of a given parameter in a given scope is used, while all previous
instances are ignored. This is unlikely to cause any confusion as there
are no real-life reasons to keep multiple copies of the same parameter
-in your configuration file.
+in the configuration file.
The first few DHCPv4 configuration elements
define some global parameters. ``valid-lifetime`` defines how long the
"Dhcp4": { "lease-database": { "port" : 12345, ... }, ... }
-Should the database be located on a different system, you may need to
+Should the database be located on a different system, the administrator may need to
specify a longer interval for the connection timeout:
::
that the raw sockets will be used! The use of raw sockets to handle
the traffic from the directly connected clients is currently
supported on Linux and BSD systems only. If the raw sockets are not
- supported on your particular OS, the server will issue a warning and
+ supported on the particular OS in use, the server will issue a warning and
fall back to using IP/UDP sockets.
In a typical environment, the DHCP server is expected to send back a
In the event that both explicit values are specified and
calculate-tee-times is true, the server will use the explicit values.
- If you plan on having a mixture where some subnets or share-networks
- will use explicit values and some will use calculated values you must
+ Administrators with a setup where some subnets or share-networks
+ will use explicit values and some will use calculated values must
not define the explicit values at any level higher than where they
- will be used. Inheriting them from too high of a scope, such as
+ will be used. Inheriting them from too high a scope, such as
global, will cause them to have values at every level underneath
(shared-networks and subnets), effectively disabling calculated
values.
| | values true or false. |
+-----------------------------------+-------------------------------------------------------+
| empty | No value; data is carried in |
- | | suboptions. |
+ | | sub-options. |
+-----------------------------------+-------------------------------------------------------+
| fqdn | Fully qualified domain name (e.g. |
| | www.example.com). |
---------------------
Kea supports custom (non-standard) DHCPv4 options. Assume that we want
-to define a new DHCPv4 option called "foo" which will have a code 222
+to define a new DHCPv4 option called "foo" which will have code 222
and will convey a single, unsigned, 32-bit integer value. We can define
-such an option by using the following entry in the configuration file:
+such an option by putting the following entry in the configuration file:
::
``type`` is set to "record"; otherwise it must be left blank. The latter
parameter specifies the name of the option space being encapsulated by
the particular option. If the particular option does not encapsulate any
-option space, it should be left blank. Note that the ``option-def``
+option space, the parameter should be left blank. Note that the ``option-def``
configuration statement only defines the format of an option and does
not set its value(s).
}
New options can take more complex forms than simple use of primitives
-(uint8, string, ipv4-address, etc); it is possible to define an option
+(uint8, string, ipv4-address, etc.); it is possible to define an option
comprising a number of existing primitives.
For example, assume we want to define a new option that will consist of
comma-separated list in the ``record-types`` field and should be ones
from those listed in :ref:`dhcp-types`.
-The values of the option are set as follows:
+The values of the option are set in an ``option-data`` statement as follows:
::
}
As the Vendor-Specific Information option (code 43) has vendor-specific
-format, i.e. can carry either raw binary value or suboptions, this
+format, i.e. can carry either raw binary value or sub-options, this
mechanism is available for this option too.
In the following example taken from a real configuration, two vendor
Currently there are two option spaces defined for the DHCPv4 daemon:
"dhcp4" (for the top-level DHCPv4 options) and
"vendor-encapsulated-options-space", which is empty by default but in
-which options can be defined. Such options will be carried in the
+which options can be defined. Those options are carried in the
Vendor-Specific Information option (code 43). The following examples
-show how to define an option "foo" in that space that has a code 1, and that
+show how to define an option "foo" with code 1 that
comprises an IPv4 address, an unsigned 16-bit integer, and a string. The
"foo" option is conveyed in a Vendor-Specific Information option.
}
(Note that the option space is set to
-"vendor-encapsulated-options-space".) Once the option format is defined,
+``vendor-encapsulated-options-space``.) Once the option format is defined,
the next step is to define actual values for that option:
::
options is that each vendor has its own unique set of options with their
own custom formats. The vendor is identified by a 32-bit unsigned integer
called enterprise-id or vendor-id. For example, vivso with vendor-id
-4491 represents DOCSIS options, and you are likely to see many of them
+4491 represents DOCSIS options, and they are often seen
when dealing with cable modems.
In Kea each vendor is represented by its own vendor space. Since there
request specific vendor options and Kea is able to honor those.
Unfortunately, for many other vendors, such as Genexis (25167) as discussed
above, Kea does not have such a mechanism, so it can't send any
-suboptions on its own. To solve this issue, we came up with the concept of
+sub-options on its own. To solve this issue, we came up with the concept of
persistent options. Kea can be told to always send options, even if the
client did not request them. This can be achieved by adding
-"always-send": true to your option definition. Note that in this
+``"always-send": true`` to the option definition. Note that in this
particular case an option is defined in vendor space 25167. With the
"always-send" enabled, the option will be sent every time there is a
need to deal with vendor space 25167.
It is sometimes useful to define a completely new option space, such as
when a user creates a new option in the standard option space
-("dhcp4") and wants this option to convey suboptions. Since they are in
-a separate space, suboption codes will have a separate numbering scheme
+("dhcp4") and wants this option to convey sub-options. Since they are in
+a separate space, sub-option codes will have a separate numbering scheme
and may overlap with the codes of standard options.
Note that the creation of a new option space is not required when
-defining suboptions for a standard option, because it is created by
-default if the standard option is meant to convey any suboptions (see
+defining sub-options for a standard option, because one is created by
+default if the standard option is meant to convey any sub-options (see
:ref:`dhcp4-vendor-opts`).
Assume that we want to have a DHCPv4 option called "container" with code
-222 that conveys two suboptions with codes 1 and 2. First we need to
-define the new suboptions:
+222 that conveys two sub-options with codes 1 and 2. First we need to
+define the new sub-options:
::
Note that we have defined the options to belong to a new option space
(in this case, "isc").
-The next step is to define a regular DHCPv4 option with our desired code
+The next step is to define a regular DHCPv4 option with the desired code
and specify that it should include options from the new option space:
::
...
}
-The name of the option space in which the suboptions are defined is set
+The name of the option space in which the sub-options are defined is set
in the ``encapsulate`` field. The ``type`` field is set to ``empty``, to
indicate that this option does not carry any data other than
-suboptions.
+sub-options.
Finally, we can set values for the new options:
}
Note that it is possible to create an option which carries some data in
-addition to the suboptions defined in the encapsulated option space.
+addition to the sub-options defined in the encapsulated option space.
For example, if the "container" option from the previous example were
-required to carry a uint16 value as well as the suboptions, the
+required to carry a uint16 value as well as the sub-options, the
``type`` value would have to be set to "uint16" in the option
definition. (Such an option would then have the following data
-structure: DHCP header, uint16 value, suboptions.) The value specified
+structure: DHCP header, uint16 value, sub-options.) The value specified
with the ``data`` parameter — which should be a valid integer enclosed
in quotes, e.g. "123" — would then be assigned to the uint16 field in
the "container" option.
------------------------------------------------------
In many cases it is not required to specify all parameters for an option
-configuration and the default values can be used. However, it is
+configuration, and the default values can be used. However, it is
important to understand the implications of not specifying some of them,
as it may result in configuration errors. The list below explains the
behavior of the server when a particular parameter is not explicitly
- ``code`` - the server requires either an option name or an option code to
identify an option. This parameter may be left unspecified if the
``name`` parameter is specified. However, this also requires that the
- particular option has its definition (it is either a standard option
- or an administrator created a definition for the option using an
+ particular option have a definition (either as a standard option
+ or an administrator-created definition for the option using an
'option-def' structure), as the option definition associates an
option with a particular name. It is possible to configure an option
for which there is no definition (unspecified option format).
Configuration of such options requires the use of the option code.
- ``space`` - if the option space is unspecified it will default to
- 'dhcp4', which is an option space holding the standard DHCPv4
+ 'dhcp4', which is an option space holding standard DHCPv4
options.
- ``data`` - if the option data is unspecified it defaults to an empty
value. The empty value is mostly used for the options which have no
payload (boolean options), but it is legal to specify empty values
- for some options which carry variable-length data and which the
- specification allows to have a length of 0. For such options, the
+ for some options which carry variable-length data and for which the
+ specification allows a length of 0. For such options, the
data parameter may be omitted in the configuration.
- ``csv-format`` - if this value is not specified, the server will
architecture EFI x86-64, and sets several fields if it does. See
`Section 2.1 of RFC
4578 <https://tools.ietf.org/html/rfc4578#section-2.1>`__) or the
-documentation of your client for specific values.
+client documentation for specific values.
::
~~~~~~~~~~~~~~~~~~~~~~~
In some cases it is useful to limit the scope of a class to a
-shared network, subnet, or pool. There are two parameters for this,
-which instruct the server to evaluate test expressions when required.
+shared network, subnet, or pool. There are two parameters which are used
+to limit the scope of the class by instructing the server to evaluate test
+expressions when required.
-The first one is the per-class ``only-if-required`` flag which is false
+The first one is the per-class ``only-if-required`` flag, which is false
by default. When it is set to ``true``, the test expression of the class
is not evaluated at the reception of the incoming packet but later, and
only if the class evaluation is required.
}
Required evaluation can be used to express complex dependencies like subnet membership. It can also be used to reverse the
-precedence; if you set an option-data in a subnet, it takes precedence
-over an option-data in a class. When you move the option-data to a
-required class and require it in the subnet, a class evaluated earlier
+precedence; if an option-data is set in a subnet, it takes precedence
+over an option-data in a class. If the option-data is moved to a
+required class and required in the subnet, a class evaluated earlier
may take precedence.
Required evaluation is also available at the shared-network and pool levels.
enable DDNS updates set this value to true.
- ``server-ip`` - the IP address on which D2 listens for requests. The
- default is the local loopback interface at address 127.0.0.1. You may
- specify either an IPv4 or IPv6 address.
+ default is the local loopback interface at address 127.0.0.1.
+ Either an IPv4 or IPv6 address may be specified.
- ``server-port`` - the port on which D2 listens for requests. The default
value is 53001.
honor the client's wishes and generate a DDNS request to the D2 server
to update only reverse DNS data. The parameter
``override-client-update`` can be used to instruct the server to
-override client delegation requests. When this parameter is true,
+override client delegation requests. When this parameter is "true",
kea-dhcp4 will disregard requests for client delegation and generate a
DDNS request to update both forward and reverse DNS data. In this case,
the N-S-O flags in the server's response to the client will be 0-1-1
3. If the candidate name provided is empty, generate an FQDN using a
configurable prefix and suffix.
-4. If the client provided neither option, then take no DNS action.
+4. If the client provides neither option, then take no DNS action.
These rules can be amended by setting the ``replace-client-name``
parameter, which provides the following modes of behavior:
-- ``never`` - Use the name the client sent. If the client sent no name,
+- ``never`` - use the name the client sent. If the client sent no name,
do not generate one. This is the default mode.
-- ``always`` - Replace the name the client sent. If the client sent no
+- ``always`` - replace the name the client sent. If the client sent no
name, generate one for the client.
-- ``when-present`` - Replace the name the client sent. If the client
+- ``when-present`` - replace the name the client sent. If the client
sent no name, do not generate one.
-- ``when-not-present`` - Use the name the client sent. If the client
+- ``when-not-present`` - use the name the client sent. If the client
sent no name, generate one for the client.
..
**Note**
- Note that formerly, this parameter was a boolean and permitted only
+ Note that in early versions of Kea, this parameter was a boolean and permitted only
values of ``true`` and ``false``. Boolean values have been deprecated
- and are no longer accepted. If you are currently using booleans, you
+ and are no longer accepted. Administrators currently using booleans
must replace them with the desired mode name. A value of ``true``
maps to ``"when-present"``, while ``false`` maps to ``"never"``.
The suffix used when generating an FQDN, or when qualifying a partial
name, is specified by the ``qualifying-suffix`` parameter. This
-parameter has no default value, thus it is mandatory when DDNS updates
+parameter has no default value; thus, it is mandatory when DDNS updates
are enabled. To set its value simply set it to the desired string:
::
where address-text is simply the lease IP address converted to a
hyphenated string. For example, if the lease address is 172.16.1.10, the
qualifying suffix "example.com", and the default value is used for
-``generated-prefix``, the generated FQDN would be:
+``generated-prefix``, the generated FQDN is:
myhost-172-16-1-10.example.com.
Name sanitizing is meant to catch the more common cases of invalid
characters through a relatively simple character-replacement scheme.
It is difficult to devise a scheme that works well in all cases, for
- both Host Name and FQDN options. If you find you have clients that
- are using odd corner cases of character combinations that cannot be
- readily handled with this mechanism, you should consider writing a
- hook that can carry out sufficiently complex logic to address your
+ both Host Name and FQDN options. Administrators who find they have clients
+ with odd corner cases of character combinations that cannot be
+ readily handled with this mechanism should consider writing a
+ hook that can carry out sufficiently complex logic to address their
needs.
- If your clients include domain names in the Host Name option and you
- want these preserved, you will need to make sure that the dot, '.',
+ If clients include domain names in the Host Name option and the administrator
+ wants these preserved, they will need to make sure that the dot, '.',
is considered a valid character by the hostname-char-set expression,
such as this: "[^A-Za-z0-9.-]". This will not affect dots in FQDN
Option values. When scrubbing FQDNs, dots are treated as delimiters
and used to separate the option value into individual domain labels
that are scrubbed and then re-assembled.
- If your clients are sending values that differ only by characters
- considered as invalid by your hostname-char-set, be aware that
+ If clients are sending values that differ only by characters
+ considered as invalid by the hostname-char-set, be aware that
scrubbing them will yield identical values. In such cases, DDNS
conflict rules will permit only one of them to register the name.
The ``dhcp4o6-port`` global parameter specifies the first of the two
consecutive ports of the UDP sockets used for the communication between
-the DHCPv6 and DHCPv4 servers (the DHCPv4 server is bound to ::1 on
-``port`` + 1 and connected to ::1 on ``port``).
+the DHCPv6 and DHCPv4 servers. The DHCPv4 server is bound to ::1 on
+``port`` + 1 and connected to ::1 on ``port``.
With DHCPv4-over-DHCPv6, the DHCPv4 server does not have access to
several of the identifiers it would normally use to select a subnet. To
the data remain consistent. However, in some cases it may be convenient
to tolerate certain inconsistent data. For example, a network
administrator that temporarily removed a subnet from a configuration
-wouldn't want all the leases associated with it to disappear from the
-lease database. Kea has a mechanism to better control sanity checks such
+would not want all the leases associated with it to disappear from the
+lease database. Kea has a mechanism to control sanity checks such
as this.
Kea supports a configuration scope called ``sanity-checks``. It
currently allows only a single parameter, called ``lease-checks``, which
-governs the verification that is done when a new lease is loaded from a
-lease file. With the sanity-checks mechanism, it is possible to tell Kea
-to try to correct inconsistent data.
+governs the verification carried out when a new lease is loaded from a
+lease file. This mechanism permits Kea to attempt to correct inconsistent data.
Every subnet has a subnet-id value; this is how Kea internally
identifies subnets. Each lease has a subnet-id parameter as well, which
will be inserted anyway.
- ``fix-del`` - if a data inconsistency is discovered, try to
- correct it. If the correction is not successful, the lease will be
- rejected. This setting ensures the data's correctness, but some
+ correct it. If the correction is not successful, reject the lease.
+ This setting ensures the data's correctness, but some
incorrect data may be lost. Use with care.
- ``del`` - this is the strictest mode. If any inconsistency is
- detected, the lease is rejected. Use with care.
+ detected, reject the lease. Use with care.
This feature is currently implemented for the memfile backend.
per-host basis. The most obvious one is to reserve a specific, static
address for exclusive use by a given client (host); the returning client
will receive the same address from the server every time, and other
-clients will generally not receive that address. Note that there may be
-cases when a new reservation has been made for a client for an address
-currently in use by another client. We call this situation a "conflict."
-These conflicts get resolved automatically over time as described in
-subsequent sections. Once the conflict is resolved, the correct client will keep
-receiving the reserved configuration when it renews.
-
-Another example when host reservations are applicable is when a host has
+clients will generally not receive that address. Another situation when
+host reservations are applicable is when a host has
specific requirements, e.g. a printer that needs additional DHCP
options. Yet another possible use case is to define unique names for
hosts.
+Note that there may be
+cases when a new reservation has been made for a client for an address
+currently in use by another client. We call this situation a "conflict."
+These conflicts get resolved automatically over time as described in
+subsequent sections. Once the conflict is resolved, the correct client will
+receive the reserved configuration when it renews.
+
Host reservations are defined as parameters for each subnet. Each host
must have its own unique identifier, such as the hardware/MAC
address. There is an optional ``reservations`` array in the ``subnet4``
point.
