac addresses are blacklisted.


Re: [Kea-users] how can I block clients based on hostname

2019-02-28 Thread Francis Dupont
ahmed writes:
> I have a network where some clients clone the mac address of another
> clients, they all look the same when requesting for an ip. but luckily for
> me, each client has a unique host-name, so I have listed all into two
> categories [white list hostnames and blacklist hostnames]. I need the kea
> server to refuse offering a lease to any of the blacklist based on their
> hostname only, how can I achieve this.

=> if a list is not large you can use classification (the hostname
is in an option in the query packet) and a guard on pools or subnets.
If both white and black lists are large it will be better to use
a hook to do the same thing but with all the resources from a full
programming language, e.g. C++ sets. List updates will be far easier too.

Regards

Francis Dupont 


Re: [Kea-users] 1.4 - limit subnet to static reservations/leases

2019-02-14 Thread Francis Dupont
My immediate idea is to simply not define a pool for such subnets?

Regards

Francis Dupont 


Re: [Kea-users] Set boot-file-name option based on DHCP client mac-address

2019-01-23 Thread Francis Dupont
> How can I achieve something similar using KEA?

=> not yet (this feature is on the TODO list) or only with a hook.

Regards

Francis Dupont 

PS: the missing feature is to compute an option value from an expression.


Re: [Kea-users] Subnet/pool selection

2019-01-21 Thread Francis Dupont
In a shared network the subnet selection in fact selects the shared network.

When a host is looked up all the subnets of the shared network are scanned
starting from the selected one if there are less subnets than allowed
identifier types.

Pools are a bit different: they are scanned starting by the last used so
the selected subnet matters only once.

There is in the code a comment explaining this mechanism:

 // Need to check if the subnet belongs to a shared network. If so,
 // we might be able to find a better subnet for lease allocation,
 // for which it is more likely that there are some leases available.
 // If we stick to the selected subnet, we may end up walking over
 // the entire subnet (or more subnets) to discover that the pools
 // have been exhausted. Using a subnet from which a lease was
 // assigned most recently is an optimization which increases
 // the likelyhood of starting from the subnet which pools are not
 // exhausted.

Regards

Francis Dupont 


Re: [Kea-users] Multiple classes match

2019-01-21 Thread Francis Dupont
> It's possible to match multiple classes for same subnet?

=> No. The initial design proposed black/white lists (as in ISC DHCP)
but it was never implemented and the unique class guard is far simpler.
You can build the class guard using the 'member' token in a boolean
expression: it does the same without possible ambiguity.

Regards

Francis Dupont 
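
Added example (not part of the thread and not ISC's own configuration): one way to write the single class guard built with 'member' described above, covering the MAC deny list from the "deny booting" replies and the hostname deny list from the "block clients based on hostname" reply. The MAC is the one quoted in the error message earlier in the thread; the hostnames, subnet, pool and class names are constructed, and the `client-class` guard keyword is assumed to be the one your Kea version uses.

```json
{
  // Added illustration, not from the thread. Kea's config parser accepts
  // comments like these; strip them before using strict JSON tools.
  "Dhcp4": {
    "valid-lifetime": 3600,
    "client-classes": [
      {
        // Deny list by hardware address (MAC quoted earlier in the thread).
        "name": "blocked-mac",
        "test": "pkt4.mac == 0x005056bfd7a5"
      },
      {
        // Deny list by Host Name option (code 12); names are constructed.
        "name": "blocked-hostname",
        "test": "option[12].text == 'kiosk-17' or option[12].text == 'lab-guest'"
      },
      {
        // The single guard class: every client not on a deny list.
        // Classes named in member() must be defined earlier in this list.
        "name": "permitted",
        "test": "not (member('blocked-mac') or member('blocked-hostname'))"
      }
    ],
    "subnet4": [
      {
        "id": 1,
        "subnet": "192.0.2.0/24",
        // Guard: only members of 'permitted' may be served from this subnet.
        "client-class": "permitted",
        "pools": [ { "pool": "192.0.2.10 - 192.0.2.200" } ]
      }
    ]
  }
}
```

The file can be syntax-checked with `kea-dhcp4 -t <file>` before deployment. Both the MAC and the hostname are values the client supplies, so this guard is an administrative filter and not an authentication control.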

