There is a long history of specs for stable IPv6 addresses using some
kind of hash (the idea is more interesting for IPv6 because its large
address space even for a link ensures a negligible collision rate).
Regards
Francis Dupont
PS: the random allocator is really random so responds to
tion of the ARM
(Run Script Support for External Hook Scripts) which in fact just
exposes parameters which can be read from some callout points.
Regards
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more i
g for a python interpreter
which must exist in your path.
Regards
Francis Dupont
PS: "shebang" is the nickname for the #! magic construct.
a "client-classes" clause) the client class
(note for a pool guard even if you use a global reservation you do
not need to enable the early-global-reservations-lookup).
Regards
Francis Dupont
PS: the reservation alternative can be extended to drop not matching
MAC address clien
There is no direct translation of ISC DHCP group to Kea. In your case
IMHO the simplest is to put common setting in a client class and to
add this client class to each host reservation entry...
Regards
Francis Dupont
notation.
(Gitlab #3074)
Regards.
Francis Dupont
--
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
Kea-users mailing list
Regards
Francis Dupont
PS: will be on https://cloudsmith.io/~isc/repos/
authors...
Regards
Francis Dupont
I was wrong about the DHCPNAK: it can be sent only with a DHCPREQUEST,
when a DHCPDISCOVER fails to offer an address it is simply dropped and
no response is sent.
Regards
Francis Dupont
epending if the server is authoritative on the subnet.
- the most current way to fail is to have the subnet selection to return
nothing so I highly recommend to add an "interface": "ix0.301" to
the subnet 3 configuration.
Regards
Francis Dupont
With a few exceptions it is possible to add at most one option / sub-option
with a given code-point.
Regards
Francis Dupont
e you can find it in DHCPv6 messages, the problem
is usually there are many ways which are not guaranteed to return a value
or the same value.
See 'MAC/Hardware Addresses in DHCPv6' section in the ARM...
Regards
Francis Dupont
support it as it provides an easy way to get a stable DUID without storage.
Regards
Francis Dupont
PS: 'dhclient -D LL' for the ISC DHCP client.
It is not directly supported but you can use a (pre)processor to build
the config file (or a part of it). There are many tools to do this from
m4 (old Unix way) to script languages supporting the JSON syntax.
Regards
Francis Dupont
.
Thanks
Francis Dupont
Kea does not support names in URL for many reasons explained in tickets
asking for this. Note that IPv6 addresses in URL follow a specific not
so trivial syntax and I can't find an example in the doc... Creating
a ticket for this.
Thanks
Francis Dupont
PS: https://gitlab.isc.org/isc-pro
First Kea has a pretty loose notion of what is a string i.e. it is more
a C++ string than a C one. Second if you really want to set an option value
without any check (other than not empty) you have the flex-option hook.
Regards
Francis Dupont
BTW the only supported case of multiple storage is the host cache as the
first host backend followed by the RADIUS fake host backend.
Merry Christmas
Francis Dupont
PS: the host cache was designed for caching values returned by an external
host backend as RADIUS (which is currently the only
In fact I think that Kea provides a solution to your problem: I am
discussing with Darren who should come back to you. The ISC DHCP config
will help (and we have a tool to translate it to Kea...).
Merry Christmas
Francis Dupont
.
Regards
Francis Dupont
Can you provide more details: system, OpenSSL version and logs at the debug
level?
Regards
Francis Dupont
ow there was no demand (so no plan) to provide a LDAP
backend to Kea.
Regards
Francis Dupont
PS: LDAP for ISC DHCP seems to provide configuration and host reservations.
Both are pretty different between ISC DHCP and Kea so there is no obvious
migration way.
e? Thanks in advance! Best regards
=> option 158 DHO_V4_PCP_SERVER is not supported by Kea (it is commented
in src/lib/dhcp/dhcp4.h) so it is considered as a binary option.
Regards
Francis Dupont
gh a process list?
