ISC DHCP ISC Kea
Total Page:16
File Type:pdf, Size:1020Kb
Kea and DHCPv6 ISC’s take on DHCP Tomek Mrugalski Sep 2019, APNIC’48 © 2019 - Internet Systems Consortium !1 About presenter • MSc (2003), PhD (2010), both about DHCPv6 • 7 years at Intel • IETF (since 2009) • DHC WG co-chair at IETF • 11 RFCs published, the latest is RFC8415 • ISC (since 2011) • Engineer started Kea project • Currently Director of DHCP engineering • Managing ISC DHCP, Kea and Stork projects • Several RIPE, UKNOF, PLNOG presentations • Open source enthusiast © 2019 - Internet Systems Consortium !2 What is ISC? History • Silicon Valley • founded in 1994 Philosophy • Non-profit • Open source • But our engineers need to eat… People • 30+ world wide • 4 continents • Poland, Europe (RIPE NCC) © 2018 ISC What we do? ▪ We do DNS – BIND – F root servers, 200+ instances ▪ We do IETF standards (86 RFCs so far) ▪ We do DHCP – ISC DHCP – Kea © 2018 ISC If you never heard about Kea… ▪ DHCPv4 and DHCPv6 server ▪ Performance (1000s leases/sec) ▪ Scalable (millions of devices) ▪ Databases (CSV, MySQL, PostgreSQL, Cassandra) ▪ Hooks (C++ libraries) ▪ REST management API ▪ Linux, BSDs, MacOS, … ▪ Open source (MPL2) © 2018 ISC Let’s compare! ISC DHCP ISC Kea Started Prehistory (1995) Recent (2011) Code Not adding anything big Active development with tons of new features Code repository gitlab, github, tarball github, gitlab, tarball, packages Testing ~30 unit-tests 6000+ unit-tests Memory leak tests (valgrind) 700+ system tests Fuzz testing Docs Man pages User’s Guide (500+ pages) Developer’s Guide Logs Fixed log message Every possible log entry is documented and described IPv6 readiness IPv4 originally, IPv6 added later IPv4 optional © 2019 - Internet Systems Consortium !6 Kea vs ISC DHCP ISC DHCP ISC Kea Performance OK (with ramdisk tricks) Great (many 1000s leases/sec) Management OMAPI (custom C interface) JSON over REST API/http, JSON over Unix socket HA DHCPv4 failover HA for DHCPv4 and DHCPv6, multiple options for DB clustering Extensibility Shell scripts (out only), JSON everywhere, configuration language Hooks (C++), stable API Configuration Custom complex syntax (almost JSON with optional DB storage for programming language) most elements (more to come) Leases information Custom CSV, MySQL, PgSQL, Cassandra Hosts information Custom config JSON, MySQL, PgSQL, Cassandra Configuration Custom config JSON, or MySQL (1.6) To translate an existing ISC DHCP configuration See Kea Migration Assistant presentation at isc.org/presentations © 2019 - Internet Systems Consortium !7 Client classification and flexible identifier How to identify hosts: Open source • Identifiers: MAC, duid, circuit-id, client-id • Client classification Premium identifier (flex-id) • Almost anything could be used (35 different expressions) • Options (client, relay, vendor) • Fixed fields • Concat, substring • Meta-data (interface name, src/dst IP, …) concat(pkt4.mac, relay4[2].hex) Tomek Mrugalski, 2018-03-05 The backend concept MySQL DHCPv4, DHCPv6 server • Leases (addresses, prefixes) Lease backend • Host reservations (per host details) Hosts backend • Options • Pools Changing • Subnets Configuration backend • Shared networks v1.6.0 Rarely Often Often Rarely • Option definitions • Global parameters © 2019 - Internet Systems Consortium !9 Server tags Subnet Subnet Subnet Subnet Subnet id: 100, id: 101, id: 102, id: 103, id: 104, server-tags: server-tags: server-tags: server-tags: server-tags: [ ] [“all”] [“bkk”] [“bkk, “cnx”] [“cnx”] bkk bkk Kea servers retrieve cnx IPv6 subnets from CB Different servers ‘subscribe’ to different subnets © 2019 - Internet Systems Consortium !10 CB applications • Sharing configuration between HA partners • Frequently changing configuration (options, pools, subnets, shared networks) • Automated configuration deployment • Large configuration (1000+ subnets) • Large scale deployments (many DHCP servers) • Scaling up or down (add new or delete not needed VM servers) © 2019 - Internet Systems Consortium !11 Kea API JSON over unix socket JSON over unix socket kea-dhcp4 JSON over http(s) JSON over unix socket JSON over unix socket kea-shell JSON over