TRANSCRIPT
© 2019 - Internet Systems Consortium
Kea and DHCPv6
ISC’s take on DHCP
Tomek Mrugalski Sep 2019, APNIC’48
About presenter
• MSc (2003), PhD (2010), both about DHCPv6
• 7 years at Intel
• IETF (since 2009)
• DHC WG co-chair at IETF
• 11 RFCs published, the latest is RFC8415
• ISC (since 2011)
• Engineer started Kea project
• Currently Director of DHCP engineering
• Managing ISC DHCP, Kea and Stork projects
• Several RIPE, UKNOF, PLNOG presentations
• Open source enthusiast
© 2018 ISC
What is ISC?
History
• Silicon Valley
• Founded in 1994
Philosophy
• Non-profit
• Open source
• But our engineers need to eat…
People
• 30+ world wide
• 4 continents
• Poland, Europe (RIPE NCC)
What we do?
▪ We do DNS
  – BIND
  – F root servers, 200+ instances
▪ We do IETF standards (86 RFCs so far)
▪ We do DHCP
  – ISC DHCP
  – Kea
If you never heard about Kea…
▪ DHCPv4 and DHCPv6 server
▪ Performance (1000s leases/sec)
▪ Scalable (millions of devices)
▪ Databases (CSV, MySQL, PostgreSQL, Cassandra)
▪ Hooks (C++ libraries)
▪ REST management API
▪ Linux, BSDs, MacOS, …
▪ Open source (MPL2)
Let’s compare!
                | ISC DHCP                          | ISC Kea
Started         | Prehistory (1995)                 | Recent (2011)
Code            | Not adding anything big           | Active development with tons of new features
Code repository | gitlab, github, tarball           | github, gitlab, tarball, packages
Testing         | ~30 unit-tests                    | 6000+ unit-tests, memory leak tests (valgrind), 700+ system tests, fuzz testing
Docs            | Man pages                         | User’s Guide (500+ pages), Developer’s Guide
Logs            | Fixed log message                 | Every possible log entry is documented and described
IPv6 readiness  | IPv4 originally, IPv6 added later | IPv4 optional
Kea vs ISC DHCP
                        | ISC DHCP                                            | ISC Kea
Performance             | OK (with ramdisk tricks)                            | Great (many 1000s leases/sec)
Management              | OMAPI (custom C interface)                          | JSON over REST API/http, JSON over Unix socket
HA                      | DHCPv4 failover                                     | HA for DHCPv4 and DHCPv6, multiple options for DB clustering
Extensibility           | Shell scripts (out only), configuration language    | JSON everywhere, Hooks (C++), stable API
Configuration           | Custom complex syntax (almost programming language) | JSON with optional DB storage for most elements (more to come)
Leases information      | Custom                                              | CSV, MySQL, PgSQL, Cassandra
Hosts information       | Custom config                                       | JSON, MySQL, PgSQL, Cassandra
Configuration (storage) | Custom config                                       | JSON, or MySQL (1.6)
To translate an existing ISC DHCP configuration: see the Kea Migration Assistant presentation at isc.org/presentations
Tomek Mrugalski, 2018-03-05
Client classification and flexible identifier
How to identify hosts:
Open source
• Identifiers: MAC, duid, circuit-id, client-id
• Client classification
Premium identifier (flex-id)
• Almost anything could be used (35 different expressions)
• Options (client, relay, vendor)
• Fixed fields
• Concat, substring
• Meta-data (interface name, src/dst IP, …)
• Example expression: concat(pkt4.mac, relay4[2].hex)
The backend concept
• Leases (addresses, prefixes)
• Host reservations (per host details)
• Options
• Pools
• Subnets
• Shared networks
• Option definitions
• Global parameters
[Diagram: the DHCPv4/DHCPv6 server talks to three backends, all of which can be stored in MySQL: Lease backend, Hosts backend, Configuration backend (v1.6.0); the diagram labels how often each kind of data changes (rarely vs. often)]
Server tags
[Diagram: two Kea servers, "bkk" and "cnx", each retrieving its own subnets from the CB]
• Subnet id: 100, server-tags: [ "all" ]
• Subnet id: 101, server-tags: [ "bkk" ]
• Subnet id: 102, server-tags: [ "bkk", "cnx" ]
• Subnet id: 103, server-tags: [ "cnx" ]
• Subnet id: 104, server-tags: [ ]
• Kea servers retrieve IPv6 subnets from CB
• Different servers ‘subscribe’ to different subnets
CB applications
• Sharing configuration between HA partners
• Frequently changing configuration (options, pools, subnets, shared networks)
• Automated configuration deployment
• Large configuration (1000+ subnets)
• Large scale deployments (many DHCP servers)
• Scaling up or down (add new or delete not needed VM servers)
Kea API
[Diagram: kea-shell or socat send JSON over http(s) to kea-ctrl-agent, which forwards it as JSON over unix socket to kea-dhcp4, kea-dhcp6 and kea-dhcp-ddns]
Command:
{ "command": "list-commands", "service": [ "dhcp6" ] }
Response:
{ "arguments": [ "build-report", "config-get", . . . ], "result": 0 }
• JSON in, JSON out
• Over 140 commands supported
• New commands every release
• Some provided by hooks (optional libs)
API :: Basics
1. Send list-commands command:
# kea-shell --host ::1 --port 8080 --service dhcp6 list-commands
^D
The JSON kea-shell sends:
{ "command": "list-commands", "service": [ "dhcp6" ] }
2. Get list of currently supported commands in return:
{ "arguments": [ "build-report", "config-get", "config-set", "config-test", "remote-global-parameter4-del", "remote-global-parameter4-get", "remote-global-parameter4-get-all", . . . "remote-subnet6-list", "server-tag-get", "shutdown", "statistic-{get,remove,reset}", "statistic-{get,remove,reset}-all", "version-get" ], "result": 0 }
API :: List IPv6 subnets
• Send remote-subnet6-list command:
# echo ' "server-tags": [ "all" ] ' | \
  kea-shell --host ::1 --port 8000 --service dhcp6 remote-subnet6-list
• Get the list of subnets in return:
[ { "arguments": { "count": 0, "subnets": [ ] }, "result": 3, "text": "0 IPv6 subnet(s) found." } ]
API :: Add new IPv6 subnet
• Send remote-subnet6-set command:
echo ' "subnets": [ { "id": 100, "subnet": "2001:db8:1::/48", "shared-network-name": "", "pools": [ { "pool": "2001:db8:1::/64" } ] } ], "server-tags": [ "all" ] ' | \
  kea-shell --host ::1 --port 8000 --service dhcp6 remote-subnet6-set
The JSON kea-shell sends:
{ "command": "remote-subnet6-set", "arguments": { "subnets": [ { "id": 100, "subnet": "2001:db8:1::/48", "shared-network-name": "", "pools": [ { "pool": "2001:db8:1::/64" } ] } ], "server-tags": [ "all" ] } }
• Get confirmation in return:
{ "arguments": { "subnets": [ { "id": 100, "subnet": "2001:db8:1::/64" } ] }, "result": 0, "text": "IPv6 subnet successfully set." }
Getting in touch
https://gitlab.isc.org/isc-projects/kea
• Software is open source, free
• There are some premium (paid) add-ons
• ISC provides support with various levels
• gitlab, github
• kea-users, kea-dev mailing lists
DHCPv6 quirks
No routing configuration
Not possible to configure default route using DHCPv6
• Why?
• Long argument in IETF
• RA exists to do that (don’t duplicate mechanisms)
• Fate sharing
• Multi-homing
Relay-Forward
Relayed DHCPv6 traffic
[Diagram: Client sends Solicit to Relay Agent, which forwards the Solicit to the Server]
• Up to 8 relays
• Usually 1
• CMTS
• Each relay adds extra encapsulation layer
• Example captures (single relay, two relays): https://www.cloudshark.org/captures/a93239e296bc and https://www.cloudshark.org/captures/ed586947ac56
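The encapsulation described above, as an added Python example that is not from the presentation: it wraps a constructed Solicit in two Relay-forward layers the way relay agents do and then peels them as a server would, applying the RFC 8415 hop-count rule. Message-type and option codes are the RFC 8415 values; the link and peer addresses are constructed.

```python
import ipaddress
import struct

SOLICIT, RELAY_FORW = 1, 12          # DHCPv6 message types (RFC 8415)
OPTION_RELAY_MSG = 9                 # option carrying the encapsulated message
HOP_COUNT_LIMIT = 8                  # RFC 8415: a relay discards a Relay-forward already at this hop count

def solicit(xid=0x0A0B0C):
    """Minimal client Solicit (constructed): msg-type plus 3-byte transaction-id, no options."""
    return bytes([SOLICIT]) + xid.to_bytes(3, "big")

def relay_forward(inner, link_addr, peer_addr):
    """Add one encapsulation layer the way a relay agent does: hop-count is 0 for the first
    relay and inner hop-count + 1 after that; link/peer addresses are 16 bytes each."""
    hop = 0
    if inner[0] == RELAY_FORW:
        if inner[1] >= HOP_COUNT_LIMIT:
            raise ValueError("hop-count limit reached, a relay would discard this message")
        hop = inner[1] + 1
    hdr = bytes([RELAY_FORW, hop]) + ipaddress.IPv6Address(link_addr).packed
    hdr += ipaddress.IPv6Address(peer_addr).packed
    return hdr + struct.pack("!HH", OPTION_RELAY_MSG, len(inner)) + inner

def unwrap(msg):
    """Server-side view: peel every relay layer and return
    (number of relays, inner message type, link-addresses outermost first)."""
    links = []
    while msg[0] == RELAY_FORW:
        links.append(str(ipaddress.IPv6Address(msg[2:18])))
        inner, off = None, 34            # 1 + 1 + 16 + 16 bytes of fixed relay header
        while off + 4 <= len(msg):
            code, length = struct.unpack("!HH", msg[off:off + 4])
            if code == OPTION_RELAY_MSG:
                inner = msg[off + 4:off + 4 + length]
                break
            off += 4 + length
        if inner is None:
            raise ValueError("Relay-forward without OPTION_RELAY_MSG")
        msg = inner
    return len(links), msg[0], links

def two_relay_example():
    """The two-relay case from the slide, with constructed addresses."""
    m = solicit()
    m = relay_forward(m, "2001:db8:10::1", "fe80::1")   # relay closest to the client, hop 0
    m = relay_forward(m, "2001:db8:20::1", "fe80::2")   # second relay, hop 1
    return unwrap(m)
```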
MAC vs DUID
• DUID - unique identifier, one of 4 types:
  • LLT (MAC + time)
  • EN (Enterprise-id)
  • LL (MAC)
  • UUID
• Solved late 1990s problem - unreliable NICs
• Brought a lot of new ones
  • Don’t know device’s DUID until its first boot
  • Not printed on the box
  • When you clone VM, you may get the same DUID
  • Dual boot device (win/linux or PXE) has different DUIDs
• Kea has a solution to that problem:
  • RFC6939 (client-link-layer address option)
  • Extract MAC address from 5 different sources, configurable
  • See https://kea.readthedocs.io/en/v1_6_0/arm/dhcp6-srv.html#mac-hardware-addresses-in-dhcpv6 for details
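An added example, not from the presentation: it parses the four DUID types and the RFC 6939 client link-layer address option to show which of them actually yield a MAC, and why two cloned VMs sharing a DUID can still be told apart by what the relay observed. The preference order in identify() is an assumption for this example, not Kea's configuration; all sample values are constructed.

```python
import struct

DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4   # DUID types, RFC 8415 section 11
OPTION_CLIENT_LINKLAYER_ADDR = 79                    # RFC 6939, added by the relay agent
HTYPE_ETHERNET = 1

def mac_from_duid(duid):
    """Return the MAC embedded in a DUID, or None for types that carry none
    (DUID-EN, DUID-UUID). Only Ethernet hardware addresses are handled."""
    dtype = struct.unpack("!H", duid[:2])[0]
    if dtype == DUID_LLT:
        htype = struct.unpack("!H", duid[2:4])[0]
        lladdr = duid[8:]                 # a 4-byte time sits between htype and the address
    elif dtype == DUID_LL:
        htype = struct.unpack("!H", duid[2:4])[0]
        lladdr = duid[4:]
    else:
        return None
    if htype != HTYPE_ETHERNET or len(lladdr) != 6:
        return None
    return lladdr.hex(":")

def mac_from_rfc6939(option):
    """Parse OPTION_CLIENT_LINKLAYER_ADDR (code, length, link-layer type, address)."""
    code, length, htype = struct.unpack("!HHH", option[:6])
    if code != OPTION_CLIENT_LINKLAYER_ADDR or htype != HTYPE_ETHERNET or length != 8:
        return None
    return option[6:12].hex(":")

def identify(duid, relay_option=None):
    """Pick an identity: the MAC the relay observed, else a MAC inside the DUID, else the raw
    DUID. This order is an assumption for the example; in Kea the sources are configurable."""
    mac = (mac_from_rfc6939(relay_option) if relay_option else None) or mac_from_duid(duid)
    return ("mac", mac) if mac else ("duid", duid.hex())

def make_duid_llt(mac, when=0):
    """Constructed DUID-LLT: type 1, Ethernet, 32-bit time, MAC."""
    return struct.pack("!HHI", DUID_LLT, HTYPE_ETHERNET, when) + bytes.fromhex(mac.replace(":", ""))

def make_rfc6939(mac):
    """Constructed RFC 6939 option for an Ethernet MAC (length = 2-byte htype + 6-byte address)."""
    return struct.pack("!HHH", OPTION_CLIENT_LINKLAYER_ADDR, 8, HTYPE_ETHERNET) + bytes.fromhex(mac.replace(":", ""))
```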
IAs, TAs, PDs
• Three different containers:
  • IA_NA - non-temporary (“normal”) addresses
  • IA_TA - temporary addresses, obsolete
  • IA_PD - Prefix delegation
• Each container can have multiple addresses/prefixes
  • e.g. old address with 0 lifetimes, new address
• There may be multiple containers per message
  • Frequent to request address and prefix in one go
  • May be multiple containers of the same type (“give me 3 prefixes”)
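Added example, not from the slides: it builds and parses IA_NA and IA_PD containers with their nested IAADDR / IAPREFIX options (RFC 8415 layouts) on a constructed Reply that carries a retired zero-lifetime address next to a new one, plus two prefix containers in one message. Option codes are the RFC 8415 values; addresses, IAIDs and lifetimes are constructed.

```python
import ipaddress
import struct

OPTION_IA_NA, OPTION_IAADDR, OPTION_IA_PD, OPTION_IAPREFIX = 3, 5, 25, 26   # RFC 8415 option codes

def opt(code, data):
    return struct.pack("!HH", code, len(data)) + data

def iaaddr(addr, preferred, valid):      # IAADDR: 16-byte address, preferred and valid lifetimes
    return opt(OPTION_IAADDR, ipaddress.IPv6Address(addr).packed + struct.pack("!II", preferred, valid))

def iaprefix(prefix, preferred, valid):  # IAPREFIX: lifetimes, prefix length, 16-byte prefix
    net = ipaddress.IPv6Network(prefix)
    return opt(OPTION_IAPREFIX, struct.pack("!IIB", preferred, valid, net.prefixlen) + net.network_address.packed)

def container(code, iaid, items, t1=1800, t2=2880):
    """IA_NA and IA_PD share one layout: IAID, T1, T2, then nested IAADDR / IAPREFIX options."""
    return opt(code, struct.pack("!III", iaid, t1, t2) + b"".join(items))

def walk(buf):
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack("!HH", buf[off:off + 4])
        yield code, buf[off + 4:off + 4 + length]
        off += 4 + length

def parse_containers(opts):
    """One entry per IA_NA / IA_PD in a message, each listing (lease, preferred, valid)."""
    out = []
    for code, data in walk(opts):
        if code not in (OPTION_IA_NA, OPTION_IA_PD):
            continue
        items = []
        for c, d in walk(data[12:]):                       # skip IAID, T1, T2
            if code == OPTION_IA_NA and c == OPTION_IAADDR:
                items.append((str(ipaddress.IPv6Address(d[:16])),) + struct.unpack("!II", d[16:24]))
            elif code == OPTION_IA_PD and c == OPTION_IAPREFIX:
                pref, valid, plen = struct.unpack("!IIB", d[:9])
                items.append((f"{ipaddress.IPv6Address(d[9:25])}/{plen}", pref, valid))
        out.append({"type": "IA_NA" if code == OPTION_IA_NA else "IA_PD",
                    "iaid": struct.unpack("!I", data[:4])[0], "items": items})
    return out

def still_valid(containers):
    """Leases the client may keep using; valid lifetime 0 means the server is retiring that one."""
    return [(c["type"], c["iaid"], lease) for c in containers for lease, _p, valid in c["items"] if valid > 0]

# Constructed Reply option list: an IA_NA with an old (retired) and a new address, plus two IA_PD containers
SAMPLE = (container(OPTION_IA_NA, 1, [iaaddr("2001:db8:1::10", 0, 0), iaaddr("2001:db8:1::20", 3600, 7200)])
          + container(OPTION_IA_PD, 2, [iaprefix("2001:db8:100::/56", 3600, 7200)])
          + container(OPTION_IA_PD, 3, [iaprefix("2001:db8:200::/56", 3600, 7200)]))
```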
isc.org/kea kea.readthedocs.io gitlab.isc.org/isc-projects/kea
Questions?