=> as config-get returns the runtime status it should be exactly what you
are looking for. The number of threads is in the thread-pool-size entry.
IMHO easier than parsing debug logs to get the last loaded config.
Thanks
Francis Dupont
Use the REST API "status-get" which should give MT setup details.
Regards
Francis Dupont
You can't define a client class more than once. If you want to combine
classes I recommend the member clause...
Regards
Francis Dupont
In your particular case I recommend to use the flex-option hook which
works on all options including options managed internally by Kea.
Thanks
Francis Dupont
lative paths start from it.
Regards
Francis Dupont
You can't specify the option 51 dhcp-lease-time because it is directly
managed by Kea. BTW if you were allowed to change it (which still can be
done by the flex-option hook) it would not change the valid lifetime in
the lease database so would be very far from what you wanted...
Regards
Fr
he lease-checks parameter was not set leases should have remained.
Thanks
Francis Dupont
L (vs LLT) DUID i.e. to encapsulate the mac address into the DUID
without (again vs LLT) adding a timestamp.
I know that the ISC DHCP client can do this as I added this command line
option many years ago in it...
Thanks
Francis Dupont
replace on the wire the DUID by a fixed value...
Thanks
Francis Dupont
PS: DHCPv4 clients have two identifiers: the client-id option and
the mac address. If the client-id option has the precedence this can
be disabled at the subnet level or higher. There is a RFC too explaining
how to deal with
suggest to use an active load-balancer i.e. a box between clients and
servers which splits and monitors exchanges: not only it should solve the
problem but it will avoid extra traffic. In other words you are outside
what the Kea load-balancing can support...
Thanks
Francis Dupont
The official (*) answer about ISC DHCP subclass mechanism is to use flex_id
and host reservations if you want to keep the chain of compare vs table
lookup speedup.
Regards
Francis Dupont
PS (*): this means that to port this ISC DHCP feature to Kea is not planned.
hon programs are easy to write). I do not know
for a "plain" language as rust or go: I am afraid you lost all benefits
from using them, i.e. C++ seems to be the only real candidate.
Thanks
Francis Dupont
> Is there maybe any advice what options should be changed or modified?
=> if it can't be configured it still can be overwritten using the
flex_option hook (I wonder if it is not the most changed option in
DHCPv4? :-) so the response will have the value you want instead of
the value deduced from
Francis Dupont
> sorry, guys, but i'm going to ask the most popular question again, to which
> there is still no working answer: how to set multiple subnets on a same
> interface so that a client receives an address from each network?
=> if I understand well you have a
) a client releasing a lease and
shortly after try to get one again should get the same IP address.
Thanks
Francis Dupont
onse according to the evaluation of an expression. BTW as it seems
to be something that some wants we are considering on a more direct
way i.e. to add a never-send as a mirror of the always-send flag.
Thanks
Francis Dupont
Veronique Lefebure writes:
> I wanted to ask if anyone would have an example of such an external library,
> for adding role-based access control to the Control Agent ?
=> it was added in 2.1.6 as a premium library.
Thanks
Francis Dupont
to behave ?
=> put reservations with an address in a subnet the address belongs to.
Note you can still use global reservations for other things as KNOWN /
UNKNOWN classification, option setting, etc. With last versions of KEA
you have also optional early global reservation lookup too.
oduces
an intermediate include file which includes these multiple files.
Thanks
Francis Dupont
u want:
when it is set to true (which is not the default) the client identifier
in the query message is replaced by the flex-id value so the lease and
the host reservation are identified by the same value. The initial client
identifier is put in the response so this is not visible by the client.
R
ISC DHCP.
Note you can use keama to automatize this...
Regards
Francis Dupont
PS: it is a bit more hairy when you use records: as in Kea the array flag
is for the option there is an ambiguity between an array of records and
a record where the last field is an array so not all ISC DHCP option
def
'-')
has no meaning at all. In all programming languages including the shell
(so a command line) it can get a meaning so be misinterpreted.