Making a reservation for a mobile host that may visit multiple subnets
-requires a separate host definition in each subnet it is expected to
+requires a separate host definition in each subnet that host is expected to
visit. It is not possible to define multiple host definitions with the
same hardware address in a single subnet. Multiple host definitions with
the same hardware address are valid if each is in a different subnet.
-Adding host reservation incurs a performance penalty. In principle, when
+Adding host reservations incurs a performance penalty. In principle, when
a server that does not support host reservation responds to a query, it
needs to check whether there is a lease for a given address being
considered for allocation or renewal. The server that does support host
address 192.0.2.10. A naive approach would to be immediately remove the
existing lease for Host A and create a new one for Host B. That would
not solve the problem, though, because as soon as Host B gets the
-address, it will detect that the address is already in use by Host A and
+address, it will detect that the address is already in use (by Host A) and
will send a DHCPDECLINE message. Therefore, in this situation, the
server has to temporarily assign a different address from the dynamic
pool (not matching what has been reserved) to Host B.
When Host A renews its address, the server will discover that the
address being renewed is now reserved for another host - Host B.
-Therefore the server will inform Host A that it is no longer allowed to
+The server will inform Host A that it is no longer allowed to
use it by sending a DHCPNAK message. The server will not remove the
lease, though, as there's a small chance that the DHCPNAK may be lost if
the network is lossy. If that happens, the client will not receive any
options follow the same rules as any other options. These can be
standard options (see :ref:`dhcp4-std-options`),
custom options (see :ref:`dhcp4-custom-options`),
-or vendor-specific options (see :ref:`dhcp4-vendor-opts`). The following example demonstrates how
-standard options can be defined.
+or vendor-specific options (see :ref:`dhcp4-vendor-opts`). The following
+example demonstrates how standard options can be defined.
::
The definitions of these classes are placed in the Kea configuration.
The following configuration snippet shows how to specify that a client
belongs to classes ``reserved-class1`` and ``reserved-class2``. Those
-classes are associated with specific options being sent to the clients
+classes are associated with specific options that are sent to the clients
which belong to them.
::
**Note**
- If you want to force the evaluation of a class expression after the
+ To force the evaluation of a class expression after the
host reservation lookup, for instance because of a dependency on
- "reserved-class1" from the previous example, you should add a
+ "reserved-class1" from the previous example, add a
"member('KNOWN')" statement in the expression.
.. _reservations4-mysql-pgsql-cql:
allocating or renewing a lease for the client. Allowed values are:
- ``all`` - enables both in-pool and out-of-pool host reservation
- types. This is the default value. This setting is the safest and the
- most flexible. As all checks are conducted, it is also the slowest.
- This does not check against global reservations.
+ types. This setting is the default value, and is the safest and
+ most flexible. However, as all checks are conducted, it is also the slowest.
+ It does not check against global reservations.
- ``out-of-pool`` - allows only out-of- pool host reservations. With
this setting in place, the server may assume that all host
reservations are for addresses that do not belong to the dynamic
pool. Therefore, it can skip the reservation checks when dealing with
in-pool addresses, thus improving performance. Do not use this mode
- if any of your reservations use in-pool addresses. Caution is advised
+ if any reservations use in-pool addresses. Caution is advised
when using this setting; Kea does not sanity-check the reservations
against ``reservation-mode`` and misconfiguration may cause problems.
- ``global`` - allows only global host reservations. With this setting
in place, the server searches for reservations for a client only
among the defined global reservations. If an address is specified,
- the server will skip the reservation checks done when dealing in
+ the server skips the reservation checks carried out when dealing in
other modes, thus improving performance. Caution is advised when
using this setting; Kea does not sanity-check the reservations when
``global`` and misconfiguration may cause problems.
identifier types as a parameter. Kea will check only those identifier
types enumerated in host-reservation-identifiers. From a performance
perspective, the number of identifier types should be kept to a minimum,
-ideally one. If your deployment uses several reservation types, please
+ideally one. If the deployment uses several reservation types, please
enumerate them from most- to least-frequently used, as this increases
the chances of Kea finding the reservation using the fewest queries. An
example of host reservation identifiers looks as follows:
global host reservations visits part of the network that is serviced by
192.0.5.0/24, it will get an IP address 192.0.2.100, a subnet 192.0.5.0
and a default router 192.0.5.1. Obviously, such a configuration is
-unusable, as the client won't be able to reach its default gateway.
+unusable, as the client will not be able to reach its default gateway.
To use global host reservations, a configuration similar to the
following can be used:
determine the point of attachment, or where the client is
connected to the network. Second, the subnet information is used to
group information pertaining to a specific location in the network. This
-approach works well in general cases, but there are scenarios where the
+approach works well in general, but there are scenarios where the
boundaries are blurred. Sometimes it is useful to have more than one
-logical IP subnet deployed on the same physical link. The need to
-understand that two or more subnets are used on the same link requires
+logical IP subnet deployed on the same physical link.
+Understanding that two or more subnets are used on the same link requires
additional logic in the DHCP server. This capability is called "shared
networks" in the Kea and ISC DHCP projects. (It is sometimes also called
"shared subnets"; in Microsoft's nomenclature it is called "multinet.")
devices behind them. It is a common practice to use different subnets
for cable modems to prevent users from tinkering with them. In this
case, the distinction is based on the type of device, rather than
-address-space exhaustion.
+on address-space exhaustion.
A client connected to a shared network may be assigned an address from
any of the pools defined within the subnets belonging to the shared
the server is unable to allocate an address from the selected subnet
(e.g., due to address-pool exhaustion), it will use another subnet from
the same shared network and will try to allocate an address from this subnet,
-etc. Therefore, in the typical case, the server will allocate all
+etc. Therefore, the server will typically allocate all
addresses available in a given subnet before it starts allocating
addresses from other subnets belonging to the same shared network.
However, in certain situations the client can be allocated an address
],
} ], // end of shared-networks
- // It is likely that in your network you will have a mix of regular,
+ // It is likely that in the network there will be a mix of regular,
// "plain" subnets and shared networks. It is perfectly valid to mix
// them in the same configuration file.
//
- // This is a regular subnet. It's not part of any shared network.
+ // This is a regular subnet. It is not part of any shared network.
"subnet4": [
{
"subnet": "192.0.3.0/24",
} // end of Dhcp4
}
-As you see in the example, it is possible to mix shared and regular
+As demonstrated in the example, it is possible to mix shared and regular
("plain") subnets. Each shared network must have a unique name. This is
similar to the ID for subnets, but gives administrators more
flexibility. It is used for logging, but also internally for identifying
only be defined when required by the deployment.
Shared networks provide an ability to specify many parameters in the
-shared network scope that will apply to all subnets within it. If
-necessary, you can specify a parameter in the shared network scope and
+shared network scope that apply to all subnets within it. If
+necessary, it is possible to specify a parameter in the shared network scope and
then override its value in the subnet scope. For example:
::
{
"name": "office-floor-2",
- // This tells Kea that the whole shared network is reachable over
+ // This tells Kea that the whole shared network is reachable over a
// local interface. This applies to all subnets in this network.
"interface": "eth0",
}
If the client belongs to the "b-devices" class (because it includes
-option 93 with a value of 0x0002), that doesn't guarantee that the
+option 93 with a value of 0x0002), that does not guarantee that the
subnet 10.0.0.0/24 will be used (or preferred) for this client. The
server can use either of the two subnets, because the subnet 192.0.2.0/26
is also allowed for this client. The client classification used in this
case should be perceived as a way to restrict access to certain subnets,
rather than a way to express subnet preference. For example, if the
-client doesn't belong to the "b-devices" class it may only use the
+client does not belong to the "b-devices" class it may only use the
subnet 192.0.2.0/26 and will never use the subnet 10.0.0.0/24.
A typical use case for client classification is in a cable network,
reservation. This is one of the reasons why defining a shared network
may impact performance. If there is a reservation for a client in any
subnet, that particular subnet will be picked for the client. Although
-it's technically not an error, it is considered a bad practice to define
+it is technically not an error, it is considered a bad practice to define
reservations for the same host in multiple subnets belonging to the same
shared network.
While not strictly mandatory, it is strongly recommended to use explicit
-"id" values for subnets if you plan to use database storage for host
+"id" values for subnets if database storage will be used for host
reservations. If an ID is not specified, the values for it are
autogenerated, i.e. Kea assigns increasing integer values starting from
1. Thus, the autogenerated IDs are not stable across configuration
declined-addresses in the calculation, and simply use
assigned-addresses/total-addresses. This would cause a bias towards
under-representing pool utilization. As this has a potential for major
-issues, we decided not to decrease assigned-addresses immediately after
+issues, ISC decided not to decrease assigned-addresses immediately after
receiving DHCPDECLINE, but to do it later when Kea recovers the address
back to the available pool.
| | | started their |
| | | configuration process |
| | | and their initial |
- | | | packets reached your |
+ | | | packets reached the |
| | | Kea server. |
+-----------------------------------------+-----------------------+-------------------------+
| pkt4-offer-received | integer | Number of DHCPOFFER |
| | | discovered that the |
| | | address is currently |
| | | used by an unknown |
- | | | device in your |
+ | | | device in the |
| | | network. |
+-----------------------------------------+-----------------------+-------------------------+
| pkt4-inform-received | integer | Number of DHCPINFORM |
| | | malformed or |
| | | truncated packet. |
| | | This may indicate |
- | | | problems in your |
+ | | | problems in the |
| | | network, faulty |
| | | clients, or a bug in |
| | | the server. |
}
The length of the path specified by the ``socket-name`` parameter is
-restricted by the maximum length for the UNIX socket name on your
+restricted by the maximum length for the UNIX socket name on the administrator's
operating system, i.e. the size of the ``sun_path`` field in the
``sockaddr_un`` structure, decreased by 1. This value varies on
different operating systems between 91 and 107 characters. Typical
different for each pool.
User contexts can store an arbitrary data file as long as it has valid JSON
-syntax and its top level element is a map (i.e. the data must be
+syntax and its top-level element is a map (i.e. the data must be
enclosed in curly brackets). However, some hook libraries may expect
specific formatting; please consult the specific hook library
documentation for details.
"user-context": { "color": "red" }
} ],
- // This is a subnet-specific user context. You can put whatever type
- // of information you want as long as it is a valid JSON.
+ // This is a subnet-specific user context. Any type
+ // of information can be entered here as long as it is valid JSON.
"user-context": {
"comment": "network on the second floor",
"last-modified": "2017-09-04 13:32",
- "description": "you can put here anything you like",
+ "description": "you can put anything you like here",
"phones": [ "x1234", "x2345" ],
"devices-registered": 42,
"billing": false
...
}
-Kea does not use that information; it simply stores it and makes it
+Kea does not interpret or use the user context information; it simply stores it and makes it
available to the hook libraries. It is up to each hook library to
extract that information and use it. The parser translates a "comment"
entry into a user context with the entry, which allows a comment to be
All supported parameters can be configured via the ``cb_cmds`` hooks library
described in the :ref:`cb-cmds-library` section. The general rule is that
the scalar global parameters are set using
-``remote-global-parameter4-set``; the shared network specific parameters
-are set using ``remote-network4-set``; and the subnet and pool
-level parameters are set using ``remote-subnet4-set``. Whenever
+``remote-global-parameter4-set``; the shared network-specific parameters
+are set using ``remote-network4-set``; and the subnet- and pool-level
+parameters are set using ``remote-subnet4-set``. Whenever
there is an exception to this general rule, it is highlighted in the
table. The non-scalar global parameters have dedicated commands; for example,
the global DHCPv4 options (``option-data``) are modified using
``remote-option4-global-set``.
-.. table:: List of DHCPv4 Parameters Supported by the Configuration
-Backend
+.. table:: List of DHCPv4 Parameters Supported by the Configuration Backend
+--------------------------+----------------------------+-------------+-------------+-------------+
| Parameter | Global | Shared | Subnet | Pool |
of a given parameter in a given scope is used, while all previous
instances are ignored. This is unlikely to cause any confusion as there
are no real-life reasons to keep multiple copies of the same parameter
-in your configuration file.
+in the configuration file.
The first few DHCPv6 configuration elements
define some global parameters. ``valid-lifetime`` defines how long the
"Dhcp6": { "lease-database": { "port" : 12345, ... }, ... }
-Should the database be located on a different system, you may need to
+Should the database be located on a different system, the administrator may need to
specify a longer interval for the connection timeout:
::
If the server is unable to reconnect to the database after making the
maximum number of attempts, the server will exit. A value of zero (the
default) disables automatic recovery and the server will exit
-immediately upon detecting a loss of connectivity (MySQL and Postgres
+immediately upon detecting a loss of connectivity (MySQL and PostgreSQL
only).
The number of milliseconds the server will wait between attempts to
"Dhcp6": { "hosts-database": { "reconnect-wait-time" : number-of-milliseconds, ... }, ... }
-The default value for MySQL and Postgres is 0, which disables automatic
+The default value for MySQL and PostgreSQL is 0, which disables automatic
recovery and causes the server to exit immediately upon detecting the
loss of connectivity. The default value for Cassandra is 2000 ms.
.. _dhcp6-address-config:
-Subnet and Address Pool
------------------------
+Configuration of IPv6 Address Pools
+-----------------------------------
The main role of a DHCPv6 server is address assignment. For this, the
server must be configured with at least one subnet and one pool of
----------------------------------
Subnets may also be configured to delegate prefixes, as defined in `RFC
-8415 <http://tools.ietf.org/html/rfc8415>`__, section 6.3. A subnet may
+8415 <https://tools.ietf.org/html/rfc8415>`__, section 6.3. A subnet may
have one or more prefix delegation pools. Each pool has a prefixed
address, which is specified as a prefix (``prefix``) and a prefix length
(``prefix-len``), as well as a delegated prefix length
For each delegated prefix, the delegating router may choose to exclude a
single prefix out of the delegated prefix as specified in `RFC
-6603 <http://tools.ietf.org/html/rfc6603>`__. The requesting router must
+6603 <https://tools.ietf.org/html/rfc6603>`__. The requesting router must
not assign the excluded prefix to any of its downstream interfaces, and
it is intended to be used on a link through which the delegating router
exchanges DHCPv6 messages with the requesting router. The configuration
can be omitted in some circumstances, as discussed in :ref:`dhcp6-option-data-defaults`.
Only one of name or code
is required; it is not necessary to specify both. Space has a default value
-of "dhcp6", so you can skip this as well if you define a regular (not
-encapsulated) DHCPv6 option. Finally, csv-format defaults to "true", so it
-too can be skipped, unless you want to specify the option value as
+of "dhcp6", so this can be skipped as well if a regular (not
+encapsulated) DHCPv6 option is defined. Finally, csv-format defaults to "true", so it
+too can be skipped, unless the option value is specified as
hexstring. Therefore, the above example can be simplified to:
::
:ref:`dhcp6-std-options-list`. "Name" and "Code" are the
values that should be used as a name/code in the option-data structures.
"Type" designates the format of the data; the meanings of the various
-types is given in :ref:`dhcp-types`.
+types are given in :ref:`dhcp-types`.
When a data field is a string and that string contains the comma (,;
U+002C) character, the comma must be escaped with two backslashes (\;
definition. In order to use such options, a server administrator must
create a definition as described in :ref:`dhcp6-custom-options` in the 'dhcp6' option space. This
definition should match the option format described in the relevant RFC,
-but the configuration mechanism would allow any option format as it
+but the configuration mechanism will allow any option format as it
currently has no means to validate it.
