[Kea-users] Duplicate Addresses, address pool exhaustion with DHCPDECLINE flood

attila.domjan.hu at gmail.com attila.domjan.hu at gmail.com
Tue Apr 23 05:59:38 UTC 2019


I will disable the decline feature in Kea too. In our FTTH access
network an IP conflict can never happen, because of the DHCP-snooping-based
IP and ARP anti-spoofing, so it is just a vulnerability. I suggest that it should be possible to disable the DHCPDECLINE feature via a configuration option.

Attila

On Thu, 2019-04-18 at 19:31 +0200, Tomek Mrugalski wrote:
> On 18/04/2019 15:16, Alberto Pollastro wrote:
> > I agree with Kari; it could be useful to have an option which
> > permits to ignore the DHCP DECLINE messages, like the one present in
> > ISC dhcpd ("declines" keyword in config file:
> > https://www.isc.org/wp-content/uploads/2018/02/dhcp44.html).
> > Another option could be to implement on the server side a DHCP
> > DECLINE per-source-MAC rate limiting (or a kind of Fail2ban for
> > DECLINE messages), because usually the L2 switch supports DHCP rate
> > limiting according to the switch port.
> 
> We were thinking about rate limiting of various things, but never got
> round to implementing this mechanism.
> 
> As a crude workaround, you could try setting up
> "decline-probation-period" to something very small, like 10 seconds
> or less. But please keep in mind that this would be effectively
> disabling a protocol feature that's there for a reason.
> 
> Also, if you want to do some experiments, disabling DECLINE handling
> on the server side is a trivial code modification. Open up
> src/bin/dhcp4/dhcp4_srv.cc and comment out line 1024:
> 
> // processDecline(query, ctx);
> 
> Note the side effect is that your buggy client will think the lease
> was declined, will revert back to discover and the server will assign
> the same lease again. This loop will likely repeat over and over again.
> 
> Depending on your situation this may be a better or worse workaround
> compared to low decline-probation-period.
> 
> Tomek
> _______________________________________________
> Kea-users mailing list
> Kea-users at lists.isc.org
> 
> https://lists.isc.org/mailman/listinfo/kea-users
> 
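The thread above proposes a per-source-MAC rate limit, or a "Fail2ban for DECLINE messages", as an alternative to shortening decline-probation-period. The script below is an added example, not code from the thread or from the Kea project: it runs a sliding-window counter over constructed Kea-style log lines and reports which client MACs exceeded a DECLINE threshold. The log line format, the MAC addresses, timestamps and the threshold/window values are all assumptions made for the example; it only detects, and leaves any response (for instance switch-port rate limiting, as mentioned in the thread) to the operator.

```python
"""Added example: sliding-window detector for DHCPDECLINE floods per client MAC.

Assumptions (not from the original thread): the log line layout below is
constructed, loosely modelled on Kea's DHCP4_DECLINE_LEASE log message, and
the threshold/window defaults are arbitrary illustrative values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: MAC ...:01 floods DECLINEs within two seconds,
# MAC ...:02 sends two far apart, MAC ...:03 sends three spread over four
# minutes (so they never fall inside a 60 s window together). One unrelated
# lease-allocation line is included to show that it is ignored by the parser.
SAMPLE_LOG = """\
2019-04-18 10:00:00.100 INFO  [kea-dhcp4.leases] DHCP4_DECLINE_LEASE [hwtype=1 aa:bb:cc:00:00:01]: IP address 10.0.0.11 has been declined
2019-04-18 10:00:00.300 INFO  [kea-dhcp4.leases] DHCP4_DECLINE_LEASE [hwtype=1 aa:bb:cc:00:00:01]: IP address 10.0.0.12 has been declined
2019-04-18 10:00:00.500 INFO  [kea-dhcp4.leases] DHCP4_DECLINE_LEASE [hwtype=1 aa:bb:cc:00:00:01]: IP address 10.0.0.13 has been declined
2019-04-18 10:00:01.000 INFO  [kea-dhcp4.leases] DHCP4_DECLINE_LEASE [hwtype=1 aa:bb:cc:00:00:01]: IP address 10.0.0.14 has been declined
2019-04-18 10:00:01.200 INFO  [kea-dhcp4.leases] DHCP4_DECLINE_LEASE [hwtype=1 aa:bb:cc:00:00:01]: IP address 10.0.0.15 has been declined
2019-04-18 10:00:02.000 INFO  [kea-dhcp4.leases] DHCP4_LEASE_ALLOC [hwtype=1 aa:bb:cc:00:00:09]: lease 10.0.0.50 has been allocated
2019-04-18 10:00:05.000 INFO  [kea-dhcp4.leases] DHCP4_DECLINE_LEASE [hwtype=1 aa:bb:cc:00:00:02]: IP address 10.0.0.21 has been declined
2019-04-18 10:03:00.000 INFO  [kea-dhcp4.leases] DHCP4_DECLINE_LEASE [hwtype=1 aa:bb:cc:00:00:02]: IP address 10.0.0.22 has been declined
2019-04-18 10:00:10.000 INFO  [kea-dhcp4.leases] DHCP4_DECLINE_LEASE [hwtype=1 aa:bb:cc:00:00:03]: IP address 10.0.0.31 has been declined
2019-04-18 10:02:00.000 INFO  [kea-dhcp4.leases] DHCP4_DECLINE_LEASE [hwtype=1 aa:bb:cc:00:00:03]: IP address 10.0.0.32 has been declined
2019-04-18 10:04:00.000 INFO  [kea-dhcp4.leases] DHCP4_DECLINE_LEASE [hwtype=1 aa:bb:cc:00:00:03]: IP address 10.0.0.33 has been declined
"""

# Assumed line layout: "<date> <time.ms> <level> [<logger>] DHCP4_DECLINE_LEASE
# [hwtype=<n> <mac>]: IP address <ip> ..." (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) .*?"
    r"DHCP4_DECLINE_LEASE \[hwtype=\d+ (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\]: "
    r"IP address (?P<ip>\S+)"
)


def parse_declines(log_text):
    """Yield (timestamp, mac, ip) for every DECLINE line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        yield ts, m.group("mac").lower(), m.group("ip")


def detect_decline_floods(log_text, threshold=3, window_seconds=60):
    """Return {mac: declines_in_window_when_first_flagged} for every MAC that
    sent at least `threshold` DECLINEs inside a `window_seconds` sliding window.

    Per MAC we keep only the timestamps still inside the window, so a client
    that declines occasionally over a long period is never flagged.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # mac -> timestamps within the current window
    flagged = {}
    for ts, mac, _ip in parse_declines(log_text):
        q = recent[mac]
        q.append(ts)
        while q and ts - q[0] > window:  # evict timestamps older than the window
            q.popleft()
        if len(q) >= threshold and mac not in flagged:
            flagged[mac] = len(q)
    return flagged


if __name__ == "__main__":
    for mac, count in detect_decline_floods(SAMPLE_LOG).items():
        print(f"DECLINE flood: {mac} sent {count} declines within 60 s")
```

The interesting case is the third client: three declines is the threshold, but because they are spread over four minutes they never coexist in one 60-second window, so it is not reported unless the window is widened. In practice the window and threshold would be tuned against how often a legitimate client in the access network can ever emit a DECLINE (in the poster's network, never), and the flagged MAC list would be handed to whatever enforcement point is available, for instance the access switch port the thread mentions.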