Regards
Francis Dupont
member of the
shared network or use a group to factor them. In general the ISC DHCP
configuration is far less structured than the Kea one...
Regards
Francis Dupont
re not exclusive but topologies with both are uncommon.
Please note the localization process is the same for ISC DHCP and Kea:
it follows the standard so selectors are used in the same order,
and in both when shared networks are used the "selected subnet" is
in fact the selected shared
on of Kea you can try the early global
reservation lookup. Or simply write a hook which puts queries from
unknown clients in the DROP class.
Regards
Francis Dupont
ter to false. See the example in the
9.3.11 "Multiple Reservations for the Same IP" section in the ARM.
Thanks
Francis Dupont
ds in files as it was done
for the basic HTTP authentication. IMHO (but I am not neutral) this is
good trade-off between security (which can't be done at 100%) and
usability (e.g. people understand well file access rights).
Regards
Francis Dupont
"data": "0x6774"
> },
=> note if it is allowed to specify more than once an option data of course
only one will be applied.
> The Relay -Reply that I got shows only one vendor (Cisco ) even though
> option-data has Cisco and xyz()
=> yes and i
e gateway.
>
> I can't use ddns-send-updates set to false in a reservation. It only works
> in a subnet declaration or at global scope.
>
> What am I missing?
=> I suggest to try a shared network with two subnets covering the same
range but with different textual repr
ar for "new" crypto
if the OpenSSL library version is old
- dump the handshake messages on the wire: they are in clear text
Regards
Francis Dupont
> Is there a way to add lots of MAC addresses to a DROP class config...
=> not yet but the next version should provide an easy and fast way
to do this!
Regards
Francis Dupont
funny when the resolution
returns more than one address
I do not know if there is already a KB article about this (if not we
should write one as you are far from being the first to ask) or if Stork
provides this feature (it is interactive so these problems can be handled).
Regards
Francis Dupont
Munroe Sollog writes:
> Is it possible to configure the forensic logging hook to output to syslog?
=> no, forensic/legal logs are sent to a file or a SQL database (MySQL or
PostgreSQL).
Regards
Francis Dupont
The "wrong version number" error is returned by some crypto libraries
when TLS is expected but clear text HTTP is received.
Regards
Francis Dupont
PS: I say "some" because at least one has a dedicated code to detect
this very common error and emits a more user friendly
Erik Edwards writes:
> { "name": "vendor-class", "data": "HTTPClient" }>
=> IMHO you mean vendor-class-identifier (option 60): there is no option
named vendor-class in the DHCPv4 option space.
Regards
Francis Dupont
class e.g. Desktop using the test part as
its expression (i.e. substring(option[vendor-class-identifier].text, 0, 9)
== 'PXEClient'. The expression grammar can return a boolean or a string
so what you can do with an ifelse can be done with a class.
Regards
Francis Dupont
asy: configure/load it in the kea-dhcp4 and the kea-dhcp6 servers.
I do not believe it will share something between the two servers at
the exception of course of the RADIUS server itself.
Thanks
Francis Dupont
PS: some hook libraries explicitly check if they are loaded in the right
server in t
it was reported in its logs?
Thanks
Francis Dupont
PS: a secret mismatch gives BADSIG so IMHO this is around the key itself
(name, algorithm, ...).
PPS: looking the bind9 code for BADKEY you have:
- key name mismatch
- algorithm name mismatch (both logged as
"key name and algorithm d
queries are dropped vs. no resource can be assigned).
Regards
Francis Dupont
PS: Change 1898 included in Kea 1.9.8.
Can you demangle the C++ symbol? The tool doing this is c++filt and
is not portable.
Thanks
Francis Dupont
Makhdoom Naeem writes:
> sudo /usr/sbin/kea-dhcp4 -t /etc/kea/kea-dhcp4.conf
> /usr/sbin/kea-dhcp4: symbol lookup error: /usr/sbin/kea-dhcp4: undefined
>
different address or port...)
