<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:3.0cm 2.0cm 3.0cm 2.0cm;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="DA" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-GB">Do you have a NAC or is it open network?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">I would prefer deny it when entering the network, not when asking for DHCP.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Br,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Thomas<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Kea-users <kea-users-bounces@lists.isc.org> on behalf of Munroe Sollog <mus3@lehigh.edu><br>
<b>Date: </b>Friday, 22 March 2019 at 12.42<br>
<b>To: </b>Francis Dupont <fdupont@isc.org><br>
<b>Cc: </b>"KEA-Users (kea-users@lists.isc.org)" <kea-users@lists.isc.org><br>
<b>Subject: </b>Re: [Kea-users] deny booting or ignore booting<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Perhaps random wasn't a good choice of words. Given a MAC address we need a way of ensuring it does not DHCP. I'm open to alternatives to the ignore/deny booting function. Some sort of client classification?<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Thu, Mar 21, 2019 at 7:43 PM Francis Dupont <<a href="mailto:fdupont@isc.org">fdupont@isc.org</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<p class="MsoNormal">Munroe Sollog writes:<br>
> isc dhcpd supports the concept of "deny booting" or "ignore booting". Kea<br>
> does not seem to support this concept.<br>
<br>
=> this feature is not supported by Kea but you have other ways to get<br>
the same effect.<br>
<br>
> >From time to time we need to ensure that a random device does not get a<br>
> valid lease and is thus prevented from accessing our network (we enforce<br>
> DHCP at the access layer). I found this:<br>
<br>
=> as ISC DHCP booting keyword has a meaning only in a host reservation<br>
it is useless for a random device which by definition has no known<br>
identifier. Note if you want to ban unknown devices both ISC DHCP and<br>
Kea (since 1.5) provide a known/unknown client classification.<br>
<br>
> <a href="http://oldkea.isc.org/ticket/5229" target="_blank">http://oldkea.isc.org/ticket/5229</a><br>
<br>
=> replaced by <a href="https://gitlab.isc.org/isc-projects/kea/issues/239" target="_blank">
https://gitlab.isc.org/isc-projects/kea/issues/239</a><br>
<br>
This ticket is a migration ticket: all features of ISC DHCP were<br>
analyzed:<br>
- some can be translated (*) to Kea<br>
- some are candidate to be added to Kea<br>
- some have low interest (too specific, obsolete or unused, etc) (**)<br>
(*) There is a piece of software named the Migration Assistant which<br>
helps to translate ISC DHCP configurations to Kea. It is still in<br>
development but as we are looking for config samples to test and<br>
improve it you can contact us to know more...<br>
(**) #239 enters in the last category (priority low), the MA code emits<br>
a "no concrete usage known?" message when it finds the booting keyword.<br>
<br>
> I'm not sure what to make of this, but I tried creating a host reservation<br>
> without an IP address and kea errors with:<br>
> <br>
> specified reservation for DUID: hwtype=1 00:50:56:bf:d7:a5 must include at<br>
> least one resource, i.e. hostname, IPv4 address, IPv6 address/prefix,<br>
> options<br>
<br>
=> yes if you have no address (nor prefix in IPv6) you need a hostname.<br>
Note here a host reservation is perhaps not the best feature: what you<br>
want is some kind of access list and for a negative access list a client<br>
class is better. Host reservations and KNOWN/UNKNOWN are faster for<br>
a positive (and large) access list.<br>
<br>
Regards<br>
<br>
Francis Dupont <<a href="mailto:fdupont@isc.org" target="_blank">fdupont@isc.org</a>><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">Munroe Sollog <o:p></o:p></p>
<div>
<p class="MsoNormal">Senior Network Engineer<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><a href="mailto:munroe@lehigh.edu" target="_blank">munroe@lehigh.edu</a><o:p></o:p></p>
</div>
</div>
</div>
</div>
</body>
</html>