Kristof Van Doorsselaere kristof.vandoorsselaere at hogent.be
Tue Sep 8 08:51:25 UTC 2015

Dear dhcp mailing list,

I'm testing the latest dhcpd 4.3.3 to replace our current production DHCP server; the new server will run dual stack (IPv4/IPv6). On our current DHCP server (for wired, non-802.1X-enabled networks) we currently implement "deny unknown clients", so only known MAC addresses will get an IP. I have already read, in several places, that this is not possible for IPv6. But last week I found out about RFC 6939, and now I am trying to figure out whether my IPv6 relay (FortiGate firewall) supports this.

Based on the logs below it looks like this RFC is supported, since the MAC address is logged correctly (using the log statement below).


Sep  8 10:00:38 komo dhcpd: Lease for 2001:xxxx:xxxx:3d98:aaaa:8624:d059:50be leased to 40:6c:8f:a:2e:1a
Sep  8 10:00:38 komo dhcpd: did not find: (&(objectClass=dhcpHost)(dhcpClientId=00:01:00:01:1c:e4:9b:70:40:6c:8f:0a:2e:1a))
Sep  8 10:00:38 komo dhcpd: did not find clientid: (&(objectClass=dhcpHost)(dhcpClientId=00:01:00:01:1c:e4:9b:70:40:6c:8f:0a:2e:1a))
Sep  8 10:00:38 komo dhcpd: Lease for 2001:xxxx:xxxx:3d98:aaaa:8624:d059:50be leased to 40:6c:8f:a:2e:1a
Sep  8 10:00:38 komo dhcpd: Reply NA: address 2001:xxxx:xxxx:3d98:aaaa:8624:d059:50be to client with duid 00:01:00:01:1c:e4:9b:70:40:6c:8f:0a:2e:1a iaid = 0 valid for 2592000 seconds
Sep  8 10:00:38 komo dhcpd: Sending Relay-reply to 2001:xxxx:xxxx:ab00:ffff:ffff:ffff:ffff port 547

So now I'm trying to find out whether there is any possibility to deny unknown clients based on their MAC addresses in a pool6 configuration. Is this something on the roadmap? Or will it never be implemented? (For us this would mean: stop using MAC-address-based allow/deny rules and go for 802.1X all the way; we currently implement this on wifi and a few wired networks.)

Remark: our MAC addresses are stored in LDAP, and based on the logs (above) it looks like DHCPv6 is searching for the DUID rather than the MAC address. Do we have any options here?

Below some more info about my setup:

OS: Debian 8.1

Subnet cfg:

subnet6 2001:xxxx:xxxx:3d98::/64 {
        pool6 {
                option dhcp6.name-servers 2001:xxxx:xxxx:ab00::1, 2001:xxxx:xxxx:ab00::2;
                option dhcp6.domain-search "example.com";
                ignore unknown-clients;
                range6 2001:xxxx:xxxx:3d98:aaaa::/80;
                range6 2001:xxxx:xxxx:3d98:bbbb::/80 temporary;
        }
}

RFC 6939 specific cfg:

## RFC 6939
# Private option definitions, used only as scratch variables for the log statement below.
option dhcp6.macaddr code 193 = string;
option dhcp6.leased-address code 194 = string;

# Last six bytes of the client DUID, printed as unpadded hex (hence "8f:a:2e" in the log above).
option dhcp6.macaddr = binary-to-ascii(16, 8, ":", suffix(option dhcp6.client-id, 6));

# Address from the IAADDR sub-option, assumed to be the last sub-option of IA_NA:
# its final 24 bytes are address (16), preferred lifetime (4), valid lifetime (4).
option dhcp6.leased-address = binary-to-ascii(16, 16, ":", substring(suffix(option dhcp6.ia-na, 24), 0, 16));

log (info, concat ("Lease for ", config-option dhcp6.leased-address, " leased to ", config-option dhcp6.macaddr));

Thanks for your reply,

Kristof van Doorsselaere
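
Worked example, added by the editor and not part of Kristof's message or of ISC's dhcpd: a small Python script that decodes the DUIDs in dhcpd's "Reply NA" log lines and compares the embedded MAC with an allow list, as an external stand-in for the "deny unknown clients by MAC" the post asks about. The dhcpd expression in the post takes the last six bytes of dhcp6.client-id; that is a hardware address only for DUID-LLT (type 1) and DUID-LL (type 3) with an Ethernet hardware type, so the script checks the DUID type first and returns no MAC for DUID-EN or DUID-UUID. It also reproduces the unpadded form that dhcpd's binary-to-ascii(16, 8, ...) prints (40:6c:8f:a:2e:1a in the log, versus the zero-padded 0a inside the DUID in the LDAP filter), which matters as soon as the value is compared with a stored MAC. Two caveats for anyone using this as access control: the MAC inside a DUID is chosen by the client and is as forgeable as an IPv4 chaddr, and the relay-supplied link-layer address that RFC 6939 defines is a separate option (code 79, OPTION_CLIENT_LINKLAYER_ADDR) inserted by the relay, not the DUID. The allow list, the DUID-EN and DUID-LL log lines and the 2001:db8:: addresses are constructed for the example.

```python
"""DHCPv6 DUID decoding and a MAC allow-list check (added example, not from the post)."""
import re
from typing import Optional

# Hardware type 1 = Ethernet (IANA ARP hardware types), as used in DUID-LLT/DUID-LL.
ETHERNET_HW_TYPE = 1


def parse_duid(duid: bytes) -> dict:
    """Decode a DUID into its type and fields (DUID layouts as in RFC 8415 section 11)."""
    if len(duid) < 2:
        raise ValueError("DUID too short")
    duid_type = int.from_bytes(duid[:2], "big")
    body = duid[2:]
    if duid_type == 1:  # DUID-LLT: hw type (2), time (4), link-layer address
        if len(body) < 6:
            raise ValueError("truncated DUID-LLT")
        return {"type": "LLT", "hw_type": int.from_bytes(body[:2], "big"),
                "time": int.from_bytes(body[2:6], "big"), "lladdr": body[6:]}
    if duid_type == 2:  # DUID-EN: enterprise number (4), opaque identifier; no MAC
        if len(body) < 4:
            raise ValueError("truncated DUID-EN")
        return {"type": "EN", "enterprise": int.from_bytes(body[:4], "big"),
                "identifier": body[4:]}
    if duid_type == 3:  # DUID-LL: hw type (2), link-layer address
        if len(body) < 2:
            raise ValueError("truncated DUID-LL")
        return {"type": "LL", "hw_type": int.from_bytes(body[:2], "big"), "lladdr": body[2:]}
    if duid_type == 4:  # DUID-UUID: 16-byte UUID; no MAC
        return {"type": "UUID", "uuid": body}
    return {"type": "UNKNOWN", "raw": body}


def mac_from_duid(duid: bytes) -> Optional[str]:
    """Zero-padded lower-case MAC if the DUID is LLT/LL with an Ethernet address, else None."""
    d = parse_duid(duid)
    if d["type"] in ("LLT", "LL") and d["hw_type"] == ETHERNET_HW_TYPE and len(d["lladdr"]) == 6:
        return ":".join(f"{b:02x}" for b in d["lladdr"])
    return None


def dhcpd_suffix_macaddr(duid: bytes) -> str:
    """Reproduce what the post's dhcpd expression
    binary-to-ascii(16, 8, ":", suffix(option dhcp6.client-id, 6)) yields:
    the last six bytes as unpadded hex, whatever the DUID type is."""
    return ":".join(f"{b:x}" for b in duid[-6:])


# Matches the "client with duid xx:xx:..." field of dhcpd's "Reply NA" log line.
DUID_RE = re.compile(r"\bduid ((?:[0-9a-f]{2}:)+[0-9a-f]{2})\b")


def duid_from_log(line: str) -> Optional[bytes]:
    """Pull the DUID out of a dhcpd 'Reply NA' log line, or None if the line has none."""
    m = DUID_RE.search(line)
    return bytes.fromhex(m.group(1).replace(":", "")) if m else None


def classify_client(line: str, allowed_macs: set) -> str:
    """'known' / 'unknown' by MAC, or 'no-mac-in-duid' when the DUID carries no MAC."""
    duid = duid_from_log(line)
    if duid is None:
        return "no-duid"
    mac = mac_from_duid(duid)
    if mac is None:
        return "no-mac-in-duid"
    return "known" if mac in allowed_macs else "unknown"


# Hypothetical allow list standing in for the LDAP dhcpHost entries mentioned in the post.
ALLOWED_MACS = {"40:6c:8f:0a:2e:1a"}

# Constructed sample lines: the first carries the post's DUID-LLT client; the other two
# are made-up DUID-EN and DUID-LL clients to exercise the remaining cases.
SAMPLE_LOG = [
    "Sep  8 10:00:38 komo dhcpd: Reply NA: address 2001:db8::1 to client with duid "
    "00:01:00:01:1c:e4:9b:70:40:6c:8f:0a:2e:1a iaid = 0 valid for 2592000 seconds",
    "Sep  8 10:01:02 komo dhcpd: Reply NA: address 2001:db8::2 to client with duid "
    "00:02:00:00:09:bf:de:ad:be:ef:01:02:03 iaid = 0 valid for 2592000 seconds",
    "Sep  8 10:01:30 komo dhcpd: Reply NA: address 2001:db8::3 to client with duid "
    "00:03:00:01:00:11:22:33:44:55 iaid = 0 valid for 2592000 seconds",
]


def run() -> list:
    """Verdict per sample line, in order."""
    return [classify_client(line, ALLOWED_MACS) for line in SAMPLE_LOG]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, run()):
        duid = duid_from_log(line)
        print(f"{verdict:15} dhcpd-style={dhcpd_suffix_macaddr(duid):18} parsed={mac_from_duid(duid)}")
```

Run against a real syslog, the script would be a consumer of dhcpd's output, not a replacement for a pool6 permit list: it can flag or alert on unknown clients after the lease is handed out, which is the gap the post describes.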