unix socket socat kea-ctrl-agent kea-dhcp6 JSON over unix socket { “command”: “list-commands”, “service”: [ “dhcp6” ] } Command kea-dhcp-ddns { • JSON in, JSON out "arguments": [ "build-report", Over 140 commands supported "config-get", • . ], • New commands every release "result": 0 Some provided by hooks (optional libs) }© 2019 - Internet Systems Consortium Response • !12 API :: Basics 1. Send list-commands command: # kea-shell --host ::1 --port 8080 --service dhcp6 list-commands ^D 2. Get list of currently supported commands in return: { { “command”: “list-commands”, "arguments": [ "build-report", “service”: [ “dhcp6” ] "config-get", } "config-set", "config-test", "remote-global-parameter4-del", "remote-global-parameter4-get", "remote-global-parameter4-get-all”, . “remote-subnet6-list”, "server-tag-get", "shutdown", “statistic-{get,remove,reset}“, “statistic-{get,remove,reset}-all”, "version-get" ], "result": 0 © 2019 - Internet Systems Consortium } !13 API :: List IPv6 subnets • Send list-commands command: # echo ' "server-tags": [ "all" ] ' | \ kea-shell --host ::1 --port 8000 --service dhcp6 remote-subnet6-list • Get list of currently supported commands in return: [ { "arguments": { "count": 0, "subnets": [ ] }, "result": 3, "text": "0 IPv6 subnet(s) found." } ] © 2019 - Internet Systems Consortium !14 API :: Add new IPv6 subnet • Send remote—subnet6-set command: echo ' "subnets": [ { "id": 100, "subnet": "2001:db8:1::/48", "shared-network-name": "", "pools": [ { "pool": "2001:db8:1::/64" } ] } ], "server-tags": [ "all" ] ' | kea-shell --host ::1 --port 8000 --service dhcp6 remote-subnet6-set • Get list of currently supported commands in return: { { “command”: “remote-subnet6-set”, "arguments": { “arguments”: { "subnets": [ "subnets": [ { { "id": 100, "id": 100, "subnet": “2001:db8:1::/48", "subnet": "2001:db8:1::/64" "shared-network-name": “”, } “pools”: [ { ] “pool”: “2001:db8:1::/64” }, } ] "result": 0, } ], "text": "IPv6 subnet successfully set." "server-tags": [ "all" ] } } © 2019 - Internet Systems Consortium !15 Getting in touch • Software is open source, free • There are some premium (paid) add-ons • ISC provides support with various levels • gitlab, github • kea-users, kea-dev mailing lists © 2019 - Internet Systems Consortium https://gitlab.isc.org/isc-projects/kea !16 DHCPv6 quirks © 2019 - Internet Systems Consortium !17 No routing configuration Not possible to configure default route using DHCPv6 • Why? • Long argument in IETF • RA exists to do that (don’t duplicate mechanisms) • Fate sharing • Multi-homing © 2019 - Internet Systems Consortium !18 Relayed DHCPv6 traffic Relay-Forward Server Client Solicit Relay Agent Solicit https://www.cloudshark.org/captures/ed586947ac56 (single relay) https://www.cloudshark.org/captures/a93239e296bc (two relays) • Up to 8 relays • Usually 1 • CMTS • Each relay adds extra encapsulation layer © 2019 - Internet Systems Consortium !19 MAC vs DUID • DUID - unique identifier, one of 4 types: • LLT (MAC + time) • EN (Enterprise-id) • LL (MAC) • UUID • Solved late 1990s problem - unreliable NICs • Brought a lot of new ones • Don’t know device’s DUID until its first boot • Not printed on the box • When you clone VM, you may get the same DUID • Dual boot device (win/linux or PXE) has different DUIDs • Kea has a solution to that problem: • RFC6939 (client-link-layer address option) • Extract MAC address from 5 different sources, configurable • See https://kea.readthedocs.io/en/v1_6_0/arm/dhcp6- srv.html#mac-hardware-addresses-in-dhcpv6 for details © 2019 - Internet Systems Consortium !20 IAs, TAs, PDs • Three different containers: • IA_NA - non-temporary (“normal”) addresses • IA_TA - temporary addresses, obsolete • IA_PD - Prefix delegation • Each container can have multiple addresses/prefixes • e.g. old address with 0 lifetimes, new address • There may be multiple containers per message • Frequent to request address and prefix in one go • May be multiple containers of the same type (“give me 3 prefixes”) © 2019 - Internet Systems Consortium !21 Questions? isc.org/kea kea.readthedocs.io gitlab.isc.org/isc-projects/kea © 2019 - Internet Systems Consortium !22.