always use deny (was: How does DHCPD determine what IP address to assign and...)

David W. Hankins David_Hankins at isc.org
Wed Jan 2 18:47:47 UTC 2008


On Wed, Jan 02, 2008 at 11:14:01AM -0600, Keith Neufeld wrote:
> Am I in the minority?

It's impossible to say, but in terms of server operation the actual
default is 'no access list', so clients are permitted by default to
all pools.

So any access list at all is a selective dismissal.

In the model I'm thinking of moving to, the server would start out
from client link detection with a list of all pools arranged in
optimal order, expecting to go into client classification with no
ACL's.  Selecting an address for a client is a simple one-step
operation with no extra work in this (very) general case.

As classes, hosts, or conditional statements get executed and matched,
we'd tag (or clear in the case of multiple class matches) pools for
unlinking from this set.

So in your case with single allow statements in every pool;

	if (no pools to start with)
		log a specific error

	tag pool A
	tag pool B

	if class A matches
		untag pool A
	if class B matches
		untag pool B

	unlink all tagged pools

	if (no pools left)
		log a specific error

	grab the address at the top of the list.

	if (no addresses left)
		log a different, specific error

This is kind of backwards to how it works now; the guts of the ACL
would be executed on the class match rather than on the pool.  It's
a direct reference from the class(es) rather than linear searches in
the middle of processing.

More to the point; it means we don't have to traverse the entire list
of pools to find the best address for the client even with ACL's,
removing that from the list of things to have to worry about scaling.


As far as configuration syntax, this would probably be in conjunction
with a new configuration format or method (sql/ldap), and what we're
talking about is really how our default dhcpd.conf->new converter sets
things up so you get the same results.

In your case, you'd probably want to review these results, and switch
to something else the syntax should expose;

	init to zero the pool list

	if class A matches
		link pool A
	else if class B matches
		link pool B

	if (no pools left)
		log a specific error
	...

-- 
Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil?	 https://secure.isc.org/store/t-shirt/
-- 
David W. Hankins	"If you don't do it right the first time,
Software Engineer		     you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins
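As an added illustration (not code from the post, and not ISC dhcpd's own implementation), here is a small Python model of the two selection strategies David sketches above: the converter's "tag every pool with an allow, untag on class match, unlink the rest" rendering, and the explicit "init to zero, link the first pool whose class matches" form. Pool names, class names, the `ALLOW` mapping and the addresses are constructed for the example; the unrestricted pool C makes the point from the start of the post visible, that a pool with no access list at all is permitted to every client.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("pool-model")


@dataclass
class Pool:
    name: str
    free: list  # free addresses in this pool, best candidate first


def pick_address(pools):
    """Grab the address at the top of the (already optimally ordered) list.
    Pools are assumed to be in best-first order, so the first free address
    of the first non-empty pool is the best candidate."""
    for pool in pools:
        if pool.free:
            return pool.free[0]
    log.error("no addresses left in the pools permitted to this client")
    return None


def tag_and_unlink(pools, matched_classes, allow):
    """Converter rendering of 'one allow statement per pool'.

    pools           -- all pools on the client's link, best first
    matched_classes -- names of the classes the client matched
    allow           -- {pool_name: class_name} for pools carrying an allow
    Pools with no access list are never tagged: the default is 'permitted'.
    """
    if not pools:
        log.error("no pools on this link at all")
        return None
    # tag every pool that has an allow statement ...
    tagged = {pool.name for pool in pools if pool.name in allow}
    # ... then clear the tag on pools whose allowed class matched
    for pool_name, class_name in allow.items():
        if class_name in matched_classes:
            tagged.discard(pool_name)
    # unlink all tagged pools
    remaining = [pool for pool in pools if pool.name not in tagged]
    if not remaining:
        log.error("access lists removed every pool for this client")
        return None
    return pick_address(remaining)


def link_on_match(matched_classes, chain):
    """Explicit deny-by-default form: start from an empty pool list and
    link only the first pool whose class matches (if / else if chain).

    chain -- ordered list of (class_name, Pool); first match wins
    """
    linked = []  # 'init to zero the pool list'
    for class_name, pool in chain:
        if class_name in matched_classes:
            linked.append(pool)
            break  # else-if semantics: one branch only
    if not linked:
        log.error("client matched no class; no pool linked")
        return None
    return pick_address(linked)


# Constructed sample data (hypothetical, not from the post): three pools on
# one link, A and B each guarded by a single allow statement, C unrestricted.
ALLOW = {"A": "clsA", "B": "clsB"}


def sample_pools():
    return [
        Pool("A", ["10.0.1.10", "10.0.1.11"]),
        Pool("B", ["10.0.2.10"]),
        Pool("C", ["10.0.3.10"]),
    ]


def sample_chain():
    pools = {p.name: p for p in sample_pools()}
    return [("clsA", pools["A"]), ("clsB", pools["B"])]


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(tag_and_unlink(sample_pools(), {"clsB"}, ALLOW))  # 10.0.2.10
    print(tag_and_unlink(sample_pools(), set(), ALLOW))     # 10.0.3.10 (unrestricted pool C)
    print(link_on_match({"clsB"}, sample_chain()))           # 10.0.2.10
    print(link_on_match(set(), sample_chain()))              # None, with an error logged
```

The difference the two models make is easiest to see with a client that matches no class: under the tag-and-unlink rendering it still gets an address from the unrestricted pool C, while under the link-on-match form it gets nothing and the server logs the specific "no pool linked" error. That is the review step the post recommends for a converted configuration.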