Kea issues
https://gitlab.isc.org/isc-projects/kea/-/issues
Updated: 2023-07-31T13:34:54Z

---

Issue #2547: How is TLS configured for the Control Agent when not in HA?
https://gitlab.isc.org/isc-projects/kea/-/issues/2547
Updated: 2023-07-31T13:34:54Z | Author: vps-eric

In section [23.1.2 TLS/HTTPS Configuration](https://kea.readthedocs.io/en/latest/arm/security.html#tls-https-configuration) of the Kea ARM version 2.2.0, it is stated that the `trust-anchor` option specifies a path to the certificate authority certificate of the [HA] peer, and that this setting must be specified along with `cert-file` and `key-file` to enable TLS.

Confusingly, the "Security considerations" of the [Kea documentation of 2.1.7-git](https://reports.kea.isc.org/dev_guide/d7/dc0/controlAgent.html#CtrlAgentSecurity) states that you will

> ...not implement the secure layer [TLS] within Kea...

and that

> ...a reverse HTTP proxy can be setup[sic] using one of the third party HTTP server implementations...

These things seem to conflict. Back to the original point, though, is my confusion about how to enable TLS for the control agent when not in HA (and also when in HA with one or more backup servers, when there would be more than one peer). Why is it necessary to configure the peer's certificate authority certificate in the control agent configuration when the system has its own certificate authority certificate store?

Milestone: next-stable-2.6

---

Issue #2540: kea4 drops packet when server id option is included twice, but because of wrong reason
https://gitlab.isc.org/isc-projects/kea/-/issues/2540
Updated: 2023-04-06T12:02:31Z | Author: Wlodzimierz Wencel

We have a pretty complicated test for FQDN sanitisation, and we came across a weird problem. When Kea gets a v4 packet that includes the server id option twice, it gets dropped, but Kea logs:
```
2022-08-19 02:35:41.529 DEBUG [kea-dhcp4.bad-packets/169499.139645022918400] DHCP4_PACKET_DROP_0003 [hwtype=1 00:1f:d0:00:00:22], cid=[no info], tid=0x8c57ee, from interface enp0s9: it contains a foreign server identifier
```
The interesting part is that the value of the server id is correct.
packet:
```
###[ Ethernet ]###
  dst       = ff:ff:ff:ff:ff:ff
  src       = 08:00:27:6d:ee:67
  type      = IPv4
###[ IP ]###
  version   = 4
  ihl       = None
  tos       = 0x0
  len       = None
  id        = 1
  flags     =
  frag      = 0
  ttl       = 64
  proto     = udp
  chksum    = None
  src       = 0.0.0.0
  dst       = 255.255.255.255
  \options   \
###[ UDP ]###
  sport     = bootpc
  dport     = bootps
  len       = None
  chksum    = None
###[ BOOTP ]###
  op        = BOOTREQUEST
  htype     = 1
  hlen      = 6
  hops      = 0
  xid       = 9197550
  secs      = 0
  flags     =
  ciaddr    = 0.0.0.0
  yiaddr    = 0.0.0.0
  siaddr    = 0.0.0.0
  giaddr    = 0.0.0.0
  chaddr    = b'\x00\x1f\xd0\x00\x00"'
  sname     = b''
  file      = b''
  options   = 'c\x82Sc'
###[ DHCP options ]###
  options   = [message-type='request' server_id=192.168.50.252 server_id=192.168.50.252 requested_addr=192.168.50.11 client_FQDN='\x01\x00\x00client2.four.example.com.' end]
```

Milestone: backlog

---

Issue #2531: test timer multiplicator
https://gitlab.isc.org/isc-projects/kea/-/issues/2531
Updated: 2022-09-01T13:43:29Z | Author: Francis Dupont

On some systems a few tests fail because maximum delay timers fire too soon. This ticket adds a new environment variable to make these timers longer. Of course the default will be 1...

Milestone: outstanding

---

Issue #2529: patching query options core hook
https://gitlab.isc.org/isc-projects/kea/-/issues/2529
Updated: 2023-08-10T13:23:02Z | Author: Francis Dupont

The idea is to clone the flex option core hook into a similar hook patching the query vs the response. It should be simpler (no client class) and will solve a lot of customer problems including the RAI link selector one.

The only not easy point (code and doc can be reused at a very high level) is to pick a name for it!

Milestone: next-stable-2.6

---

Issue #2525: Support multiple vendor options in flex_option hook
https://gitlab.isc.org/isc-projects/kea/-/issues/2525
Updated: 2023-11-13T22:36:40Z | Author: Francis Dupont

Currently the code assumes there is at most one instance of a vendor option and ignores vendor class options even if it knows vendor IDs.

Milestone: backlog

---

Issue #2524: Support multiple vendor options in expression evaluation
https://gitlab.isc.org/isc-projects/kea/-/issues/2524
Updated: 2023-06-19T12:22:48Z | Author: Francis Dupont

Currently expressions handle vendor IDs in the syntax, but the code and unit tests are not prepared to have multiple vendor options (v4 124 and 125, v6 16 and 17), i.e. the first vendor option masks the others.

Milestone: backlog

---

Issue #2523: More libload unit tests for premium hooks
https://gitlab.isc.org/isc-projects/kea/-/issues/2523
Updated: 2022-09-01T13:33:10Z | Author: Francis Dupont

#2235 added new libload unit tests checking if a hook is used with the right server, but for hooks registering new commands (the common case for these new tests) it is interesting (and easy) to also check that the commands are correctly registered after load, and not registered before load and after unload.

Milestone: outstanding

---

Issue #2522: Using special characters in expressions is not documented.
https://gitlab.isc.org/isc-projects/kea/-/issues/2522
Updated: 2023-07-05T10:39:18Z | Author: Marcin Godzina

Using special characters in expressions is not documented.
For example, to use `'` (single quote) as the delimiter for the `split` expression you need to use its ASCII value:
`split(option[39].text, 0x27, 1)`

Milestone: next-stable-2.6

---

Issue #2521: Change v4 vivco-suboptions definition
https://gitlab.isc.org/isc-projects/kea/-/issues/2521
Updated: 2023-11-02T13:20:23Z | Author: Francis Dupont

Change the Vendor-Identifying Vendor class option (name "vivco-suboptions", code 124) from uint32 + binary to uint32 + uint8 + tuple array. Even if the RFC 3925 layout is more an array of records, we have trouble with multiple vendor ids (the uint32 field): either a second vendor id is different and parsing uses the same value without reading it, which is incorrect, or the second id is the same and that is not allowed by the RFC. See also #2520 about arrays and record types.
The RFC 3925 layout is:
```
                        1 1 1 1 1 1
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  option-code  |  option-len   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      enterprise-number1       |
   |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   data-len1   |               |
   +-+-+-+-+-+-+-+-+               |
   /      vendor-class-data1       /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ----
   |      enterprise-number2       |   ^
   |                               |   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   |
   |   data-len2   |               | optional
   +-+-+-+-+-+-+-+-+               |   |
   /      vendor-class-data2       /   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   |
   ~            ...                ~   V
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ----

   ...

   The vendor-class-data comprises a series of separate items, each of
   which describes some characteristic of the client's hardware
   configuration or capabilities.  Examples of vendor-class-data
   instances might include the version of the operating system the
   client is running or the amount of memory installed on the client.

   Each instance of the vendor-class-data is formatted as follows:

                        1 1 1 1 1 1
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   data-len    |               |
   +-+-+-+-+-+-+-+-+  opaque-data  |
   /                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```
Note this includes a rewrite of the OptionVendorClass code in a simpler form (only one set of tuples, only the check of the data-len (uint8 / second field) to add) and **must** be considered when #1518 is merged.

Milestone: backlog

---

Issue #2520: Change v6 vendor-class option definition.
https://gitlab.isc.org/isc-projects/kea/-/issues/2520
Updated: 2023-03-10T23:20:36Z | Author: Francis Dupont

The idea is to change the DHCPv6 vendor-class (code 16) definition from uint32 + binary into uint32 + tuple array. This has a lot of advantages **but is not backward compatible**. Note that, if ISC DHCP allows arrays of records, for Kea the array flag for a record type means the last field is an array. Currently there is only one standard option using tuples.
Quoting RFC 8415 figures 28 and 29, the vendor-class option layout is:
```
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      OPTION_VENDOR_CLASS      |           option-len          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       enterprise-number                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               .
   .                       vendor-class-data                       .
   .                             . . .                             .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   ...

   The vendor-class-data field is composed of a series of separate
   items, each of which describes some characteristic of the client's
   hardware configuration.  Examples of vendor-class-data instances
   might include the version of the operating system the client is
   running or the amount of memory installed on the client.

   Each instance of vendor-class-data is formatted as follows:

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-...-+-+-+-+-+-+-+
   |       vendor-class-len        |          opaque-data          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-...-+-+-+-+-+-+-+
```

Milestone: outstanding

---

Issue #2518: RFC9243: YANG for DHCPv6
https://gitlab.isc.org/isc-projects/kea/-/issues/2518
Updated: 2022-10-14T11:17:11Z | Author: Tomek Mrugalski

Now that [rfc9243](https://datatracker.ietf.org/doc/html/rfc9243) has been published, it's a good time to consider whether we want to abandon the Kea-specific YANG model and migrate to a standard one, or stick with it.
If you are a user who deployed Kea with NETCONF, please share your thoughts on this.
Alternatively, we could support both models, but it seems more troublesome to maintain in the long term.

Milestone: outstanding

---

Issue #2499: don't extend dhcpdb_create scripts any more
https://gitlab.isc.org/isc-projects/kea/-/issues/2499
Updated: 2024-03-27T13:32:29Z | Author: Wlodzimierz Wencel

We should stop maintaining two paths of database creation. It leads to mistakes, more work during releases, and additional jobs to check differences. So rather than developing scripts like `dhcpdb_create.mysql` (`dhcpdb_create.pgsql`) and upgrade scripts (e.g. upgrade_009_to_010.sh.in) separately, we should develop just upgrade scripts, which will be executed by the dhcpdb_create.sh script.
It's ugly to do it this late in a process but it will make our life much easier in the future.
- [ ] as part of the refactor process, please make sure there's a VERY good reason why there's an .in version that needs to be expanded during configure.

Milestone: next-stable-3.0

---

Issue #2495: Kea uses predictable filenames for sockets in /tmp
https://gitlab.isc.org/isc-projects/kea/-/issues/2495
Updated: 2023-07-05T10:39:19Z | Author: Paride Legovini

Debian maintainer of the Kea package here; this is a forward of Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014929 and Ubuntu bug https://bugs.launchpad.net/ubuntu/+source/isc-kea/+bug/1863100.

---
The default Kea configuration files place control sockets under `/tmp`, e.g.:
```
+---
| "control-socket": {
| "socket-type": "unix",
| "socket-name": "/tmp/kea4-ctrl-socket"
| },
+---[ /etc/kea/kea-dhcp4.conf ]
```
This can be a security issue, especially given that the sockets have fixed names, as any user can create a file/socket with that name under `/tmp`. Please move the control sockets to `/run/kea`. Thanks!

Milestone: next-stable-2.6

---

Issue #2490: logged messages in Dhcpv4Srv::selectSubnet4o6 use the same name as those in Dhcpv4Srv::selectSubnet
https://gitlab.isc.org/isc-projects/kea/-/issues/2490
Updated: 2023-07-05T10:39:18Z | Author: Razvan Becheriu

Milestone: next-stable-2.6

---

Issue #2489: Add support for logging and stat collection related to IPv6 HR conflicts
https://gitlab.isc.org/isc-projects/kea/-/issues/2489
Updated: 2023-06-19T12:21:15Z | Author: Dan Theisen

This is related to #2419
Investigate code paths related to IPv6 Host Reservation conflicts, and add a `ALLOC_ENGINE_V6_DISCOVER_ADDRESS_CONFLICT` log message as well as `v6-reservation-conflicts` and `subnet[id].v6-reservation-conflicts` stats to reflect issues with allocating IPv6 Host Reservations.

Milestone: backlog

---

Issue #2480: Documentation - Update KB Article Understanding Client Classification
https://gitlab.isc.org/isc-projects/kea/-/issues/2480
Updated: 2023-07-31T13:34:54Z | Author: Peter Davies

**Update KB Article Understanding Client Classification**
The early-global-reservations-lookup for classes was implemented in release 2.1.4, see #2249.
This optionally changes the phases of subnet selection and host reservation.
It needs to be explained in the KB article:
https://kb.isc.org/docs/understanding-client-classification

Milestone: next-stable-2.6

---

Issue #2479: Documentation - upgrading Kea servers with a common DB backend
https://gitlab.isc.org/isc-projects/kea/-/issues/2479
Updated: 2023-07-31T13:34:54Z | Author: Peter Davies

**Documentation - upgrading Kea servers with a common DB backend**
In Kea implementations where servers do not share common databases, Kea may be upgraded individually.
In this way the downtime of DHCP services may be limited.
Some users employ a common database backend for leases and/or configuration data.
As Kea software upgrades normally increment database schema versions, individual upgrades may have unfortunate side effects.
We would like advice regarding this type of upgrade added to:
4.3.2.2 Upgrading a MySQL Database From an Earlier Version of Kea
4.3.3.3 Upgrading a PostgreSQL Database From an Earlier Version of Kea

Milestone: next-stable-2.6

---

Issue #2449: atomic lease limits
https://gitlab.isc.org/isc-projects/kea/-/issues/2449
Updated: 2022-08-11T11:51:44Z | Author: Andrei Pavel (andrei@isc.org)

Make the checking of lease limits atomic to the lease allocation process, thus resulting in a hard limit cap, as outlined below:

* [ ] Add the limits to the lease candidate's user context under path `ISC.limits` in the `leaseX_select` callout.
* [ ] Add before-event triggers on the lease tables in MySQL and PostgreSQL that check the limits and prevent the subsequent INSERT or UPDATE statement if a limit is exceeded. If the INSERT or UPDATE is carried out, `ISC.limits` is removed from the user context.
* [ ] Signal the event of reaching a limit to the lease manager which logs its details.
* [ ] Make sure the event is properly handled as a frequent application logic event in the calling contexts (e.g. allocation engine, HA service, lease_cmds), as opposed to a technical failure which can disrupt the usual service or can be costly in terms of performance.

Milestone: outstanding

---

Issue #2446: Update the flow charts in the documentation, esp for HR lookup sequence
https://gitlab.isc.org/isc-projects/kea/-/issues/2446
Updated: 2023-07-31T13:34:54Z | Author: Vicky Risk (vicky@isc.org)

The flow charts in the documentation represent the sequence of operations for Kea 1.8. It would be useful to add new charts that show how this has changed in 2.1, particularly for the HR lookup behavior.

Milestone: next-stable-2.6

---

Issue #2427: Kea HA hot-standby mode - standby peer not catching up
https://gitlab.isc.org/isc-projects/kea/-/issues/2427
Updated: 2023-07-31T13:42:46Z | Author: favq

Hi,
I'm testing a Kea HA setup in hot-standby mode, with the following settings:
* Kea 2.0.1 DHCPv4 + control agent.
* Two Kea instances: one "primary" and the other "standby".
* memfile backend with file persistence enabled.
* Lease synchronization enabled in the HA setup.
* The only hooks libraries in use are ha and lease_cmds.
I ran perfdhcp simulating multiple clients against the primary. After a while of sending many requests to the primary, I see that both instances have stored leases, but the standby didn't completely catch up with the primary.
That is, when I inspect the leases on both instances using the lease4-get-all API command, I see that the number of leases did increase on both instances, but the standby has fewer leases than the primary.
If I manually call the ha-sync API command, or if I restart the standby, or if I reload the configuration in the standby, the standby does a sync and catches up with the primary, and the number of leases becomes equal again. However, if I then run perfdhcp repeatedly, standby eventually starts falling behind again.
Note that, when this happens, if I call the "ha-heartbeat" API command on both instances, they both report an "unsent-update-count" of 0.
A similar thing happens with DHCPv6.
Is this behavior expected? Is it normal for the standby to not catch up with the primary during HA operation, needing manual intervention ("ha-sync", restart or config reload) to catch up?
Thank you.

Milestone: outstanding
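Returning to #2540 above: the drop in that report hinges on how a DHCPv4 option parser treats a repeated option. The following is an added example in Python, my own code rather than Kea's, and it makes no claim about which branch Kea's own code takes. It builds the option area of a REQUEST like the captured one (constructed inline: two identical option 54 instances, the requested address and the client-FQDN), parses it into an ordered list of (code, value) pairs, and then applies the two checks separately so that a log line can name the real reason: a server-id that is not ours, or option 54 present more than once. Option codes are from RFC 2132; the function names are mine.

```python
import ipaddress
from typing import List, Tuple

# Option codes from RFC 2132; the cookie is the 'c\x82Sc' seen in the scapy dump.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_REQUESTED_ADDR = 50
OPT_MESSAGE_TYPE = 53
OPT_SERVER_ID = 54
OPT_CLIENT_FQDN = 81
DHCPREQUEST = 3


def parse_options(blob: bytes) -> List[Tuple[int, bytes]]:
    """Parse a DHCPv4 options area into an ordered list of (code, value) pairs.

    A list, not a dict: a dict keyed by option code keeps only the last
    instance it saw, which is exactly how a duplicated server-id goes unnoticed.
    """
    if not blob.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts: List[Tuple[int, bytes]] = []
    i = len(MAGIC_COOKIE)
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError(f"option {code}: length byte missing")
        length = blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated (want {length}, have {len(value)})")
        opts.append((code, value))
        i += 2 + length
    return opts


def classify_server_id(opts: List[Tuple[int, bytes]], our_server_id: str) -> str:
    """Decide what a server should conclude from the server-identifier option(s).

    The two conditions are kept apart so a log line can name the real cause:
    'foreign-server-id' only when an instance carries somebody else's address,
    'duplicate-server-id' when option 54 is present more than once (a malformed
    packet even if every copy is ours), 'accept' otherwise.
    """
    ours = ipaddress.IPv4Address(our_server_id)
    ids = [ipaddress.IPv4Address(v) for c, v in opts if c == OPT_SERVER_ID and len(v) == 4]
    if any(sid != ours for sid in ids):
        return "foreign-server-id"
    if len(ids) > 1:
        return "duplicate-server-id"
    return "accept"


def build_request(server_id_repeats: int, server_id: str = "192.168.50.252") -> bytes:
    """Constructed sample: the option area of the REQUEST in the capture above."""
    def opt(code: int, value: bytes) -> bytes:
        return bytes([code, len(value)]) + value

    body = opt(OPT_MESSAGE_TYPE, bytes([DHCPREQUEST]))
    for _ in range(server_id_repeats):
        body += opt(OPT_SERVER_ID, ipaddress.IPv4Address(server_id).packed)
    body += opt(OPT_REQUESTED_ADDR, ipaddress.IPv4Address("192.168.50.11").packed)
    # client-FQDN (RFC 4702): flags=0x01, rcode1=0, rcode2=0, then the name as text
    body += opt(OPT_CLIENT_FQDN, b"\x01\x00\x00" + b"client2.four.example.com.")
    return MAGIC_COOKIE + body + bytes([OPT_END])


if __name__ == "__main__":
    for repeats in (1, 2):
        opts = parse_options(build_request(repeats))
        print(f"{repeats} x server-id -> {classify_server_id(opts, '192.168.50.252')} "
              f"(list sees {len(opts)} options, a dict would keep {len(dict(opts))})")
```

The split between the two checks is the point: with the captured packet both instances carry the server's own address, so the only honest drop reason is the duplicate, and a parser that collapses options into a map never gets to see it.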
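For #2521 and #2520 above, one parser for both layouts quoted there, as an added example (my own Python, not Kea's option-definition code): DHCPv4 option 124 per RFC 3925, where each entry is a 4-byte enterprise-number, a 1-byte data-len and a vendor-class-data block that is itself a series of 1-byte-length-prefixed items, and DHCPv6 OPTION_VENDOR_CLASS (16) per RFC 8415, where a single enterprise-number is followed by items prefixed with a 2-byte vendor-class-len. It returns every enterprise-number it finds rather than stopping at the first, and it rejects a length that overruns the option instead of reading the next enterprise-number as opaque data. The sample payloads, and the enterprise numbers in them, are constructed for the example.

```python
from typing import Callable, List, Tuple

Entry = Tuple[int, List[bytes]]   # (enterprise-number, [opaque-data, ...])

OPTION_124_MAX_DATA = 255          # data-len is one octet in RFC 3925


def parse_tuples(data: bytes, len_size: int) -> List[bytes]:
    """Split a run of length-prefixed items; len_size is 1 (RFC 3925) or 2 (RFC 8415).

    A length that points past the end of the buffer is rejected rather than
    silently shortened: a short read here is how a parser ends up consuming
    the next enterprise-number as opaque data.
    """
    items: List[bytes] = []
    i = 0
    while i < len(data):
        if i + len_size > len(data):
            raise ValueError(f"length field truncated at off
set {i}")
        n = int.from_bytes(data[i:i + len_size], "big")
        item = data[i + len_size:i + len_size + n]
        if len(item) != n:
            raise ValueError(f"item at offset {i} wants {n} bytes, only {len(item)} left")
        items.append(item)
        i += len_size + n
    return items


def parse_v4_vivco(payload: bytes) -> List[Entry]:
    """Parse the value of DHCPv4 option 124: repeated (enterprise, data-len, data).

    Every enterprise-number is returned, not just the first; the second and
    later ones are the 'optional' part of the RFC 3925 figure.
    """
    entries: List[Entry] = []
    i = 0
    while i < len(payload):
        if i + 5 > len(payload):
            raise ValueError(f"enterprise-number/data-len header truncated at offset {i}")
        enterprise = int.from_bytes(payload[i:i + 4], "big")
        data_len = payload[i + 4]
        data = payload[i + 5:i + 5 + data_len]
        if len(data) != data_len:
            raise ValueError(f"enterprise {enterprise}: data-len {data_len} overruns the option")
        entries.append((enterprise, parse_tuples(data, 1)))
        i += 5 + data_len
    return entries


def parse_v6_vendor_class(payload: bytes) -> Entry:
    """Parse the value of DHCPv6 OPTION_VENDOR_CLASS (16): one enterprise, 2-byte item lengths."""
    if len(payload) < 4:
        raise ValueError("enterprise-number truncated")
    return int.from_bytes(payload[:4], "big"), parse_tuples(payload[4:], 2)


def build_v4_vivco(entries: List[Entry]) -> bytes:
    """Encode option 124 data; refuses anything a one-octet length cannot describe."""
    out = b""
    for enterprise, items in entries:
        for item in items:
            if len(item) > OPTION_124_MAX_DATA:
                raise ValueError(f"enterprise {enterprise}: item of {len(item)} bytes, max 255")
        inner = b"".join(bytes([len(item)]) + item for item in items)
        if len(inner) > OPTION_124_MAX_DATA:
            raise ValueError(f"enterprise {enterprise}: vendor-class-data is {len(inner)} bytes, max 255")
        out += enterprise.to_bytes(4, "big") + bytes([len(inner)]) + inner
    return out


def build_v6_vendor_class(enterprise: int, items: List[bytes]) -> bytes:
    """Encode OPTION_VENDOR_CLASS data (without the option code/length header)."""
    return enterprise.to_bytes(4, "big") + b"".join(len(item).to_bytes(2, "big") + item for item in items)


def is_malformed(parser: Callable, payload) -> bool:
    """True when the parser rejects the input instead of guessing at it."""
    try:
        parser(payload)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed samples; 4491 and 3561 are used here only as example enterprise numbers.
    v4 = build_v4_vivco([(4491, [b"docsis3.0"]), (3561, [b"vendorX", b"fw/1.2"])])
    print(parse_v4_vivco(v4))
    v6 = build_v6_vendor_class(4491, [b"docsis3.0", b"ECM"])
    print(parse_v6_vendor_class(v6))
    print("truncated v4 rejected:", is_malformed(parse_v4_vivco, v4[:-1]))
```

The two `len_size` values are the whole difference between the formats once the outer loop is written; what the ticket calls "the first vendor id masks the others" is what you get if `parse_v4_vivco` returned after its first iteration.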
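The risk in #2495 above can be shown without a Kea install. The following added example (my own Python; it does not describe what kea-dhcp4 does when it finds an existing socket file) plays both roles in a private temporary directory: a local user binds a Unix socket at the fixed name first, and the service then finds its own bind() refused with EADDRINUSE. It also carries the check an operator or packager can run on a candidate socket directory: owned by the service account and not world-writable, which /tmp (mode 1777, owned by root) fails and a dedicated /run/kea (say 0750, owned by the service account) passes. SOCKET_NAME is the name from the default config quoted in that issue; SERVICE_UID is a made-up uid.

```python
import errno
import os
import socket
import stat
import tempfile

SOCKET_NAME = "kea4-ctrl-socket"   # the fixed name from the default kea-dhcp4.conf
SERVICE_UID = 1001                 # hypothetical uid of the account the daemon runs as


def preclaim_then_bind(directory: str) -> str:
    """Play the race from the report: a squatter binds the fixed name first, then the service tries.

    Returns the errno name the service's bind() failed with, or "bound" if it
    succeeded. Everything is cleaned up before returning.
    """
    path = os.path.join(directory, SOCKET_NAME)
    squatter = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    squatter.bind(path)                      # "any user can create a file/socket with that name"
    service = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        service.bind(path)                   # what the daemon would try next
        result = "bound"
    except OSError as exc:
        result = errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        service.close()
        squatter.close()
        if os.path.exists(path):
            os.unlink(path)
    return result


def socket_dir_findings(mode: int, dir_uid: int, service_uid: int) -> list:
    """Policy check on a socket directory's mode and owner (numbers as stat() reports them).

    Kept free of I/O so it can be applied to a real directory or to a proposed
    layout; check_socket_dir() is the live wrapper.
    """
    perm = stat.S_IMODE(mode)
    findings = []
    if perm & stat.S_IWOTH:
        findings.append("world-writable: any local user can create the socket name first")
        if perm & stat.S_ISVTX:
            findings.append("sticky bit only stops deleting others' files, it does not stop creating the name")
    if dir_uid != service_uid:
        findings.append("not owned by the service user")
    return findings


def check_socket_dir(directory: str, service_uid: int) -> list:
    st = os.stat(directory)
    return socket_dir_findings(st.st_mode, st.st_uid, service_uid)


def demo() -> dict:
    """Run the race in a fresh private directory and compare two directory policies."""
    with tempfile.TemporaryDirectory() as private_dir:
        return {
            "service_bind": preclaim_then_bind(private_dir),
            "private_dir": check_socket_dir(private_dir, os.getuid()),
            # /tmp as shipped: drwxrwxrwt root:root
            "tmp_style": socket_dir_findings(stat.S_IFDIR | 0o1777, 0, SERVICE_UID),
            # /run/kea created for the daemon: drwxr-x--- kea:kea
            "run_kea_style": socket_dir_findings(stat.S_IFDIR | 0o750, SERVICE_UID, SERVICE_UID),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Whether a daemon unlinks a pre-existing path before binding only changes the failure mode: a refused bind becomes a race in which the squatter re-creates the name between the unlink and the bind, and in either case the sticky bit on /tmp does not help, because it governs deletion of other users' entries, not creation of a new name.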
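For #2449 above, the shape of the design in that checklist, as an added example using SQLite from the Python standard library (my own sketch, not the hook's implementation and not the MySQL or PostgreSQL triggers Kea ships): the candidate lease row carries the limit it must respect, a BEFORE INSERT trigger counts the leases already held under that key and aborts the INSERT when the cap is reached, an AFTER INSERT trigger clears the limit columns from the stored row (standing in for removing `ISC.limits` from the user context), and the caller treats the abort as the ordinary "limit reached" outcome rather than as a database failure. Two plain columns instead of a JSON user context are a simplification chosen for the example.

```python
import sqlite3
from typing import Optional

SCHEMA = """
CREATE TABLE lease4 (
    address      INTEGER PRIMARY KEY,   -- IPv4 address as an integer
    hwaddr       BLOB NOT NULL,
    client_class TEXT NOT NULL,         -- what the limit is keyed on
    limit_key    TEXT,                  -- stand-in for user_context -> ISC.limits
    limit_max    INTEGER
);

-- The count and the INSERT are one statement: no window between check and write.
CREATE TRIGGER lease4_limit_check
BEFORE INSERT ON lease4
WHEN NEW.limit_key IS NOT NULL
 AND (SELECT COUNT(*) FROM lease4 WHERE client_class = NEW.limit_key) >= NEW.limit_max
BEGIN
    SELECT RAISE(ABORT, 'lease limit exceeded');
END;

-- Once the row is in, the transient limit information is dropped from it.
CREATE TRIGGER lease4_limit_clear
AFTER INSERT ON lease4
WHEN NEW.limit_key IS NOT NULL
BEGIN
    UPDATE lease4 SET limit_key = NULL, limit_max = NULL WHERE address = NEW.address;
END;
"""


class LimitReached(Exception):
    """Expected application outcome, not a database failure."""


def open_lease_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def allocate(conn: sqlite3.Connection, address: int, hwaddr: bytes,
             client_class: str, limit_max: Optional[int]) -> None:
    """Insert a lease candidate; the per-class cap is enforced inside the database."""
    limit_key = client_class if limit_max is not None else None
    try:
        with conn:   # one transaction: trigger check + insert + clear
            conn.execute(
                "INSERT INTO lease4 (address, hwaddr, client_class, limit_key, limit_max) "
                "VALUES (?, ?, ?, ?, ?)",
                (address, hwaddr, client_class, limit_key, limit_max),
            )
    except sqlite3.DatabaseError as exc:
        if "lease limit exceeded" in str(exc):
            raise LimitReached(client_class) from None   # frequent, expected, cheap
        raise                                            # a real technical failure


def leases_in_class(conn: sqlite3.Connection, client_class: str) -> int:
    row = conn.execute("SELECT COUNT(*) FROM lease4 WHERE client_class = ?", (client_class,)).fetchone()
    return row[0]


def stored_limit_keys(conn: sqlite3.Connection) -> list:
    return [r[0] for r in conn.execute("SELECT limit_key FROM lease4").fetchall()]


def demo(cap: int = 3, attempts: int = 5, client_class: str = "voip") -> dict:
    """Try `attempts` allocations in one class under a cap; report what the database allowed."""
    conn = open_lease_db()
    granted = refused = 0
    for n in range(attempts):
        try:
            # constructed sample leases: 192.168.50.1.. with MACs 00:1f:d0:00:00:0n
            allocate(conn, 0xC0A83201 + n, bytes([0x00, 0x1f, 0xd0, 0x00, 0x00, n]), client_class, cap)
            granted += 1
        except LimitReached:
            refused += 1
    return {
        "granted": granted,
        "refused": refused,
        "in_class": leases_in_class(conn, client_class),
        "limit_keys_left": [k for k in stored_limit_keys(conn) if k is not None],
    }


if __name__ == "__main__":
    print(demo())
```

On MySQL the same trigger would end in SIGNAL SQLSTATE '45000', on PostgreSQL in RAISE EXCEPTION from a BEFORE INSERT trigger function. SQLite serialises writers, so the count is trivially atomic; on PostgreSQL two concurrent transactions can each count below the cap and both commit unless the trigger takes a lock on a per-limit row (or the transactions run serializable), and that lock is what turns a soft limit into the hard cap the ticket asks for.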