[Kea-users] deny booting or ignore booting

Munroe Sollog mus3 at lehigh.edu
Fri Mar 22 12:50:42 UTC 2019


 The firewall idea is interesting, but all of our DHCP is via relay and I
don’t think I can capture the source MAC address from the relay.

 We have 35,000 hosts DHCP-ing, to whitelist all but 100 sounds very
inefficient. Further, in this case, we are only able to enumerate badness,
new devices that behave properly should not be limited.

There has to be a way to give kea a list of MAC addresses to ignore.

On Fri, Mar 22, 2019 at 8:03 AM Francis Dupont <fdupont at isc.org> wrote:

> Munroe Sollog writes:
> > Perhaps random wasn't a good choice of words.  Given a MAC address we
> need
> > a way of ensuring it does not DHCP.  I'm open to alternatives to the
> > ignore/deny booting function.  Some sort of client classification?
>
> => the simplest (and most efficient, as a rogue client can for instance
> flood the server with junk queries) is to use a firewall feature to
> drop messages on the floor. At the Kea server level the standard way
> is to create a client class which matches all other clients and
> to guard subnets or pools with this class so no resource will be
> available to it. You can also write a hook to filter out messages,
> but it requires writing some code (vs a config update).
>
> Regards
>
> Francis Dupont <fdupont at isc.org>
>
> PS: I cited the hook because it is the standard way to plug an
> authentication/authorization service to Kea.
>
-- 
Munroe Sollog
Senior Network Engineer
munroe at lehigh.edu
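As an added example (not part of this thread or of the Kea project's own documentation), the class-based approach Francis describes, written as a Kea DHCPv4 configuration fragment; the two MAC addresses and the 192.0.2.0/24 subnet are constructed placeholders. `pkt4.mac` evaluates the packet's chaddr field, which relay agents forward unchanged, so the match works for relayed traffic as well.

```json
{
  "Dhcp4": {
    // Kea's parser accepts C++-style comments in configuration files.
    // Classes are evaluated in order, so the deny list must come first.
    "client-classes": [
      {
        "name": "blocked-mac",
        // Constructed placeholder addresses; one comparison per denied MAC.
        "test": "pkt4.mac == 0x001122334455 or pkt4.mac == 0x0a0b0c0d0e0f"
      },
      {
        "name": "permitted",
        // Everything not on the deny list; new, well-behaved devices land here.
        "test": "not member('blocked-mac')"
      }
    ],
    "subnet4": [
      {
        "subnet": "192.0.2.0/24",
        // Guarding the subnet with the class leaves blocked clients with
        // no subnet, and therefore no pool, to be served from.
        "client-class": "permitted",
        "pools": [
          { "pool": "192.0.2.10 - 192.0.2.200" }
        ]
      }
    ]
  }
}
```

Packets from a blocked MAC are still received, parsed and classified before being rejected, so this does not replace the firewall option Francis recommends against query floods.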