.. _dhcp6-std-options-list:
.. table:: List of Standard DHCPv6 Options
- +-----------------+-----------------+-----------------+-----------------+
- | Name | Code | Type | Array? |
- +=================+=================+=================+=================+
- | preference | 7 | uint8 | false |
- +-----------------+-----------------+-----------------+-----------------+
- | unicast | 12 | ipv6-address | false |
- +-----------------+-----------------+-----------------+-----------------+
- | vendor-opts | 17 | uint32 | false |
- +-----------------+-----------------+-----------------+-----------------+
- | sip-server-dns | 21 | fqdn | true |
- +-----------------+-----------------+-----------------+-----------------+
- | sip-server-addr | 22 | ipv6-address | true |
- +-----------------+-----------------+-----------------+-----------------+
- | dns-servers | 23 | ipv6-address | true |
- +-----------------+-----------------+-----------------+-----------------+
- | domain-search | 24 | fqdn | true |
- +-----------------+-----------------+-----------------+-----------------+
- | nis-servers | 27 | ipv6-address | true |
- +-----------------+-----------------+-----------------+-----------------+
- | nisp-servers | 28 | ipv6-address | true |
- +-----------------+-----------------+-----------------+-----------------+
- | nis-domain-name | 29 | fqdn | true |
- +-----------------+-----------------+-----------------+-----------------+
- | nisp-domain-nam | 30 | fqdn | true |
- | e | | | |
- +-----------------+-----------------+-----------------+-----------------+
- | sntp-servers | 31 | ipv6-address | true |
- +-----------------+-----------------+-----------------+-----------------+
- | information-ref | 32 | uint32 | false |
- | resh-time | | | |
- +-----------------+-----------------+-----------------+-----------------+
- | bcmcs-server-dn | 33 | fqdn | true |
- | s | | | |
- +-----------------+-----------------+-----------------+-----------------+
- | bcmcs-server-ad | 34 | ipv6-address | true |
- | dr | | | |
- +-----------------+-----------------+-----------------+-----------------+
- | geoconf-civic | 36 | record (uint8, | false |
- | | | uint16, binary) | |
- +-----------------+-----------------+-----------------+-----------------+
- | remote-id | 37 | record (uint32, | false |
- | | | binary) | |
- +-----------------+-----------------+-----------------+-----------------+
- | subscriber-id | 38 | binary | false |
- +-----------------+-----------------+-----------------+-----------------+
- | client-fqdn | 39 | record (uint8, | false |
- | | | fqdn) | |
- +-----------------+-----------------+-----------------+-----------------+
- | pana-agent | 40 | ipv6-address | true |
- +-----------------+-----------------+-----------------+-----------------+
- | new-posix-timez | 41 | string | false |
- | one | | | |
- +-----------------+-----------------+-----------------+-----------------+
- | new-tzdb-timezo | 42 | string | false |
- | ne | | | |
- +-----------------+-----------------+-----------------+-----------------+
- | ero | 43 | uint16 | true |
- +-----------------+-----------------+-----------------+-----------------+
- | lq-query (1) | 44 | record (uint8, | false |
- | | | ipv6-address) | |
- +-----------------+-----------------+-----------------+-----------------+
- | client-data (1) | 45 | empty | false |
- +-----------------+-----------------+-----------------+-----------------+
- | clt-time (1) | 46 | uint32 | false |
- +-----------------+-----------------+-----------------+-----------------+
- | lq-relay-data | 47 | record | false |
- | (1) | | (ipv6-address, | |
- | | | binary) | |
- +-----------------+-----------------+-----------------+-----------------+
- | lq-client-link | 48 | ipv6-address | true |
- | (1) | | | |
- +-----------------+-----------------+-----------------+-----------------+
- | v6-lost | 51 | fqdn | false |
- +-----------------+-----------------+-----------------+-----------------+
- | capwap-ac-v6 | 52 | ipv6-address | true |
- +-----------------+-----------------+-----------------+-----------------+
- | relay-id | 53 | binary | false |
- +-----------------+-----------------+-----------------+-----------------+
- | v6-access-domai | 57 | fqdn | false |
- | n | | | |
- +-----------------+-----------------+-----------------+-----------------+
- | sip-ua-cs-list | 58 | fqdn | true |
- +-----------------+-----------------+-----------------+-----------------+
- | bootfile-url | 59 | string | false |
- +-----------------+-----------------+-----------------+-----------------+
- | bootfile-param | 60 | tuple | true |
- +-----------------+-----------------+-----------------+-----------------+
- | client-arch-typ | 61 | uint16 | true |
- | e | | | |
- +-----------------+-----------------+-----------------+-----------------+
- | nii | 62 | record (uint8, | false |
- | | | uint8, uint8) | |
- +-----------------+-----------------+-----------------+-----------------+
- | aftr-name | 64 | fqdn | false |
- +-----------------+-----------------+-----------------+-----------------+
- | erp-local-domai | 65 | fqdn | false |
- | n-name | | | |
- +-----------------+-----------------+-----------------+-----------------+
- | rsoo | 66 | empty | false |
- +-----------------+-----------------+-----------------+-----------------+
- | pd-exclude | 67 | binary | false |
- +-----------------+-----------------+-----------------+-----------------+
- | rdnss-selection | 74 | record | true |
- | | | (ipv6-address, | |
- | | | uint8, fqdn) | |
- +-----------------+-----------------+-----------------+-----------------+
- | client-linklaye | 79 | binary | false |
- | r-addr | | | |
- +-----------------+-----------------+-----------------+-----------------+
- | link-address | 80 | ipv6-address | false |
- +-----------------+-----------------+-----------------+-----------------+
- | solmax-rt | 82 | uint32 | false |
- +-----------------+-----------------+-----------------+-----------------+
- | inf-max-rt | 83 | uint32 | false |
- +-----------------+-----------------+-----------------+-----------------+
- | dhcp4o6-server- | 88 | ipv6-address | true |
- | addr | | | |
- +-----------------+-----------------+-----------------+-----------------+
- | s46-rule | 89 | record (uint8, | false |
- | | | uint8, uint8, | |
- | | | ipv4-address, | |
- | | | ipv6-prefix) | |
- +-----------------+-----------------+-----------------+-----------------+
- | s46-br | 90 | ipv6-address | false |
- +-----------------+-----------------+-----------------+-----------------+
- | s46-dmr | 91 | ipv6-prefix | false |
- +-----------------+-----------------+-----------------+-----------------+
- | s46-v4v6bind | 92 | record | false |
- | | | (ipv4-address, | |
- | | | ipv6-prefix) | |
- +-----------------+-----------------+-----------------+-----------------+
- | s46-portparams | 93 | record(uint8, | false |
- | | | psid) | |
- +-----------------+-----------------+-----------------+-----------------+
- | s46-cont-mape | 94 | empty | false |
- +-----------------+-----------------+-----------------+-----------------+
- | s46-cont-mapt | 95 | empty | false |
- +-----------------+-----------------+-----------------+-----------------+
- | s46-cont-lw | 96 | empty | false |
- +-----------------+-----------------+-----------------+-----------------+
- | v6-captive-port | 103 | string | false |
- | al | | | |
- +-----------------+-----------------+-----------------+-----------------+
- | ipv6-address-an | 143 | ipv6-address | true |
- | dsf | | | |
- +-----------------+-----------------+-----------------+-----------------+
+ +--------------------------+-----------------+-----------------+-----------------+
+ | Name | Code | Type | Array? |
+ +==========================+=================+=================+=================+
+ | preference | 7 | uint8 | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | unicast | 12 | ipv6-address | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | vendor-opts | 17 | uint32 | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | sip-server-dns | 21 | fqdn | true |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | sip-server-addr | 22 | ipv6-address | true |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | dns-servers | 23 | ipv6-address | true |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | domain-search | 24 | fqdn | true |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | nis-servers | 27 | ipv6-address | true |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | nisp-servers | 28 | ipv6-address | true |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | nis-domain-name | 29 | fqdn | true |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | nisp-domain-name | 30 | fqdn | true |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | sntp-servers | 31 | ipv6-address | true |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | information-refresh-time | 32 | uint32 | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | bcmcs-server-dns | 33 | fqdn | true |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | bcmcs-server-addr | 34 | ipv6-address | true |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | geoconf-civic | 36 | record (uint8, | false |
+ | | | uint16, binary) | |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | remote-id | 37 | record (uint32, | false |
+ | | | binary) | |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | subscriber-id | 38 | binary | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | client-fqdn | 39 | record (uint8, | false |
+ | | | fqdn) | |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | pana-agent | 40 | ipv6-address | true |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | new-posix-timezone | 41 | string | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | new-tzdb-timezone | 42 | string | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | ero | 43 | uint16 | true |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | lq-query (1) | 44 | record (uint8, | false |
+ | | | ipv6-address) | |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | client-data (1) | 45 | empty | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | clt-time (1) | 46 | uint32 | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | lq-relay-data (1) | 47 | record | false |
+ | | | (ipv6-address, | |
+ | | | binary) | |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | lq-client-link (1) | 48 | ipv6-address | true |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | v6-lost | 51 | fqdn | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | capwap-ac-v6 | 52 | ipv6-address | true |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | relay-id | 53 | binary | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | v6-access-domain | 57 | fqdn | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | sip-ua-cs-list | 58 | fqdn | true |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | bootfile-url | 59 | string | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | bootfile-param | 60 | tuple | true |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | client-arch-type | 61 | uint16 | true |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | nii | 62 | record (uint8, | false |
+ | | | uint8, uint8) | |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | aftr-name | 64 | fqdn | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | erp-local-domain-name | 65 | fqdn | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | rsoo | 66 | empty | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | pd-exclude | 67 | binary | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | rdnss-selection | 74 | record | true |
+ | | | (ipv6-address, | |
+ | | | uint8, fqdn) | |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | client-linklayer-addr | 79 | binary | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | link-address | 80 | ipv6-address | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | solmax-rt | 82 | uint32 | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | inf-max-rt | 83 | uint32 | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | dhcp4o6-server-addr | 88 | ipv6-address | true |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | s46-rule | 89 | record (uint8, | false |
+ | | | uint8, uint8, | |
+ | | | ipv4-address, | |
+ | | | ipv6-prefix) | |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | s46-br | 90 | ipv6-address | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | s46-dmr | 91 | ipv6-prefix | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | s46-v4v6bind | 92 | record | false |
+ | | | (ipv4-address, | |
+ | | | ipv6-prefix) | |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | s46-portparams | 93 | record(uint8, | false |
+ | | | psid) | |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | s46-cont-mape | 94 | empty | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | s46-cont-mapt | 95 | empty | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | s46-cont-lw | 96 | empty | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | v6-captive-portal | 103 | string | false |
+ +--------------------------+-----------------+-----------------+-----------------+
+ | ipv6-address-andsf | 143 | ipv6-address | true |
+ +--------------------------+-----------------+-----------------+-----------------+
Options marked with (1) have option definitions, but the logic behind
-them is not implemented. That means that technically Kea knows how to
+them is not implemented. That means that, technically, Kea knows how to
parse them in incoming messages or how to send them if configured to do
so, but not what to do with them. Since the related RFCs require certain
processing, the support for those options is non-functional. However, it
Softwire46 options are involved in IPv4 over IPv6 provisioning by means
of tunneling or translation as specified in `RFC
-7598 <http://tools.ietf.org/html/rfc7598>`__. The following sections
+7598 <https://tools.ietf.org/html/rfc7598>`__. The following sections
provide configuration examples of these options.
.. _s46-containers:
Softwire46 Container Options
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-S46 container options group rules and optional port parameters for a
+Softwire46 (S46) container options group rules and optional port parameters for a
specified domain. There are three container options specified in the
"dhcp6" (top-level) option space: the MAP-E Container option, the MAP-T
Container option, and the S46 Lightweight 4over6 Container option. These
-options only contain encapsulated options specified below; they do not
+options only contain the encapsulated options specified below; they do not
include any data fields.
To configure the server to send a specific container option along with
Container and S46 Lightweight 4over6 Container options, respectively.
All remaining Softwire options described below are included in one of
-the container options. Thus, they have to be included in appropriate
+the container options. Thus, they must be included in appropriate
option spaces by selecting a "space" name, which specifies in which
option they are supposed to be included.
The S46 Rule option conveys a number of parameters:
-- ``flags``, an unsigned 8-bit integer, with currently only the
+- ``flags`` - an unsigned 8-bit integer, with currently only the
most-significant bit specified. It denotes whether the rule can be
used for forwarding (128) or not (0).
-- ``ea-len``, an 8-bit-long Embedded Address length. Allowed values
+- ``ea-len`` - an 8-bit-long Embedded Address length. Allowed values
range from 0 to 48.
-- ``IPv4 prefix length``, 8 bits long; expresses the prefix length of
+- ``IPv4 prefix length`` - 8 bits long; expresses the prefix length of
the Rule IPv4 prefix specified in the ipv4-prefix field. Allowed
values range from 0 to 32.
-- ``IPv4 prefix``, a fixed-length 32-bit field that specifies the IPv4
- prefix for the S46 rule. The bits in the prefix after prefix4-len
- number of bits are reserved, and MUST be initialized to zero by the
- sender and ignored by the receiver.
+- ``IPv4 prefix`` - a fixed-length 32-bit field that specifies the IPv4
+ prefix for the S46 rule. The bits in the prefix after
+ a specific number of bits (defined in prefix4-len) are reserved, and MUST
+ be initialized to zero by the sender and ignored by the receiver.
-- ``IPv6 prefix``, in prefix/length notation that specifies the IPv6
+- ``IPv6 prefix`` - in prefix/length notation that specifies the IPv6
domain prefix for the S46 rule. The field is padded on the right with
zero bits up to the nearest octet boundary, when prefix6-len is not
evenly divisible by 8.
This option must not be included in other containers.
-S46 IPv4/IPv6 Address Binding option.
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+S46 IPv4/IPv6 Address Binding Option
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The S46 IPv4/IPv6 Address Binding option may be used to specify the full
or shared IPv4 address of the Customer Edge (CE). The IPv6 prefix field
Custom DHCPv6 Options
---------------------
-It is possible to define options in addition to the standard ones.
+Kea supports custom (non-standard) DHCPv6 options.
Assume that we want to define a new DHCPv6 option called "foo" which
will have code 100 and which will convey a single, unsigned, 32-bit
-integer value. We can define such an option by using the following
-commands:
+integer value. We can define such an option by putting the following entry
+in the configuration file:
::
...
}
-The "false" value of the ``array`` parameter determines that the option
+The ``false`` value of the ``array`` parameter determines that the option
does NOT comprise an array of "uint32" values but is, instead, a single
value. Two other parameters have been left blank: ``record-types`` and
``encapsulate``. The former specifies the comma-separated list of option
"record"; otherwise it must be left blank. The latter parameter
specifies the name of the option space being encapsulated by the
particular option. If the particular option does not encapsulate any
-option space, it should be left blank. Note that the above example only
-defines the format of the new option and does not set its value(s).
+option space, the parameter should be left blank. Note that the ``option-def``
+configuration statement only defines the format of the new option and does
+not set its value(s).
-Only the ``name``, ``code``, and ``type`` parameters are required; all
+The ``name``, ``code``, and ``type`` parameters are required; all
others are optional. The ``array`` default value is ``false``. The
``record-types`` and ``encapsulate`` default values are blank (i.e. "").
The default ``space`` is "dhcp6".
}
New options can take more complex forms than simple use of primitives
-(uint8, string, ipv6-address, etc); it is possible to define an option
+(uint8, string, ipv6-address, etc.); it is possible to define an option
comprising a number of existing primitives.
For example, assume we want to define a new option that will consist of
...
}
-The "type" is set to "record" to indicate that the option contains
+The ``type`` is set to "record" to indicate that the option contains
multiple values of different types. These types are given as a
comma-separated list in the ``record-types`` field and should be ones
-from those listed in `??? <#dhcp-types>`__.
+from those listed in :ref:`dhcp-types`.
-The values of the options are set in a ``option-data`` statement as
+The values of the options are set in an ``option-data`` statement as
follows:
::
}
``csv-format`` is set to ``true`` to indicate that the ``data`` field
-comprises a command-separated list of values. The values in ``data``
+comprises a comma-separated list of values. The values in ``data``
must correspond to the types set in the ``record-types`` field of the
option definition.
------------------------------
Currently there are two option spaces defined for the DHCPv6 daemon:
-"dhcp6" (for top-level DHCPv6 options) and "vendor-opts-space", which is
-empty by default, but in which options can be defined. Those options are
+"dhcp6" (for the top-level DHCPv6 options) and "vendor-opts-space", which is
+empty by default but in which options can be defined. Those options are
carried in the Vendor-Specific Information option (code 17). The
following examples show how to define an option "foo" with code 1 that
consists of an IPv6 address, an unsigned 16-bit integer, and a string.
which comprises a single uint32 value that is set to "12345". The
sub-option "foo" follows the data field holding this value.
+The first step is to define the format of the option:
+
::
"Dhcp6": {
Nested DHCPv6 Options (Custom Option Spaces)
--------------------------------------------
-It is sometimes useful to define completely new option spaces. This is
-the case when a user wants their new option to convey sub-options that
+It is sometimes useful to define completely new option spaces, such as
+when a user creates a new option to convey sub-options that
use a separate numbering scheme, for example sub-options with codes 1
and 2. Those option codes conflict with standard DHCPv6 options, so a
separate option space must be defined.
Note that the creation of a new option space is not required when
-defining sub-options for a standard option, because it is created by
+defining sub-options for a standard option, because one is created by
default if the standard option is meant to convey any sub-options (see
-`DHCPv6 Vendor-Specific Options <#dhcp6-vendor-opts>`__).
+:ref:`dhcp6-vendor-opts`).
Assume that we want to have a DHCPv6 option called "container" with code
102 that conveys two sub-options with codes 1 and 2. First we need to
Note that we have defined the options to belong to a new option space
(in this case, "isc").
-The next step is to define a regular DHCPv6 option and specify that it
-should include options from the new option space:
+The next step is to define a regular DHCPv6 option with the desired code
+and specify that it should include options from the new option space:
::
------------------------------------------------------
In many cases it is not required to specify all parameters for an option
-configuration and the default values can be used. However, it is
+configuration, and the default values can be used. However, it is
important to understand the implications of not specifying some of them,
as it may result in configuration errors. The list below explains the
behavior of the server when a particular parameter is not explicitly
specified:
-- ``name`` - the server requires an option name or option code to
+- ``name`` - the server requires an option name or an option code to
identify an option. If this parameter is unspecified, the option code
must be specified.
