[Kea-users] bind kea to non-local IP


[Kea-users] bind kea to non-local IP

Munroe Sollog
VRRP should allow for a quick and easy way to implement a failover pair of dhcp servers without breaking poorly implemented DHCP clients (clients that won't re-broadcast the dhcp request when the renewing server doesn't respond).  

However in order to implement keepalived, you have to enable nonlocal ip binding in the kernel:

echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind 

It seems like Kea, though, also doesn't like binding to a non-local IP.  So if the other DHCP server fails, it can't seamlessly assume its role and needs to be reconfigured and restarted.

This would be a great feature to implement especially in 1.4 as part of the HA feature set.  As of right now, when I try to configure kea to listen on the standby IP (the IP the other server is currently using), I get:

DHCP4_INIT_FAIL failed to initialize Kea server: configuration error using file '/etc/kea/kea-dhcp4.conf': Failed to select interface: interface 'eth0' doesn't have address '172.31.0.1' assigned (/etc/kea/kea-dhcp4.conf:18:41) (/etc/kea/kea-dhcp4.conf:18:5)

--
Munroe Sollog
Senior Network Engineer

_______________________________________________
Kea-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/kea-users

Re: [Kea-users] bind kea to non-local IP

Francis Dupont
Kea is like 99.99% of network servers I know: it binds only to local addresses
as required by the standard socket API.

Regards

Francis Dupont <[hidden email]>

PS: I am sure you'll get the same problem with bind9 for instance.

Re: [Kea-users] bind kea to non-local IP

James Sumners

I concur with Munroe. I maintain https://github.com/jsumners/ucarp-rhel7 for my HAProxy failover setup. My guess is that your opposition could stem from multiple OSes not supporting this sort of socket binding. Some quick searching shows me that at least FreeBSD supports it via the “IP_BINDANY” option http://fxr.watson.org/fxr/ident?i=IP_BINDANY. On Linux it is “IP_FREEBIND”. These are defined in netinet/in.h and netinet/ip.h, respectively.

I think this would be a good feature to support since, as far as I can tell, routers don’t typically allow defining a backup “ip helper.”

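As an added example (not code from this thread, from Kea, or from the ucarp-rhel7 project), the following C program shows on Linux the socket behaviour the thread is arguing about: bind() to an address the host does not own fails with EADDRNOTAVAIL, while setting the per-socket IP_FREEBIND option first lets the same bind succeed. The address 192.0.2.1 is a constructed value from TEST-NET-1 (RFC 5737) and is assumed not to be assigned to any interface on the host running it; on glibc the IP_FREEBIND constant is available through <netinet/in.h>, and the #ifdef keeps the program compiling on platforms that lack it (FreeBSD's equivalent is IP_BINDANY, as James notes).

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Attempt to bind a UDP socket to addr:0 (port 0 = ephemeral, so no root
 * privilege is needed).  When freebind is nonzero, IP_FREEBIND is set on the
 * socket before bind().  Returns 0 on success, otherwise the errno of the
 * call that failed. */
int try_bind(const char *addr, int freebind)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno;

    int rc = 0;
    if (freebind) {
#ifdef IP_FREEBIND
        int one = 1;
        if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof one) < 0)
            rc = errno;
#else
        rc = ENOPROTOOPT; /* platform without IP_FREEBIND (FreeBSD: IP_BINDANY) */
#endif
    }

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(0);
    if (rc == 0 && inet_pton(AF_INET, addr, &sin.sin_addr) != 1)
        rc = EINVAL; /* not a valid dotted-quad address */
    if (rc == 0 && bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0)
        rc = errno; /* EADDRNOTAVAIL for a non-local address without IP_FREEBIND */

    close(fd);
    return rc;
}

int main(void)
{
    /* Constructed test address: 192.0.2.1 is in TEST-NET-1 (RFC 5737) and is
     * assumed not to be configured on any interface of this host. */
    const char *nonlocal = "192.0.2.1";
    int rc;

    rc = try_bind("127.0.0.1", 0);
    printf("bind 127.0.0.1 (local address):      %s\n", rc ? strerror(rc) : "ok");
    rc = try_bind(nonlocal, 0);
    printf("bind %s without IP_FREEBIND: %s\n", nonlocal, rc ? strerror(rc) : "ok");
    rc = try_bind(nonlocal, 1);
    printf("bind %s with IP_FREEBIND:    %s\n", nonlocal, rc ? strerror(rc) : "ok");
    return 0;
}
```

The per-socket option is the narrower of the two mechanisms mentioned in the thread: the ip_nonlocal_bind sysctl from the first post lifts the check for every process on the host, whereas IP_FREEBIND lifts it only for the socket that asks. This is also the shape of Francis's concern: a server that accepts any address in its listen configuration will just as silently accept a typo or an address that belongs to a different host, so a server that adds such a feature should confine it to addresses explicitly declared as virtual rather than accepting arbitrary ones.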

Re: [Kea-users] bind kea to non-local IP

Munroe Sollog
Francis -

Actually Bind9 supports 'rescanning' for new IPs to listen on and HAProxy supports listening to non-local IPs.  

The real problem we experience is that there are many poorly implemented DHCP clients.  When it comes time to renew its IP address, a client contacts its last DHCP server and, if that server doesn't respond, it gives up.  Having a secondary or tertiary DHCP server doesn't help in this regard unless it can also assume the IP of the primary DHCP server.

--
Munroe Sollog
Senior Network Engineer


Re: [Kea-users] bind kea to non-local IP

Francis Dupont
In reply to this post by James Sumners
My concern is simple: it is not in the standard and it defeats the common
code which scans interfaces to get all the addresses a network server may
individually bind to. Now to be frank IMHO a feature which allows binding
to any address is basically a bit dangerous...

Now if you still think that UCARP is a good way to provide redundant
DHCP service I propose to mark these addresses as virtual and of course
we'll need a way to allow them on all supported (and unsupported when
the feature exists) systems (BTW what is it for macOS? Officially UCARP
is supported on it). Same for VRRP.

Thanks

Francis Dupont <[hidden email]>

Re: [Kea-users] bind kea to non-local IP

James Sumners

The only server I have with macOS is a local caching proxy for App Store things. I couldn’t even begin to tell you what it supports in this regard.


Re: [Kea-users] bind kea to non-local IP

Francis Dupont
In reply to this post by Munroe Sollog
Munroe Sollog writes:
> Actually Bind9 supports 'rescanning' for new IPs to listen on and HAProxy
> supports listening to non-local IPs.

=> rescan allows adding or removing addresses on interfaces, not
virtual addresses. The DNS uses anycast addresses, which is another way
to provide a service at a "fixed" address by multiple servers.
Of course it works better with an essentially "stateless" protocol like DNS,
and not with DHCP, with the exception of INFORM...

> The real problem we experience is that there are many poorly implemented
> dhcp clients.  When it comes time to renew its IP address, it contacts its
> last DHCP server and if that server doesn't respond, it gives up.

=> it is a clear (but common) violation of the protocol both in letter
and in spirit.
Perhaps it is the reason DHCPv6 requires the use of multicast?

Thanks

Francis Dupont <[hidden email]>

Re: [Kea-users] bind kea to non-local IP

Munroe Sollog
I’m happy to try to resolve my problem of sticky clients another way; I just don’t see how.
--
Munroe Sollog
Senior Network Engineer