- if your system allows this you may use :: to match both :: and 0.0.0.0
Usually it is controlled by the IPV6_V6ONLY flag which has a system
dependent default value. I suppose you use Linux where the default
is in /proc/sys/net/ipv6/bindv6only
Regards
Francis Du
s not allow 2x2 widths.
Now I saw enough options 43 with not compliant contents I am not
surprised...
Regards
Francis Dupont
y the last entry value is taken) results.
Strangely it does not seem to be illegal JSON (the spec aka ECMA 404 says
nothing) but of course all JSON tools give either an error or only one
value on duplicated entries of maps (Kea term) / objects (standard name).
Thanks
Francis D
that a client (Windows 7) gets ::::: as its IP
> address.
=> it is the first address of the pool so it is not an error. Note
the easiest way to remove an address from a pool is to reserve it to
a nonexistent host.
Thanks
Francis Dupont
/128: /64 is convenient but /128 is the real legal value...
In conclusion this thread is about how to use Kea but not about Kea itself.
Regards
Francis Dupont
PS: as DHCP does not provide the local prefix length the right protocol is
the Neighbor Discovery or simply static config
'voip'),concat('/', concat(hexstring(pkt4.mac, ''), '.bin')),'')"
=> I do not think this will work because the hook implementation uses
a per code std::map for the configuration so the second entry will
overwrite the first one.
Thanks
Fr
Yes multiple actions are supported by the flex option hook.
Thanks
Francis Dupont
lare the option-data for every shared subnet I have?
=> you should but it is one of the uses of client classes (possible but
a bit hairy to do with current Kea: it is one of the things I plan to make
cleaner and easier).
Thanks
Francis Dupont
ace was designed for allocation so the type is Lease::TYPE_V4 and
the anypool to false (critical as it defaults to true).
Thanks
Francis Dupont
PS: the main reason pools are not saved in leases nor get their own
statistics is a pool is a bit hard to identify. If you have an idea
for a code and user
day so 1.9.3 is scheduled in four weeks but
if you can't wait the fix is already available...
Thanks
Francis Dupont
PS: the bug can give multiple options too but currently it was reported
only the DHCPv6 option 17...
other client.
> Can you confirm this is correct ?
=> yes reserved addresses are reserved.
Thanks
Francis Dupont
There is a new section in the developer guide about how to cross compile
Kea with an extended example for Debian Buster.
Regards
Francis Dupont
ic subnet.
=> option 51 (dhcp-lease-time) is set by the server code so you should not
configure it. Option 150 is not a standard option so you have to define it
(option-def at the global scope) before using it.
Thanks
Francis Dupont
PS: if you go to
https://www.iana.org/assignments/bootp-dhcp-para
c Storage for Leases in the ARM (or 9.2.2.1 if you use
DHCPv6, the ARM is the Kea Administrator Reference Manual at
https://kea.readthedocs.io/en/latest/ and the persist flag is the first
documented parameter).
Regards
Francis Dupont
subnet id.
# This unique index guarantees that there is only one occurrence of the
# particular IPv4 address for a given subnet.
Regards
Francis Dupont
m/michaeltandy/log4j-json, I found more but
for log4j2).
I can see 3 problems to do this in Kea:
- there is no hook in Kea for logging i.e. no easy place to insert code
- the JSON code is in another and later library (backward dependency)
- it requires significant manpower to develop.
Regards
pported by Config Backend or Netconf.
(Gitlab #35,!517, git 49ce6286f5d00f99c1c890f12cbc0fd633c9dbf6)
which was added in 1.7.1
Regards
Francis Dupont
> at the end of configure a report is displayed, saved in config.report
and compiled into servers and agents so can be recovered using the -W
command line argument. There is a command too named build-report.
Regards
Francis Dupont
PS: if you want the runtime library infos (can be different) use
for a lot of other objects.