-- ``code`` - the server requires an option name or option code to
+- ``code`` - the server requires either an option name or an option code to
identify an option. This parameter may be left unspecified if the
``name`` parameter is specified. However, this also requires that the
particular option have a definition (either as a standard option or
- ``data`` - if the option data is unspecified it defaults to an empty
value. The empty value is mostly used for the options which have no
payload (boolean options), but it is legal to specify empty values
- for some options which carry variable-length data and which the
+ for some options which carry variable-length data and for which the
specification allows a length of 0. For such options, the data
parameter may be omitted in the configuration.
-- ``csv-format`` - if this value is not specified the server will
+- ``csv-format`` - if this value is not specified, the server will
assume that the option data is specified as a list of comma-separated
values to be assigned to individual fields of the DHCP option.
Controlling the Values Sent for T1 and T2 Times
-----------------------------------------------
-According to
-RFC 8415, section 21.4
-, the recommended T1 and T2 values are 50% and 80% of the preferred
-lease time, repsectively. Kea can be configured to send values that are
+According to RFC 8415, section 21.4, the recommended T1 and T2 values
+are 50% and 80% of the preferred
+lease time, respectively. Kea can be configured to send values that are
specified explicitly or that are calculated as percentages of the
-preferred lease time. The server's behavior is governed by combination
+preferred lease time. The server's behavior is governed by a combination
of configuration parameters, two of which have already been mentioned.
To send specific, fixed values use the following two parameters:
- ``rebind-timer`` - specifies the value of T2 in seconds.
-You may specify any value for T2 greater than or equal to zero. When
+Any value greater than or equal to zero may be specified for T2. When
specifying T1 it must be less than T2. This flexibility is allowed to
-support a use case where admins want to suppress client renewals and
-rebinds by deferring them beyond the life span of the lease. This should
+support a use case where administrators want to suppress client renewals and
+rebinds by deferring them beyond the lifespan of the lease. This should
cause the lease to expire, rather than get renewed by clients. If T1 is
-specified as larger than T2, it will be set to zero in the outbound IA.
+specified as larger than T2, T1 will be set to zero in the outbound IA.
-In great majority of cases the values should follow this rule: T1 < T2 <
+In the great majority of cases the values should follow this rule: T1 < T2 <
preferred lifetime < valid lifetime. Alternatively, both T1 and T2
values can be configured to 0, which is a signal to DHCPv6 clients that
they may renew at their own discretion. However, there are known broken
-client implementations out there that will start renewing immediately.
-If you plan to use T1=T2=0 values, please test first and make sure your
-clients behave rationally.
-
-In some rare cases there may be a need to disable client's ability to
-renew addresses. This is undesired from protocol perspective and should
-be avoided if possible. However, if you want to do this, you can
-configure your T1 and T2 values to be equal or greater to your valid
-lifetime. Be advised that this will cause your clients to ocasionally
+client implementations in use that will start renewing immediately.
+Administrators who plan to use T1=T2=0 values should test first and make sure
+their clients behave rationally.
+
+In some rare cases there may be a need to disable a client's ability to
+renew addresses. This is undesired from a protocol perspective and should
+be avoided if possible. However, if necessary, administrators can
+configure the T1 and T2 values to be equal or greater to the valid
+lifetime. Be advised that this will cause clients to occasionally
lose their addresses, which is generally perceived as poor service.
However, there may be some rare business cases when this is desired
-(e.g. when you want to break long lasting connections on purpose).
+(e.g. when it is desirable to intentionally break long-lasting connections).
-Calculating the values is controlled by the following three parameters.
+Calculation of the values is controlled by the following three parameters:
- ``calculate-tee-times`` - when true, T1 and T2 will be calculated as
percentages of the valid lease time. It defaults to true.
In the event that both explicit values are specified and
calculate-tee-times is true, the server will use the explicit values.
- If you plan on having a mixture where some subnets or share-networks
- will use explicit values and some will use calculated values you must
+ Administrators with a setup where some subnets or share-networks
+ will use explicit values and some will use calculated values must
not define the explicit values at any level higher than where they
- will be used. Inheriting them from too high of a scope, such as
+ will be used. Inheriting them from too high a scope, such as
global, will cause them to have values at every level underneath
(shared-networks and subnets), effectively disabling calculated
values.
In IPv4, the server can determine which of the configured subnets are
local, as there is a reasonable expectation that the server will have a
-(global) IPv4 address configured on the interface, and it can use that
-information to detect whether a subnet is local. That assumption is not
+(global) IPv4 address configured on the interface. That assumption is not
true in IPv6; the DHCPv6 server must be able to operate while only using
link-local addresses. Therefore, an optional ``interface`` parameter is
available within a subnet definition to designate that a given subnet is
local, i.e. reachable directly over the specified interface. For
-example, the server that is intended to serve a local subnet over eth0
+example, a server that is intended to serve a local subnet over eth0
may be configured as follows:
::
------------
The Rapid Commit option, described in `RFC
-8415 <http://tools.ietf.org/html/rfc8415>`__, is supported by the Kea
+8415 <https://tools.ietf.org/html/rfc8415>`__, is supported by the Kea
DHCPv6 server. However, support is disabled by default. It can be
enabled on a per-subnet basis using the ``rapid-commit`` parameter as
shown below:
...
}
-This setting only affects the subnet for which the ``rapid-commit`` is
+This setting only affects the subnet for which ``rapid-commit`` is
set to ``true``. For clients connected to other subnets, the server will
ignore the Rapid Commit option sent by the client and will follow the
4-way exchange procedure, i.e. respond with an Advertise for a Solicit
Relay-Supplied Options
----------------------
-`RFC 6422 <http://tools.ietf.org/html/rfc6422>`__ defines a mechanism
+`RFC 6422 <https://tools.ietf.org/html/rfc6422>`__ defines a mechanism
called Relay-Supplied DHCP Options. In certain cases relay agents are
the only entities that may have specific information, and they can
insert options when relaying messages from the client to the server. The
takes precedence. Second, the option must be RSOO-enabled. (RSOO is the
"Relay Supplied Options option.") IANA maintains a list of RSOO-enabled
options
-`here <http://www.iana.org/assignments/dhcpv6-parameters/dhcpv6-parameters.xhtml#options-relay-supplied>`__.
+`here <https://www.iana.org/assignments/dhcpv6-parameters/dhcpv6-parameters.xhtml#options-relay-supplied>`__.
However, there may be cases when system administrators want to echo
other options. Kea can be instructed to treat other options as
RSOO-enabled. For example, to mark options 110, 120, and 130 as
As of February 2019, only option 65 is RSOO-enabled by IANA. This option
will always be treated as such, so there is no need to explicitly mark
it. Also, when enabling standard options, it is possible to use their
-names, rather than option code, e.g. use ``dns-servers`` instead of
-``23``. See `table_title <#dhcp6-std-options-list>`__ for the names. In
-certain cases it could also work for custom options, but due to the
+names rather than their option code, e.g. use ``dns-servers`` instead of
+``23``. See ref:`dhcp6-std-options-list` for the names. In
+certain cases this may also work for custom options, but due to the
nature of the parser code this may be unreliable and should be avoided.
.. _dhcp6-client-classifier:
-------------------------------
The DHCPv6 server includes support for client classification. For a
-deeper discussion of the classification process see `??? <#classify>`__.
+deeper discussion of the classification process see :ref:`classify`.
In certain cases it is useful to configure the server to differentiate
between DHCP client types and treat them accordingly. Client
classification can be used to modify the behavior of almost any part of
-the DHCP message processing. In the current release of Kea, there are
+the DHCP message processing. Kea currently offers
three mechanisms that take advantage of client classification in DHCPv6:
subnet selection, address pool selection, and DHCP options assignment.
devices behind the modem, which should get a lease from subnet B. That
segregation is essential to prevent overly curious users from playing
with their cable modems. For details on how to set up class restrictions
-on subnets, see `??? <#classification-subnets>`__.
+on subnets, see :ref:`classification-subnets`.
When subnets belong to a shared network, the classification applies to
-subnet selection but not to pools, e.g., a pool in a subnet limited to a
+subnet selection but not to pools; that is, a pool in a subnet limited to a
particular class can still be used by clients which do not belong to the
class, if the pool they are expected to use is exhausted. So the limit
on access based on class information is also available at the
-address/prefix pool level; see `??? <#classification-pools>`__, within a
+address/prefix pool level; see :ref:`classification-pools`, within a
subnet. This is useful when segregating clients belonging to the same
subnet into different address ranges.
In a similar way, a pool can be constrained to serve only known clients,
i.e. clients which have a reservation, using the built-in "KNOWN" or
-"UNKNOWN" classes. One can assign addresses to registered clients
+"UNKNOWN" classes. Addresses can be assigned to registered clients
without giving a different address per reservation, for instance when
there are not enough available addresses. The determination whether
there is a reservation for a given client is made after a subnet is
-selected, so it is not possible to use KNOWN/UNKNOWN classes to select a
+selected, so it is not possible to use "KNOWN"/"UNKNOWN" classes to select a
shared network or a subnet.
The process of classification is conducted in five steps. The first step
is to assess an incoming packet and assign it to zero or more classes.
-Next, a subnet is chosen, possibly based on the class information. After
-that, class expressions are evaluated depending on the built-in
+The second step is to choose a subnet, possibly based on the class information.
+The next step is to evaluate class expressions depending on the built-in
"KNOWN"/"UNKNOWN" classes after host reservation lookup, using them for
pool/pd-pool selection and assigning classes from host reservations. The
list of required classes is then built and each class of the list has
its expression evaluated; when it returns "true" the packet is added as
-a member of the class. Finally, options are assigned, again possibly
+a member of the class. The last step is to assign options, again possibly
based on the class information. More complete and detailed information
-is available in `??? <#classify>`__.
+is available in :ref:`classify`.
There are two main methods of classification. The first is automatic and
relies on examining the values in the vendor class options or the
and a subnet using that class. This configuration defines the class
named "Client_enterprise". It is comprised of all clients whose client
identifiers start with the given hex string (which would indicate a DUID
-based on an enterprise id of 0xAABBCCDD). They will be given an address
+based on an enterprise id of 0xAABBCCDD). Members of this class will be given an address
from 2001:db8:1::0 to 2001:db8:1::FFFF and the addresses of their DNS
servers set to 2001:db8:0::1 and 2001:db8:2::1.
~~~~~~~~~~~~~~~~~~~~~~~
In some cases it is useful to limit the scope of a class to a
-shared-network, subnet, or pool. There are two parameters which are used
-to limit the scope of the class by instructing the server to perform
-evaluation of test expressions when required.
+shared network, subnet, or pool. There are two parameters which are used
+to limit the scope of the class by instructing the server to evaluate
+test expressions when required.
-The first one is the per-class ``only-if-required`` flag which is false
+The first one is the per-class ``only-if-required`` flag, which is false
by default. When it is set to ``true``, the test expression of the class
is not evaluated at the reception of the incoming packet but later, and
only if the class evaluation is required.
...
}
-Required evaluation can be used to express complex dependencies, for
-example, subnet membership. It can also be used to reverse the
-precedence; if you set an option-data in a subnet it takes precedence
-over an option-data in a class. When you move the option-data to a
-required class and require it in the subnet, a class evaluated earlier
+Required evaluation can be used to express complex dependencies like
+subnet membership. It can also be used to reverse the
+precedence; if an option-data is set in a subnet it takes precedence
+over an option-data in a class. When option-data is moved to a
+required class and required in the subnet, a class evaluated earlier
may take precedence.
Required evaluation is also available at shared-network and pool/pd-pool
levels. The order in which required classes are considered is:
-shared-network, subnet, and (pd-)pool, i.e. the opposite order that
+shared-network, subnet, and (pd-)pool, i.e. in the opposite order in which
option-data is processed.
.. _dhcp6-ddns-config:
3. The Fully Qualified Domain Name (FQDN), lease address, and DHCID
(information identifying the client associated with the FQDN)
-The parameters controlling the generation of NCRs for submission to D2
+The parameters for controlling the generation of NCRs for submission to D2
are contained in the ``dhcp-ddns`` section of the kea-dhcp6 server
configuration. The mandatory parameters for the DHCP DDNS configuration
are ``enable-updates``, which is unconditionally required, and
with it. kea-dhcp6 uses the following configuration parameters to
control this communication:
-- ``enable-updates`` - determines whether kea-dhcp6 will generate NCRs.
+- ``enable-updates`` - this determines whether kea-dhcp6 will generate NCRs.
If missing, this value is assumed to be false, so DDNS updates are
disabled. To enable DDNS updates set this value to true.
- ``server-ip`` - IP address on which D2 listens for requests. The
- default is the local loopback interface at address 127.0.0.1. You may
- specify either an IPv4 or IPv6 address.
+ default is the local loopback interface at address 127.0.0.1.
+ Either an IPv4 or IPv6 address may be specified.
- ``server-port`` - port on which D2 listens for requests. The default
value is 53001.
-- ``sender-ip`` - IP address which kea-dhcp6 uses to send requests to
+- ``sender-ip`` - the IP address which kea-dhcp6 uses to send requests to
D2. The default value is blank, which instructs kea-dhcp6 to select a
suitable address.
-- ``sender-port`` - port which kea-dhcp6 uses to send requests to D2.
+- ``sender-port`` - the port which kea-dhcp6 uses to send requests to D2.
The default value of 0 instructs kea-dhcp6 to select a suitable port.
-- ``max-queue-size`` - maximum number of requests allowed to queue
+- ``max-queue-size`` - the maximum number of requests allowed to queue
waiting to be sent to D2. This value guards against requests
accumulating uncontrollably if they are being generated faster than
they can be delivered. If the number of requests queued for
transmission reaches this value, DDNS updating will be turned off
until the queue backlog has been sufficiently reduced. The intent is
- to allow kea-dhcp6 to continue lease operations without running the
+ to allow the kea-dhcp6 server to continue lease operations without running the
risk that its memory usage grows without limit. The default value is
1024.
-- ``ncr-protocol`` - socket protocol to use when sending requests to
+- ``ncr-protocol`` - the socket protocol to use when sending requests to
D2. Currently only UDP is supported.
-- ``ncr-format`` - packet format to use when sending requests to D2.
+- ``ncr-format`` - the packet format to use when sending requests to D2.
Currently only JSON format is supported.
By default, kea-dhcp-ddns is assumed to be running on the same machine
as kea-dhcp6, and all of the default values mentioned above should be
sufficient. If, however, D2 has been configured to listen on a different
-address or port, these values must altered accordingly. For example, if
+address or port, these values must be altered accordingly. For example, if
D2 has been configured to listen on 2001:db8::5 port 900, the following
configuration is required:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
kea-dhcp6 follows the behavior prescribed for DHCP servers in `RFC
-4704 <http://tools.ietf.org/html/rfc4704>`__. It is important to keep in
+4704 <https://tools.ietf.org/html/rfc4704>`__. It is important to keep in
mind that kea-dhcp6 makes the initial decision of when and what to
update and forwards that information to D2 in the form of NCRs. Carrying
out the actual DNS updates and dealing with such things as conflict
resolution are within the purview of D2 itself
-(`??? <#dhcp-ddns-server>`__). This section describes when kea-dhcp6
+(see :ref:`dhcp-ddns-server`). This section describes when kea-dhcp6
will generate NCRs and the configuration parameters that can be used to
influence this decision. It assumes that the ``enable-updates``
parameter is true.
In general, kea-dhcp6 will generate DDNS update requests when:
-1. A new lease is granted in response to a DHCPREQUEST
+1. A new lease is granted in response to a DHCPREQUEST;
2. An existing lease is renewed but the FQDN associated with it has
- changed
+ changed; or
-3. An existing lease is released in response to a DHCPRELEASE
+3. An existing lease is released in response to a DHCPRELEASE.
In the second case, lease renewal, two DDNS requests will be issued: one
request to remove entries for the previous FQDN, and a second request to
add entries for the new FQDN. In the last case, a lease release, a
single DDNS request to remove its entries will be made.
-The decisions involved when granting a new lease the first case) are
+As for the first case, the decisions involved when granting a new lease are
more complex. When a new lease is granted, kea-dhcp6 will generate a
DDNS update request only if the DHCPREQUEST contains the FQDN option
(code 39). By default, kea-dhcp6 will respect the FQDN N and S flags
| | | request | |
+-----------------+-----------------+-----------------+-----------------+
-The first row in the table above represents "client delegation". Here
+The first row in the table above represents "client delegation." Here
the DHCP client states that it intends to do the forward DNS updates and
the server should do the reverse updates. By default, kea-dhcp6 will
honor the client's wishes and generate a DDNS request to D2 to update
only reverse DNS data. The parameter ``override-client-update`` can be
used to instruct the server to override client delegation requests. When
-this parameter is true, kea-dhcp6 will disregard requests for client
+this parameter is "true", kea-dhcp6 will disregard requests for client
delegation and generate a DDNS request to update both forward and
reverse DNS data. In this case, the N-S-O flags in the server's response
to the client will be 0-1-1 respectively.
