ISC DHCP ISC Kea

Kea and DHCPv6 ISC’s take on DHCP

Tomek Mrugalski Sep 2019, APNIC’48

• MSc (2003), PhD (2010), both about DHCPv6 • 7 years at Intel • IETF (since 2009) • DHC WG co-chair at IETF • 11 RFCs published, the latest is RFC8415 • ISC (since 2011) • Engineer started Kea project • Currently Director of DHCP engineering • Managing ISC DHCP, Kea and Stork projects • Several RIPE, UKNOF, PLNOG presentations • Open source enthusiast

Philosophy • Non-profit • Open source • But our engineers need to eat…

People • 30+ world wide • 4 continents • Poland, Europe (RIPE NCC)

▪ DHCPv4 and DHCPv6 server ▪ Performance (1000s leases/sec) ▪ Scalable (millions of devices) ▪ Databases (CSV, MySQL, PostgreSQL, Cassandra) ▪ Hooks (C++ libraries) ▪ REST management API ▪ Linux, BSDs, MacOS, … ▪ Open source (MPL2)

ISC DHCP ISC Kea

Started Prehistory (1995) Recent (2011)

Code Not adding anything big Active development with tons of new features Code repository gitlab, github, tarball github, gitlab, tarball, packages

Testing ~30 unit-tests 6000+ unit-tests Memory leak tests (valgrind) 700+ system tests Fuzz testing Docs Man pages User’s Guide (500+ pages) Developer’s Guide Logs Fixed log message Every possible log entry is documented and described IPv6 readiness IPv4 originally, IPv6 added later IPv4 optional

ISC DHCP ISC Kea

Performance OK (with ramdisk tricks) Great (many 1000s leases/sec) Management OMAPI (custom C interface) JSON over REST API/http, JSON over Unix socket HA DHCPv4 failover HA for DHCPv4 and DHCPv6, multiple options for DB clustering Extensibility Shell scripts (out only), JSON everywhere, configuration language Hooks (C++), stable API Configuration Custom complex syntax (almost JSON with optional DB storage for programming language) most elements (more to come) Leases information Custom CSV, MySQL, PgSQL, Cassandra

Hosts information Custom config JSON, MySQL, PgSQL, Cassandra

Configuration Custom config JSON, or MySQL (1.6)

How to identify hosts: Open source • Identifiers: MAC, duid, circuit-id, client-id • Client classification Premium identifier (flex-id) • Almost anything could be used (35 different expressions) • Options (client, relay, vendor) • Fixed fields • Concat, substring • Meta-data (interface name, src/dst IP, …) concat(pkt4.mac, relay4[2].hex)

Tomek Mrugalski, 2018-03-05 The backend concept

MySQL DHCPv4, DHCPv6 server • Leases (addresses, preﬁxes) Lease backend

• Host reservations (per host details) Hosts backend • Options • Pools Changing • Subnets Conﬁguration backend • Shared networks v1.6.0 Rarely Often Often Rarely • Option deﬁnitions • Global parameters

Subnet Subnet Subnet Subnet Subnet id: 100, id: 101, id: 102, id: 103, id: 104, server-tags: server-tags: server-tags: server-tags: server-tags: [ ] [“all”] [“bkk”] [“bkk, “cnx”] [“cnx”]

bkk bkk Kea servers retrieve cnx IPv6 subnets from CB

Diﬀerent servers ‘subscribe’ to diﬀerent subnets

• Sharing conﬁguration between HA partners

• Frequently changing conﬁguration (options, pools, subnets, shared networks)

• Automated conﬁguration deployment • Large conﬁguration (1000+ subnets) • Large scale deployments (many DHCP servers) • Scaling up or down (add new or delete not needed VM servers)

JSON over unix socket kea-dhcp4

JSON over http(s) JSON over unix socket JSON over unix socket

kea-shell JSON over unix socket socat kea-ctrl-agent kea-dhcp6

JSON over unix socket

{ “command”: “list-commands”, “service”: [ “dhcp6” ] } Command kea-dhcp-ddns { • JSON in, JSON out "arguments": [ "build-report", Over 140 commands supported "config-get", • . . . ], • New commands every release "result": 0 Some provided by hooks (optional libs) }© 2019 - Internet Systems Consortium Response • !12 API :: Basics 1. Send list-commands command: # kea-shell --host ::1 --port 8080 --service dhcp6 list-commands ^D

