DHCPv6: deny unknown-clients doesn't work
Ole Holm Nielsen
Ole.H.Nielsen at fysik.dtu.dk
Mon Apr 29 14:02:03 UTC 2013
We're testing a new DHCPv6 service on our DHCP server. We want to
implement basic network access control by permitting only registered
DHCP clients (DUIDs) to obtain an IPv6 address from the DHCPv6 server.
On a DHCPv6 client (Fedora 18 Linux) I've started the dhclient process
(using NetworkManager) and learned the client DUID from the
/var/lib/NetworkManager/dhclient6*.lease file. I've added this DUID to
the dhcpd6.conf file with basically this configuration:

subnet6 2001:878:200:2010::/64 {
    deny unknown-clients;
    range6 2001:878:200:2010:c0ff::1 2001:878:200:2010:c0ff::af;
    host myclient {
        host-identifier option dhcp6.client-id
            "\000\004\256\343\332\033%\205\032\207 d\305\013\344\312W\305";
    }
}

Problem: Even though myclient does receive an IPv6 address from the
DHCPv6 server, so does every other device on the network, despite the
"deny unknown-clients" configuration! The file
/var/lib/dhcpd/dhcpd6.leases is full of unknown/unauthorized devices :-(
We really want this "deny unknown-clients" to work with DHCPv6. How come
it doesn't seem to be honored by the DHCPv6 server? Is it a bug? Or is
there another way to configure this?
Our DHCPv6 server runs RedHat RHEL 6.4 Linux, DHCP version
dhcp-4.1.1-34.P1.el6.x86_64.
The very same issue was reported in
https://lists.isc.org/pipermail/dhcp-users/2012-July/015705.html but no
one ever seemed to suggest a solution.
--
Ole Holm Nielsen
Department of Physics, Technical University of Denmark
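
An added example, not part of the original post and not ISC DHCP code: a Python audit that lists the leases in dhcpd6.leases whose DUID has no host-identifier entry in dhcpd6.conf. It assumes each ia-na identifier in the lease file is a 4-byte IAID followed by the client DUID, written in the same quoted octal-escape form as the host entry above; the sample leases are constructed.

```python
import re
# ISC dhcpd writes binary identifiers as quoted strings with \ooo octal escapes.
TOKEN = re.compile(r'\\([0-3][0-7]{2})|\\(.)|(.)', re.S)
QUOTED = r'"((?:\\.|[^"\\])*)"'
HOST_ID = re.compile(r'host-identifier\s+option\s+dhcp6\.client-id\s+' + QUOTED)
IA = re.compile(r'^\s*ia-(?:na|ta|pd)\s+' + QUOTED + r'\s*\{', re.M)
IAADDR = re.compile(r'\bia(?:addr|prefix)\s+(\S+)\s*\{')

def decode_isc_string(s):
    """Turn the text between the quotes into raw bytes."""
    out = bytearray()
    for octal, escaped, plain in TOKEN.findall(s):
        out.append(int(octal, 8) if octal else ord(escaped or plain))
    return bytes(out)

def unregistered_leases(conf_text, leases_text):
    """Return [(duid_hex, [addresses])] for leases whose DUID has no host entry."""
    known = {decode_isc_string(s) for s in HOST_ID.findall(conf_text)}
    blocks = list(IA.finditer(leases_text))
    hits = []
    for n, m in enumerate(blocks):
        end = blocks[n + 1].start() if n + 1 < len(blocks) else len(leases_text)
        duid = decode_isc_string(m.group(1))[4:]  # assumption: first 4 bytes are the IAID
        if duid not in known:
            hits.append((duid.hex(), IAADDR.findall(leases_text[m.end():end])))
    return hits

# Host entry as posted in the message above (quoted-string form only).
CONF = r'''
host myclient { host-identifier option dhcp6.client-id
"\000\004\256\343\332\033%\205\032\207 d\305\013\344\312W\305"; }
'''

# Constructed sample leases (both IAIDs and the second DUID are made up).
LEASES = r'''
ia-na "\001\002\003\004\000\004\256\343\332\033%\205\032\207 d\305\013\344\312W\305" {
  iaaddr 2001:878:200:2010:c0ff::1 {
    binding state active;
  }
}
ia-na "\011\010\007\006\000\001\000\001\030\376\253\315\122\124\000\022\064\126" {
  iaaddr 2001:878:200:2010:c0ff::2 {
    binding state active;
  }
}
'''

if __name__ == "__main__":
    print(unregistered_leases(CONF, LEASES))
```

To audit a live server, pass the contents of dhcpd6.conf and /var/lib/dhcpd/dhcpd6.leases (read as latin-1) to unregistered_leases().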