(Note that the flag combination N=1, S=1 is prohibited according to `RFC
-4702 <http://tools.ietf.org/html/rfc4702>`__. If such a combination is
+4702 <https://tools.ietf.org/html/rfc4702>`__. If such a combination is
received from the client, the packet will be dropped by kea-dhcp6.)
To override client delegation, set the following values in the
``override-no-update``, can be used to instruct the server to disregard
the client's wishes. When this parameter is true, kea-dhcp6 will
generate DDNS update requests to kea-dhcp-ddns even if the client
-requests no updates be done. The N-S-O flags in the server's response to
+requests that no updates be done. The N-S-O flags in the server's response to
the client will be 0-1-1.
To override client delegation, issue the following commands:
3. If the candidate name provided is empty, generate an FQDN using a
configurable prefix and suffix.
-4. If the client provided neither option, then no DNS action will be
- taken.
+4. If the client provides neither option, then take no DNS action.
These rules can be amended by setting the ``replace-client-name``
parameter, which provides the following modes of behavior:
-- ``never`` - Use the name the client sent. If the client sent no name,
+- ``never`` - use the name the client sent. If the client sent no name,
do not generate one. This is the default mode.
-- ``always`` - Replace the name the client sent. If the client sent no
+- ``always`` - replace the name the client sent. If the client sent no
name, generate one for the client.
-- ``when-present`` - Replace the name the client sent. If the client
+- ``when-present`` - replace the name the client sent. If the client
sent no name, do not generate one.
-- ``when-not-present`` - Use the name the client sent. If the client
+- ``when-not-present`` - use the name the client sent. If the client
sent no name, generate one for the client.
..
**Note**
Note that in early versions of Kea, this parameter was a boolean and
- permitted only values of
- true
- and
- false
- . Boolean values have been deprecated and are no longer accepted. If
- you are currently using booleans, you must replace them with the
- desired mode name. A value of
- true
- maps to
- "when-present"
- , while
- false
- maps to
- "never"
- .
+ permitted only values of ``true`` and ``false``.
+ Boolean values have been deprecated and are no longer accepted.
+ Administrators currently using booleans must replace them with the
+ desired mode name. A value of ``true`` maps to ``"when-present"``, while
+ ``false`` maps to ``"never"``.
For example, to instruct kea-dhcp6 to always generate the FQDN for a
client, set the parameter ``replace-client-name`` to ``always`` as
The suffix used when generating an FQDN, or when qualifying a partial
name, is specified by the ``qualifying-suffix`` parameter. This
-parameter has no default value, thus it is mandatory when DDNS updates
+parameter has no default value; thus, it is mandatory when DDNS updates
are enabled. To set its value simply set it to the desired string:
::
where address-text is simply the lease IP address converted to a
hyphenated string. For example, if the lease address is 3001:1::70E, the
qualifying suffix "example.com", and the default value is used for
-``generated-prefix``, the generated FQDN would be:
+``generated-prefix``, the generated FQDN is:
myhost-3001-1--70E.example.com.
Sanitizing Client FQDN Names
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-It may be that some of your DHCP clients provide values in the name
-component of the FQDN option (Option code 39) that contain undesirable
+Some DHCP clients may provide values in the name
+component of the FQDN option (option code 39) that contain undesirable
characters. It is possible to configure kea-dhcp6 to sanitize these
values. The most typical use case is ensuring that only characters that
-are permitted by RFC 1035 be included: A-Z,a-z,0-9, and '-'. This may be
+are permitted by RFC 1035 be included: A-Z, a-z, 0-9, and '-'. This may be
accomplished with the following two parameters:
- ``hostname-char-set`` - a regular expression describing the invalid
...
}
-Thus, a client supplied value of "myhost-$[123.org" would become
+Thus, a client-supplied value of "myhost-$[123.org" would become
"myhost-xx123.org". Sanitizing is performed only on the portion of the
name supplied by the client, and it is performed before applying a
qualifying suffix (if one is defined and needed).
+
**Note**
The following are some considerations to keep in mind:
Name sanitizing is meant to catch the more common cases of invalid
characters through a relatively simple character-replacement scheme.
- It is difficult to devise a scheme that works well in all cases. If
- you find you have clients that are using odd corner cases of
+ It is difficult to devise a scheme that works well in all cases.
+ Administrators who find they have clients with odd corner cases of
character combinations that cannot be readily handled with this
- mechanism, you should consider writing a hook that can carry out
- sufficiently complex logic to address your needs.
+ mechanism should consider writing a hook that can carry out
+ sufficiently complex logic to address their needs.
- Do not include dots in your hostname-char-set expression. When
+ Do not include dots in the hostname-char-set expression. When
scrubbing FQDNs, dots are treated as delimiters and used to separate
the option value into individual domain labels that are scrubbed and
then re-assembled.
- If your clients are sending values that differ only by characters
- considered as invalid by your hostname-char-set, be aware that
+ If clients are sending values that differ only by characters
+ considered as invalid by the hostname-char-set, be aware that
scrubbing them will yield identical values. In such cases, DDNS
conflict rules will permit only one of them to register the name.
-------------------------------
The support of DHCPv4-over-DHCPv6 transport is described in `RFC
-7341 <http://tools.ietf.org/html/rfc7341>`__ and is implemented using
+7341 <https://tools.ietf.org/html/rfc7341>`__ and is implemented using
cooperating DHCPv4 and DHCPv6 servers. This section is about the
configuration of the DHCPv6 side (the DHCPv4 side is described in
-`??? <#dhcp4-dhcp4o6-config>`__).
+:ref:`dhcp4-dhcp4o6-config`).
**Note**
There is only one specific parameter for the DHCPv6 side:
``dhcp4o6-port``, which specifies the first of the two consecutive ports
of the UDP sockets used for the communication between the DHCPv6 and
-DHCPv4 servers (the DHCPv6 server is bound to ::1 on ``port`` and
-connected to ::1 on ``port`` + 1).
+DHCPv4 servers. The DHCPv6 server is bound to ::1 on ``port`` and
+connected to ::1 on ``port`` + 1.
Two other configuration entries are generally required: unicast traffic
-support (see `Unicast Traffic Support <#dhcp6-unicast>`__) and DHCP 4o6
+support (see :ref:`dhcp6-unicast`) and DHCP 4o6
server address option (name "dhcp4o6-server-addr", code 88).
The following configuration was used during some tests:
-----------------------
An important aspect of a well-running DHCP system is an assurance that
-the data remains consistent. However, in some cases it may be convenient
+the data remain consistent. However, in some cases it may be convenient
to tolerate certain inconsistent data. For example, a network
administrator that temporarily removed a subnet from a configuration
-wouldn't want all the leases associated with it disappear from the lease
+would not want all the leases associated with it to disappear from the lease
database. Kea has a mechanism to control sanity checks for situations
such as this.
Kea supports a configuration scope called ``sanity-checks``. It
-currently allows only a single parameter called ``lease-checks``, which
+currently allows only a single parameter, called ``lease-checks``, which
governs the verification carried out when a new lease is loaded from a
lease file. This mechanism permits Kea to attempt to correct
inconsistent data.
lease that matches it topologically.
Since delegated prefixes do not have to belong to a subnet in which
-they're offered, there is no way to implement such a mechanism for IPv6
+they are offered, there is no way to implement such a mechanism for IPv6
prefixes. As such, the mechanism works for IPv6 addresses only.
There are five levels which are supported:
-- ``none`` - do no special checks; accept the lease as is
+- ``none`` - do no special checks; accept the lease as is.
-- ``warn`` - if problems are detected, a warning will be displayed, but
- the lease data will be accepted anyway. This is the default value.
+- ``warn`` - if problems are detected display a warning, but
+ accept the lease data anyway. This is the default value.
-- ``fix`` - If data inconsistency is discovered, Kea will try to
+- ``fix`` - if a data inconsistency is discovered, try to
correct it. If the correction is not successful, the incorrect data
will be inserted anyway.
-- ``fix-del`` - If a data inconsistency is discovered, Kea will try to
- correct it. If the correction is not succesful, the lease will be
- rejected. This setting ensures the data's correctness, but some
+- ``fix-del`` - if a data inconsistency is discovered, try to
+ correct it. If the correction is not successful, reject the lease.
+ This setting ensures the data's correctness, but some
incorrect data may be lost. Use with care.
-- ``del`` - This is the strictest mode. If any inconsistency is
- detected, the lease is rejected. Use with care.
+- ``del`` - this is the strictest mode. If any inconsistency is
+ detected, reject the lease. Use with care.
This feature is currently implemented for the memfile backend.
There are many cases where it is useful to provide a configuration on a
per-host basis. The most obvious one is to reserve a specific, static
IPv6 address or/and prefix for exclusive use by a given client (host);
-the returning client will get the same address or/and prefix every time,
-and other clients will never get that address. Another example when host
+the returning client will receive the same address or/and prefix every time,
+and other clients will never get that address. Another situation when host
reservations are applicable is when a host has specific requirements,
e.g. a printer that needs additional DHCP options or a cable modem that
needs specific parameters. Yet another possible use case is to define
unique names for hosts.
Note that there may be cases when a new reservation has been made for a
-client for the address or prefix currently in use by another client. We
-call this situation a "conflict." The conflicts get resolved
+client for an address or prefix currently in use by another client. We
+call this situation a "conflict." These conflicts get resolved
automatically over time as described in subsequent sections. Once the
-conflict is resolved, the client will keep receiving the reserved
+conflict is resolved, the correct client will receive the reserved
configuration when it renews.
Host reservations are defined as parameters for each subnet. Each host
-must be identified by either DUID or its hardware/MAC address. See
-`MAC/Hardware Addresses in DHCPv6 <#mac-in-dhcpv6>`__ for details. There
-is an optional ``reservations`` array in the ``subnet6`` structure. Each
+must be identified by either DUID or its hardware/MAC address; see
+:ref:`mac-in-dhcpv6` for details. There
+is an optional ``reservations`` array in the ``subnet6`` structure; each
element in that array is a structure that holds information about a
single host. In particular, the structure has an identifier that
-uniquely identifies a host. In the DHCPv6 context, such an identifier is
-usually a DUID, but can also be a hardware or MAC address. One or more
+uniquely identifies a host. In the DHCPv6 context, the identifier is
+usually a DUID, but it can also be a hardware or MAC address. One or more
addresses or prefixes may also be specified, and it is possible to
specify a hostname and DHCPv6 options for a given host.
This example includes reservations for three different clients. The
first reservation is for the address 2001:db8:1::100 for a client using
DUID 01:02:03:04:05:0A:0B:0C:0D:0E. The second reservation is for two
-addresses 2001:db8:1::101 and 2001:db8:1::102, for a client using MAC
+addresses, 2001:db8:1::101 and 2001:db8:1::102, for a client using MAC
address 00:01:02:03:04:05. Lastly, address 2001:db8:1::103 and prefix
2001:db8:2:abcd::/64 are reserved for a client using DUID
01:02:03:04:05:06:07:08:09:0A. The last reservation also assigns a
leases dynamically.
Making a reservation for a mobile host that may visit multiple subnets
-requires a separate host definition in each subnet it is expected to
+requires a separate host definition in each subnet that host is expected to
visit. It is not possible to define multiple host definitions with the
same hardware address in a single subnet. Multiple host definitions with
the same hardware address are valid if each is in a different subnet.
The reservation for a given host should include only one identifier,
-either DUID or hardware address. Defining both for the same host is
+either DUID or hardware address; defining both for the same host is
considered a configuration error.
Adding host reservations incurs a performance penalty. In principle,
when a server that does not support host reservation responds to a
query, it needs to check whether there is a lease for a given address
-being considered for allocation or renewal. The server that also
-supports host reservation has to perform additional checks: not only
+being considered for allocation or renewal. The server that does
+support host reservation has to perform additional checks: not only
whether the address is currently used (i.e., if there is a lease for
it), but also whether the address could be used by someone else (i.e.,
if there is a reservation for it). That additional check incurs extra
delegation. Those dynamic parts are referred to as dynamic pools,
address and prefix pools, or simply pools. In principle, a host
reservation can reserve any address or prefix that belongs to the
-subnet. The reservations that specify addresses that belongs to
+subnet. The reservations that specify addresses that belong to
configured pools are called "in-pool reservations." In contrast, those
that do not belong to dynamic pools are called "out-of-pool
reservations." There is no formal difference in the reservation syntax
belong to any specific subnet. Kea will still match inbound client
packets to a subnet as before, but when the subnet's reservation mode is
set to ``"global"``, Kea will look for host reservations only among the
-global reservations defined. Typcially, such reservations would be used
+global reservations defined. Typically, such reservations would be used
to reserve hostnames for clients which may move from one subnet to
another.
**Note**
- You can reserve any ip-address or prefix in a global reservation.
- Just keep in mind that Kea will not do any sanity checking on the
- address or prefix and that for Kea 1.5.0, support for global
- reservations should be considered experimental.
+ Global reservations, while useful in certain circumstances, have aspects
+ that must be given due consideration when using them, please see
+ :ref:`reservation6-conflict` for more details.
.. _reservation6-conflict:
address 2001:db8::10. A naive approach would to be immediately remove
the lease for Host A and create a new one for Host B. That would not
solve the problem, though, because as soon as Host B gets the address,
-it will detect that the address is already in use by someone else (Host
+it will detect that the address is already in use (by Host
A) and will send a DHCPDECLINE message. Therefore, in this situation,
the server has to temporarily assign a different address from the
dynamic pool (not matching what has been reserved) to Host B.
When Host A renews its address, the server will discover that the
-address being renewed is now reserved for someone else (Host B).
-Therefore, the server will remove the lease for 2001:db8::10, select a
+address being renewed is now reserved for someone else - Host B.
+The server will remove the lease for 2001:db8::10, select a
new address, and create a new lease for it. It will send two addresses
in its response: the old address, with lifetime set to 0 to explicitly
indicate that it is no longer valid; and the new address, with a
-non-zero lifetime. When Host B renews its temporarily assigned address,
+non-zero lifetime. When Host B tries to renew its temporarily assigned address,
the server will detect that the existing lease does not match the
reservation, so it will release the current address Host B has and will
create a new lease matching the reservation. As before, the server will
reservation is made, the server will propose a different address.
This recovery mechanism allows the server to fully recover from a case
-where reservations conflict with existing leases. This procedure takes
-time and will roughly take as long as the value set for renew-timer. The
+where reservations conflict with existing leases; however, this procedure
+will take roughly take as long as the value set for renew-timer. The
best way to avoid such recovery is not to define new reservations that
conflict with existing leases. Another recommendation is to use
out-of-pool reservations. If the reserved address does not belong to a
-pool, there is no way that other clients can get this address.
+pool, there is no way that other clients can get it.
**Note**
The conflict-resolution mechanism does not work for global
- reservations. As of Kea 1.5.0, it is generally recommended not to use
- global reservations for addresses or prefixes. If you choose to use
- them anyway, you must manually ensure that the reserved values are
- not in the dynamic pools.
+ reservations. Although the global address reservations feature may be useful
+ in certain settings, it is generally recommended not to use
+ global reservations for addresses. Administrators who do choose
+ to use global reservations must manually ensure that the reserved
+ addresses are not in dynamic pools.
.. _reservation6-hostname:
Kea offers the ability to specify options on a per-host basis. These
options follow the same rules as any other options. These can be
-standard options (see `Standard DHCPv6 Options <#dhcp6-std-options>`__),
-custom options (see `Custom DHCPv6 Options <#dhcp6-custom-options>`__),
-or vendor-specific options (see `DHCPv6 Vendor-Specific
-Options <#dhcp6-vendor-opts>`__). The following example demonstrates how
-standard options can be defined.
+standard options (see :ref:`dhcp6-std-options`),
+custom options (see :ref:`dhcp6-custom-options`),
+or vendor-specific options (see :ref:`dhcp4-vendor-opts`). The following
+example demonstrates how standard options can be defined.
::
Options defined at host level have the highest priority. In other words,
if there are options defined with the same type on global, subnet,
-class, and host level, the host-specific values will be used.
+class, and host levels, the host-specific values will be used.
.. _reservation6-client-classes:
Reserving Client Classes in DHCPv6
----------------------------------
-`??? <#classification-using-expressions>`__ explains how to configure
+:ref:`classification-using-expressions` explains how to configure
the server to assign classes to a client, based on the content of the
options that this client sends to the server. Host reservations
mechanisms also allow for the static assignment of classes to clients.
The definitions of these classes are placed in the Kea configuration.
The following configuration snippet shows how to specify that the client
belongs to classes ``reserved-class1`` and ``reserved-class2``. Those
-classes are associated with specific options being sent to the clients
+classes are associated with specific options that are sent to the clients
which belong to them.
::
**Note**
- If you want to force the evaluation of a class expression after the
+ To force the evaluation of a class expression after the
host reservation lookup, for instance because of a dependency on
- "reserved-class1" from the previous example, you should add a
+ "reserved-class1" from the previous example, add a
"member('KNOWN')" statement in the expression.
