Subnet reselection by address and class in RADIUS
Presume client C has Framed-Pool P and Framed-IP-Address A in RADIUS. Reselect is enabled in Kea.
Supposition of expected behavior:
- Kea looks for a subnet that matches both criteria, that is: address A is in the subnet's range, and the subnet has a pool classified with class P.
- If subnet not found, Kea reselects to
SUBNET_ID_UNUSED
.
Current behavior:
- Kea looks for a subnet that has a pool classified with class P. If found, Kea settles for it and does not continue the reselection process, even though it may violate the reservation through Framed-IP-Address.
- If subnet not found, Kea looks for a subnet that has address A in its range. If found, Kea settles for it, even though it may violate the reservation through Framed-Pool.
- If subnet not found, Kea reselects to
SUBNET_ID_UNUSED
.
In other words, there is an OR relation between the two attributes, when, in fact, there should be an AND because both things happen in the lease allocation process: the reserved address is leased and the class is assigned to the client. In further words, Framed-Pool has priority over Framed-IP-Address in reselection, even though this is not documented, but there probably should not be any priority if the supposition above is correct.
Edge case that violates the current behavior mentioned above even if it is considered correct:
- Kea looks for a subnet that has a pool classified with class P. Kea finds subnet S and it happens to be the same subnet assigned to the client as part of the initial subnet selection process. Kea considers this as not a reselection since the subnet ID technically did not change, and thus continues the process of reselecting, believing it has not found the right subnet yet.
- Kea looks for a subnet that has address A in its range. It finds one and is a different subnet than S. It selects that subnet, even though the first one would have been selected were it not for the unfortunate circumstance of having the subnet already selected to S before making the RADIUS auth call.