[Kea-users] deny booting or ignore booting

Francis Dupont fdupont at isc.org
Thu Mar 21 23:43:18 UTC 2019


Munroe Sollog writes:
> isc dhcpd supports the concept of "deny booting" or "ignore booting".  Kea
> does not seem to support this concept.

=> this feature is not supported by Kea but you have other ways to get
the same effect.

> From time to time we need to ensure that a random device does not get a
> valid lease and is thus prevented from accessing our network (we enforce
> DHCP at the access layer).  I found this:

=> as the ISC DHCP booting keyword has a meaning only in a host reservation,
it is useless for a random device, which by definition has no known
identifier. Note that if you want to ban unknown devices, both ISC DHCP and
Kea (since 1.5) provide a known/unknown client classification.

> http://oldkea.isc.org/ticket/5229

=> replaced by https://gitlab.isc.org/isc-projects/kea/issues/239

This ticket is a migration ticket: all features of ISC DHCP were
analyzed:
 - some can be translated (*) to Kea
 - some are candidates to be added to Kea
 - some have low interest (too specific, obsolete or unused, etc.) (**)
(*) There is a piece of software named the Migration Assistant which
helps to translate ISC DHCP configurations to Kea. It is still in
development, but as we are looking for config samples to test and
improve it, you can contact us to know more...
(**) #239 falls into the last category (priority low); the MA code emits
a "no concrete usage known?" message when it finds the booting keyword.

> I'm not sure what to make of this, but I tried creating a host reservation
> without an IP address and kea errors with:
> 
> specified reservation for DUID: hwtype=1 00:50:56:bf:d7:a5 must include at
> least one resource, i.e. hostname, IPv4 address, IPv6 address/prefix,
> options

=> yes, if you have no address (nor prefix in IPv6) you need a hostname.
Note that here a host reservation is perhaps not the best feature: what you
want is some kind of access list, and for a negative access list a client
class is better. Host reservations and KNOWN/UNKNOWN are faster for
a positive (and large) access list.

Regards

Francis Dupont <fdupont at isc.org>
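
The negative access list suggested in the reply above, as an added example that is not part of the original message or of Kea's own code: a Python helper that turns a MAC deny list into a Dhcp4 fragment where the pool is guarded by a class excluding the banned clients. It assumes a Kea version that supports member() and the pool-level "client-class" parameter; the class names, subnet, pool and second MAC are placeholders constructed for the example.

```python
import json
import re

# Class names are placeholders chosen for this example, not Kea built-ins.
BANNED, ALLOWED = "banned", "allowed"

def normalize_mac(mac):
    """Return 12 lowercase hex digits, accepting ':', '-' or '.' separators."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not an Ethernet MAC address: {mac!r}")
    return digits

def banned_test(macs):
    """Build the classification expression that matches any listed MAC."""
    unique = sorted({normalize_mac(m) for m in macs})  # de-duplicate
    if not unique:
        raise ValueError("deny list is empty")
    return " or ".join(f"(pkt4.mac == 0x{m})" for m in unique)

def build_dhcp4(macs, subnet, pool):
    """Dhcp4 fragment whose pool only serves clients outside the deny list."""
    return {
        "Dhcp4": {
            "client-classes": [
                # Order matters: 'banned' is defined before member() refers to it.
                {"name": BANNED, "test": banned_test(macs)},
                {"name": ALLOWED, "test": f"not member('{BANNED}')"},
            ],
            "subnet4": [
                {"id": 1, "subnet": subnet,
                 "pools": [{"pool": pool, "client-class": ALLOWED}]}
            ],
        }
    }

if __name__ == "__main__":
    # First MAC is the one from the error message above; second is constructed.
    deny = ["00:50:56:bf:d7:a5", "00-50-56-BF-D7-A6"]
    cfg = build_dhcp4(deny, "192.0.2.0/24", "192.0.2.10 - 192.0.2.200")
    print(json.dumps(cfg, indent=2))
```

Merge the printed fragment into the server configuration and validate it with the server's configuration test mode before reloading.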