.. _reservations6-mysql-pgsql-cql:
------------------------------------------------------------
It is possible to store host reservations in MySQL, PostgreSQL, or
-Cassandra. See `Hosts Storage <#hosts6-storage>`__ for information on
+Cassandra. See :ref:`hosts6-storage` for information on
how to configure Kea to use reservations stored in MySQL, PostgreSQL, or
Cassandra. Kea provides a dedicated hook for managing reservations in a
-database; section `??? <#host-cmds>`__ provides detailed information.
-The Kea wiki
-https://gitlab.isc.org/isc-projects/kea/wikis/designs/commands#23-host-reservations-hr-management
+database; section :ref:`host-cmds` provides detailed information.
+The `Kea wiki
+<https://gitlab.isc.org/isc-projects/kea/wikis/designs/commands#23-host-reservations-hr-management>`__
provides some examples of how to conduct common host reservations
operations.
.. _reservations6-tuning:
-Fine Tuning DHCPv6 Host Reservation
+Fine-Tuning DHCPv6 Host Reservation
-----------------------------------
The host reservation capability introduces additional restrictions for
flexible. However, as all checks are conducted, it is also the
slowest. It does not check against global reservations.
-- ``out-of-pool`` - allows only out of pool host reservations. With
+- ``out-of-pool`` - allows only out-of-pool host reservations. With
this setting in place, the server may assume that all host
reservations are for addresses that do not belong to the dynamic
pool. Therefore, it can skip the reservation checks when dealing with
in-pool addresses, thus improving performance. Do not use this mode
- if any of your reservations use in-pool addresses. Caution is advised
+ if any reservations use in-pool addresses. Caution is advised
when using this setting; Kea does not sanity-check the reservations
against ``reservation-mode`` and misconfiguration may cause problems.
- ``global`` - allows only global host reservations. With this setting
in place, the server searches for reservations for a client only
among the defined global reservations. If an address is specified,
- the server will skip the reservation checks carried out when dealing
+ the server skips the reservation checks carried out when dealing
in other modes, thus improving performance. Caution is advised when
using this setting; Kea does not sanity-check the reservations when
``global`` and misconfiguration may cause problems.
]
}
-For more details regarding global reservations, see `Global Reservations
-in DHCPv6 <#global-reservations6>`__.
+For more details regarding global reservations, see :ref:`global-reservations6`.
-Another aspect of the host reservations is the different types of
+Another aspect of host reservations is the different types of
identifiers. Kea currently supports two types of identifiers in DHCPv6:
hardware address and DUID. This is beneficial from a usability
perspective; however, there is one drawback. For each incoming packet
-Kea has to to extract each identifier type and then query the database
+Kea has to extract each identifier type and then query the database
to see if there is a reservation by this particular identifier. If
nothing is found, the next identifier is extracted and the next query is
issued. This process continues until either a reservation is found or
slower.
To address this problem, a parameter called
-``host-reservation-identifiers`` has been introduced. It takes a list of
+``host-reservation-identifiers`` is available. It takes a list of
identifier types as a parameter. Kea will check only those identifier
types enumerated in host-reservation-identifiers. From a performance
perspective, the number of identifier types should be kept to a minimum,
-ideally one. If your deployment uses several reservation types, please
+ideally one. If the deployment uses several reservation types, please
enumerate them from most- to least-frequently used, as this increases
the chances of Kea finding the reservation using the fewest queries. An
example of host reservation identifiers looks as follows:
visits part of the network that is covered by 2001:db8:ffff::/48, it
will get an IP address 2001:db8:ffff::1, which will be outside of the
prefix announced by its local router using Router Advertisements. Such a
-configuration would be unusable or, at the very least, riddled with
+configuration is unusable or, at the very least, riddled with
issues, such as downlink traffic not reaching the device.
To use global host reservations, a configuration similar to the
"hw-address": "01:02:03:04:05:06",
"hostname": "hw-host-fixed",
- // Use of IP address is global reservation is risky. If used outside of
+ // Use of IP address in global reservation is risky. If used outside of
// matching subnet, such as 3001::/64, it will result in a broken
- // configuration being handled to the client.
+ // configuration being handed to the client.
"ip-address": "2001:db8:ff::77"
},
{
=========================
DHCP servers use subnet information in two ways. First, it is used to
-determine the point of attachment, or simply put, where the client is
+determine the point of attachment, or where the client is
connected to the network. Second, the subnet information is used to
group information pertaining to a specific location in the network. This
-approach works well in general cases, but there are scenarios where the
+approach works well in general, but there are scenarios where the
boundaries are blurred. Sometimes it is useful to have more than one
-logical IP subnet being deployed on the same physical link. The need to
-understand that two or more subnets are used on the same link requires
+logical IP subnet being deployed on the same physical link.
+Understanding that two or more subnets are used on the same link requires
additional logic in the DHCP server. This capability is called "shared
-networks" in Kea and ISC DHCP configurations. It is sometimes also
-called "shared subnets." In Microsoft's nomenclature it is called
-"multinet."
+networks" in the Kea and ISC DHCP projects. (It is sometimes also
+called "shared subnets"; in Microsoft's nomenclature it is called
+"multinet.")
-There are many use cases where the feature is useful. The most common
-example in the IPv4 case is when the server is running out of available
+There are many use cases where the feature is useful; the most common
+example in IPv4 is when the server is running out of available
addresses in a subnet. This is less common in IPv6, but shared networks
are still useful in IPv6. One of the use cases is an exhaustion of IPv6-
-delegated prefixes within a subnet. Another IPv6-specific example is an
+delegated prefixes within a subnet; another is an
experiment with an addressing scheme. With the advent of IPv6 deployment
and a vast address space, many organizations split the address space
into subnets, deploy it, and then after a while discover that they want
to split it differently. In the transition period, they want both old
-and new addressing to be available. Thus the need for more than one
+and new addressing to be available; thus the need for more than one
subnet on the same physical link.
Finally, the case of cable networks is directly applicable in IPv6.
end-user devices behind them. It is a common practice to use different
subnets for cable modems to prevent users from tinkering with them. In
this case, the distinction is based on the type of device, rather than
-address-space exhaustion.
+on address-space exhaustion.
A client connected to a shared network may be assigned a lease (address
or prefix) from any of the pools defined within the subnets belonging to
belonging to a shared network and tries to allocate a lease from this
subnet. If the server is unable to allocate a lease from the selected
subnet (e.g., due to pools exhaustion), it will use another subnet from
-the same shared network and try to allocate a lease from this subnet,
-etc. Therefore, in the typical case, the server will allocate all leases
+the same shared network and will try to allocate a lease from this subnet,
+etc. Therefore, the server will typically allocate all leases
available in a given subnet before it starts allocating leases from
other subnets belonging to the same shared network. However, in certain
situations the client can be allocated a lease from the other subnets
-before the pools in the first subnet get exhausted, e.g. when the client
-provides a hint that belongs to another subnet or the client has
+before the pools in the first subnet get exhausted; this sometimes occurs
+when the client provides a hint that belongs to another subnet, or the client has
reservations in a subnet other than the default.
**Note**
// and it must be unique among all shared networks.
"name": "ipv6-lab-1",
- // The subnet selector can be specifed on the shared network level.
+ // The subnet selector can be specified on the shared network level.
// Subnets from this shared network will be selected for clients
// communicating via relay agent having the specified IP address.
"relay": {
]
} ], // end of shared-networks
- // It is likely that in your network you'll have a mix of regular,
+ // It is likely that in the network there will be a mix of regular,
// "plain" subnets and shared networks. It is perfectly valid to mix
- // them in the same config file.
+ // them in the same configuration file.
//
- // This is regular subnet. It's not part of any shared-network.
+ // This is a regular subnet. It is not part of any shared-network.
"subnet6": [
{
"subnet": "2001:db9::/48",
} // end of Dhcp6
}
-As you see in the example, it is possible to mix shared and regular
+As demonstrated in the example, it is possible to mix shared and regular
("plain") subnets. Each shared network must have a unique name. This is
similar to the ID for subnets, but gives administrators more
-flexibility. This is used for logging, but also internally for
+flexibility. It is used for logging, but also internally for
identifying shared networks.
In principle it makes sense to define only shared networks that consist
-of two or more subnets. However, for testing purposes it is allowed to
-define a shared network with just one subnet or even an empty one. This
+of two or more subnets. However, for testing purposes, an empty subnet
+or a network with just a single subnet is allowed. This
is not a recommended practice in production networks, as the shared
network logic requires additional processing and thus lowers the
server's performance. To avoid unnecessary performance degradation, the
shared subnets should only be defined when required by the deployment.
Shared networks provide an ability to specify many parameters in the
-shared network scope that will apply to all subnets within it. If
-necessary, you can specify a parameter in the shared network scope and
+shared network scope that apply to all subnets within it. If
+necessary, it is possible to specify a parameter in the shared network scope and
then override its value in the subnet scope. For example:
::
} ]
In this example, there is a dns-servers option defined that is available
-to clients in both subnets in this shared network. Also, a valid
+to clients in both subnets in this shared network. Also, the valid
lifetime is set to 10 minutes (600s). However, the first subnet
overrides some of the values (valid lifetime is 20 minutes, different IP
address for dns-servers), but also adds its own option (unicast
-address). Assuming a client asking for a server unicast and dns servers
+address). Assuming a client asking for a server unicast and dns-servers
options is assigned a lease from this subnet, it will get a lease for 20
minutes and dns-servers, and be allowed to use server unicast at address
2001:abcd::1. If the same client is assigned to the second subnet, it
Some parameters must be the same in all subnets in the same shared
network. This restriction applies to the ``interface`` and
``rapid-commit`` settings. The most convenient way is to define them on
-the shared network scope, but you may specify them for each subnet.
+the shared network scope, but they can be specified for each subnet.
However, care should be taken for each subnet to have the same value.
Local and Relayed Traffic in Shared Networks
{
"name": "office-floor-2",
- // This tells Kea that the whole shared networks is reachable over
+ // This tells Kea that the whole shared network is reachable over a
// local interface. This applies to all subnets in this network.
"interface": "eth0",
"subnet": "3ffe:abcd::/64",
"pools": [ { "pool": "3ffe:abcd::1 - 3ffe:abcd::ffff" } ]
- // Specifying a different interface name is configuration
+ // Specifying a different interface name is a configuration
// error:
// "interface": "eth1"
}
} ]
Somewhat similar to interface names, relay IP addresses can also be
-specified for the whole shared network. However, depending on your relay
+specified for the whole shared network. However, depending on the relay
configuration, it may use different IP addresses depending on which
subnet is being used. Thus there is no requirement to use the same IP
relay address for each subnet. Here's an example:
]
In this particular case the relay IP address specified at the network
-level doesn't have much sense, as it is overridden in both subnets, but
+level doesn't make much sense, as it is overridden in both subnets, but
it was left there as an example of how one could be defined at the
network level. Note that the relay agent IP address typically belongs to
the subnet it relays packets from, but this is not a strict requirement.
Sometimes it is desirable to segregate clients into specific subnets
based on certain properties. This mechanism is called client
-classification and is described in `??? <#classify>`__. Client
+classification and is described in :ref:`classify`. Client
classification can be applied to subnets belonging to shared networks in
the same way as it is used for subnets specified outside of shared
networks. It is important to understand how the server selects subnets
}
If the client belongs to the "b-devices" class (because it includes
-option 1234 with a value of 0x0002), that doesn't guarantee that the
+option 1234 with a value of 0x0002), that does not guarantee that the
subnet 2001:db8:3::/64 will be used (or preferred) for this client. The
-server can use either of the two subnets because the subnet
+server can use either of the two subnets, because the subnet
2001:db8:1::/64 is also allowed for this client. The client
classification used in this case should be perceived as a way to
restrict access to certain subnets, rather than a way to express subnet
-preference. For example, if the client doesn't belong to the "b-devices"
+preference. For example, if the client does not belong to the "b-devices"
class it may only use the subnet 2001:db8:1::/64 and will never use the
subnet 2001:db8:3::/64.
It is worth noting that Kea conducts additional checks when processing a
-packet if shared networks are defined. Instead of simply checking
+packet if shared networks are defined. First, instead of simply checking
whether there's a reservation for a given client in its initially
-selected subnet, it looks through all subnets in a shared network for a
+selected subnet, Kea looks through all subnets in a shared network for a
reservation. This is one of the reasons why defining a shared network
may impact performance. If there is a reservation for a client in any
subnet, that particular subnet will be picked for the client. Although
-it's technically not an error, it is considered a bad practice to define
+it is technically not an error, it is considered a bad practice to define
reservations for the same host in multiple subnets belonging to the same
shared network.
While not strictly mandatory, it is strongly recommended to use explicit
-"id" values for subnets if you plan to use database storage for host
-reservations. If ID is not specified, the values for it are
+"id" values for subnets if database storage will be used for host
+reservations. If an ID is not specified, the values for it are
autogenerated, i.e. it assigns increasing integer values starting from
1. Thus, the autogenerated IDs are not stable across configuration
changes.
The DHCPv6 protocol uses a "server identifier" (also known as a DUID) to
allow clients to discriminate between several servers present on the
-same link. `RFC 8415 <http://tools.ietf.org/html/rfc8415>`__ currently
+same link. `RFC 8415 <https://tools.ietf.org/html/rfc8415>`__ currently
defines four DUID types: DUID-LLT, DUID-EN, DUID-LL, and DUID-UUID.
The Kea DHCPv6 server generates a server identifier once, upon the first
restarts of the server and so is a stable identifier.
Kea follows the recommendation from `RFC
-8415 <http://tools.ietf.org/html/rfc8415>`__ to use DUID-LLT as the
-default server identifier. However, we have received reports that some
+8415 <https://tools.ietf.org/html/rfc8415>`__ to use DUID-LLT as the
+default server identifier. However, ISC has received reports that some
deployments require different DUID types, and there is a need to
-administratively select both DUID type and/or its contents.
+administratively select both the DUID type and/or its contents.
The server identifier can be configured using parameters within the
``server-id`` map element in the global scope of the Kea configuration
...
}
-Currently supported values for ``type`` parameter are: "LLT", "EN", and
+Currently supported values for the ``type`` parameter are: "LLT", "EN", and
"LL", for DUID-LLT, DUID-EN, and DUID-LL respectively.
-When a new DUID type is selected the server generates its value and
+When a new DUID type is selected, the server generates its value and
replaces any existing DUID in the file. The server then uses the new
server identifier in all future interactions with the clients.
identifier, this will be at the cost of an increased number of
renewals and multicast traffic due to a need to rebind. Therefore, it
is recommended that modification of the server identifier type and
- value is avoided if the server has already assigned leases and these
+ value be avoided if the server has already assigned leases and these
leases are still valid.
There are cases when an administrator needs to explicitly specify a DUID
- ``time`` is a 32-bit unsigned time value.
The hexadecimal representation of the DUID generated as a result of the
-configuration specified above will be:
+configuration specified above is:
::
A special value of 0 for "htype" and "time" is allowed, which indicates
that the server should use ANY value for these components. If the server
-already uses a DUID-LLT it will use the values from this DUID; if the
+already uses a DUID-LLT, it will use the values from this DUID; if the
server uses a DUID of a different type or doesn't yet use any DUID, it
will generate these values. Similarly, if the "identifier" is assigned
an empty string, the value of the identifier will be generated. Omitting
Typically DHCPv6 is used to assign both addresses and options. These
assignments (leases) have a state that changes over time, hence their
-name, stateful. DHCPv6 also supports a stateless mode, where clients
+description as stateful. DHCPv6 also supports a stateless mode, where clients
request configuration options only. This mode is considered lightweight
from the server perspective, as it does not require any state tracking,
and carries the stateless name.
The Kea server supports stateless mode. Clients can send
Information-Request messages and the server sends back answers with the
-requested options (providing the options are available in the server
-configuration). The server attempts to use per-subnet options first. If
-that fails - for whatever reason - it then tries to provide options
+requested options, providing the options are available in the server
+configuration. The server attempts to use per-subnet options first; if
+that fails for any reason, it then tries to provide options
defined in the global scope.
Stateless and stateful mode can be used together. No special
configuration directives are required to handle this; simply use the
configuration for stateful clients and the stateless clients will get
-just the options they requested.
+only the options they requested.
This usage of global options allows for an interesting case. It is
possible to run a server that provides only options and no addresses or
}
}
-This very simple configuration will provide DNS server information to
+This very simple configuration provides DNS server information to
all clients in the network, regardless of their location. Note the
-specification of the memfile lease database; this is needed as Kea
+specification of the Memfile lease database; this is needed as Kea
requires a lease database to be specified even if it is not used.
