[Kea-users] deny booting or ignore booting

[Kea-users] deny booting or ignore booting

Munroe Sollog
isc dhcpd supports the concept of "deny booting" or "ignore booting".  Kea does not seem to support this concept.

From time to time we need to ensure that a random device does not get a valid lease and is thus prevented from accessing our network (we enforce DHCP at the access layer).  I found this:

http://oldkea.isc.org/ticket/5229

I'm not sure what to make of this, but I tried creating a host reservation without an IP address and kea errors with:

specified reservation for DUID: hwtype=1 00:50:56:bf:d7:a5 must include at least one resource, i.e. hostname, IPv4 address, IPv6 address/prefix, options


--
Munroe Sollog
Senior Network Engineer

_______________________________________________
Kea-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/kea-users

Re: [Kea-users] deny booting or ignore booting

Francis Dupont
Munroe Sollog writes:
> isc dhcpd supports the concept of "deny booting" or "ignore booting".  Kea
> does not seem to support this concept.

=> this feature is not supported by Kea but you have other ways to get
the same effect.

> From time to time we need to ensure that a random device does not get a
> valid lease and is thus prevented from accessing our network (we enforce
> DHCP at the access layer).  I found this:

=> as ISC DHCP booting keyword has a meaning only in a host reservation
it is useless for a random device which by definition has no known
identifier. Note if you want to ban unknown devices both ISC DHCP and
Kea (since 1.5) provide a known/unknown client classification.

> http://oldkea.isc.org/ticket/5229

=> replaced by https://gitlab.isc.org/isc-projects/kea/issues/239

This ticket is a migration ticket: all features of ISC DHCP were
analyzed:
 - some can be translated (*) to Kea
 - some are candidates to be added to Kea
 - some have low interest (too specific, obsolete or unused, etc) (**)
(*) There is a piece of software named the Migration Assistant which
helps to translate ISC DHCP configurations to Kea. It is still in
development but as we are looking for config samples to test and
improve it you can contact us to know more...
(**) #239 falls into the last category (priority low); the MA code emits
a "no concrete usage known?" message when it finds the booting keyword.

> I'm not sure what to make of this, but I tried creating a host reservation
> without an IP address and kea errors with:
>
> specified reservation for DUID: hwtype=1 00:50:56:bf:d7:a5 must include at
> least one resource, i.e. hostname, IPv4 address, IPv6 address/prefix,
> options

=> yes if you have no address (nor prefix in IPv6) you need a hostname.
Note here a host reservation is perhaps not the best feature: what you
want is some kind of access list and for a negative access list a client
class is better. Host reservations and KNOWN/UNKNOWN are faster for
a positive (and large) access list.

Regards

Francis Dupont <[hidden email]>

Re: [Kea-users] deny booting or ignore booting

Munroe Sollog
Perhaps random wasn't a good choice of words.  Given a MAC address we need a way of ensuring it does not DHCP.  I'm open to alternatives to the ignore/deny booting function.  Some sort of client classification?

--
Munroe Sollog
Senior Network Engineer


Re: [Kea-users] deny booting or ignore booting

Thomas Andersen

Do you have a NAC or is it an open network?

I would prefer to deny it when entering the network, not when asking for DHCP.

Br,

Thomas


Re: [Kea-users] deny booting or ignore booting

Munroe Sollog
While I appreciate the suggestion, installing a NAC to accomplish similar functionality to one line of configuration in our DHCP server is kind of silly.

--
Munroe Sollog
Senior Network Engineer


Re: [Kea-users] deny booting or ignore booting

Francis Dupont
Munroe Sollog writes:
> Perhaps random wasn't a good choice of words.  Given a MAC address we need
> a way of ensuring it does not DHCP.  I'm open to alternatives to the
> ignore/deny booting function.  Some sort of client classification?

=> the simplest (and most efficient, as a rogue client can for instance
flood the server with junk queries) is to use a firewall feature to
drop messages on the floor. At the Kea server level the standard way
is to create a client class which matches all other clients and
to guard subnets or pools with this class so no resource will be
available to it. You can also write a hook to filter out messages,
but it requires writing some code (vs a config update).

Regards

Francis Dupont <[hidden email]>

PS: I cited the hook because it is the standard way to plug an
authentication/authorization service to Kea.

Re: [Kea-users] deny booting or ignore booting

Munroe Sollog
The firewall idea is interesting, but all of our DHCP is via relay and I don't think I can capture the source MAC address from the relay.

We have 35,000 hosts DHCP-ing, to whitelist all but 100 sounds very inefficient. Further, in this case, we are only able to enumerate badness, new devices that behave properly should not be limited.

There has to be a way to give kea a list of MAC addresses to ignore.

--
Munroe Sollog
Senior Network Engineer


Re: [Kea-users] deny booting or ignore booting

Thomas Andersen

Hi,

Installing a NAC solely for that purpose would be overkill :)

But when you have 35,000 devices, I would presume you already have some sort of NAC to control/verify who's on your network.

That being 802.1X, MAC auth or CWP.

We use ClearPass for all network authentication, which has the option to blacklist MAC addresses. Similar open source software like PacketFence has the same feature set as ClearPass, more or less.

Br,

Thomas


Re: [Kea-users] deny booting or ignore booting

Munroe Sollog
I'm going to start calling you Thomas "Scope Creep" Andersen. :) In all seriousness, we can talk about the value of NACs and sure there are some, but it is clearly out of scope for lifecycling our DHCP server.

--
Munroe Sollog
Senior Network Engineer


Re: [Kea-users] deny booting or ignore booting

Ambauen  Daniel (ID NET)
Hi

> Installing a NAC for that purpose solely, would be overkill :)
> But when you have 35,000 devices, I would presume you already had some sort of NAC, to control/verify who's on your network.
>
> That being 802.1x, Mac auth or CWP.

+1

Well, we see over 40'000 devices in our network and we are using IEEE 802.1X.
From my point of view the network access control is definitely not a task of the DHCP service.

Regards
Daniel



Re: [Kea-users] deny booting or ignore booting

Francis Dupont
"Ambauen Daniel (ID NET)" writes:
> From my point of view the network access control is definitely not a
> task of the DHCP service.

=> I agree: it is clearly too late and DHCP is more than poor about security.

Regards

Francis Dupont <[hidden email]>

Re: [Kea-users] deny booting or ignore booting

Francis Dupont
Munroe Sollog writes:
> There has to be a way to give kea a list of MAC addresses to ignore.

=> this is what I called a black list and in Kea it can be implemented
with a client class and guards in subnets or pools (the effect is a bit
different: when all subnets are guarded against a rogue client no subnet
is selected; for pools it makes only resources (i.e. addresses) not
available for the rogue client; of course I suppose it has no reservations).

Regards

Francis Dupont <[hidden email]>
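The approach Francis describes above (a client class that matches the denied MACs, and subnets or pools guarded by its negation), written out as an added example Kea DHCPv4 configuration; it is not from this thread or from ISC. The MAC 00:50:56:bf:d7:a5 is the one quoted earlier in the thread, the second MAC, the interface name and the subnet ranges are made up, and the `//` comments rely on Kea's configuration parser accepting C++-style comments.

```json
{
  "Dhcp4": {
    "interfaces-config": { "interfaces": [ "eth0" ] },
    "lease-database": { "type": "memfile" },

    // Kea evaluates classes in the order listed, so the deny-list class
    // must come before the class whose test negates it with member().
    "client-classes": [
      {
        // Deny list: hardware addresses that must never get a lease.
        // pkt4.mac is the chaddr field of the client's own packet, which a
        // relay forwards unchanged, so this also works for relayed traffic.
        // First MAC is from the thread; the second is a made-up placeholder.
        "name": "denied_mac",
        "test": "pkt4.mac == 0x005056bfd7a5 or pkt4.mac == 0x0011223344aa"
      },
      {
        // Everybody else. Guarding with this single class keeps the deny
        // list in one place instead of repeating it per subnet or pool.
        "name": "allowed",
        "test": "not member('denied_mac')"
      }
    ],

    "subnet4": [
      {
        // Subnet guard: a denied client matches no subnet at all, so no
        // subnet is selected and the server has nothing to offer it.
        "subnet": "192.0.2.0/24",
        "client-class": "allowed",
        "pools": [ { "pool": "192.0.2.100 - 192.0.2.200" } ],
        "option-data": [ { "name": "routers", "data": "192.0.2.1" } ]
      },
      {
        // Pool guard variant: the subnet is still selected for the denied
        // client, but its only pool is closed to it, so no address is free.
        "subnet": "198.51.100.0/24",
        "pools": [
          {
            "pool": "198.51.100.10 - 198.51.100.250",
            "client-class": "allowed"
          }
        ],
        "option-data": [ { "name": "routers", "data": "198.51.100.1" } ]
      }
    ]
  }
}
```

As Francis notes, a host reservation for a denied MAC would still hand out its reserved resources, so the reservation store must not contain entries for deny-listed clients.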

Re: [Kea-users] deny booting or ignore booting

Munroe Sollog
This sounds promising, can you point me towards some documentation or examples where I could read more?

--
Munroe Sollog
Senior Network Engineer
