[Kea-users] subnet whitelist

Tomek Mrugalski tomasz at isc.org
Mon Jan 25 18:49:19 UTC 2016


On 24.01.2016 22:09, Patrick Hemmer wrote:
> I'm trying to accomplish a setup where kea only hands out addresses to
> authorized clients (identified by mac addr).

> In the old dhcpd you could use the `deny unknown-clients` ACL to
> accomplish this. It doesn't look like kea has any current capabilities
> for ACLs, and I was wondering if this is something that is planned, or
> if there is another way to accomplish this goal (other than writing a
> plugin).
That's actually pretty easy to do if you're ok with reserving addresses.
You just need to define a subnet without any pools in it. All clients
coming in will be rejected. The server will put a note similar to this:

ALLOC_ENGINE_V4_ALLOC_FAIL [hwtype=1 00:1d:7e:bc:41:2a],
cid=[01:00:1d:7e:bc:41:2a], tid=0xbf2a4c74: failed to allocate an IPv4
address after 0 attempt(s)

which means that it gave up sending anything back, because it didn't
find any available addresses. This solves the "reject unknown clients"
part. Now for the clients that you do know by MAC, you'd like to assign
them an address. That's also easy to do: add reservations for them.

Here's the snippet that should work for you:

  "subnet4": [
    {
      # Note lack of pools definition. Clients will be rejected, unless
      # they're on the reservations list below. In this case they'll get the
      # address they have reserved.
      "subnet": "192.0.2.0/24",
      "interface": "eth1",
      "reservations": [
        {
          "hw-address": "00:1d:7e:bc:41:2a",
          "ip-address": "192.0.2.202"
        },
        {
          "hw-address": "f4:6d:04:96:55:54",
          "ip-address": "192.0.2.222"
        }
      ]
    }
  ]

Actually, I used a slightly tweaked doc/examples/kea4/reservations.json.
I did only 3 tweaks: changed interface name (ethX to eth1 in my case),
removed line 41 that defined subnets and finally tweaked one of the
reservation examples to match my actual MAC.

This solution is not perfect, but hopefully will address your needs.
Please let me know if that is indeed the case.

Tomek
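An added example (not part of Tomek's post and not Kea's own tooling) that generates the "no pools, reservations only" whitelist subnet described above from a MAC-to-address map and sanity-checks it before it is handed to Kea. The Kea configuration keys it emits (Dhcp4, subnet4, subnet, interface, pools, reservations, hw-address, ip-address) are real Kea keys; the helper names and the constructed MAC/IP values are assumptions for illustration. It generalizes the post slightly: MACs from a whitelist file often arrive in mixed spellings, and a MAC that does not match the reservation byte-for-byte silently falls into the reject path, so the builder normalizes them and the checker flags stray pools, out-of-subnet addresses and duplicates.

```python
"""Build and sanity-check a Kea DHCPv4 whitelist: a subnet with no pools
plus one host reservation per allowed MAC.

Example code added for this post; not Kea's own tooling. Helper names and
sample MAC/IP values are constructed for illustration.
"""
import ipaddress
import json
import re


def normalize_mac(mac):
    """Return a MAC as lower-case, colon-separated bytes.

    Accepts 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' or 'aabbccddeeff'.
    Kea matches hw-address reservations exactly, so a whitelist entry in
    the wrong spelling would simply be treated as an unknown client.
    """
    hexdigits = re.sub(r"[-:.\s]", "", mac.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError("malformed MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def build_whitelist_subnet(cidr, interface, allowed):
    """Return a Dhcp4 config dict with a single pool-less subnet.

    `allowed` maps MAC -> reserved IPv4 address. Because no "pools" key is
    emitted, any client without a reservation gets nothing back.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    reservations = []
    for mac, ip in allowed.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError("%s is outside %s" % (addr, net))
        reservations.append({"hw-address": normalize_mac(mac),
                             "ip-address": str(addr)})
    return {"Dhcp4": {"subnet4": [{
        "subnet": str(net),
        "interface": interface,
        "reservations": reservations,
    }]}}


def validate_whitelist_subnet(config):
    """Return a list of problems (empty means the whitelist intent holds).

    Catches the mistakes that would quietly widen or break the whitelist:
    a pools entry (dynamic leases for unknown clients), reservations that
    fall outside the subnet, and duplicate MACs or addresses.
    """
    problems = []
    for subnet in config["Dhcp4"]["subnet4"]:
        net = ipaddress.ip_network(subnet["subnet"])
        if subnet.get("pools"):
            problems.append("%s: has pools, unknown clients would get leases" % net)
        seen_macs, seen_ips = set(), set()
        for r in subnet.get("reservations", []):
            mac = normalize_mac(r["hw-address"])
            ip = ipaddress.ip_address(r["ip-address"])
            if mac in seen_macs:
                problems.append("%s: duplicate reservation for %s" % (net, mac))
            if ip in seen_ips:
                problems.append("%s: address %s reserved twice" % (net, ip))
            if ip not in net or ip in (net.network_address, net.broadcast_address):
                problems.append("%s: %s is not a usable host address" % (net, ip))
            seen_macs.add(mac)
            seen_ips.add(ip)
    return problems


# Constructed sample whitelist in mixed spellings (the two MACs from the post).
SAMPLE_ALLOWED = {
    "00-1D-7E-BC-41-2A": "192.0.2.202",
    "f4:6d:04:96:55:54": "192.0.2.222",
}

if __name__ == "__main__":
    cfg = build_whitelist_subnet("192.0.2.0/24", "eth1", SAMPLE_ALLOWED)
    print(json.dumps(cfg, indent=2))
    print("problems:", validate_whitelist_subnet(cfg))
```

Run it to print a ready-to-use Dhcp4 fragment; an empty problem list means no pools slipped in and every reservation is a unique, in-subnet host address. Kea itself will also refuse a reservation outside its subnet at load time, but checking before deployment keeps a failed reload from leaving the server running the previous config.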