.. _dhcp6-rfc7550:
Support for RFC 7550 (now part of RFC 8415)
===========================================
-`RFC 7550 <http://tools.ietf.org/html/rfc7550>`__ introduced some
+`RFC 7550 <https://tools.ietf.org/html/rfc7550>`__ introduced some
changes to the previous DHCPv6 specifications, `RFC
-3315 <http://tools.ietf.org/html/rfc3315>`__ and `RFC
-3633 <http://tools.ietf.org/html/rfc3633>`__, to resolve a few issues
+3315 <https://tools.ietf.org/html/rfc3315>`__ and `RFC
+3633 <https://tools.ietf.org/html/rfc3633>`__, to resolve a few issues
with the coexistence of multiple stateful options in the messages sent
-between the clients and servers. Those changes were later included in
+between clients and servers. Those changes were later included in
the most recent DHCPv6 protocol specification, `RFC
-8415 <http://tools.ietf.org/html/rfc8415>`__, which obsoleted `RFC
-7550 <http://tools.ietf.org/html/rfc7550>`__. Kea supports `RFC
-8415 <http://tools.ietf.org/html/rfc8415>`__ along with these protocol
+8415 <https://tools.ietf.org/html/rfc8415>`__, which obsoleted `RFC
+7550 <https://tools.ietf.org/html/rfc7550>`__. Kea supports `RFC
+8415 <https://tools.ietf.org/html/rfc8415>`__ along with these protocol
changes, which are briefly described below.
When a client, such as a requesting router, requests an allocation of
disable this behavior.
The following are the other behaviors first introduced in `RFC
-7550 <http://tools.ietf.org/html/rfc7550>`__ (now part of `RFC
-8415 <http://tools.ietf.org/html/rfc8415>`__) and supported by the Kea
+7550 <https://tools.ietf.org/html/rfc7550>`__ (now part of `RFC
+8415 <https://tools.ietf.org/html/rfc8415>`__) and supported by the Kea
DHCPv6 server:
- Set T1/T2 timers to the same value for all stateful (IA_NA and IA_PD)
- options to facilitate renewal of all a client's leases at the same
- time (in a single message exchange),
+ options to facilitate renewal of all of a client's leases at the same
+ time (in a single message exchange).
- Place NoAddrsAvail and NoPrefixAvail status codes in the IA_NA and
IA_PD options in the Advertise message, rather than as the top-level
The relay must have an interface connected to the link on which the
clients are being configured. Typically the relay has a global IPv6
-address configured on the interface that belongs to the subnet from
+address configured on that interface, which belongs to the subnet from
which the server will assign addresses. Normally, the server is able to
use the IPv6 address inserted by the relay (in the link-addr field in
RELAY-FORW message) to select the appropriate subnet.
The following example assumes that there is a subnet 2001:db8:1::/64
that is accessible via a relay that uses 3000::1 as its IPv6 address.
The server is able to select this subnet for any incoming packets that
-come from a relay with an address in 2001:db8:1::/64 subnet. It also
+come from a relay that has an address in the 2001:db8:1::/64 subnet. It also
selects that subnet for a relay with address 3000::1.
::
Segregating IPv6 Clients in a Cable Network
===========================================
-In certain cases, it is useful to mix relay address information,
-introduced in `Using a Specific Relay Agent for a
-Subnet <#dhcp6-relay-override>`__, with client classification, explained
-in `??? <#classify>`__. One specific example is in a cable network,
-where typically modems get addresses from a different subnet than all
-devices connected behind them.
+In certain cases, it is useful to mix relay address information
+(introduced in :ref:`dhcp6-relay-override`), with client classification, explained
+in :ref:`classify`. One specific example is in a cable network,
+where modems typically get addresses from a different subnet than all
+the devices connected behind them.
Let us assume that there is one CMTS (Cable Modem Termination System)
with one CM MAC (a physical link that modems are connected to). We want
used and in what order. This configuration may be considered a fine
tuning of the DHCP deployment. In a typical deployment the default value
of ``"any"`` is sufficient and there is no need to select specific
-methods. Changing the value of this parameter is the most useful in
+methods. Changing the value of this parameter is most useful in
cases when an administrator wants to disable certain methods; for
example, if the administrator trusts the network infrastructure more
than the information provided by the clients themselves, they may prefer
-information provided by the relays over that provided by the clients.
+information provided by the relays over that provided by clients.
The configuration is controlled by the ``mac-sources`` parameter as
follows:
Supported methods are:
-- ``any`` - Not an actual method, just a keyword that instructs Kea to
+- ``any`` - not an actual method, just a keyword that instructs Kea to
try all other methods and use the first one that succeeds. This is
the default operation if no ``mac-sources`` are defined.
-- ``raw`` - In principle, a DHCPv6 server could use raw sockets to
+- ``raw`` - in principle, a DHCPv6 server could use raw sockets to
receive incoming traffic and extract MAC/hardware address
information. This is currently not implemented for DHCPv6 and this
value has no effect.
- ``duid`` - DHCPv6 uses DUID identifiers instead of MAC addresses.
There are currently four DUID types defined, and two of them
(DUID-LLT, which is the default, and DUID-LL) convey MAC address
- information. Although `RFC 8415 <>`__ forbids it, it is possible to
+ information. Although `RFC 8415 <https://tools.ietf.org/html/rfc8415>`__
+ forbids it, it is possible to
parse those DUIDs and extract necessary information from them. This
method is not completely reliable, as clients may use other DUID
types, namely DUID-EN or DUID-UUID.
-- ``ipv6-link-local`` - Another possible acquisition method comes from
+- ``ipv6-link-local`` - another possible acquisition method comes from
the source IPv6 address. In typical usage, clients are sending their
packets from IPv6 link-local addresses. There is a good chance that
those addresses are based on EUI-64, which contains a MAC address.
This method is not completely reliable, as clients may use other
link-local address types. In particular, privacy extensions, defined
- in `RFC 4941 <http://tools.ietf.org/html/rfc4941>`__, do not use MAC
+ in `RFC 4941 <https://tools.ietf.org/html/rfc4941>`__, do not use MAC
addresses. Also note that successful extraction requires that the
address's u-bit must be set to 1 and its g-bit set to 0, indicating
that it is an interface identifier as per `RFC 2373, section
- 2.5.1 <http://tools.ietf.org/html/rfc2373#section-2.5.1>`__.
+ 2.5.1 <https://tools.ietf.org/html/rfc2373#section-2.5.1>`__.
-- ``client-link-addr-option`` - One extension defined to alleviate
+- ``client-link-addr-option`` - one extension defined to alleviate
missing MAC issues is the client link-layer address option, defined
- in `RFC 6939 <http://tools.ietf.org/html/rfc6939>`__. This is an
+ in `RFC 6939 <https://tools.ietf.org/html/rfc6939>`__. This is an
option that is inserted by a relay and contains information about a
client's MAC address. This method requires a relay agent that
supports the option and is configured to insert it. This method is
specified as ``rfc6939``, which is an alias for
``client-link-addr-option``.
-- ``remote-id`` - `RFC 4649 <http://tools.ietf.org/html/rfc4649>`__
+- ``remote-id`` - `RFC 4649 <https://tools.ietf.org/html/rfc4649>`__
defines a remote-id option that is inserted by a relay agent.
Depending on the relay agent configuration, the inserted option may
convey the client's MAC address information. This parameter can also
- ``subscriber-id`` - Another option that is somewhat similar to the
previous one is subscriber-id, defined in `RFC
- 4580 <http://tools.ietf.org/html/rfc4580>`__. It, too, is inserted by
+ 4580 <https://tools.ietf.org/html/rfc4580>`__. It, too, is inserted by
a relay agent that is configured to insert it. This parameter can
also be specified as ``rfc4580``, which is an alias for
``subscriber-id``. This method is currently not implemented.
- ``docsis-cmts`` - Yet another possible source of MAC address
information are the DOCSIS options inserted by a CMTS that acts as a
DHCPv6 relay agent in cable networks. This method attempts to extract
- MAC address information from suboption 1026 (cm mac) of the
+ MAC address information from sub-option 1026 (cm mac) of the
vendor-specific option with vendor-id=4491. This vendor option is
extracted from the relay-forward message, not the original client's
message.
- ``docsis-modem`` - The final possible source of MAC address
information are the DOCSIS options inserted by the cable modem
itself. This method attempts to extract MAC address information from
- suboption 36 (device id) of the vendor-specific option with
+ sub-option 36 (device id) of the vendor-specific option with
vendor-id=4491. This vendor option is extracted from the original
client's message, not from any relay options.
-Empty mac-sources is not allowed. If you do not want to specify it,
-either simply omit the mac-sources definition or specify it with the
-"any" value which is the default.
+Empty mac-sources is not allowed. Administrators who do not want to specify it
+should either simply omit the mac-sources definition or specify it with the
+"any" value, which is the default.
.. _dhcp6-decline:
incoming DHCPDECLINE message has been sanitized and the server is about
to decline the lease. The declined-addresses statistic is increased
after the hook returns (both global and subnet-specific variants). (See
-`Statistics in the DHCPv6 Server <#dhcp6-stats>`__ and
-`??? <#hooks-libraries>`__ for more details on DHCPv6 statistics and Kea
-hook points.)
+:ref:`dhcp6-stats` and :ref:`hooks-libraries`
+for more details on DHCPv6 statistics and Kea hook points.)
Once the probation time elapses, the declined lease is recovered using
the standard expired-lease reclamation procedure, with several
declined-addresses in the calculation, and simply use
assigned-addresses/total-addresses. This would cause a bias towards
under-representing pool utilization. As this has a potential for major
-issues, we decided not to decrease assigned-addresses immediately after
+issues, ISC decided not to decrease assigned-addresses immediately after
receiving DHCPDECLINE, but to do it later when Kea recovers the address
back to the available pool.
**Note**
This section describes DHCPv6-specific statistics. For a general
- overview and usage of statistics, see `??? <#stats>`__.
+ overview and usage of statistics, see :ref:`stats`.
The DHCPv6 server supports the following statistics:
.. table:: DHCPv6 Statistics
- +-----------------------+-----------------------+-----------------------+
- | Statistic | Data Type | Description |
- +=======================+=======================+=======================+
- | pkt6-received | integer | Number of DHCPv6 |
- | | | packets received. |
- | | | This includes all |
- | | | packets: valid, |
- | | | bogus, corrupted, |
- | | | rejected, etc. This |
- | | | statistic is expected |
- | | | to grow rapidly. |
- +-----------------------+-----------------------+-----------------------+
- | pkt6-receive-drop | integer | Number of incoming |
- | | | packets that were |
- | | | dropped. The exact |
- | | | reason for dropping |
- | | | packets is logged, |
- | | | but the most common |
- | | | reasons may be: an |
- | | | unacceptable or not |
- | | | supported packet type |
- | | | is received, direct |
- | | | responses are |
- | | | forbidden, the |
- | | | server-id sent by the |
- | | | client does not match |
- | | | the server's |
- | | | server-id, or the |
- | | | packet is malformed. |
- +-----------------------+-----------------------+-----------------------+
- | pkt6-parse-failed | integer | Number of incoming |
- | | | packets that could |
- | | | not be parsed. A |
- | | | non-zero value of |
- | | | this statistic |
- | | | indicates that the |
- | | | server received a |
- | | | malformed or |
- | | | truncated packet. |
- | | | This may indicate |
- | | | problems in your |
- | | | network, faulty |
- | | | clients, faulty relay |
- | | | agents, or a bug in |
- | | | the server. |
- +-----------------------+-----------------------+-----------------------+
- | pkt6-solicit-received | integer | Number of SOLICIT |
- | | | packets received. |
- | | | This statistic is |
- | | | expected to grow; its |
- | | | increase means that |
- | | | clients that just |
- | | | booted started their |
- | | | configuration process |
- | | | and their initial |
- | | | packets reached your |
- | | | Kea server. |
- +-----------------------+-----------------------+-----------------------+
- | pkt6-advertise-receiv | integer | Number of ADVERTISE |
- | ed | | packets received. |
- | | | Advertise packets are |
- | | | sent by the server |
- | | | and the server is |
- | | | never expected to |
- | | | receive them. A |
- | | | non-zero value of |
- | | | this statistic |
- | | | indicates an error |
- | | | occurring in the |
- | | | network. One likely |
- | | | cause would be a |
- | | | misbehaving relay |
- | | | agent that |
- | | | incorrectly forwards |
- | | | ADVERTISE messages |
- | | | towards the server, |
- | | | rather than back to |
- | | | the clients. |
- +-----------------------+-----------------------+-----------------------+
- | pkt6-request-received | integer | Number of DHCPREQUEST |
- | | | packets received. |
- | | | This statistic is |
- | | | expected to grow. Its |
- | | | increase means that |
- | | | clients that just |
- | | | booted received the |
- | | | server's response |
- | | | (DHCPADVERTISE) and |
- | | | accepted it, and are |
- | | | now requesting an |
- | | | address |
- | | | (DHCPREQUEST). |
- +-----------------------+-----------------------+-----------------------+
- | pkt6-reply-received | integer | Number of REPLY |
- | | | packets received. |
- | | | This statistic is |
- | | | expected to remain |
- | | | zero at all times, as |
- | | | REPLY packets are |
- | | | sent by the server |
- | | | and the server is |
- | | | never expected to |
- | | | receive them. A |
- | | | non-zero value |
- | | | indicates an error. |
- | | | One likely cause |
- | | | would be a |
- | | | misbehaving relay |
- | | | agent that |
- | | | incorrectly forwards |
- | | | REPLY messages |
- | | | towards the server, |
- | | | rather than back to |
- | | | the clients. |
- +-----------------------+-----------------------+-----------------------+
- | pkt6-renew-received | integer | Number of RENEW |
- | | | packets received. |
- | | | This statistic is |
- | | | expected to grow; its |
- | | | increase means that |
- | | | clients received |
- | | | their addresses and |
- | | | prefixes and are |
- | | | trying to renew them. |
- +-----------------------+-----------------------+-----------------------+
- | pkt6-rebind-received | integer | Number of REBIND |
- | | | packets received. A |
- | | | non-zero value |
- | | | indicates that |
- | | | clients didn't |
- | | | receive responses to |
- | | | their RENEW messages |
- | | | (through the regular |
- | | | lease-renewal |
- | | | mechanism) and are |
- | | | attempting to find |
- | | | any server that is |
- | | | able to take over |
- | | | their leases. It may |
- | | | mean that some |
- | | | servers' REPLY |
- | | | messages never |
- | | | reached the clients. |
- +-----------------------+-----------------------+-----------------------+
- | pkt6-release-received | integer | Number of RELEASE |
- | | | packets received. |
- | | | This statistic is |
- | | | expected to grow when |
- | | | a device is being |
- | | | shut down in the |
- | | | network; it indicates |
- | | | that the address or |
- | | | prefix assigned is |
- | | | reported as no longer |
- | | | needed. Note that |
- | | | many devices, |
- | | | especially wireless, |
- | | | do not send RELEASE |
- | | | packets either |
- | | | because of design |
- | | | choice or due to the |
- | | | client moving out of |
- | | | range. |
- +-----------------------+-----------------------+-----------------------+
- | pkt6-decline-received | integer | Number of DECLINE |
- | | | packets received. |
- | | | This statistic is |
- | | | expected to remain |
- | | | close to zero. Its |
- | | | increase means that a |
- | | | client leased an |
- | | | address, but |
- | | | discovered that the |
- | | | address is currently |
- | | | used by an unknown |
- | | | device in your |
- | | | network. If this |
- | | | statistic is growing, |
- | | | it may indicate a |
- | | | misconfigured server |
- | | | or devices that have |
- | | | statically assigned |
- | | | conflicting |
- | | | addresses. |
- +-----------------------+-----------------------+-----------------------+
- | pkt6-infrequest-recei | integer | Number of |
- | ved | | INFORMATION-REQUEST |
- | | | packets received. |
- | | | This statistic is |
- | | | expected to grow if |
- | | | there are devices |
- | | | that are using |
- | | | stateless DHCPv6. |
- | | | INFORMATION-REQUEST |
- | | | messages are used by |
- | | | clients that request |
- | | | stateless |
- | | | configuration, i.e. |
- | | | options and |
- | | | parameters other than |
- | | | addresses or |
- | | | prefixes. |
- +-----------------------+-----------------------+-----------------------+
- | pkt6-dhcpv4-query-rec | integer | Number of |
- | eived | | DHCPv4-QUERY packets |
- | | | received. This |
- | | | statistic is expected |
- | | | to grow if there are |
- | | | devices that are |
- | | | using |
- | | | DHCPv4-over-DHCPv6. |
- | | | DHCPv4-QUERY messages |
