... | ... | @@ -6,24 +6,25 @@ This release adds new features, improves existing features, clarifies documentat |
1. **Custom forensic logging** - The forensic logging hook library is now able to log custom expressions. The expressions can include any option (such as relay option 82) or sub-option (such as circuit-id or remote-id or any other sub-options), packet fields, network interface names, local or remote IP address and more. It uses the same expressions engine as when defining client classification or flexible identifiers. This work required several separate tickets to be completed: added (+) plus operator [#1824, #1863], custom forensic logging format [#1860], better handling parameter-less operation [#1866], custom logging option 82 contents (and any other option) on renewals [#1576].
2. **HA+MT stability** - The multi-threaded support for HA is now more stable. In particular, the hooks are now notified when the Kea enters or leaves the critical section. This eliminates previously observed race conditions when shutting down or reconfiguring Kea with HA+MT enabled [#1876, #1818].
2. **HA+MT stability** - The multi-threaded (MT) support for High Availability (HA) is now more stable. In particular, the hooks are now notified when the Kea enters or leaves the critical section. This eliminates previously observed race conditions when shutting down or reconfiguring Kea with HA+MT enabled [#1876, #1818].
3. **Per device access control** - Kea is now able to drop packets coming from devices that have host reservations with class set to DROP (`DROP` class mentioned in `client-classes` field in the `reservations`). This effectively allows to selectively drop incoming packets from some devices, such as customers that have their payments overdue, misbehaving or unwanted devices [#1815].
3. **Per device access control** - Kea is now able to drop packets coming from devices that have matching host reservations with class set to DROP (`DROP` class listed in the `client-classes` field in the `reservations`). This effectively allows to selectively drop incoming packets from some devices, such as customers that have their payments overdue, misbehaving or unwanted devices [#1815].
4. **Better vendor options handling** - Two improvements related to the vendor options made it into this release. First, Kea is now able to process slightly malformed vendor options that have inner length field set to too large value. Previously Kea simply ignored the option. With this improvement, Kea is now able to process slightly non-conformant options [#1860]. Second improvement lets Kea extract the enterprised identifier from vendor class option in DHCPv6 [#1837].
4. **Better vendor options handling in DHCPv6** - Two improvements related to the vendor options made it into this release. First, Kea is now able to process slightly malformed vendor options that have inner length field set to too large value. With this improvement, Kea can now be configured (see `lenient-option-parsing` in `compatibility` scope) to process slightly non-conformant options, rather than simply ignoring them. This should improve compatibility with devices such as RAD MiNID [#1860]. Second improvement lets Kea extract the enterprise identifier from vendor class option in DHCPv6 [#1837].
5. **Security** - Kea now obfuscates passwords in logs when debug is enabled [#1721]. Authentication information is now logged on dedicated logger, making it easier to implement security policies, such as logging to a dedicated secure storage [#1590]. The TLS support is now functional when building with Botan library, instead of the usual OpenSSL. While Botan is much less popular than OpenSSL, it may be a viable alternative in cases where OpenSSL cannot be used for whatever reason [#1665].
5. **Security** - Kea now obfuscates passwords in debug logs when whole configuration is printed [#1721]. Authentication information is now logged on dedicated logger, making it easier to implement security policies, such as logging to a dedicated secure storage [#1590]. The TLS support is now functional when building with Botan library, instead of the usual OpenSSL. While Botan is much less popular than OpenSSL, it may be a viable alternative in cases where OpenSSL cannot be used for whatever reason [#1665].
6. **Bugfixes** - Corrected a bug in DHCPv4 subnet selection. The server ignored
the Subnet Selection option supplied by a client if its query contained a Relay Agent Information (RAI) option without a Link Selection option. After this change, the server respects the Subnet Selection option when RAI lacks the Link Selection option. If RAI includes it, it takes precedence over the Subnet Selection option [#1816]. An assorted collection of issues reported by Coverity Scan has been fixed (#1806, #1854, #1855, #1852, #1850, #1853, #1851, #1805).
6. **Bugfixes** - Corrected a bug in the DHCPv4 subnet selection logic. The server ignored the Subnet Selection option supplied by a client if its query contained a Relay Agent Information (RAI) option without a Link Selection option. After this change, the server respects the Subnet Selection option when RAI lacks the Link Selection option. If RAI includes it, it takes precedence over the Subnet Selection option [#1816]. An assorted collection of smaller issues reported by Coverity Scan has been fixed [#1806, #1854, #1855, #1852, #1850, #1853, #1851, #1805].
7. **Build improvements** - Unit tests compilation fix on CentOS 7 [#1888], Kea-netconf compilation fix [#1883], forensic logging unit test no longer fail on FreeBSD [#1879], added support for gcc11, which fixed the build problems on Fedora 34 [#1834, #1833, #1871, #1839], fixed building Sphinx documentation [#1877], compatibility with Sphinx 3.3.1 and newer [#1560].
7. **Build improvements** - Unit tests on CentOS 7 [#1888] and the Kea-netconf compilation [#1883] are now fixed, forensic logging unit test no longer fail on FreeBSD [#1879], added support for gcc11, which makes Kea compilation on Fedora 34 viable now [#1834, #1833, #1871, #1839], fixed two problems when generating Sphinx documentation, in particular when using Sphinx 3.3.1 or newer [#1877, #1560].
8. **Testing** - Perfdhcp is now able to simulate DHCPv6 traffic coming from multiple subnets. While perfdhcp is not typically used by end users (although they certainly can if they want to simulate DHCP traffic and stress test their deployment), this tool is backbone of ISC performance testing. This extended capability will allow testing more complex IPv6 scenarios that more closely replicate actual deployments [#1416].
8. **Testing** - Perfdhcp is now able to simulate a DHCPv6 traffic coming from multiple subnets. While perfdhcp is not typically used by end users (although they certainly can if they want to stress test their deployment), this tool is a backbone of ISC performance testing. This extended capability will allow testing more complex IPv6 scenarios that more closely replicate actual deployments [#1416].
## Incompatible Changes
**Dropping Python 2 support** - We dropped support for python2, which was officially EOLed on 1 Jan 2020. Most distributions have full native python3 support. CentOS 7 is the only distribution that still has python2 by default, but installing python3 is an easy task. When the Kea recently added support for introduced TLS connection, we determined that we are not going to implement this for legacy python2. As such, CentOS 7 have couple options. This affects only kea-shell tool. Users, who want to use kea-shell on CentOS 7 should install python3. kea-shell will still work on python2, but the TLS will not be supported. If python3 installation is not feasible for whatever reason, it is recommended to use different tools or environments. kea-shell simply sends JSON commands over HTTPS and prints JSON responses. [#1873]
**Dropping Python 2 support** - Python 2 support was EOLed on 1 Jan 2020. Nowadays most distributions have full native Python 3 support, with the exception of CentOS 7. On CentOS 7, python 2 is still the default, but Python 3 installation is an easy task. Kea version 1.9.8 dropped support for Python 2 in `kea-shell`. Kea users on CentOS 7 have several options. Users, who want to use `kea-shell` on CentOS 7 should install Python 3 packages. If this is not viable, `kea-shell` will still work with Python 2 for now, but the TLS will not be supported. This partial backwards compatibility is expected to disappear when Kea 2.0.0 is released. The third alternative here is to use different tools or environments. `kea-shell` simply sends JSON commands over HTTPS and prints JSON responses. Such capabilities are available using various tools (such as `curl`, `socat`, `postman`) or scripting environments [#1873].
**Kea shell in a separate RPM package** - `Kea-shell` is now available in a separate RPM package. The base Kea package no longer depends on Python 2 package.
## Known Issues
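Review bot: the rewritten items 7 and 8 introduce two grammar regressions that should be fixed before this is merged: "forensic logging unit test no longer fail on FreeBSD" needs either "unit tests no longer fail" or "unit test no longer fails", and "simulate a DHCPv6 traffic" should drop the article, as the original "simulate DHCPv6 traffic" already had it. Item 7 also now reads "Unit tests on CentOS 7 [#1888] and the Kea-netconf compilation [#1883] are now fixed", which loses the point from the old wording that it was the unit test compilation that was fixed on CentOS 7; suggest "Unit test compilation on CentOS 7 [#1888]". Minor, carried over unchanged in item 3: "allows to selectively drop" reads better as "allows operators to selectively drop". The remaining changes (spelling out HA and MT on first use, naming `lenient-option-parsing` in the `compatibility` scope, narrowing the password obfuscation claim to debug logs in which the whole configuration is printed, the bracketed Coverity ticket list, and the expanded Python 2 note with its `curl`/`socat`/`postman` alternatives) read correctly.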