Thanks
Francis Dupont
e callout point and return DROP when the query4->getFlags()
has FLAG_BROADCAST_MASK set). As the broadcast flag has a function
in the protocol perhaps it is possible to tweak the configuration
so they failed to be served (e.g. responses do not reach them) but
a direct way is more reliable.
Rega
The Kea gitlab URL is in the ARM but as you ask I put it here again:
https://gitlab.isc.org/isc-projects/kea
If you do not know gitlab the # is for an issue and the ! for a
merge request.
Regards
Francis Dupont
PS: just received my Raspberry Pi 4 "starter kit" so now we are several
a
for the system logging: they are sent to standard output or error,
to a file or to syslog. According to its documentation rsyslogd
is able to send logs to a database including a PostgreSQL one
(I never used this but perhaps someone in the list did/does?)
Thanks
is...
Regards
Francis Dupont
PS: tickets are on Kea gitlab with numbers:
- #1194 (initial request)
- #1221 (cross compiling: it is mine and I am very interested to
complete it)
- #1223 (closed, i.e. included in 1.7.8 last release)
The server sends an option only when it was required by the client
(code in the PRL option of the discover) or when it has the
always-send flag set to true in the option data.
Regards
Francis Dupont
Please retry adding -f (or --force) to autoreconf?
Thanks
Francis Dupont
Bill Schoolfield writes:
> I've tried this. No luck. I'm stuck. Any help appreciated.
>
>
> >
> >
> >
> > It goes in the top level directory, i.e. one up from src.
> >
>
client_id = ?, valid_lifetime = ?, expire = ?, subnet_id =
> ?,
> > fqdn_fwd = ?, fqdn_rev = ?, hostname = ?, state = ? WHERE address =
> > ?>, reason: Incorrect datetime value: '2020-03-08 02:04:29' for column
> > 'expire' at row 1 (error code 1292)
=>
rally. For details, see new section "Flexible Option
for Option value settings" in the Kea Administrator Reference
Manual.
(Gitlab #219,!523, git 2bf854c029b9b07ee6161bc1fcb4dfdc9846ee42)
Regards
Francis Dupont
PS: BTW the hook source code
ost-reservation-identifiers using it
should work but if you have several shared networks or subnets I understand
you prefer to change the global value. Unfortunately this requires to
reload or reconfig the whole server configuration.
Regards
Francis Dupont
. when you use an old Kea version which does not support
them).
Regards
Francis Dupont
PS: the Kea Migration Assistant is available in the public repository and
should be integrated into the distribution of the next ISC DHCP.
You can get some idea from it and of course if you can propose imp
I do not believe it is possible directly but it should be indirectly using
different subnets (with per subnet different lifetimes) in a shared
network. Note you can also guard a pool (but not a subnet) using the
UNKNOWN client class.
Regards
Francis Dupont
Gibbins, John (IM&T, Black Moun
called only by 2 internal methods).
We'll revisit the definition of the callout point to see if it is a bug
and if it is we'll fix it.
Thanks
Francis Dupont
host reservations are read-only for servers and
the new configuration backend was designed to support sharing: this
constraint is only for leases).
Thanks
Francis Dupont
> example:
> Kea1 configured to multiple subnets and/or interfaces:
>
> Subnet 1 (with dynamic pool) + host re
red database (available for host reservations
for a long time, new in 1.6.0 for subnets) so edit once.
Regards
Francis Dupont
> 192.168.2.176" } ],
> "subnet": "192.168.0.1/24"
^ 2
>
> }
> ]
Regards
Francis Dupont
PS: you should get an error message saying "does not match the prefix
of a subnet"...
But you can play with lifetime and expired-leases-processing timers to
make more likely a client to get the same IP address.
Regards
Francis Dupont
is a protected member of the Dhcpv4Srv
which is derived into the ControlledDhcpv4Srv singleton so if it is changed
to be public using ControlledDhcpv4Srv::getInstance() will give an access
to it.
Now why do you need AllocationEngine instance? I can't see obvious reason
to ask for this...
Reg
Francis Dupont