[Kea-users] deny booting or ignore booting

Munroe Sollog mus3 at lehigh.edu
Fri Mar 22 12:42:18 UTC 2019


Perhaps random wasn't a good choice of words.  Given a MAC address we need
a way of ensuring it does not DHCP.  I'm open to alternatives to the
ignore/deny booting function.  Some sort of client classification?

On Thu, Mar 21, 2019 at 7:43 PM Francis Dupont <fdupont at isc.org> wrote:

> Munroe Sollog writes:
> > isc dhcpd supports the concept of "deny booting" or "ignore booting". Kea
> > does not seem to support this concept.
>
> => this feature is not supported by Kea but you have other ways to get
> the same effect.
>
> > From time to time we need to ensure that a random device does not get a
> > valid lease and is thus prevented from accessing our network (we enforce
> > DHCP at the access layer).  I found this:
>
> => as ISC DHCP booting keyword has a meaning only in a host reservation
> it is useless for a random device which by definition has no known
> identifier. Note if you want to ban unknown devices both ISC DHCP and
> Kea (since 1.5) provide a known/unknown client classification.
>
> > http://oldkea.isc.org/ticket/5229
>
> => replaced by https://gitlab.isc.org/isc-projects/kea/issues/239
>
> This ticket is a migration ticket: all features of ISC DHCP were
> analyzed:
>  - some can be translated (*) to Kea
>  - some are candidates to be added to Kea
>  - some have low interest (too specific, obsolete or unused, etc) (**)
> (*) There is a piece of software named the Migration Assistant which
> helps to translate ISC DHCP configurations to Kea. It is still in
> development but as we are looking for config samples to test and
> improve it you can contact us to know more...
> (**) #239 enters in the last category (priority low), the MA code emits
> a "no concrete usage known?" message when it finds the booting keyword.
>
> > I'm not sure what to make of this, but I tried creating a host reservation
> > without an IP address and kea errors with:
> >
> > specified reservation for DUID: hwtype=1 00:50:56:bf:d7:a5 must include at
> > least one resource, i.e. hostname, IPv4 address, IPv6 address/prefix,
> > options
>
> => yes if you have no address (nor prefix in IPv6) you need a hostname.
> Note here a host reservation is perhaps not the best feature: what you
> want is some kind of access list and for a negative access list a client
> class is better. Host reservations and KNOWN/UNKNOWN are faster for
> a positive (and large) access list.
>
> Regards
>
> Francis Dupont <fdupont at isc.org>
>


-- 
Munroe Sollog
Senior Network Engineer
munroe at lehigh.edu
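
The negative access list via client classification suggested in the thread, as an added example that is not part of the original messages and not ISC's own code: it builds a Kea Dhcp4 `client-classes` fragment from a MAC deny list. It assumes a Kea release that provides the built-in DROP class; the function names and the extra MAC are constructed for illustration.

```python
import json
import re


def normalize_mac(mac: str) -> str:
    """Return 12 lowercase hex digits, accepting ':', '-' or '.' separators."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def drop_class(macs) -> dict:
    """Build a client class that assigns the listed MACs to DROP."""
    unique = sorted({normalize_mac(m) for m in macs})  # de-duplicate
    if not unique:
        # An empty test expression would be rejected by the config parser.
        raise ValueError("deny list is empty")
    # pkt4.mac is the hardware address from the DHCPv4 packet (chaddr);
    # 0x... is a hex-string literal in Kea's expression syntax.
    test = " or ".join(f"pkt4.mac == 0x{m}" for m in unique)
    return {"name": "DROP", "test": test}


def render(macs) -> str:
    """Return the fragment to merge into the existing Dhcp4 configuration."""
    return json.dumps({"Dhcp4": {"client-classes": [drop_class(macs)]}}, indent=2)


if __name__ == "__main__":
    # First MAC is the one in the error message quoted in the thread;
    # the second is the same address in another notation, the third is constructed.
    print(render(["00:50:56:bf:d7:a5", "00-50-56-BF-D7-A5", "0200.5e00.5301"]))
```

The match is on the hardware address the client itself supplies, so it stops a device only as long as that device keeps presenting the listed MAC.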