[Kea-users] 1.4 - limit subnet to static reservations/leases

Jason Guy jguy at cumulusnetworks.com
Thu Feb 14 15:05:35 UTC 2019

Keep in mind ifupdown2 is just a front-end for configuring the networking.
The actual DHCP client is dhclient. There is certainly a dhclient.conf you
can change, but do you want to do that on all clients? I just use the mac
address for linux machines, and client-id is the default for windows (as I
recall). I have not yet successfully made DHCPv6 relay return a static host
reservation, so I have not tested DUID with IPv6. My advice is use the mac
address and keep it simple. Seems unlikely to have MAC spoofing without
many other layer2 issues occurring. Just my opinion.


On Thu, Feb 14, 2019 at 9:37 AM ѽ҉ᶬḳ℠ <vtol at gmx.net> wrote:

> Kai Meitzner
> On 14/02/2019 14:35, Tomek Mrugalski wrote:
> On 14.02.2019 12:20, ѽ҉ᶬḳ℠ wrote:
> Though perhaps a bit off topic, please bear with me, I have been
> wondering about DUID in ipv4 since thought that it would be only
> applicable to ipv6?
> That was the original idea. But then the reality kicked in. The primary
> use case for DUIDs in ipv4 is to be able to match requests coming from
> dual-stack devices.
> To my understanding the DUID would be provided by the dhcp client but I
> have not found way to figure the clients's ipv4 DUID, all linux distros,
> in order to use it for host reservation. Neither iproute2 nor ifupdown2
> seem to provide that information. Is there a way to harvest those ipv4 DUID?
> Not sure. If the client supports it, as a last resort you can capture
> the traffic and extract its client-id option. That's not exactly a
> convenient way, I admit that. I found a discussion about it on systemd
> github: https://github.com/systemd/systemd/issues/394. It mentions some
> pull requests that apparently were merged. You may want to look around
> that area and see if anything comes up.
> Tomek
> The current dnsmasq ipv*4* leases (still in place) supposedly showing
> client identifier, e.g.
> ff:a9:13:fb:9b:00:02:00:00:ab:11:f0:18:bd:02:af:a5:19:a1.
> Perusing online resources has not cleared up for me whether there is a
> correlation between DUID and client identifier, some sources hinting the
> client identifier containing the DUID?
> Suppose such client identifier would be matching *client-id* in the Kea
> conf?
> Since client-id spoofing would appear more difficult than mac spoofing I
> would probably prefer client-id. Just have to check whether client-ids are
> indeed ephemeral.
> Seems a bit a of cumbersome way to run first a dhcp server to gather
> client-id/DUID from its linux clients to utilise such for host reservation
> matching. My network management preference though is ifupdown2.
> _______________________________________________
> Kea-users mailing list
> Kea-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/kea-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/kea-users/attachments/20190214/b66c9608/attachment.htm>

More information about the Kea-users mailing list