[Kea-users] DHCP NAK through relay option 82

Thu Apr 4 07:54:25 UTC 2024

Hi Jeff,
   As you have discovered, classes based on option 82 values will only 
match relayed traffic.
Therefore, all things being equal, Kea will not be able to select a 
subnet for renewing clients.
Have you considered using host reservations with "circuit-id" as the 
identifier?

Kind Regards Peter

On 03/04/2024 21.09, Jeff Kletsky wrote:
>
> I had hoped that someone would post a better "solution" than what I've 
> been using.
>
> My topology is a Cisco SG-series switch in Level 3 mode that is 
> supplying DHCP (v4) relay to a dedicated subnet with the Kea hosts.
>
> With the caveat that I have not tested this approach for robustness 
> under attack, what I do is check to see if the request appears to be a 
> valid REBIND and then select a client class based on either the VLAN 
> from the circuit ID or that it appears to be a directly sent rebind.
>
> I don't recall how I decided that Kea would select the proper subnet 
> on these direct rebind requests. I am probably relying on undocumented 
> behavior. I recall not performing a match against the IP range for a 
> given VLAN as I didn't want to have to keep the subnet information in 
> sync across different files.
>
> If anyone can improve on this, I'd appreciate the feedback.
>
> Jeff
>
>
> // Renew prefers to go direct to the issuing server
> // so there is no circuit identifier or topology
> //
> // Kea doesn't check the existing leases and its
> // KNOWN selector appears to be related to the client
> // having a reservation.
> //
> // Select based on it being a Request (renew) packet
> // that went direct with matching Ip addresses
>
> {
>     "name": "is_request",
>     "test": "option[53].hex == 0x3"
> },
>
> {
>     "name": "is_direct",
>     "test": "pkt4.giaddr == 0.0.0.0"
> },
>
> {
>     "name": "addresses_match",
>     "test": "pkt4.ciaddr == pkt.src"
> },
>
> {
>     "name": "is_direct_rebind",
>     "test": "member('is_request') and member('is_direct') and 
> member('addresses_match')"
> },
>
> // Try just the combination of relay circuit check or rebind
>
> {
>     "name": "VLAN_84",
>     "test": "member('circuit_84') or member('is_direct_rebind')"
> },
>
> [continues for other VLANs in use]
>
>
>
> On 3/28/24 10:40 AM, Brazda.Libor at seznam.cz wrote:
>> Hi, I am trying to start kea dhcp with client classification using 
>> option 82 through dhcp relay server.
>>
>> When client tries to do renew of ip address, tries to prolongate his 
>> lease, kea response with NAK.
>> The problem is that when client makes simple dhcp discover, the 
>> packet goes broadcast through the router, router acts like dhcp relay 
>> and relays packet to dhcp server kea with added option 82.
>> But when client makes dhcp renewal-packet goes unicast directly to 
>> dhcp server without option 82. As I understand, this causes kea to 
>> response with NAK, because packet doesn't match to subnet rule 
>> criteria. In the logs I see message "ailed to select a subnet for 
>> incoming packet, src 100.64.1.1, type DHCPREQUEST"
>>
>> Is there a way to configure kea to accept renewal requests if lease 
>> already exists and mac address of a client corresponds to stores lease?
>>
>> Full log - https://pastebin.com/yviEFneL
>> Full config - https://pastebin.com/2DxfQKb6
>>
>> Thanks for any advice
>>
>> Libor
>>
>
-- 
Peter Davies
Support Engineer
Internet Systems Corporation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/kea-users/attachments/20240404/55db54cf/attachment.htm>