2. Get list of currently supported commands in return:

{ { “command”: “list-commands”, "arguments": [ "build-report", “service”: [ “dhcp6” ] "config-get", } "config-set", "config-test", "remote-global-parameter4-del", "remote-global-parameter4-get", "remote-global-parameter4-get-all”, . . . “remote-subnet6-list”, "server-tag-get", "shutdown", “statistic-{get,remove,reset}“, “statistic-{get,remove,reset}-all”, "version-get" ], "result": 0 © 2019 - Internet Systems Consortium } !13 API :: List IPv6 subnets • Send list-commands command: # echo ' "server-tags": [ "all" ] ' | \ kea-shell --host ::1 --port 8000 --service dhcp6 remote-subnet6-list • Get list of currently supported commands in return: [ { "arguments": { "count": 0, "subnets": [

] }, "result": 3, "text": "0 IPv6 subnet(s) found." } ]

© 2019 - Internet Systems Consortium !14 API :: Add new IPv6 subnet • Send remote—subnet6-set command: echo ' "subnets": [ { "id": 100, "subnet": "2001:db8:1::/48", "shared-network-name": "", "pools": [ { "pool": "2001:db8:1::/64" } ] } ], "server-tags": [ "all" ] ' | kea-shell --host ::1 --port 8000 --service dhcp6 remote-subnet6-set • Get list of currently supported commands in return: { { “command”: “remote-subnet6-set”, "arguments": { “arguments”: { "subnets": [ "subnets": [ { { "id": 100, "id": 100, "subnet": “2001:db8:1::/48", "subnet": "2001:db8:1::/64" "shared-network-name": “”, } “pools”: [ { ] “pool”: “2001:db8:1::/64” }, } ] "result": 0, } ], "text": "IPv6 subnet successfully set." "server-tags": [ "all" ] } }

© 2019 - Internet Systems Consortium !15 Getting in touch • Software is open source, free • There are some premium (paid) add-ons • ISC provides support with various levels • gitlab, github • kea-users, kea-dev mailing lists

Not possible to conﬁgure default route using DHCPv6

• Why? • Long argument in IETF • RA exists to do that (don’t duplicate mechanisms)

• Fate sharing • Multi-homing

Relay-Forward Server Client Solicit Relay Agent Solicit

https://www.cloudshark.org/captures/ed586947ac56 (single relay) https://www.cloudshark.org/captures/a93239e296bc (two relays)

• Up to 8 relays • Usually 1 • CMTS • Each relay adds extra encapsulation layer © 2019 - Internet Systems Consortium !19 MAC vs DUID • DUID - unique identifier, one of 4 types: • LLT (MAC + time) • EN (Enterprise-id) • LL (MAC) • UUID • Solved late 1990s problem - unreliable NICs • Brought a lot of new ones • Don’t know device’s DUID until its first boot • Not printed on the box • When you clone VM, you may get the same DUID • Dual boot device (win/linux or PXE) has different DUIDs • Kea has a solution to that problem: • RFC6939 (client-link-layer address option) • Extract MAC address from 5 different sources, configurable • See https://kea.readthedocs.io/en/v1_6_0/arm/dhcp6- srv.html#mac-hardware-addresses-in-dhcpv6 for details

• Three diﬀerent containers: • IA_NA - non-temporary (“normal”) addresses • IA_TA - temporary addresses, obsolete • IA_PD - Preﬁx delegation

• Each container can have multiple addresses/preﬁxes • e.g. old address with 0 lifetimes, new address

• There may be multiple containers per message • Frequent to request address and preﬁx in one go • May be multiple containers of the same type (“give me 3 preﬁxes”)

isc.org/kea kea.readthedocs.io gitlab.isc.org/isc-projects/kea