Re: [Kea-users] 1.4 - limit subnet to static reservations/leases
My immediate idea is to simply not define a pool for such subnets? Regards Francis Dupont ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Set boot-file-name option based on DHCP client mac-address
> How can I achieve something similar using KEA?

=> not yet (this feature is on the TODO list) or only with a hook.

Regards

Francis Dupont

PS: the missing feature is to compute an option value from an expression.
Re: [Kea-users] Subnet/pool selection
In a shared network the subnet selection in fact selects the shared network. When a host is looked up all the subnets of the shared network are scanned starting from the selected one if there are fewer subnets than allowed identifier types. Pools are a bit different: they are scanned starting by the last used so the selected subnet matters only once.

There is in the code a comment explaining this mechanism:

// Need to check if the subnet belongs to a shared network. If so,
// we might be able to find a better subnet for lease allocation,
// for which it is more likely that there are some leases available.
// If we stick to the selected subnet, we may end up walking over
// the entire subnet (or more subnets) to discover that the pools
// have been exhausted. Using a subnet from which a lease was
// assigned most recently is an optimization which increases
// the likelyhood of starting from the subnet which pools are not
// exhausted.

Regards

Francis Dupont
Re: [Kea-users] Multiple classes match
> It's possible to match multiple classes for same subnet?

=> No. The initial design proposed black/white lists (as in ISC DHCP) but it was never implemented and the unique class guard is far simpler. You can build the class guard using the "member" token in a boolean expression: it does the same without possible ambiguity.

Regards

Francis Dupont
Re: [Kea-users] reservations and classes
Francis Dupont
> First I tried to add the class to the host:
>
> "client-classes": [
>   {
>     "name": "cl-test",
>     "test": "member('cl-test')"

=> note this does not make sense. If you need a test which is always true you can use the 'ALL' class but the simplest is to set the class.

> "reservations": [
>   {
>     "hw-address": "fc:3f:db:36:09:ad",
>     "hostname": "test",
>     "client-classes": [ "cl-test" ]

=> this sets the class but after resource allocation so far too late.

>   }
> ],
>
> I got: ALLOC_ENGINE_V4_ALLOC_FAIL

=> unfortunately the expected result.

> Then I tried only with KNOWN:
>
> "client-classes": [
>   {
>     "name": "cl-test",
>     "test": "member('KNOWN')"
>   }
> ],
> "reservations": [
>   {
>     "hw-address": "fc:3f:db:36:09:ad",
>     "hostname": "test"
>   }
> ],
>
> I still got: ALLOC_ENGINE_V4_ALLOC_FAIL

=> this has a chance to work but it requires the right subnet is selected. If it is not the host reservation won't be looked up (can be fixed by using the global reservation mode) nor the pool. If you have shared networks it only replaces subnet selection by shared network selection so you have more choices but perhaps still not enough.

> But "KNOWN" wouldn't be what I want anyway. I want to allow
> hosts with classA only in subnetA, and hosts with classB only in
> subnetB.

=> the problem is that the subnet/shared-network selection is the main part of the localization phase and for many reasons including a strong security one it has to be made very soon. Note ISC DHCP has the same constraint and does not offer a hook which allows to overwrite the subnet selection.

Regards

Francis Dupont

PS: tomorrow we have an internal discussion about ways to make the client classification easier to use and more powerful. Perhaps we'll find a solution for your problem as it is already in the list of things we want to support...
Re: [Kea-users] reservations and classes
BÖSCH Christian writes:
> I want to allow only hosts with reservations and specific client class
> in some different subnets.
> With isc-dhcp I used allow members of ??
>
> I tried the following below in kea, but that doesn't seem to work.
> Does anyone have an idea?
>
> "Dhcp4": {
>   ...
>   "client-classes": [
>     {
>       "name": "cl-test",
>       // "test": "member('KNOWN')",
>       "test": "member('cl-test')",
>       "only-if-required": true

=> the problem is here: only-if-required (and what should replace it) makes the evaluation of the class too late. The KNOWN idea is good but it works only for pools which BTW is enough for most uses.

>     }
>   ],
>   "reservations": [
>     {
>       "hw-address": "fc:3f:db:36:09:aa",
>       "hostname": "test",
>       "client-classes": [ "cl-test" ]

=> same issue: client-classes is applied very late.

>     }
>   ],
>   ...
>   "subnet4": [
>     {
>       "id": 151,
>       "reservation-mode": "global",
>       "pools": [ { "pool": "172.21.151.10 - 172.21.151.250" } ],
>       "subnet": "172.21.151.0/24",
>       "require-client-classes": [ "cl-test" ]

=> require-client-classes makes listed classes to be added when the subnet was selected. Obviously it is not what you want. IMHO you need a guard ("client-class" clause) but as the localization (aka subnet / shared-network selection) is done first you need to apply the guard to the pool.

>     },

Regards

Francis Dupont
Re: [Kea-users] ddns questions
> 1. How can I specify a ddns-domainname per subnet

=> you can't (I am sure because it is in the top list of features we want to add to Kea).

Thanks

Francis Dupont
Re: [Kea-users] Address reservation with IP address given by DNS
oyama writes:
> I would like to assign IP address given by other domain name system (bind9)
> in the address reservation mechanism, instead of writing IP address itself.

=> this feature is not supported by Kea and IMHO it will never be as there are too many ways to get it wrong.

Regards

Francis Dupont

PS: I suggest to use a text processor as m4 to expand values in config files from the same database.
Re: [Kea-users] Client Class from MySQL
Nitzan Tzelniker writes:
> The radius hook will do this ?

=> yes but it is a hook,

> I saw *reselect-subnet-pool* in the radius hook and it looks like it will
> do this

=> not only it adds a class to select the "right" pool but it can overwrite the selected subnet... Note it uses a host cache to not do the host reservation lookup twice at some cost: shared subnets are not supported.

Regards

Francis Dupont
Re: [Kea-users] Client Class from MySQL
A priori it is not possible because the host reservation lookup is done after the subnet selection. Regards Francis Dupont
Re: [Kea-users] DHCP Classes Kea Configuration
Jordan Tinsley writes:
> Can you translate the shared networks example from ISC to Kea?

=> I attached the ISC DHCP config and the result of the Migration Assistant applied to it. Note the max-lease-time feature should be implemented in the Kea next release (1.6 just after the 1.5 which is planned for a few days) so the number of not translated items should go closer to 0. The references are for gitlab Kea issues so you can look at them (they are locked so if you have comments please send them to us, e.g. using this list).

Regards

Francis Dupont

PS: if you'd like I can add the config into the Migration Assistant tests (I already have a lot of samples, the first one from the ISC network admin).

class "APPLE" {
  match if ( substring (hardware,1,3) = b0:19:c6 ) or
           ( substring (hardware,1,3) = d8:a2:5e ) or
           ( substring (hardware,1,3) = b8:c7:5d ) or
           ( substring (hardware,1,3) = 6c:70:9f ) or
           ( substring (hardware,1,3) = 88:1f:a1 );
}

class "BELKIN" {
  match if ( substring (hardware,1,3) = 60:38:e0 ) or
           ( substring (hardware,1,3) = 58:ef:58 ) or
           ( substring (hardware,1,3) = 58:ef:68 );
}

## Pool 1
shared-network "pool 1" {
  subnet 192.168.1.0 netmask 255.255.255.0 {
    option domain-name-servers 8.8.8.8, 8.8.4.4;
    option routers 192.168.1.1;
    option broadcast-address 192.168.1.255;
    default-lease-time 259200;
    max-lease-time 259200;
    pool {
      range 192.168.1.2 192.168.1.254;
      allow members of "APPLE";
      allow members of "BELKIN";
    }
  }
}

## Pool 2
shared-network "pool 2" {
  subnet 192.168.2.0 netmask 255.255.255.0 {
    option domain-name-servers 8.8.8.8, 8.8.4.4;
    option routers 192.168.2.1;
    option broadcast-address 192.168.2.255;
    default-lease-time 259200;
    max-lease-time 259200;
    pool {
      range 192.168.2.2 192.168.2.254;
      allow members of "APPLE";
      allow members of "BELKIN";
    }
  }
}

{
  /// This configuration declares some subnets but has no interfaces-config
  /// Reference Kea #245
  "Dhcp4": {
    "client-classes": [
      {
        "name": "APPLE",
        /// from: match if ((substring(hardware, 1, 3)) = 0xb019c6) or
        ///   ((substring(hardware, 1, 3)) = 0xd8a25e) or
        ///   ((substring(hardware, 1, 3)) = 0xb8c75d) or
        ///   ((substring(hardware, 1, 3)) = 0x6c709f) or
        ///   ((substring(hardware, 1, 3)) = 0x881fa1)
        "test": "((((substring(pkt4.mac,0,3) == 0xb019c6) or (substring(pkt4.mac,0,3) == 0xd8a25e)) or (substring(pkt4.mac,0,3) == 0xb8c75d)) or (substring(pkt4.mac,0,3) == 0x6c709f)) or (substring(pkt4.mac,0,3) == 0x881fa1)"
      },
      {
        "name": "BELKIN",
        /// from: match if ((substring(hardware, 1, 3)) = 0x6038e0) or
        ///   ((substring(hardware, 1, 3)) = 0x58ef58) or
        ///   ((substring(hardware, 1, 3)) = 0x58ef68)
        "test": "((substring(pkt4.mac,0,3) == 0x6038e0) or (substring(pkt4.mac,0,3) == 0x58ef58)) or (substring(pkt4.mac,0,3) == 0x58ef68)"
      },
      {
        "name": "gen#APPLE#BELKIN#",
        "test": "member('APPLE') or member('BELKIN')"
      }
    ],
    "subnet4": [
      {
        "id": 1,
        "subnet": "192.168.1.0/24",
        "option-data": [
          {
            "space": "dhcp4",
            "name": "domain-name-servers",
            "code": 6,
            "data": "8.8.8.8, 8.8.4.4"
          },
          {
            "space": "dhcp4",
            "name": "routers",
            "code": 3,
            "data": "192.168.1.1"
          },
          {
            "space": "dhcp4",
            "name": "broadcast-address",
            "code": 28,
            "data": "192.168.1.255"
          }
        ],
        "valid-lifetime": 259200,
//      "config": [
/////     max-lease-time is not supported
/////     use default-lease-time instead
/////     Reference Kea #221
//        {
//          "name": "max-lease-time",
//          "code": 2,
//          "value": 259200
//        }
//      ],
        "pools": [
          {
            "pool": "192.168.1.2 - 192.168.1.254",
            /// From:
            ///   allow APPLE
            ///   allow BELKIN
            "client-class": "gen#APPLE#BELKIN#"
          }
        ]
      },
      {
        "id": 2,
        "subnet"
Re: [Kea-users] DHCP Classes Kea Configuration
> pool {
>   allow members of "APPLE";
>   allow members of "BELKIN";
> }

=> create a class with for instance name "APPLE-or-BELKIN" and with "test": "member('APPLE') or member('BELKIN')"

Regards

Francis Dupont
Re: [Kea-users] DHCP Classes Kea Configuration
"Jordan Tinsley" writes: > Yes, this is DHCPv4. Sorry I forgot to include that. How do I include > multiple client-classes in a subnet? Would I just separate each > client-class with a comma? => in Kea subnet and pool guards are a single class (vs allow / deny lists in ISC DHCP). If you want a complex expression we have to use the "member('foo')" expression which evals to true when the packet belongs to the client class 'foo'. With this you can combine classes into a boolean expression and use the result class as the guard. The only constraint is in the order of classes: you can check class membership only in a class which is known i.e. in the general case is defined before. Regards Francis Dupont PS: note this can't be backported to ISC DHCP because it has a hard limit to 5 classes for a packet and of course if the Kea feature is IMHO easier / clearer it can add a great number of classes to a packet. About performance I don't believe there is a big difference one way or the other. ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] DHCP Classes Kea Configuration
"Jordan Tinsley" writes: > class "APPLE" { > > > > match if ( substring (hardware,1,3) = b0:19:c6 ) or > > ( substring (hardware,1,3) = d8:a2:5e ) or > > ( substring (hardware,1,3) = b8:c7:5d ) or > > ( substring (hardware,1,3) = 6c:70:9f ) or > > ( substring (hardware,1,3) = 88:1f:a1 ); I assume it is a configuration for DHCPv4. Either you use the admin/user manual to find corresponding expressions: - class => "client-classes" list at global scope - match if => "test" entry - or => or (binary operator but the parser knows it is associative) - = => == - substring => substring - hardware => pkt4.mac but Kea does not include the hardware type - aa:bb:cc => 0xaabbcc or you add a '}' to close the class definition and give this to the ISC DHCP to Kea Migration Assistant, with some edits to wrap long lines and make this message more readable than the raw cut & paste. { "Dhcp4": { "client-classes": [ { "name": "APPLE", "test": "substring(pkt4.mac,0,3) == 0xb019c6) or (substring(pkt4.mac,0,3) == 0xd8a25e)) or (substring(pkt4.mac,0,3) == 0xb8c75d)) or (substring(pkt4.mac,0,3) == 0x6c709f)) or (substring(pkt4.mac,0,3) == 0x881fa1)" } ] } } Regards Francis Dupont ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] KEA 1.4.0 with Anterius CA Error: unable to forward command to dhcp4
toni Friessner writes:
> Hello Kea Admins,
>
> I've installed KEA 1.4.0 on my Centos 7.5 Machine.
> - KEA DHCP4 is running
> - KEA CONTROL AGENT is running @ localhost:8000
> - ANTERIUS WEBSITE is also running but seems to not communicating
>
> when i do the NPM START i've get the following error:
>
> /Anterius Server> Bootup complete
> CA Error: unable to forward command to the dhcp4 service: No such file or
> directory. The server is likely to be offline

=> did you put a control-socket entry in the DHCPv4 configuration?

Regards

Francis Dupont
Re: [Kea-users] Configuring two separate subnets with PD pool and address pool
Brandon Cazander writes:
> "Dhcp6": {
>   "subnet6": [
>     {
>       "subnet": "2001:db8:1::/64",
>       "pools": [
>         { "pool": "2001:db8:1::1-2001:db8:1::" },
>         { "pool": "2001:db8:1:05::/80" }
>       ],
>       ...
>     }
>   ]
> }

=> pools must be in the subnet. Here I believe there is a typo: the second pool is not in the subnet, perhaps it should be: "pool": "2001:db8:1:0:5::/80"

Regards

Francis Dupont
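Added example, not from the original thread and not Kea code: the "pools must be in the subnet" rule from the reply above, checked with Python's ipaddress module for both prefix and "a - b" range pools. The function names are illustrative, and the upper bound of the first IPv6 pool is a constructed value because the one in the quoted message is cut off.

```python
import ipaddress


def pool_bounds(pool):
    """Return (first, last) for a Kea pool given as a prefix or 'a - b' range."""
    if "/" in pool:
        net = ipaddress.ip_network(pool.strip(), strict=False)
        return net[0], net[-1]
    # IPv4 and IPv6 literals never contain '-', so it is a safe separator.
    first, last = (ipaddress.ip_address(p.strip()) for p in pool.split("-"))
    return first, last


def check_pools(subnets):
    """Return (subnet, pool, reason) for every pool that cannot be used."""
    problems = []
    for subnet in subnets:
        net = ipaddress.ip_network(subnet["subnet"], strict=False)
        for entry in subnet.get("pools", []):
            pool = entry["pool"]
            try:
                first, last = pool_bounds(pool)
            except ValueError as exc:
                problems.append((subnet["subnet"], pool, f"cannot parse: {exc}"))
                continue
            if first.version != last.version:
                reason = "mixed address families"
            elif first > last:
                reason = "range is reversed"
            elif first not in net or last not in net:
                reason = "outside the subnet"
            else:
                continue
            problems.append((subnet["subnet"], pool, reason))
    return problems


# Constructed sample modelled on the configurations quoted in this archive.
SAMPLE_SUBNETS = [
    {
        "subnet": "2001:db8:1::/64",
        "pools": [
            {"pool": "2001:db8:1::1-2001:db8:1::ffff"},  # constructed upper bound
            {"pool": "2001:db8:1:05::/80"},   # expands to 2001:db8:1:5::, another /64
            {"pool": "2001:db8:1:0:5::/80"},  # the corrected form, inside the /64
        ],
    },
    {
        "subnet": "172.21.151.0/24",
        "pools": [{"pool": "172.21.151.10 - 172.21.151.250"}],
    },
]

if __name__ == "__main__":
    for subnet, pool, reason in check_pools(SAMPLE_SUBNETS):
        print(f"{subnet}: pool {pool}: {reason}")
```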
Re: [Kea-users] Kea 1.4 crash from time to time
According to man 2 bind you can get:
- EACCES: for Kea it means you forget to run it as root
- EADDRINUSE: there is another DHCP agent running (not the same Kea server because in this case you get an error about the PID first)
- EADDRNOTAVAIL: an address in the Kea configuration was not configured on the machine
- EAFNOSUPPORT: only with DHCPv6: the kernel was not configured with IPv6

The last two are unlikely but possible. BTW for EADDRINUSE the problem is reported by the kernel.

There are extra possible errors with local (aka UNIX) domain, in Kea it is used for the control socket:
- EEXIST: the file already exists (remove it: usually Kea removes it at exit but not when it crashes)
- EISDIR: the path is a directory (fix the config)
- ELOOP: the path has a link loop (remove the looping link, usually a link pointing to itself)
- ENAMETOOLONG: the path is too long (max length is system dependent but more than 100 characters)
- ENOENT: something does not exist in the path (create it)
- ENOTDIR: something in the middle of the path is not a directory
- EROFS: the path is in a read-only file system

IMHO you should only get the first one which is easy to fix. When you use a tool to launch Kea you should configure the tool to remove local domain socket files.

About #262 it is a trivial typo in the example which will be fixed as soon as the Kea master branch code will be unfrozen.

Regards

Francis Dupont
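Added example, not from the original message and not Kea code: a pre-start check a launcher could run on the control-socket path, which removes a leftover socket file only when it really is a socket and nothing is listening on it. The function names and state labels are illustrative, and the path in the demo is constructed.

```python
import os
import socket
import stat
import tempfile


def control_socket_state(path):
    """Classify a UNIX-domain socket path before a server tries to bind() it."""
    parent = os.path.dirname(path) or "."
    if not os.path.exists(parent):
        return "missing-parent"        # something in the path does not exist
    if not os.path.isdir(parent):
        return "parent-not-directory"
    try:
        mode = os.lstat(path).st_mode  # lstat: do not follow a symlink
    except FileNotFoundError:
        return "free"
    if stat.S_ISDIR(mode):
        return "is-directory"          # configuration error, nothing to delete
    if not stat.S_ISSOCK(mode):
        return "not-a-socket"          # some other file: never delete it
    probe = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        probe.connect(path)
    except ConnectionRefusedError:
        return "stale"                 # file left behind, nobody is listening
    except OSError:
        return "unknown"               # e.g. no permission to connect
    else:
        return "in-use"                # a live server owns this socket
    finally:
        probe.close()


def remove_if_stale(path):
    """Unlink the socket file only when it is a stale socket. Return True if removed."""
    if control_socket_state(path) == "stale":
        os.unlink(path)
        return True
    return False


if __name__ == "__main__":
    # Constructed demo: simulate a server that exited without cleaning up.
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "ctrl.sock")
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(path)
    server.listen(1)
    print("while running:", control_socket_state(path))
    server.close()                     # the socket file stays on disk
    print("after exit:   ", control_socket_state(path))
    print("removed:      ", remove_if_stale(path))
    os.rmdir(workdir)
```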
Re: [Kea-users] Kea 1.4 crash from time to time
First the term crash is not the right one as it failed to start (exactly to load the configuration), it does not exit on segmentation fault & co. Second if there is another application using the port it cannot serve it. It is not specific to Kea servers but to any server application. I recommend in the case the port is supposed to be free to find which process is bound to it with for instance lsof. Regards Francis Dupont
Re: [Kea-users] Multiple dns-server in kea-dhcp-ddns server
Tim Weippert writes:
> Hi list,
>
> i configured two dns-servers within a forward-ddns domain in kea-dhcp-ddns:
>
> "forward-ddns" : {
>   "ddns-domains": [
>     {
>       "name": ".",
>       "key-name": "DHCP-Update-Key",
>       "dns-servers": [
>         { "ip-address": "172.18.20.1" },
>         { "ip-address": "127.0.0.1" }
>       ]
>     }
>   ]
> },
>
> as i understand the documentation, kea-dhcp-ddns should send the updates to
> both dns-servers,

=> not sure: dynamic updates are propagated between servers so it is enough to send to the first working one.

> but it seem to use only the first one.

=> this is what I expect from the DNS point of view.

> I would like to change my master DNS Server to another system/product
> and keep both in sync for some time.

=> it is a DNS problem: if you don't try a multi-master setup with a server software which does not explicitly support it there should be no issue: as I said dynamic updates are propagated between servers (or they fail) so things with a sane setup can't go out of sync.

> Is this a misunderstanding from my side or is there something wrong with the
> configuration?

=> misunderstanding. Simply look at the DNS server documentation about dynamic updates.

Regards

francis.dup...@fdupont.fr
Re: [Kea-users] Updated plan for Kea 1.5 | EOL for Kea 1.3 in December 2018
In the old Kea trac (still available as oldkea?) there is a migration milestone with a lot of tickets about ISC DHCP to Kea migration. This should be in it. These tickets are classified into things needed in Kea, things Kea should do, good ideas for Kea, and finally things which won't be ported to Kea. The last kind is for references in the ISC DHCP to Kea Migration Assistant (not publicly available as it is based on ISC DHCP).

Regards

Francis Dupont

> On 10/25/18 12:10 PM, Victoria Risk wrote:
> > Kea-users,
> >
> > We decided last week to reorganize the contents of the upcoming Kea
> > 1.5 release. We will have the following key features in Kea 1.5:
>
> I was wondering when or if ever equivalent support for isc's
> "ddns-rev-domainname" option would become available in kea, in order to
> support classless reverse delegation of in-addr.arpa. That's the main
> feature I need that is stopping me from implementing kea in my environment.
>
> Thanks.
>
> Mike-
Re: [Kea-users] kea SubClass equivalent
sven.roeh...@web.de writes:
> thanks for responding. I would like to use the built-in class KNOWN
> but I don't have a host-reservation for the CPE, only for the
> CableModem the CPE is connected to.
>
> I would need a lookup like this using the MAC in relay4[2] to find a
> host-reservation for the corresponding CableModem.
>
> Since this is an essential feature for us it would be very very nice if
> you could assist finding a working code for this.

=> I am afraid you need to write a hook as each time the expression feature is not enough to classify a received message.

Regards

Francis Dupont
Re: [Kea-users] Problem with KEA crash
You dereference a null shared pointer. The only way to understand what happens is to use a debugger (if you run from build directory add "libtool --mode=execute " before so Kea libraries can be found). Regards Francis Dupont
Re: [Kea-users] Kea does not send option 161, 162, 184 and 185 information
Does the client request them? If it does not and you want Kea to send them anyway please set the always-send flag to true in option data. Regards Francis Dupont
Re: [Kea-users] Set independend DDNS TTL
Dominik Korittki writes:
> currently we are searching for a possibility to set a custom TTL value
> for DDNS entries in kea-dhcp-ddns-server. The default seems to be the
> same value as the valid lease length. The admin guide doesn't seem to
> cover this topic but we found the following reports, which are related
> to this:
>
> https://kea.isc.org/ticket/5235

=> this one is a ISC DHCP migration low priority ticket, i.e. ISC DHCP has a feature which can be a good thing for Kea too. Mainly these tickets are a list of ideas for future releases (if it was useful for ISC DHCP users it should be useful for Kea users too...).

> https://kea.isc.org/ticket/3356

=> it is a bug report because the current code is not RFC compliant. It is in outstanding task so it is registered but no action is scheduled.

> https://kea.isc.org/ticket/3299

=> closed (the bug described in it was fixed)

> As these reports are quite a bit old, is there anything new to know? If
> not, is there any other way to set a TTL? Maybe through a hook?

=> the DHCP DDNS server does not support hooks and I am afraid it is more than hairy to do at the DHCP server (DDNS client).

Regards

Francis Dupont
Re: [Kea-users] Cant "make" the master version with radius hook
Please contact support to get a version of the premium distrib which includes last changes (database code has been moved since 1.5 release and premium code updated but privately). Regards Francis Dupont
Re: [Kea-users] subnet full - reselect
Radius hooks do not support shared networks. But it supports subnet re-select even it is a bit late when the allocation returns a pool full error. Regards Francis Dupont
Re: [Kea-users] subnet full - reselect
Are your two subnets in a shared network? (if they are not, pools are not shared) Regards Francis Dupont
Re: [Kea-users] Host reservation with pool dhcpv4
Joe Botha writes:
> I have a need to create host reservations based on MAC
> address, but I don't want to give a fixed IP or hostname.
> I just want to tag them with something so I can figure out
> which pool they should get IPs from. How would I do this
> best?

=> if you want to control which pool(s) a client can get an address from you need a client-class matching its MAC. Note even when you can assign a class from a host reservation it is performed after address allocation so it can't be used to select a pool. Of course this can be overruled using a hook and some programming.

Regards

Francis Dupont
Re: [Kea-users] Suggestions requested
To add a host reservation is not a silly idea: it is the way the RADIUS hook works: it adds a host cache entry at the select subnet hook point so when the host reservation is looked for the required information can be returned. Of course this requires to code a bit... Regards Francis Dupont PS: even if it is not yet available at this hook point Kea >= 1.4 has a "park" feature which allows to process next packets waiting for the hook to return. And it is safe because allocation is done later, i.e. it is equivalent to a network reordering UDP packets. Tom Gillman writes: > --===7402642548948267019== > Content-Language: en-US > Content-Type: multipart/alternative; > boundary="_000_10C1B5EE2EE8C845858FF3FE51AEB42002490F87MX307CL03corpem_ > " > > --_000_10C1B5EE2EE8C845858FF3FE51AEB42002490F87MX307CL03corpem_ > Content-Type: text/plain; charset="utf-8" > Content-Transfer-Encoding: base64 > > SXQgZG9lc27igJl0LCBhdCBsZWFzdCBub3QgYWNjb3JkaW5nIHRvIG15IGludGVycHJldGF0aW9u > IG9mIHRoZSBkb2N1bWVudGF0aW9uIGluIHRoZSBLZWEgQWRtaW5pc3RyYXRvcuKAmXMgR3VpZGUs > IFNlY3Rpb24gMTQuNC40DQoNCkkgdmVyeSBzcGVjaWZpY2FsbHkgbmVlZCB0byBxdWVyeSBhbiBl > eHRlcm5hbCBzZXJ2aWNlICgqTk9UKiBhIGRhdGFiYXNlKSwgYW5kIHRoZW4gZ2VuZXJhdGUgYSBs > ZWFzZSAob3IgcmVzZXJ2YXRpb24pIGJhc2VkIG9uIHRoZSBpbmZvcm1hdGlvbiByZXR1cm5lZCBm > cm9tIHRoYXQgcXVlcnkuDQpNeSBjb251bmRydW0gaXMgdGhhdCBJIGNhbiBjYWxsIGFuIGV4dGVy > bmFsIHNjcmlwdCwgYnV0IGJlY2F1c2UgdGhlIERIQ1Agc2VydmVyIGJsb2NrcyB3YWl0aW5nIG9u > IHRoZSBzY3JpcHQgdG8gY29tcGxldGUsIEkgY2Fubm90IHVwZGF0ZSB0aGUgbGVhc2UgaW5mb3Jt > YXRpb24gdW50aWwgdGhlIHNjcmlwdCBleGl0cy4NCg0KVGhhbmtzLA0KDQotVA0KDQpGcm9tOiBL > ZWEtdXNlcnMgW21haWx0bzprZWEtdXNlcnMtYm91bmNlc0BsaXN0cy5pc2Mub3JnXSBPbiBCZWhh > bGYgT2YgSm9zZXBoIEJlcm5hcmQNClNlbnQ6IFR1ZXNkYXksIEF1Z3VzdCAxNCwgMjAxOCA3OjM0 > IFBNDQpUbzoga2VhLXVzZXJzQGxpc3RzLmlzYy5vcmcNClN1YmplY3Q6IFJlOiBbS2VhLXVzZXJz > XSBTdWdnZXN0aW9ucyByZXF1ZXN0ZWQNCg0KSSBiZWxpZXZlIHRoZSBIb3N0IENvbW1hbmRzIExp > 
YnJhcnkgcHJlbWl1bSBob29rIGRvZXMgdGhpcy4NCg0KVGhhbmtzLA0KSm9zZXBoIEIuDQoNCk9u > IEF1ZyAxNCwgMjAxOCwgYXQgNTowNSBQTSwgVG9tIEdpbGxtYW4gPFRvbS5HaWxsbWFuQHZpcnR1 > c3RyZWFtLmNvbTxtYWlsdG86VG9tLkdpbGxtYW5AdmlydHVzdHJlYW0uY29tPj4gd3JvdGU6DQpI > b3dkeSBmb2xrcywNCg0KSeKAmW0gdHJ5aW5nIHRvIGltcGxlbWVudCBzb21ldGhpbmcgd2l0aCBr > ZWEgYW5kIEkgd2FzIGhvcGluZyB0byBwaWNrIHRoZSBoaXZlIGJyYWluLg0KDQpXaGF0IEnigJlt > IHRyeWluZyB0byBkbyBpcywgb24gYSByZXF1ZXN0IGZvciBESENQLCBmb3JtYXQgYSBKU09OIHF1 > ZXJ5IHRvIGEgbmV0d29yayBzZXJ2aWNlIHRoYXQgd2lsbCByZXR1cm4gYSBob3N0bmFtZSBhbmQg > SVAgYWRkcmVzcy4gVGhlbiwgZ2VuZXJhdGUgYSBsZWFzZSAodXNpbmcgbWVtZmlsZSkgd2hpY2gg > dGhlbiBnZXRzIHJldHVybmVkIHRvIHRoZSByZXF1ZXN0aW5nIGNsaWVudC4gSSBjYW4gZG8gYWxs > IHRoYXQgaW4gYSBzaGVsbCwgd2hpY2ggSSB3YXMgdXNpbmcgdGhlIGtlYS1ob29rLXJ1bnNjcmlw > dCBob29rIGxpYnJhcnkgdG8gZG8uIFRoZSBmaXJzdCBwYXJ0IGFsbCB3b3JrcyB3ZWxsLiBUaGUg > cHJvYmxlbSBjb21lcyBpbiB0cnlpbmcgdG8gdXBkYXRlIHRoZSBtZW1maWxlLiBUaGUga2VhLWhv > b2stcnVuc2NyaXB0IGNhbGxzIGFuIGV4dGVybmFsIHNoZWxsIHRvIGRvIHRoZSB3b3JrLCBhbmQg > YmxvY2tzIHdhaXRpbmcgb24gdGhhdCBzaGVsbCB0byBleGl0LiBCZWNhdXNlIGl04oCZcyBibG9j > a2VkLCBJIGNhbuKAmXQgaXNzdWUgYW55IGxlYXNlIGNvbW1hbmRzIHRocm91Z2ggdGhlIGNvbnRy > b2wgY2hhbm5lbCB0byBkbyB0aGUgdXBkYXRlcyBJIGRlc2lyZS4NCg0KSeKAmW0gbm90IHN1cmUg > aG93IHRvIGdldCBhcm91bmQgdGhpcywgSSBmZWVsIGxpa2UgbWFraW5nIHRoZSBleHRlcm5hbCBj > YWxsb3V0IG5vbi1ibG9ja2luZyB3b3VsZCBpbnRyb2R1Y2UgcmFjZSBjb25kaXRpb25zIHRoYXQg > d291bGQgYml0ZSBtZSBsYXRlciBvbi4gVGhlIG9ubHkgcmVhbCBzb2x1dGlvbiBJIHNlZSBpcyB1 > c2UgYSAzcmQtcGFydHkgREIgbGlrZSBteXNxbCBhbmQgaGFuZGxlIHRoZSB1cGRhdGVzIHdpdGhp > biB0aGUgc2NyaXB0LCBidXQgdGhhdCBpbnRyb2R1Y2VzIG92ZXJoZWFkIHRoYXQgSeKAmW0gdW53 > aWxsaW5nIHRvIGRvLg0KDQpJ4oCZbSBub3QgbXVjaCBvZiBhIHByb2dyYW1tZXIsIHNvIHNheWlu > ZyDigJxCdWlsZCB5b3VyIG93biBob29rIGxpYnJhcnnigJ0gcmVhbGx5IGlzbuKAmXQgYW4gb3B0 > aW9uIGdpdmVuIHRoZSB0aW1lIGNvbnN0cmFpbnRzIEnigJltIHVuZGVyLiBJIGZlZWwgbGlrZSBJ > IG1pZ2h0IGV2ZW50dWFsbHkgYmUgYWJsZSB0byBpdCwgYnV0IEkgc2ltcGx5IGRvbuKAmXQgaGF2 > 
ZSB0aGUgdGltZS4NCg0KRG9lcyBhbnlvbmUgaGF2ZSBhbnkgc3VnZ2VzdGlvbnM/IEFueSBjb25z > dHJ1Y3RpdmUgY3JpdGljaXNtIGlzIGFwcHJlY2lhdGVkLg0KDQpUaGFua3MsDQoNCi1Ub20NCl9f > X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fDQpLZWEtdXNlcnMg > bWFpbGluZyBsaXN0DQpLZWEtdXNlcnNAbGlzdHMuaXNjLm9yZzxtYWlsdG86S2VhLXVzZXJzQGxp > c3RzLmlzYy5vcmc+DQpodHRwczovL2xpc3RzLmlzYy5vcmcvbWFpbG1hbi9saXN0aW5mby9rZWEt > dXNlcnMNCg== > > --_000_10C1B5EE2EE8C845858FF3FE51AEB42002490F87MX307CL03corpem_ > Content-Type: text/html; charset="utf-8" > Content-Transfer-Encoding: base64 > > PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy > bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt > YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj > cm
Re: [Kea-users] shared subnet advice
Joe Botha writes:
> Please point me in the right direction. I've been playing
> with a Kea 1.4 dhcp4 config related to Shared Subnets and
> client-classes, but not having much joy.
>
> I'd like to have two subnets, one with public IPs, one
> with RFC1918 IPs.

=> note this implies a shared network as pools must be in the range of the subnet they are declared.

> Based on MAC address of the client, I'd like to handle 3
> cases:
>
> 1) Some MAC addresses are unknown and should get RFC1918 IPs,
> until they authenticate.

=> you need Kea 1.4 with the KNOWN / UNKNOWN classes which can guard a pool (not a subnet because subnets are selected before host reservations are looked for in the current (so 1.4) code).

> 2) Some MAC addresses have fixed IP address reservations in
> the public IP pool.
>
> 3) Some MAC addresses are known and should get a dynamic IP
> from the public pool.
>
> I need to prevent known MACs from getting RFC 1918 IPs.

=> I think by "known" you mean have a host reservation. BTW it is required for a host reservation to provide at least an address or a hostname. If you want MAC address only matching you need a client class.

Thanks

Francis Dupont
Re: [Kea-users] IP Reservation for Client-Class
Flex-id should be better (easier to use and scales) than one member classes and associated pools.

Regards

Francis Dupont

Phoebe Lee writes:
> Sorry for bad wording!
> I'd like to have 1 IP reservation for a client-class that will only have 1
> client in the class. Not sure if it's possible.
>
> I'm trying to have IP reservations based on port numbers of a device. I'm
> passing port numbers of my device through Option-82 and classifying my end
> users through client-classes.
>
> On Tue, Jul 24, 2018 at 1:33 PM, Francis Dupont wrote:
>
> > Phoebe Lee writes:
> > > Wondering if there's a method of creating a reservation of a single IP
> > > based on client-classes instead of a pool.
> >
> > => I don't understand your question but in 1.4 you can guard a pool
> > with a client-class, i.e. only the client-class members can get an
> > address from the pool.
> >
> > Regards
> >
> > Francis Dupont
Re: [Kea-users] IP Reservation for Client-Class
Phoebe Lee writes: > Wondering if there's a method of creating a reservation of a single IP > based on client-classes instead of a pool. => I don't understand your question but in 1.4 you can guard a pool with a client-class, i.e. only the client-class members can get an address from the pool. Regards Francis Dupont ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] custom DUID
sothy shan writes: > we have one issue. we don't have enterprise-number. In this case, we can > assign any number (>52275)? => three choices: - you pick a number at random (you just have to check if it is not assigned to an enterprise which can be used on your network). - you pick the number of your preferred enterprise (if it no longer exists and was not in networking business it could help). - you get an official number for your enterprise (takes time but is 100% safe forever)... Regards Francis Dupont PS: ISC uses its enterprise-number but as far as I know not for DUID-ENs. ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] client-classes for a particular MAC Address of a CPE
Remove the '' in: "test": "/substring(pkt4.mac, 0, 6) = '0x00d0550b6076'", so you should use: "test": "/substring(pkt4.mac, 0, 6) = 0x00d0550b6076", Regards Francis Dupont ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] kea 1.3.0 dying with mysql error
Satish Patel writes: > h.host_id, o.option_id>, reason: MySQL server has gone away (error > code: 2006). Server exiting now! => it is a MySQL error so not a Kea one, but I have 2 extra comments: - google gave an idea: increase the maximum packet setting in MySQL (I am afraid it won't solve the problem but just try in the case I am wrong) - Kea 1.4 reconnects databases so the error should be transient (vs fatal) in the new 1.4 release. Regards Francis Dupont ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Newbie questions
You need either a PRL option (code 55) to list requested options in the discover or request, or to set always-send to true in option data entries of a recent enough Kea config. Regards Francis Dupont PS: always-send adds the option code to the PRL option which is BTW the way to do the same thing in ISC DHCP. For DHCPv6 you have the same thing with the ORO option. Only a few "system" options are added even when not requested, cf DHCP protocol specs. ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Best practice recommendation for reserving/blocking out VIPs?
I don't fully understand your problem but: - the simplest is to not have addresses you want to reserve in a pool - using host reservations works too but with a performance penalty (cf out-of-pool text in the doc) and with a hairy but handled case if you change dynamically the config (cf conflict text in the doc). Note you do not need to use an existing MAC in a host reservation, the only constraint is to use a different MAC (or identifier in general) between host reservations. Regards Francis Dupont ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] user-context
itay cohen writes: > i'm trying to get user-context from a selected subnet on lease4_select api > with a hook, => what are you trying to do? lease4_select is a REST API, hooks are linked DSO using a programming language (typically C++ but it is not required). Regards Francis Dupont ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] kea http uefi boot
I looked at for possible candidates for client-architecture options. One is the option 93 (client-system in Kea which BTW does not allow to redefine options). The value 16 is not in RFC 4578 table but it is 11 years old... Regards Francis Dupont ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] map class with pool
Satish Patel writes: > [root@dhcp kea]# /usr/local/sbin/keactrl start > INFO/keactrl: Starting /usr/local/sbin/kea-dhcp4 -c > /usr/local/etc/kea/kea-dhcp4.conf > 2018-06-03 00:42:40.940 ERROR [kea-dhcp4.dhcp4/19854] DHCP4_INIT_FAIL > failed to initialize Kea server: configuration error using file > '/usr/local/etc/kea/kea-dhcp4.conf': > /usr/local/etc/kea/kea-dhcp4.conf:244.8-21: got unexpected keyword > "client-class" in pools map. > INFO/keactrl: Starting /usr/local/sbin/kea-ctrl-agent -c > /usr/local/etc/kea/kea-ctrl-agent.conf => can you double check you are running Kea 1.4-beta? This feature was added after 1.3 release. Regards Francis Dupont ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Client Classification question
> [substr(client-fqdn.name, 0, 3)) == 'web'] error: :1.1: > Invalid character: s at (/usr/local/etc/kea/kea-dhcp4.conf:235:14) => substr is not recognized (it is substring). BTW there are other syntax errors, for instance the extra closing parenthesis. And for the option it is option[].hex ... Regards Francis Dupont ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Releasing or deleting a lease
lease_cmds hook (in Kea core code)? Regards Francis Dupont ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Option82 with different versions of KEA
"Batuhan BAKIP" writes: > I look logs "reason: subnet with the prefix of '10.0.1.0/24' already > exists", yes it is true but same configuration is running on kea version > 1.1.0. How to do same job on version 1.3.0? => the code checking if two subnets are the same is deeply buggy (known problem but which requires some design to get the right fix so its solution was postponed). The simplest is to use the fact the code uses the string itself to compare subnets so changing slightly it will give what you want. Note the bug will be fixed one day so it is not for the long term... Regards Francis Dupont ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] kea DHCPv6
sothy shan writes: > Now, I want to group users based on user-class option or > vendor-class-identifier. Based on the reading, LAN network, these are only > two ways dhcp server to classify users. => please use user-class (vendor-class-identifier was not designed to be used alone). > Now I am lacking configuration at client side and server side. > > My question is that? > 1) my approach is correct? => yes. > 2) any configuration based on user-class or vendor-class-identifier? => not in the distrib as far as I can remember but this list is the right place to ask for some examples. Regards Francis Dupont ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Issue building Kea 1.4.0-beta - configure: error: Needs log4cplus library
"Chaigneau, Nicolas" writes: > Executing configure with the following option : > > --with-log4cplus > > (directory which contains < include > and < lib > sub-dirs for Log4cplus) > > > This doesn't seem to work for Kea 1.4.0-beta. > (It worked with Kea 1.3.0) => on which system? > I get the following output : > > checking log4cplus/logger.h usability... yes > checking log4cplus/logger.h presence... yes > checking for log4cplus/logger.h... yes > checking for log4cplus library... no > configure: error: Needs log4cplus library > > Any idea ? => look at the config.log where the problem is logged with details. Note we fixed in the past similar problems and if your compiler is not C++11 compatible by default you can get spurious warnings (this is why on my macOS I set the CXX environment variable to "g++ --std=c++11" in the shell before calling autoreconf and ./configure. Regards Francis Dupont ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] next-server-address in hooks for UEFI config servers
Gokulakrishnan Gopalakrishnan writes: > Currently, I'm hardcoding 'next-server' in kea.conf. Is it possible to do > it via hook code? => yes of course. BTW the way to set the next server address field (aka siaddr) in BOOTP/DHCP packet is the Pkt4 setSiaddr() method. Regards Francis Dupont ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] next-server-address in hooks for UEFI config servers
Gokulakrishnan Gopalakrishnan writes: > I'm trying to assign IPs to my servers using Kea 1.3.0. Some of my servers > are UEFI configured ones and those are failing in getting IP. > When I dig deep, I found out that setting "next-server": "192.168.1.1" > manually in kea.conf works fine. I was setting next-server via hooks code > (pasted below). => next-server is a BOOTP/DHCP field, not an option. Note some of these fields have a corresponding option used for instance when the field is too small (can't happen with an IPv4 address :-). > // Add next server option to packet. > opt = response->getOption(DHO_HOME_AGENT_ADDRS); => This option gives a list (vs one) of addresses of the Mobile IP home agent. So it is something different (but if it makes the client happy...). Regards Francis Dupont <fdup...@isc.org> ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Host reservation with remote-id
Mathias Aichinger writes: > How can I realize this with KEA? => you'll get more detailed answer but at the first look you need flex-id. > Does it work with the Premium API? => yes. Regards Francis Dupont <fdup...@isc.org> ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Provide /32 network with DHCP
I can't see any problem other than a /32 *network* is useless because it has no available address: the broadcast address is reserved. Regards Francis Dupont <fdup...@isc.org> ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Circuit-ID
Oops, I messed the PS. Here is the corrected version. > PS: if you get a cryptic error message please signal it so we can > improve it. BTW the last ticket (5600) is a perfect example of that... ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] DHCP4 Relay Information source
I don't fully understand your question but DHCPv4 messages have a field to carry the relay address (aka giaddr). Regards Francis Dupont <fdup...@isc.org> ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Option 60 vendor class
vendor-class-identifier (code 60) is a string so you should dynamic cast the result of getOption() with DHO_VENDOR_CLASS_IDENTIFIER to an OptionString. There are a lot of examples in unit tests and as far as I can remember at least a post in this list as you are not the first asking this. Regards Francis Dupont <fdup...@isc.org> PS: look at src/lib/dhcp/std_option_defs.h for definitions of standard options. getData works only on unknown options or options which are not defined to a specific content type (i.e, binary). ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] DUID host reservations
I'd like to add something: for DHCPv4 the DUID identifier is from a client-id following the RFC 4361, i.e. the document which provides the standard way to get a stable identifier DHCPv4 and DHCPv6 for a dual stack client. Extremely useful if you are and will be in this situation... Thanks Francis Dupont <fdup...@isc.org> ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Dynamic IP address assigned to client with MAC reservation
Using Client Identifier and Hardware Address BTW there is an explicit reference about PXE in this. Thanks Francis Dupont <fdup...@isc.org> ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Dynamic IP address assigned to client with MAC reservation
I recommend to add some debug in logs so you can verify the MAC address and client ID. With PXE you can get some surprises with the same client presenting different identities at each phase. Fortunately there are some switches to force Kea to do what you want (and they are described in the manual). If you find what did not work as you expected and how to solve it please post your conclusion here so we can aliment FAQs and knowledge bases... Of course this applies to anyone who got the same problem (it is the whole principle of this list :-). Thanks Francis Dupont <fdup...@isc.org> ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] MySQL DB does not work when "lease-database" is set
Kevin Olbrich writes: > If I use MySQL, no lease is ever created. The server also never answers any > DHCP request. > > Changing from mysql to memfile (commented out code above), everything works > fine. > No error is logged, "it just dont work" with mysql. => I am afraid MySQL does not work at all in your setup and its very long default timeout hides that. There were recent works to improve this (better timeouts, reconnect, etc) so I leave my colleagues who worked on it to give better answers. Regards Francis Dupont <fdup...@isc.org> ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] [Kea Users] the renew-timer and rebind-timer problem
sonic3021 writes: > I'm looking for a solution so that kea doesn't send the renew-timer and > rebind-timers. > I comment the parameter in config json file but the server also send these > options in default value > I find some printer can't process the dhcp packet contain the option 58 and > 59 > is someone have solution already ??? => it is a funny problem because the code only adds these options when timers have a value in the subnet configuration, and this is an impossible condition because timers have default global values which are inherited by subnets where they are not specified... Unfortunately I am afraid the only solution is to attach a piece of code on the pkt4_send hook point which simply removes these options (bool delOption(uint16_t type); which is a Pkt method is your friend) from the response4 parameter... Should take between 10 and 20 lines. Thanks Francis Dupont <fdup...@isc.org> ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] subnet and DHCP options for MySQL backend
A lease database backend is for the whole server. If you have specific subnet / options setting they go into the configuration inside subnet entries independently of backends. Regards Francis Dupont <fdup...@isc.org> PS: BTW there must be at least one subnet because incoming packets are localized (aka subnet selection) with success to get useful services (cf. subnet[46]_select last statement in the developer guide, i.e. https://jenkins.isc.org/job/Kea_doc/doxygen/de/df3/dhcpv4Hooks.html copied here in the case you have no access to it: If any callout sets the status to SKIP, the server will not select any subnet. Packet processing will continue, but will be severely limited. ) ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Problems adding the premium package hooks libraries
Dylan Masson writes: > Thanks. I have added all of the .so files from that dir, including the > libdhcp_host_cmds.so file, and "reservation-add" is > still not showing. > { > "library": "/usr/local/lib/hooks/libdhcp_flex_id.so", => you should include only needed hooks. Some, for instance flex-id, require a parameter so can fail to initialize. > And I am getting the statistics commands, but not the reservation ones: => you should get it: one of the unit tests of the host cmds hook explicitly checks the result of list-commands (I know because I copied this code). Now it is not a system test... I'll check when I'll get some free time (tomorrow? surely before Monday if it is not solved before). Regards Francis Dupont <fdup...@isc.org> ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Problems adding the premium package hooks libraries
I am working on a new hook so I have a build where "make install" works well. Note I kept the default prefix "/usr/local", this gives:
% ls /usr/local/lib/hooks
libdhcp_flex_id.a    libdhcp_host_cache.a    libdhcp_legal_log.a
libdhcp_flex_id.la   libdhcp_host_cache.la   libdhcp_legal_log.la
libdhcp_flex_id.so   libdhcp_host_cache.so   libdhcp_legal_log.so
libdhcp_ha.a         libdhcp_host_cmds.a     libdhcp_subnet_cmds.a
libdhcp_ha.la        libdhcp_host_cmds.la    libdhcp_subnet_cmds.la
libdhcp_ha.so        libdhcp_host_cmds.so    libdhcp_subnet_cmds.so
Regards Francis Dupont <fdup...@isc.org> PS: of course only the *.so are useful. If you find it is inconvenient to get also the .a and .la, please open a (Kea trac) ticket or (better) push a request on github fixing the install of the lease cmds hook (the user chk hook is not installed). ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Build warnings under Debian Stretch
Jason Guy writes: > This is the 1.3 source package I am helping the maintainer with. So the > hooks are whatever is in the 1.3.0 tar. Everything builds, and I am going > to be deploying with this package. But I wanted to get a second opinion. :) => I thought about a change in the legal log/forensic hook to take lease changes by the lease cmds hook into account. But it did not add a requirement for the config / cfg-client library. IMHO it was supposed a tool from the library would be used and at the end it was not so the library is useless. The next time the hook will be updated it will be reconsidered and if still useless removed... BTW it has no impact as anything using the hook really requires the library so it is just an extra entry in a table. Thanks Francis Dupont <fdup...@isc.org> ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Build warnings under Debian Stretch
Jason Guy writes: > In my latest build, I see a few warnings, and I was not sure if these are > something I should file a bug for, or simply ignore under Debian. None of > these cause a problem, but I want to verify these will not be an issue: => useless dependency is just useless... > dpkg-shlibdeps: warning: package could avoid a useless dependency if > debian/kea-common/usr/lib/x86_64-linux-gnu/libkea-dhcpsrv.so.8.0.0 was not > linked against libz.so.1 (it uses none of the library's symbols) => I am afraid this libz dependency is very indirect, perhaps from a crypto library. config.status should say more but it should not be enough a problem to justify an effort to solve it. > dpkg-shlibdeps: warning: package could avoid a useless dependency if > debian/kea-common/usr/lib/x86_64-linux-gnu/hooks/libdhcp_lease_cmds.so > debian/kea-common/usr/lib/x86_64-linux-gnu/libkea-dhcp_ddns.so.1.0.2 > debian/kea-common/usr/lib/x86_64-linux-gnu/libkea-process.so.1.0.0 > debian/kea-common/usr/lib/x86_64-linux-gnu/libkea-dhcpsrv.so.8.0.0 were not > linked against libkea-cfgclient.so.4 (they use none of the library's > symbols) >dh_installdeb -O-B >dh_gencontrol -O-B => a bit more surprising. BTW what is the version of lease cmds hook code? > dpkg-gencontrol: warning: Depends field of package kea-dev: unknown > substitution variable ${shlibs:Depends} >dh_md5sums -O-B >dh_builddeb -O-B => fully Debian specific (and internal). IMHO this should be ignored. Thanks Francis Dupont <fdup...@isc.org> PS: I noted we should look at the Debian tool which detects useless dependencies. ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] DHCP6 subnet select fails. Basic config
Tim Howe writes: > This had actually occurred to me, but I only saw the > outbound-interface in the docs as being an option for IPv4. Also, when > I try to add it to the interface clause for dhcpv6 I get a syntax error. => you are right: the code for DHCPv6 is missing without good reasons, and reading the DHCPv4 code I don't think it works. So I created a ticket to get DHCPv4 fixed and DHCPv6 code added. Unfortunately I have no idea about when the ticket will be addressed... Regards Francis Dupont <fdup...@isc.org> ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] DHCP6 subnet select fails. Basic config
Tim Howe writes: > ... > 2018-01-22 12:11:34.743 DEBUG [kea-dhcp6.packets/55758] DHCP6_RESPONSE_DATA responding with packet type 2 data is localAddr=[2607:fda0:101:1600::2]:547 remoteAddr=[2607:fda0:101:1601::1]:547 > msgtype=2(ADVERTISE), transid=0xa09dfc > > 2018-01-22 12:11:34.743 ERROR [kea-dhcp6.packets/55758] DHCP6_PACKET_SEND_FAIL failed to send DHCPv6 packet: pkt6 send failed: sendmsg() returned with an error: No route to host => 2607:fda0:101:1601::1 (the relay closest to the server) is not reachable according to the kernel which returns an error on sendmsg() system call. IMHO something is wrong in the server system configuration. BTW if the problem is the packet should be sent on an interface which is not the incoming interface the outbound-interface clause allows to use either the incoming interface (same-as-inbound) or the route table (use-routing). Thanks Francis Dupont <fdup...@isc.org> ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Client classification based on MAC vendor prefix + multi-subnet DDNS
> Tobias - writes: Forget option 81: I believed that by FQDN you meant the option 81 but in fact now I believe it is the FQDN used in DDNS. BTW you have no control on the option 81: this option or the host name one (code 12) are more from the client, and your config says to replace it. Thanks Francis Dupont <fdup...@isc.org> PS: of course when clients know their name and provide it things are simpler (:-)! ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Client classification based on MAC vendor prefix + multi-subnet DDNS
I can't see what is in the ... in subnet definitions but I am afraid there is no "interface": "br0" so no subnet can be selected from the incoming packet. I sent in this a description of the algorithm of the subnet selection. To summarize with a broadcast packet from a directly connected client without specific options the only thing which works is to match the interface. When you have a class guard in a subnet definition either the packet is in the class and this subnet is selected, or it is not and this subnet is rejected and the next (in the config file order) subnet is tried. Note this applies to subnets in a shared network, i.e. a class guard in a subnet entry is strict: pools or reservations under the subnet are only for class members (i.e. it is not the ISC DHCP behavior and class for pools (which I expect to be merged next week) will be different too). About the classes themselves I expect the branch where I added logical expressions using classes will be reviewed soon so you should no longer need to evaluate twice the substring equal expression. For the "not using the classes" I can't say because I lack infos. If you use Kea 1.3 perhaps you should try a shared network as pools and host reservations in a shared network are for the whole shared network as soon as they are not under a subnet with a class guard. Pools with class could help too but they are not yet available. Thanks Francis Dupont <fdup...@isc.org> ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Client classification based on MAC vendor prefix + multi-subnet DDNS
Tobias - writes: > First: > > I'm trying to put my virtual machines in a separate subnet. The virtual machines have the vendor prefix of 52:54:00. > > If I would do this in code, I would use AND to mask away the last three octets and then compare against 52:54:00:00:00:00 but I seem to be unable to do that. > > Since I was unable to find an example for Kea, I tried to do what people suggested for dhcpd since the expression looked similar to what is available in Kea, but it didn't work. => in theory a substring(pkt4.mac, 0, 3) does the job. BTW you can debug classification expression (admin guide, 13.9. Debugging Expressions). It should explain why it does not work in your example. > Second: > > How would I configure DDNS to have two qualifying suffixes? The two subnets have different subdomains. I've been unable to find anything that works so I'm still stuck only having DDNS for the first subnet. => Unfortunately it is not yet supported (it was recognized as an useful feature to add but no milestone was selected for this work and current one (1.4) is already fully booked). Thanks Francis Dupont <fdup...@isc.org> ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Lease time per scope / subnet
> is there a chance to manage the lease-time per subnet? => I don't understand your question as the answer is in your quote below. > In the kea-dhcp4.conf file is documented that ... > // Global timers specified here apply to all subnets unless there are > // subnet specific values defined in particular subnets => so you can specify per subnet values and if you don't the shared network values if the subnet is in a shared network which specifies values or global values or default applies. BTW if you do a config-get or a config-write you should see what values are applied per subnet. Regards Francis Dupont <fdup...@isc.org> ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] Kea implementation planning
Ben Monroe writes: > 1) Is it normal for a subnet to have a single DHCP instance or > multiples instances? => single > 2) In the case that multiple DHCP servers exist on the same subnet, > are the instances all active and load balanced? Or is only one active while > the others are inactive until some kind of failover occurs? => you can do both. > 3) If multiple DHCP servers exist on the same subnet and are all > active, what is to prevent a client from receiving multiple DHCP responses? => nothing! > 4) Is it normal to run both DNS and DHCP services on a single server? > Are there advantages to running DNS and DHCP on separate servers? => it is common but of course you get a single point of failure. > The answers to these questions will help in deciding whether I should > install Kea on the same server instances (Raspberry Pi 3) that are running > DNS (Bind), how many servers, or whether I should split them to dedicated > servers (likely also Raspberry Pi 3). => you have another choice: use a file or a database for leases and in the second case where to put the database server (same box than Kea or another box). Thanks Francis Dupont <fdup...@isc.org> ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] (no subject)
Jason Guy writes: > > => there is a documentation somewhere but I don't remember where it is... > > I am afraid it is only for one of the 2 SQL backends but it works in fact > > for both (Cassandra is another thing and this afternoon it did not support > > host reservation :-). > > I currently have mysql, but if postgres is required for this, I would > switch backends > if necessary, since I am currently planning to redeploy the services in the > network. > I will read the docs again and see what I can find. => I believed someone would add a pointer to the doc in the list... There are not enough differences between MySQL and PostgreSQL to require a switch. IMHO if you know only one you should keep it... Ah! Got it: http://kea.isc.org/wiki/HostReservationsHowTo (and it is for both! Perhaps not very up-to-date but you are not running the very last code too, in particular in production :-). > This does makes sense. I was not sure what exactly is entered in the column > for a given > host reservation. I assumed it was just a class name defined globally or > under the > subnet. For the other fields (next_server, hostname, or boot_file_name), I > would > expect to simply enter the option data expected (ipv4 address or ascii > string). => yes, there is a minimal encoding between JSON and database representation. I can look at the code if you'd like... classes: ,,... without a space after comma hostname: i.e. the string as it next_server: or NULL (same than the ip-address) dhcp4_server_hostname and dhcp4_boot_file_name: strings You have some constraints in length so I recommend to read the schema (SQL is supposed to be user friendly and you have "shells" to play with). Regards Francis Dupont <fdup...@isc.org> ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] DHCP6 subnet select fails. Basic config
Tim Howe writes: > I somehow managed to not make it part of my paste in my > previous email, but I am attempting to select the subnet based on the > interface-id (option-18). => so you have a relay. > "subnet6": [ > { > "interface-id": "3/2/1/1", > "subnet": "2607:fda0:101:1601::/64", > "pools": [ { "pool": "2607:fda0:101:1601:4::/80" } ] > > I see it in the debug log data: > link-address=::, peer-address=fe80::1e74:dff:fe4b:cd76, 1 option(s) > type=00018, len=7: 33:2f:32:2f:31:2f:31 => the link-address must not be :: cf RFC 3315 20.1.1 page 59. This is critical because it is the way Kea subnet selection recognizes direct vs relayed incoming packets (*). > However, Kea appears to be ignoring it or is failing to match > it against the string as I have written it. > > I also tried specifying the interface-id in a few different > ways such as "'3/2/1/1'", "33:2f:32:2f:31:2f:31", and "332f322f312f31", > but it fails to match on all of them. Is there some other trick to > getting that to match? => interface-id is used as an option with the content set from the string in the config so it is "3/2/1/1". If you have strange bytes in it you have to use unicode escape. Note as far as I know nobody uses something else than ASCII even it is just an opaque vector of bytes... > I am running Kea 1.2.0 still, is this by any chance a known bug > I can fix by upgrading? (been waiting for FreeBSD port to get > refreshed). => I am afraid that upgrading Kea won't help. Regards Francis Dupont <fdup...@isc.org> PS: the algorithm for Kea subnet6 selection is:
if first_relay_linkaddr is ::
    // directly connected client
    if interface name is not ""
        try subnet6 with this interface name
    if remote address is not ::
        try subnet6 with this remote address
else
    // relayed message
    try interface id
    try link address
___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
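The selection order from the PS above, as an added Python model (not Kea source code and not part of the original post). Class and field names, the `em0` interface and the `2001:db8:` values are assumptions constructed for illustration; it shows why a relay that leaves link-address at `::` keeps the `interface-id` clause from ever being tried.

```python
"""Model of the subnet6 selection order given in the PS above.

Added illustration, not Kea source code: class and field names are
assumptions, and matching is reduced to the rules stated in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Subnet6:
    prefix: str
    interface: str = ""        # "interface": link directly attached to the server
    interface_id: bytes = b""  # "interface-id": link behind a relay (option 18)

    def __post_init__(self):
        # Mirrors the parser error quoted elsewhere in this thread.
        if self.interface and self.interface_id:
            raise ValueError("interface and interface-id cannot both be set")
        self.network = ipaddress.IPv6Network(self.prefix)

    def contains(self, address: str) -> bool:
        return ipaddress.IPv6Address(address) in self.network


@dataclass
class Selector:
    iface_name: str                       # interface the packet arrived on
    remote_address: str                   # source address of the packet
    first_relay_linkaddr: str = "::"      # link-address from the relay message
    interface_id: Optional[bytes] = None  # option 18 payload, if present


def parse_logged_bytes(text: str) -> bytes:
    """Turn the debug-log rendering '33:2f:32' into raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))


def is_unspecified(address: str) -> bool:
    return ipaddress.IPv6Address(address).is_unspecified


def first_match(subnets, predicate):
    return next((s for s in subnets if predicate(s)), None)


def select_subnet6(subnets: List[Subnet6], sel: Selector) -> Optional[Subnet6]:
    if is_unspecified(sel.first_relay_linkaddr):
        # Treated as a directly connected client: option 18 is never consulted.
        found = None
        if sel.iface_name:
            found = first_match(subnets, lambda s: s.interface == sel.iface_name)
        if found is None and not is_unspecified(sel.remote_address):
            found = first_match(subnets, lambda s: s.contains(sel.remote_address))
        return found
    # Relayed message: interface-id first, then the relay link-address.
    found = None
    if sel.interface_id:
        found = first_match(subnets, lambda s: s.interface_id == sel.interface_id)
    if found is None:
        found = first_match(subnets, lambda s: s.contains(sel.first_relay_linkaddr))
    return found


SUBNETS = [
    Subnet6("2607:fda0:101:1601::/64", interface_id=b"3/2/1/1"),  # from the thread
    Subnet6("2001:db8:2::/64"),                                   # constructed
]
OPT18 = parse_logged_bytes("33:2f:32:2f:31:2f:31")  # bytes from the quoted debug log


def demo():
    """Return the prefix chosen for three constructed packets."""
    def pick(sel):
        subnet = select_subnet6(SUBNETS, sel)
        return subnet.prefix if subnet else None
    return {
        # Relay left link-address at ::, as in the quoted log: option 18 is ignored.
        "zero_linkaddr": pick(Selector("em0", "fe80::1", "::", OPT18)),
        # Non-zero link-address: interface-id is tried first and wins.
        "with_linkaddr": pick(Selector("em0", "fe80::1", "2001:db8:2::1", OPT18)),
        # No option 18: falls back to the subnet containing link-address.
        "no_option18": pick(Selector("em0", "fe80::1", "2001:db8:2::1", None)),
    }


if __name__ == "__main__":
    for case, prefix in demo().items():
        print(f"{case}: {prefix}")
```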
Re: [Kea-users] (no subject)
Jason Guy writes: > I do not see any documentation for specifying parameters this way, or what > specifically needs to be entered into the row to utilize this. Any > information or pointers on how to do this would be helpful. => there is a documentation somewhere but I don't remember where it is... I am afraid it is only for one of the 2 SQL backends but it works in fact for both (Cassandra is another thing and this afternoon it did not support host reservation :-). > I don't want to > define my host reservations in the configuration file, but I understand if > I have to define the client class before referencing it in the database. => at the exception of built-in classes when a class is not defined it does nothing and it raises a warning when option values are computed (the idea is to help when the class name was mistyped). So it is not a formal requirement to define classes but it does not make sense to not define them... Thanks Francis Dupont <fdup...@isc.org> ___ Kea-users mailing list Kea-users@lists.isc.org https://lists.isc.org/mailman/listinfo/kea-users
Re: [Kea-users] DHCP6 subnet select fails. Basic config
Tim Howe writes:
> 2018-01-11 09:04:51.971 ERROR [kea-dhcp6.dhcp6/45759] DHCP6_INIT_FAIL failed
> to initialize Kea server: configuration error using file '/usr/local/etc/kea/
> kea.conf': subnet configuration failed: parser error: interface (defined for
> locally reachable subnets) and interface-id (defined for subnets reachable vi
> a relays) cannot be defined at the same time for subnet 2607:fda0:101:1601::/
> 64(/usr/local/etc/kea/kea.conf:180:9)

=> you confused interface which says this subnet is for the link directly connected to the interface, and interface-id which says the link is behind a relay which adds this opaque interface-id RAI suboption to packets which come from clients on the link. Of course you can be in both cases at the same time. Remember I wrote after recommending the interface clause in subnet that I assume there is no relay.

> Now I'm back to needing different subnets for each subscriber
> again whereas they can share the same vlan with v4.

=> no, a vlan should map to a subnet (link in IPv6 terms).

Thanks

Francis Dupont <fdup...@isc.org>

PS: the interfaces-config global clause specifies interfaces Kea is listening on. In ISC DHCP it is a command line parameter.
Re: [Kea-users] classless in-addr.arpa
ddns-rev-domainname is marked as not translatable in the migration assistant... In the Kea code (d2_cfg_mgr.*) the constant has a @todo saying it should be configurable so you should ask for this. Now we have a lot of things to do for the current release and limited man-power...

Regards

Francis Dupont <fdup...@isc.org>

PS: D2CfgMgr::IPV4_REV_ZONE_SUFFIX global scope constant
Re: [Kea-users] DHCP6 subnet select fails. Basic config
Tim Howe writes:
> "subnet6": [
>   {
>     "subnet": "2607:fda0:101:1601::/64",
>     "pools": [ { "pool": "2607:fda0:101:1601:4::/80" } ]
>   }
> ]

=> add an interface clause in your subnet6 (I assume clients are directly connected as you didn't mention relays). Without it no subnet is selected or with other words the server has no idea about where is the client...

Regards

Francis Dupont <fdup...@isc.org>

PS: a /80 pool is not a problem.
Re: [Kea-users] allow only the IP specified by circuit-id?
Tim Howe writes:
> I got that IP the first time. When I plugged in another
> device, it seems to assign a new IP out of the general pool. I assumed
> it was because the lease was still valid. I thought I might have to
> set the lease time very low(?) Or is there some way to say "No, ONLY
> assign this IP given this circuit ID"?

=> you can try to set match-client-id to false but if the hardware address is different IMHO only your first idea will work: to get back the same lease the lease must have expired...

Thanks

Francis Dupont <fdup...@isc.org>
Re: [Kea-users] allow only the IP specified by circuit-id?
Tim Howe writes:
> I thought I had assignment based on circuit-id working, but then I
> plugged another device into the circuit and instead of getting the same
> IP address, it got a new one out of the pool...

=> it is a different device so to assign a different IP address is the expected behavior.

> How do I make Kea only ever hand out that IP for the
> circuit-id? Something with lease expiration maybe?

=> the simplest is to make a host reservation using the circuit-id as the identifier and specifying what IP address is (statically) assigned.

Thanks

Francis Dupont <fdup...@isc.org>
Re: [Kea-users] circuit-id?
Tim Howe writes:
> Trying to get started with KEA.
>
> I have configured a gPON connection on my test bench to use option-82
> and send a circuit-id in a format that should look like "3/2/1/800"
> which will be something like slot/port/ont-port/vlan.
>
> When I try to configure a reservation like the following:
>
> {
>    "circuit-id": "3/2/1/800",
>    "ip-address": "10.2.171.29"
> }
>
> Kea tells me: invalid host identifier value '3/2/1/800'.

=> the circuit-id must be either a quoted-string or in hexadecimal.

> I tried entering it into the config like so: "'3/2/1/800'", and
> when I do that (put single quotes in), it doesn't complain about the
> config, but it also doesn't work.

=> this is a quoted-string so accepted by the parser.

> Also, probably unrelated but it confuses me, the log file says
> this about the circuit-id:
>
> 2018-01-05 14:36:59.034 DEBUG [kea-dhcp4.hosts/90659] HOSTS_CFG_GET_ONE_SUBNE
> T_ID_IDENTIFIER get one host with IPv4 reservation for subnet id 1, identifie
> d by circuit-id=332F322F312F

=> 332F322F312F is 3/2/1/ i.e. there is not the trailing vlan 800.

> What do I not understand?

=> IMHO there is not in packets what you expected. I recommend to check the real content with another tool (tcpdump, wireshark, tshark, etc) which can display packets from the wire. If the problem on the relay side can't be fixed '3/2/1/' should match.

Thanks

Francis Dupont <fdup...@isc.org>
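The comparison made in the reply above, as an added Python example (not part of the original post and not Kea code): it turns a reservation identifier into bytes under the two accepted spellings, quoted-string or hexadecimal, and checks it against the identifier printed in the HOSTS_CFG_GET_ONE_SUBNET_ID_IDENTIFIER log line. Accepting hexadecimal with or without colons is an assumption of this sketch, and `LOG_LINE` is the message quoted above with the mail line wraps removed.

```python
"""Compare a configured circuit-id reservation with the identifier Kea logged."""
import re
import string

# The log message quoted in the post, re-joined onto one line (constructed).
LOG_LINE = ("2018-01-05 14:36:59.034 DEBUG [kea-dhcp4.hosts/90659] "
            "HOSTS_CFG_GET_ONE_SUBNET_ID_IDENTIFIER get one host with IPv4 "
            "reservation for subnet id 1, identified by circuit-id=332F322F312F")


def identifier_bytes(value: str) -> bytes:
    """Bytes denoted by a reservation identifier string.

    'text' in single quotes is taken literally; anything else must be
    hexadecimal (colons between bytes are tolerated, an assumption here).
    """
    if len(value) >= 2 and value[0] == "'" and value[-1] == "'":
        return value[1:-1].encode("ascii")
    digits = value.replace(":", "")
    if (not digits or len(digits) % 2
            or any(c not in string.hexdigits for c in digits)):
        raise ValueError(f"invalid host identifier value '{value}'")
    return bytes.fromhex(digits)


def logged_identifier(line: str, id_type: str = "circuit-id") -> bytes:
    """Extract the hex identifier that follows '<id_type>=' in a log line."""
    m = re.search(re.escape(id_type) + r"=([0-9A-Fa-f]+)", line)
    if m is None:
        raise ValueError(f"no {id_type} in log line")
    return bytes.fromhex(m.group(1))


def compare(configured: str, line: str) -> str:
    """Classify how the configured identifier relates to the logged one."""
    want = identifier_bytes(configured)
    seen = logged_identifier(line)
    if want == seen:
        return "match"
    if want.startswith(seen):
        return "logged value is a prefix of the reservation"
    return "mismatch"


if __name__ == "__main__":
    for candidate in ("'3/2/1/800'", "'3/2/1/'", "33:2f:32:2f:31:2f"):
        print(candidate, "->", compare(candidate, LOG_LINE))
    try:
        identifier_bytes("3/2/1/800")       # unquoted text is not hexadecimal
    except ValueError as exc:
        print(exc)
```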
Re: [Kea-users] VIVSO and use with client classification
Jason Guy writes:
> I am not entirely sure why the ONIE documentation shows the IANA and ONIE
> suboptions,

=> the IANA block is a round around for an ISC DHCP bug and is fully useless for Kea.

> but this is a "real-world" use-case

=> so in fact this is not...

> although I don't know if they are in the same packet.

=> they are (DHCPv6 but not DHCPv4 uses multiple options, one per vendor, and as it is used by DHCPv4-over-DHCPv6 it is correctly handled by the code (but not by configs because they are a bit too specialized for cable labs :-)).

> When you say that "full support of multiple
> vendors", do you mean in the same packet, or in the config?

=> same packet again. When you receive a VIVSO only the first vendor block is unpacked. If you try to send one (by config or using current code) only the first vendor block is handled.

> I suppose this is easy enough to do in a hook though.

=> not so easy because the OptionVendor class was not designed to handle multiple vendors.

> I suppose that makes sense since the substring matching is done in hex.
> Since the client classification I am working with, needs to return a VIVSO
> option
> with additional suboptions populated by the classifier, then defining the
> schema in an option-def is necessary, right?

=> it is not necessary: an unknown (sub)option is considered as being binary and can be specified only by its code. Not very convenient but still working.

> > => almost this but hex uses hexadecimal so you have to translate "powerpc"
> > in 0x706f7765727063
>
> I read in the docs that a substring match with the .hex is compared as
> ASCII to the right operand.

=> you are right.

> I figured there would be an ordering feature... For now it is good to know
> the classes are ordered lexicographically.

=> the ticket fixing this is in the review queue.

> > "option-data": [
> > >{
> > >"code": 125,
> > >"csv-format": true,
> > >"data": "42623,0",
> >
> > => I don't believe this data works (at least it didn't when I created
> > a ticket to fix it some years ago :-).

=> according to what I read from the code the ",0" is simply ignored.

> This raises an interesting question in general. If I wanted to use vendor
> options from multiple vendor enterprise-ids (not in the same packet), this
> may not work?

=> with the "not in the same packet" it should be possible to find a way to have different option-data entries and to control which one will be used.

> Would this be the proper syntax to define/support multiple VIVSO options?

=> there is none for the same option-data. For different option-data entries it is like other options.

> > >{
> > >"code": 0,
> >
> > => if it does not bug it should!
> >
>
> Hmm...the configuration was accepted. I can look in the logs, hopefully it
> was gracefully handled and ignored.

=> I have to see how code 0 is handled. It is forbidden in most of spaces but not in VIVSO suboptions according to the standard.

Thanks

Francis Dupont <fdup...@isc.org>
Re: [Kea-users] Client classification substring match
Jason Guy writes:
> I can imagine, regex can get complicated. I have been tempted to write some
> hooks,
> but I have not touched C in a long time. I am sure I can do it, but wanted
> to understand
> and use all of the available "built-in" functionality first. :)
> Is there a sample "hello world" hook to start from? ;)

=> src/hooks/dhcp/user_chk (which was designed in this purpose) and src/hooks/dhcp/lease_cmds (more about lease management).

Thanks

Francis Dupont <fdup...@isc.org>
Re: [Kea-users] execute scripts and kea
"Philippe Maechler" writes:
> We're currently using the ISC-DHCPD in our cable and ftth network. All
> the devices need a dedicated configuration file, which we generate either
> statically or dynamically with the execute statement.

=> note Kea allows dynamic configuration changes and structures handling the current configuration are accessible from hooks which run in the Kea process address space.

> Unfortunately when an access systems breaks, we have several hundred
> requests at the same time and the script, which generates the
> config-files
> takes a rather long time (~1-2 secs per cpe). During this time the whole
> dhcpd isn't handling out other leases

=> moving from scripts to C++ should solve this.

> Does kea have something like the execute statement?

=> no but it has an integrated extension mechanism with hooks.

> There is already a hook, which lets you run your own script (see New Kea
> hook to call external scripts: kea-hook-runscript)

=> it is more for scripts with an "external" action as adding a route.

> Tomek Mrugalski wrote: One thing you should consider in the future is
> that if the script takes a long time to execute, it will freeze whole
> Kea execution.

=> yes, hooks are synchronous (DHCP service is essentially sequential because of resource assignment (*)).

> I hoped that KEA would be different and that the freeze would only
> affect the current client/mac address or the current transaction id

=> you hoped DHCP would be different... (:-)

> Is there a way around this limitation?

=> an easy one: run a server per shared network (or subnetwork if you have no shared networks). Note this allows too to reuse the same (private) address space too.

Thanks

Francis Dupont <fdup...@isc.org>
Re: [Kea-users] VIVSO and use with client classification
Jason Guy writes:
> Hi. We are using Kea in our lab and I am trying to figure out how to use
> complex client classification with custom options. This pertains to booting
> open networking switches from the network using ONIE (references config
> options using VIVSO

=> VIVSO uses "vendor options". The only thing missing in Kea is the full support of multiple vendors (BTW real world cases with multiple vendors in the same packet are very uncommon).

> *Questions on VIVSO with client classification:*
> I was not entirely sure about this, but I assumed I have to first create
> the option definition for the nested option structure of the VIVSO, before
> a client class can parse it.

=> not for parsing them: unknown options are just considered as binary so it is less a problem than to set them where a human friendly format is a big improvement.

> Regarding the use of VIVSO suboptions in client classification

=> you have the same tools (and limits) than for options.

> but I think it is like this:
>
> substring(vendor[42623].option[4].hex) == "powerpc"

=> almost this but hex uses hexadecimal so you have to translate "powerpc" in 0x706f7765727063

> I assume the *vendor[42623]* is essentially "option[125].suboption[42623]".
> Then the final "*.option[4].hex*" will reference the suboption value?

=> yes (cf TokenVendor::evaluate code)

> Since the vivso options and sub-option codes are defined, can the option
> name be used in the brackets instead of the option code number?

=> the parser uses enterprise_id (integer or *) and option_code rules. The second (option_code) accepts an integer (and checks it is in the right range) or a name. Unfortunately it tries to resolve the name into a code only in the dhcp4 or dhcp6 spaces. So it does not work even the information is available and an intermediate action in the bison rule in theory should be able to do that.

> Finally, I wanted to create multiple classifiers to build some logic
> deciding what option values to send back to the client.
> Does the classification code process all classifications before returning
> the final answer? Or does it match in a specific order and return on first
> successful match?

=> all classifications: each matching class is added to the packet. Note if currently classes are matched following the lexicographic order of their names this will be fixed to follow the definition order (there are other improvements to come).

> For example, if a client sent the onie.arch = powerpc, and the onie.machine
> = dell_switch, would the first class here return the installer_url option,
> or will it fall through to the second class which is more specific?

=> both are added in the packet but when both add the same option the first one wins (an option is added only when it is not present, and of course if it was requested (in the PRL / ORO) or marked as always-send). Now I believe you understand my statement about classification order...

> "option-data": [
>    {
>    "code": 125,
>    "csv-format": true,
>    "data": "42623,0",

=> I don't believe this data works (at least it didn't when I created a ticket to fix it some years ago :-).

>    "name": "vivso-suboptions"
>    "space": 'dhcp4"
>    }
> ],
> "option-def": [
>    {
>    "code": 1,
>    "name": "installer_url",
>    "space": "onie",

=> the space must be "vendor-42623" (and please open a ticket because the doc fails to give this information (search vendor-4491 string to find it) at the place users should look at).

>    "type": "string"
>    },
>  {
>    "code": 42623,

=> it will bug. In fact you don't need this definition.

>    "encapsulate": "onie",
>    "name": "vivso-onie",
>    "space": "dhcp4",
>    "type": "empty"
>    },
>    {
>    "code": 0,

=> if it does not bug it should!

>    "name": "vivso-iana",
>    "space": "dhcp4",
>    "type": "string"
>    }

Thanks

Francis Dupont <fdup...@isc.org>
Re: [Kea-users] Client classification substring match
Jason Guy writes:
> I have a question on substring matching with the vendor class identifier,
> which seems easy enough, but the strings *can* have a variable length. This
> is also a problem for isc-dhcp apparently, in that you must indicate the
> range of the substring match.

=> BTW Kea substring is a super set of ISC DHCP one, for instance it can run from the end of string.

> I don't see in the docs any way to do a regex (which would be excellent).

=> after a nasty bug in bind9 with a regex library which matches some particular samples in nearly unbound time I am not so sure. BTW you can still write a hook: classification is for usual / easy cases.

> However in the current function *substring( option, start, end )*, why
> specify the end index?

=> it is not an end index but the length (which can be negative as the start or be "all"). Is there a documentation saying "end"?

> Thoughts?

=> I am afraid you did read the right documentation...

Thanks

Francis Dupont <fdup...@isc.org>
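A Python model of the substring(value, start, length) semantics discussed in this message and in the VIVSO thread above, where the third argument is a length that may be negative or "all". This is an added example, not Kea code and not part of the original posts; the handling of out-of-range and negative arguments follows the Kea administrator guide's description of substring, and the sample option values are constructed.

```python
"""Model of Kea's substring(value, start, length) classification operator."""
from typing import Union


def kea_substring(value: bytes, start: int, length: Union[int, str]) -> bytes:
    """Return the bytes selected by (start, length).

    start:  0 is the first byte, -1 the last; outside the value gives b"".
    length: number of bytes; a negative length counts towards the beginning
            and excludes the byte at start; "all" runs to the end.
    """
    n = len(value)
    if start < -n or start >= n:
        return b""
    if start < 0:
        start += n
    if length == "all":
        return value[start:]
    if length < 0:
        length = -length
        if length <= start:
            start -= length
        else:                       # not enough bytes before start: clamp
            length = start
            start = 0
    return value[start:start + length]


def has_prefix(value: bytes, literal: bytes) -> bool:
    """substring(value, 0, len(literal)) == literal"""
    return kea_substring(value, 0, len(literal)) == literal


def has_suffix(value: bytes, literal: bytes) -> bool:
    """substring(value, -len(literal), all) == literal, for variable-length values"""
    return kea_substring(value, -len(literal), "all") == literal


# The hexadecimal form quoted in the thread is the ASCII string "powerpc".
POWERPC = bytes.fromhex("706f7765727063")

# Constructed suboption values of different lengths.
SAMPLES = [b"powerpc", b"powerpc-dell_switch-r0", b"x86_64-dell_switch-r0", b"ppc"]


def classify(samples):
    """(prefix match on "powerpc", suffix match on "-r0") for each sample."""
    return [(has_prefix(s, POWERPC), has_suffix(s, b"-r0")) for s in samples]


if __name__ == "__main__":
    for sample, result in zip(SAMPLES, classify(SAMPLES)):
        print(sample, result)
```

A value shorter than the literal, such as the last sample, simply fails both comparisons: the prefix test returns the whole short value and the suffix test returns the empty string because the start lies outside the value.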
Re: [Kea-users] log the dhcp options the client requests
Munroe Sollog writes:
> I have this in our old dhcpd config file and I'd like to replicate
> something like this in kea. Any idea how to do such a thing?

=> not yet (cf #5271: as it is a low priority MA ticket this means it was noted as something we can do in Kea if we need ideas). Of course you can log the request details (but not only PRL / ORO) or write a hook doing this (it is possible the log statement will be implemented as a hook). Note you can post a feature request (or write the hook code and make a pull request for it on github).

Regards

Francis Dupont <fdup...@isc.org>

PS: I have in the review queue a ticket which adds (as a side effect) a contrib directory in configure.ac so next year IMHO we'll be able to resume the idea to provide a contrib sub module / distribution.
Re: [Kea-users] bind kea to non-local IP
Munroe Sollog writes:
> Actually Bind9 supports 'rescanning' for new IPs to listen on and HAProxy
> supports listening to non-local IPs.

=> rescan allows to add or remove addresses to interfaces, not virtual addresses. The DNS uses anycast addresses which is another way to provide a service at a "fixed" address by multiple servers. Of course it works better with an essentially "state less" protocol as DNS, and not with DHCP at the exception of INFORM...

> The real problem we experience is that there are many poorly implemented
> dhcp clients. When it comes time to renew its IP address, it contacts its
> last DHCP server and if that server doesn't respond, it gives up.

=> it is a clear (but common) violation of the protocol both at the letter and in the spirit. Perhaps it is the reason DHCPv6 requires the use of multicast?

Thanks

Francis Dupont <fdup...@isc.org>
Re: [Kea-users] bind kea to non-local IP
My concern is simple: it is not in the standard and it defeats the common code which scans interfaces to get all the addresses a network server may individually bind to. Now to be frank IMHO a feature which allows to bind to any address is basically a bit dangerous...

Now if you still think that UCARP is a good way to provide redundant DHCP service I propose to mark these addresses as virtual and of course we'll need the way to allow them on all supported (and unsupported when the feature exists) systems (BTW what is it for macOS? Officially UCARP is supported on it). Same for VRRP.

Thanks

Francis Dupont <fdup...@isc.org>
Re: [Kea-users] bind kea to non-local IP
Kea is like 99.99% of network servers I know: it binds only to local addresses as required by the standard socket API.

Regards

Francis Dupont <fdup...@isc.org>

PS: I am sure you'll get the same problem with bind9 for instance.
Re: [Kea-users] Kea LFC not executed anymore after some time (Kea 1.2.0) + other timers
I have to verify in the code but it seems to be the result of a lost signal... BTW there is a known race in signal handling with at least a ticket (#4068), if we are lucky it could be enough to address it.

Regards

Francis Dupont <fdup...@isc.org>

PS: strace (Linux), ktrace (BSD), dtrace (Solaris), etc, allow to get all system calls and signals but I am afraid it leads to huge files.
Re: [Kea-users] Equivalent to ISC dhcpd "not authoritative"?
Owen Dunn writes:
> It would be really useful for kea to have an equivalent to ISC dhcpd's
> "not authoritative" but I can't find one from digging around in the source
> code.

=> there is not (and BTW it is the subject of the #5184).

> It would really help migration to kea in environments where you already
> have DHCP servers giving out static leases and don't want to risk kea
> sending something a NAK.

=> this can be simulated by a hook which takes a list of not authoritative subnet IDs, put the query in a special class and reset the subnet at the subnet4_select point, and drop the NAK at pkt4_send. If there is enough interest we can develop a premium hook code.

Regards

Francis Dupont <fdup...@isc.org>
Re: [Kea-users] Does anybody use Debian stretch as OS?
Can you fill an entry in "Install Kea from sources" in the wiki (http://kea.isc.org/wiki/Install)?

Thanks

Francis Dupont <fdup...@isc.org>

PS: we should keep these more up to date (:-)...
Re: [Kea-users] limiting how many leases someone can get
John Ratliff writes:
> I would like to replace ISC DHCP with kea. Currently, we're using
> classes to put a lease limit of 1 on each household. The class is
> created based on remote-id or circuit-id (option 82 information).
>
> Is it possible to do something similar with kea? I see that you can do a
> lease reservation based on circuit-id, but I didn't see anything about
> lease restrictions. It seems like the limits are based on MAC alone.

=> it is not supported by Kea and IMHO it will be hard to do without a significant amount of new code (which BTW you can add with a hook).

Regards

Francis Dupont <fdup...@isc.org>

PS: I created a new ticket #5433 and added a reference to it in the migration assistant (which of course translates it into a comment so it does not help you).
Re: [Kea-users] lease time
reservations don't allow this (not in the syntax). In fact as the syntax (src/bin/dhcp4/dhcp4_parser.yy and the same for 4 -> 6) shows it is a global or subnet property.

Perhaps there is a hack using a shared network and a fake subnet (reservations don't need to match the subnet they are defined :-) it is possible but IMHO it is simpler to ask a new feature making timers settable per client classes.

Regards

Francis Dupont <fdup...@isc.org>

PS: I have a good idea you'd like to do this but it will be even better if you can describe a real world example.
Re: [Kea-users] ignore the broadcast flag in a discover and response with unicast
It requires to write code but it does not strictly require C++ code even it this case it will be simpler than to master interfaces between C++ and "external" languages as Python, OCaml, Lua or V8 cf. the fdxhook branch available on github where I describe such experiment.

Regards

Francis Dupont <fdup...@isc.org>
Re: [Kea-users] one interface, multiple subnets
I am afraid we have not yet a lot of feedback on shared networks (and 1.3 release is not yet out even it should be very very soon).

Thanks

Francis Dupont <fdup...@isc.org>

PS: I'll be able to say more about the ISC DHCP to Kea Migration Assistant but I didn't yet update the shared network translation code (it handles only the trivial case where there is only one subnet in a shared network)... and it is still a prototype.
Re: [Kea-users] DDNS update for win10 clients
Thomas Markwalder writes:
> However this will override the flags for all clients.

=> note there is a ticket about making dhcp-ddns setting local from a similar feature in ISC DHCP (e.g. in a client class matching MSFT vendor class).

Regards

Francis Dupont <fdup...@isc.org>

PS: I apologize for the reuse of the thread for something clearly for kea-dev
Re: [Kea-users] DDNS update for win10 clients
Dominik Epple writes:
> 2. kea-ddns.log
>
> 2017-10-21 21:49:35.374 INFO [kea-dhcp-ddns.d2-to-dns/29350]
> DHCP_DDNS_ADD_SUCCEEDED DHCP_DDNS Request ID
> 0001015DEBCEB134F279474D91EFAC78C1B7BD25006A8C3BC36295F2AC60DA6258A9F0:
> successfully added the DNS mapping addition for this request:

=> here you have the details of the Name Change Request

> Type: 0
> (CHG_ADD)
> Forward Change: no
> Reverse Change: yes
> FQDN: [APFEL.lan.]
> IP Address: [192.168.1.104]
> DHCID:
> [0001015DEBCEB134F279474D91EFAC78C1B7BD25006A8C3BC36295F2AC60DA6258A9F0]
> Lease Expires On: 20171021204935
> Lease Length: 3600

=> so the forward_change boolean field is false. I don't believe it comes from the config, IMHO it is from Windows 10 requests. It should be fine to have the dump of working (Linux or Android) and not working (Windows 10) requests to understand what is different so perhaps wrong.

Thanks

Francis Dupont <fdup...@isc.org>
Re: [Kea-users] Subdividing a subnet based on class
"Sutherland, Rob" writes:
> Given that a subnet can be split into separate pools of IP addresses, can
> leases be allocated from a particular pool based on a client class?

=> you have to create two client classes (one with the expression, the other with its negation) and split the subnet into two subnets with their own pools and a match for one of the classes. Note the user/admin guide has a section about this with the same kind of problem to solve.

Thanks

Francis Dupont <fdup...@isc.org>

PS: there is not yet a magic way to combine client classes even I think about it (it will make ISC DHCP allow/deny easier to translate)...
Re: [Kea-users] Kea vivso-suboption
Joern Wallstabe writes:
> sorry, first mail did not contain any text.. here it comes:
>
> I am trying to fill option 125 using the provided example in kea.conf (see
> conf snippet below).
> But dhcp offer only shows enterprise-number in option 125 and no suboptions.
> I have tried version 1.2 and the latest 1.3 beta.
>
> Has anybody a hint, how to solve this problem ?
>
> Thank you in advance, Joern
>
>
> "subnet4": [
>   {
>   ...
>   "option-data": [
>     {
>       "name": "routers",
>       "data": "192.0.2.1"
>     },
>     { "name": "vivso-suboptions",
>       "data": "4491"
>     },
>     { "name": "tftp-servers",
>       "space": "vendor-4491",
>       "data": "192.168.1.1"
>     },
>     {
>       "name": "vendor-encapsulated-options",
>       "csv-format": false
>     }
>   ]
>

=> vendor-encapsulated-options space is (in fact now was in 1.3) the space for the option 43. Option 125 is managed with the vendor-4491 space. Look at 8.3.4 in the devel user/admin guide (but if you use the old option 43 please note that 1.3 improves a lot the way it is done).

Regards

Francis Dupont <fdup...@isc.org>
Re: [Kea-users] lease4_select - hook
itay cohen writes:
> on hook lease4_select can i know if a lease came from dynamic pool or
> reservation ?

=> IMHO there is no direct way, i.e. the lease is passed and you have access to everything so you can check using for instance the assigned address with the subnet ID and the host manager.

Thanks

Francis Dupont <fdup...@isc.org>
Re: [Kea-users] one interface, multiple subnets
Marco Broglia writes:
> We (a university) are using the old ISC DHCP server (v4.2.4) and we'd like
> to adopt the new Kea DHCP Server.
>
> We setup a Kea Dhcp server with a given ip (ex 10.1.1.1). We have to
> configure/xfer about 200 subnets 10.x.y.0/24 with out-of-pool reservations
> and (possibly) dynamic dns update. No dynamic pools.
>
> I read in the reference ("8.6. How the DHCPv4 Server Selects a Subnet for
> the Client")
>
> "the server will only process messages received through this interface
> from a directly connected client if there is a subnet configured to which
> this IPv4 address belongs".

=> I can't find the statement you cite. BTW it does not really matter as the real text does not bring immediate answer to your question.

> How can we configure a multi subnet environment ? Every subnet has its own
> id and router (gateway) and other options. Eg id 10230, subnet 10.2.3.0/24,
> routers 10.2.3.1.

=> you need a way to put a discover in the right subnet. If you are lucky this way can go into a client class expression. Note for a discover you don't have the address so the subnet does not trivially match as for a renewal request. Another point: the subnet should be tried so it should have an interface.

> First tests shown that all the dhcp requests from client in that subnet are
> ignored because there is no interface on that subnet on the server.

=> see "another point".

> we can't define all the hosts in the same /8 subnet.

=> in fact not only you can but it is likely the easiest. But if you can wait for the next release (end of this month) it has a shared-network feature which allows to group host reservations so not to have to spread option-data's to host reservations, and not to use client classes as all pools are empty, i.e.:

"shared-networks": [
    {
        "name": "foo",
        "interface": "bar",
        "subnet4": [
            {
                "id": 1002,
                "subnet": "10.1.2.0/24",
                "option-data": [ { ...
                } ],
                "pools": [ ],
                "reservations": [
                    {
                        "hw-address": "1a:1b:1c:1d:1e:1f",
                        "ip-address": "10.1.2.1"
                    },
                    ...

Look at the devel version of the user/admin's guide section 8.4.3.

Regards

Francis Dupont <fdup...@isc.org>