- | | | are used by DHCPv4 |
- | | | clients on an |
- | | | IPv6-only line which |
- | | | encapsulates the |
- | | | requests over DHCPv6. |
- +-----------------------+-----------------------+-----------------------+
- | pkt6-dhcpv4-response- | integer | Number of |
- | received | | DHCPv4-RESPONSE |
- | | | packets received. |
- | | | This statistic is |
- | | | expected to remain |
- | | | zero at all times, as |
- | | | DHCPv4-RESPONSE |
- | | | packets are sent by |
- | | | the server and the |
- | | | server is never |
- | | | expected to receive |
- | | | them. A non-zero |
- | | | value indicates an |
- | | | error. One likely |
- | | | cause would be a |
- | | | misbehaving relay |
- | | | agent that |
- | | | incorrectly forwards |
- | | | DHCPv4-RESPONSE |
- | | | message towards the |
- | | | server rather than |
- | | | back to the clients. |
- +-----------------------+-----------------------+-----------------------+
- | pkt6-unknown-received | integer | Number of packets |
- | | | received of an |
- | | | unknown type. A |
- | | | non-zero value of |
- | | | this statistic |
- | | | indicates that the |
- | | | server received a |
- | | | packet that it wasn't |
- | | | able to recognize; |
- | | | either it had an |
- | | | unsupported type or |
- | | | was possibly |
- | | | malformed. |
- +-----------------------+-----------------------+-----------------------+
- | pkt6-sent | integer | Number of DHCPv6 |
- | | | packets sent. This |
- | | | statistic is expected |
- | | | to grow every time |
- | | | the server transmits |
- | | | a packet. In general, |
- | | | it should roughly |
- | | | match pkt6-received, |
- | | | as most incoming |
- | | | packets cause the |
- | | | server to respond. |
- | | | There are exceptions |
- | | | (e.g. server |
- | | | receiving a REQUEST |
- | | | with server-id |
- | | | matching other |
- | | | server), so do not |
- | | | worry if it is less |
- | | | than pkt6-received. |
- +-----------------------+-----------------------+-----------------------+
- | pkt6-advertise-sent | integer | Number of ADVERTISE |
- | | | packets sent. This |
- | | | statistic is expected |
- | | | to grow in most cases |
- | | | after a SOLICIT is |
- | | | processed. There are |
- | | | certain uncommon, but |
- | | | valid, cases where |
- | | | incoming SOLICIT |
- | | | packets are dropped, |
- | | | but in general this |
- | | | statistic is expected |
- | | | to be close to |
- | | | pkt6-solicit-received |
- | | | . |
- +-----------------------+-----------------------+-----------------------+
- | pkt6-reply-sent | integer | Number of REPLY |
- | | | packets sent. This |
- | | | statistic is expected |
- | | | to grow in most cases |
- | | | after a SOLICIT (with |
- | | | rapid-commit), |
- | | | REQUEST, RENEW, |
- | | | REBIND, RELEASE, |
- | | | DECLINE, or |
- | | | INFORMATION-REQUEST |
- | | | is processed. There |
- | | | are certain cases |
- | | | where there is no |
- | | | response. |
- +-----------------------+-----------------------+-----------------------+
- | pkt6-dhcpv4-response- | integer | Number of |
- | sent | | DHCPv4-RESPONSE |
- | | | packets sent. This |
- | | | statistic is expected |
- | | | to grow in most cases |
- | | | after a DHCPv4-QUERY |
- | | | is processed. There |
- | | | are certain cases |
- | | | where there is no |
- | | | response. |
- +-----------------------+-----------------------+-----------------------+
- | subnet[id].total-nas | integer | Total number of NA |
- | | | addresses available |
- | | | for DHCPv6 management |
- | | | for a given subnet; |
- | | | in other words, this |
- | | | is the sum of all |
- | | | addresses in all |
- | | | configured pools. |
- | | | This statistic |
- | | | changes only during |
- | | | configuration |
- | | | changes. Note that it |
- | | | does not take into |
- | | | account any addresses |
- | | | that may be reserved |
- | | | due to host |
- | | | reservation. The *id* |
- | | | is the subnet-id of a |
- | | | given subnet. This |
- | | | statistic is exposed |
- | | | for each subnet |
- | | | separately, and is |
- | | | reset during a |
- | | | reconfiguration |
- | | | event. |
- +-----------------------+-----------------------+-----------------------+
- | subnet[id].assigned-n | integer | Number of NA |
- | as | | addresses in a given |
- | | | subnet that are |
- | | | assigned. It |
- | | | increases every time |
- | | | a new lease is |
- | | | allocated (as a |
- | | | result of receiving a |
- | | | REQUEST message) and |
- | | | is decreased every |
- | | | time a lease is |
- | | | released (a RELEASE |
- | | | message is received) |
- | | | or expires. The *id* |
- | | | is the subnet-id of a |
- | | | given subnet. This |
- | | | statistic is exposed |
- | | | for each subnet |
- | | | separately, and is |
- | | | reset during a |
- | | | reconfiguration |
- | | | event. |
- +-----------------------+-----------------------+-----------------------+
- | subnet[id].total-pds | integer | Total number of PD |
- | | | prefixes available |
- | | | for DHCPv6 management |
- | | | for a given subnet; |
- | | | in other words, this |
- | | | is the sum of all |
- | | | prefixes in all |
- | | | configured pools. |
- | | | This statistic |
- | | | changes only during |
- | | | configuration |
- | | | changes. Note it does |
- | | | not take into account |
- | | | any prefixes that may |
- | | | be reserved due to |
- | | | host reservation. The |
- | | | *id* is the subnet-id |
- | | | of a given subnet. |
- | | | This statistic is |
- | | | exposed for each |
- | | | subnet separately, |
- | | | and is reset during a |
- | | | reconfiguration |
- | | | event. |
- +-----------------------+-----------------------+-----------------------+
- | subnet[id].assigned-p | integer | Number of PD prefixes |
- | ds | | in a given subnet |
- | | | that are assigned. It |
- | | | increases every time |
- | | | a new lease is |
- | | | allocated (as a |
- | | | result of receiving a |
- | | | REQUEST message) and |
- | | | is decreased every |
- | | | time a lease is |
- | | | released (a RELEASE |
- | | | message is received) |
- | | | or expires. The *id* |
- | | | is the subnet-id of a |
- | | | given subnet. This |
- | | | statistic is exposed |
- | | | for each subnet |
- | | | separately, and is |
- | | | reset during a |
- | | | reconfiguration |
- | | | event. |
- +-----------------------+-----------------------+-----------------------+
- | reclaimed-leases | integer | Number of expired |
- | | | leases that have been |
- | | | reclaimed since |
- | | | server startup. It is |
- | | | incremented each time |
- | | | an expired lease is |
- | | | reclaimed (counting |
- | | | both NA and PD |
- | | | reclamations) and is |
- | | | reset when the server |
- | | | is reconfigured. |
- +-----------------------+-----------------------+-----------------------+
- | subnet[id].reclaimed- | integer | Number of expired |
- | leases | | leases associated |
- | | | with a given subnet |
- | | | (*"id"* is the |
- | | | subnet-id) that have |
- | | | been reclaimed since |
- | | | server startup. It is |
- | | | incremented each time |
- | | | an expired lease is |
- | | | reclaimed (counting |
- | | | both NA and PD |
- | | | reclamations) and is |
- | | | reset when the server |
- | | | is reconfigured. |
- +-----------------------+-----------------------+-----------------------+
- | declined-addresses | integer | Number of IPv6 |
- | | | addresses that are |
- | | | currently declined; a |
- | | | count of the number |
- | | | of leases currently |
- | | | unavailable. Once a |
- | | | lease is recovered, |
- | | | this statistic will |
- | | | be decreased; |
- | | | ideally, this |
- | | | statistic should be |
- | | | zero. If this |
- | | | statistic is non-zero |
- | | | or increasing, a |
- | | | network administrator |
- | | | should investigate |
- | | | whether there is a |
- | | | misbehaving device in |
- | | | the network. This is |
- | | | a global statistic |
- | | | that covers all |
- | | | subnets. |
- +-----------------------+-----------------------+-----------------------+
- | subnet[id].declined-a | integer | Number of IPv6 |
- | ddresses | | addresses that are |
- | | | currently declined in |
- | | | a given subnet; a |
- | | | count of the number |
- | | | of leases currently |
- | | | unavailable. Once a |
- | | | lease is recovered, |
- | | | this statistic will |
- | | | be decreased; |
- | | | ideally, this |
- | | | statistic should be |
- | | | zero. If this |
- | | | statistic is non-zero |
- | | | or increasing, a |
- | | | network administrator |
- | | | should investigate |
- | | | whether there is a |
- | | | misbehaving device in |
- | | | the network. The *id* |
- | | | is the subnet-id of a |
- | | | given subnet. This |
- | | | statistic is exposed |
- | | | for each subnet |
- | | | separately. |
- +-----------------------+-----------------------+-----------------------+
- | reclaimed-declined-ad | integer | Number of IPv6 |
- | dresses | | addresses that were |
- | | | declined, but have |
- | | | now been recovered. |
- | | | Unlike |
- | | | declined-addresses, |
- | | | this statistic never |
- | | | decreases. It can be |
- | | | used as a long-term |
- | | | indicator of how many |
- | | | actual valid Declines |
- | | | were processed and |
- | | | recovered from. This |
- | | | is a global statistic |
- | | | that covers all |
- | | | subnets. |
- +-----------------------+-----------------------+-----------------------+
- | subnet[id].reclaimed- | integer | Number of IPv6 |
- | declined-addresses | | addresses that were |
- | | | declined, but have |
- | | | now been recovered. |
- | | | Unlike |
- | | | declined-addresses, |
- | | | this statistic never |
- | | | decreases. It can be |
- | | | used as a long-term |
- | | | indicator of how many |
- | | | actual valid Declines |
- | | | were processed and |
- | | | recovered from. The |
- | | | *id* is the subnet-id |
- | | | of a given subnet. |
- | | | This statistic is |
- | | | exposed for each |
- | | | subnet separately. |
- +-----------------------+-----------------------+-----------------------+
+ +-----------------------------------------+-----------------------+------------------------+
+ | Statistic | Data Type | Description |
+ +=========================================+=======================+========================+
+ | pkt6-received | integer | Number of DHCPv6 |
+ | | | packets received. |
+ | | | This includes all |
+ | | | packets: valid, |
+ | | | bogus, corrupted, |
+ | | | rejected, etc. This |
+ | | | statistic is expected |
+ | | | to grow rapidly. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | pkt6-receive-drop | integer | Number of incoming |
+ | | | packets that were |
+ | | | dropped. The exact |
+ | | | reason for dropping |
+ | | | packets is logged, |
+ | | | but the most common |
+ | | | reasons may be: an |
+ | | | unacceptable or not |
+ | | | supported packet type |
+ | | | is received, direct |
+ | | | responses are |
+ | | | forbidden, the |
+ | | | server-id sent by the |
+ | | | client does not match |
+ | | | the server's |
+ | | | server-id, or the |
+ | | | packet is malformed. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | pkt6-parse-failed | integer | Number of incoming |
+ | | | packets that could |
+ | | | not be parsed. A |
+ | | | non-zero value of |
+ | | | this statistic |
+ | | | indicates that the |
+ | | | server received a |
+ | | | malformed or |
+ | | | truncated packet. |
+ | | | This may indicate |
+ | | | problems in the |
+ | | | network, faulty |
+ | | | clients, faulty relay |
+ | | | agents, or a bug in |
+ | | | the server. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | pkt6-solicit-received | integer | Number of SOLICIT |
+ | | | packets received. |
+ | | | This statistic is |
+ | | | expected to grow; its |
+ | | | increase means that |
+ | | | clients that just |
+ | | | booted started their |
+ | | | configuration process |
+ | | | and their initial |
+ | | | packets reached the |
+ | | | Kea server. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | pkt6-advertise-received | integer | Number of ADVERTISE |
+ | | | packets received. |
+ | | | Advertise packets are |
+ | | | sent by the server |
+ | | | and the server is |
+ | | | never expected to |
+ | | | receive them. A |
+ | | | non-zero value of |
+ | | | this statistic |
+ | | | indicates an error |
+ | | | occurring in the |
+ | | | network. One likely |
+ | | | cause would be a |
+ | | | misbehaving relay |
+ | | | agent that |
+ | | | incorrectly forwards |
+ | | | ADVERTISE messages |
+ | | | towards the server, |
+ | | | rather than back to |
+ | | | the clients. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | pkt6-request-received | integer | Number of DHCPREQUEST |
+ | | | packets received. |
+ | | | This statistic is |
+ | | | expected to grow. Its |
+ | | | increase means that |
+ | | | clients that just |
+ | | | booted received the |
+ | | | server's response |
+ | | | (DHCPADVERTISE) and |
+ | | | accepted it, and are |
+ | | | now requesting an |
+ | | | address |
+ | | | (DHCPREQUEST). |
+ +-----------------------------------------+-----------------------+------------------------+
+ | pkt6-reply-received | integer | Number of REPLY |
+ | | | packets received. |
+ | | | This statistic is |
+ | | | expected to remain |
+ | | | zero at all times, as |
+ | | | REPLY packets are |
+ | | | sent by the server |
+ | | | and the server is |
+ | | | never expected to |
+ | | | receive them. A |
+ | | | non-zero value |
+ | | | indicates an error. |
+ | | | One likely cause |
+ | | | would be a |
+ | | | misbehaving relay |
+ | | | agent that |
+ | | | incorrectly forwards |
+ | | | REPLY messages |
+ | | | towards the server, |
+ | | | rather than back to |
+ | | | the clients. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | pkt6-renew-received | integer | Number of RENEW |
+ | | | packets received. |
+ | | | This statistic is |
+ | | | expected to grow; its |
+ | | | increase means that |
+ | | | clients received |
+ | | | their addresses and |
+ | | | prefixes and are |
+ | | | trying to renew them. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | pkt6-rebind-received | integer | Number of REBIND |
+ | | | packets received. A |
+ | | | non-zero value |
+ | | | indicates that |
+ | | | clients did not |
+ | | | receive responses to |
+ | | | their RENEW messages |
+ | | | (through the regular |
+ | | | lease-renewal |
+ | | | mechanism) and are |
+ | | | attempting to find |
+ | | | any server that is |
+ | | | able to take over |
+ | | | their leases. It may |
+ | | | mean that some |
+ | | | servers' REPLY |
+ | | | messages never |
+ | | | reached the clients. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | pkt6-release-received | integer | Number of RELEASE |
+ | | | packets received. |
+ | | | This statistic is |
+ | | | expected to grow when |
+ | | | a device is being |
+ | | | shut down in the |
+ | | | network; it indicates |
+ | | | that the address or |
+ | | | prefix assigned is |
+ | | | reported as no longer |
+ | | | needed. Note that |
+ | | | many devices, |
+ | | | especially wireless, |
+ | | | do not send RELEASE |
+ | | | packets either |
+ | | | because of design |
+ | | | choice or due to the |
+ | | | client moving out of |
+ | | | range. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | pkt6-decline-received | integer | Number of DECLINE |
+ | | | packets received. |
+ | | | This statistic is |
+ | | | expected to remain |
+ | | | close to zero. Its |
+ | | | increase means that a |
+ | | | client leased an |
+ | | | address, but |
+ | | | discovered that the |
+ | | | address is currently |
+ | | | used by an unknown |
+ | | | device in the |
+ | | | network. If this |
+ | | | statistic is growing, |
+ | | | it may indicate a |
+ | | | misconfigured server |
+ | | | or devices that have |
+ | | | statically assigned |
+ | | | conflicting |
+ | | | addresses. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | pkt6-infrequest-received | integer | Number of |
+ | | | INFORMATION-REQUEST |
+ | | | packets received. |
+ | | | This statistic is |
+ | | | expected to grow if |
+ | | | there are devices |
+ | | | that are using |
+ | | | stateless DHCPv6. |
+ | | | INFORMATION-REQUEST |
+ | | | messages are used by |
+ | | | clients that request |
+ | | | stateless |
+ | | | configuration, i.e. |
+ | | | options and |
+ | | | parameters other than |
+ | | | addresses or |
+ | | | prefixes. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | pkt6-dhcpv4-query-received | integer | Number of |
+ | | | DHCPv4-QUERY packets |
+ | | | received. This |
+ | | | statistic is expected |
+ | | | to grow if there are |
+ | | | devices that are |
+ | | | using |
+ | | | DHCPv4-over-DHCPv6. |
+ | | | DHCPv4-QUERY messages |
+ | | | are used by DHCPv4 |
+ | | | clients on an |
+ | | | IPv6-only line which |
+ | | | encapsulates the |
+ | | | requests over DHCPv6. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | pkt6-dhcpv4-response-received | integer | Number of |
+ | | | DHCPv4-RESPONSE |
+ | | | packets received. |
+ | | | This statistic is |
+ | | | expected to remain |
+ | | | zero at all times, as |
+ | | | DHCPv4-RESPONSE |
+ | | | packets are sent by |
+ | | | the server and the |
+ | | | server is never |
+ | | | expected to receive |
+ | | | them. A non-zero |
+ | | | value indicates an |
+ | | | error. One likely |
+ | | | cause would be a |
+ | | | misbehaving relay |
+ | | | agent that |
+ | | | incorrectly forwards |
+ | | | DHCPv4-RESPONSE |
+ | | | message towards the |
+ | | | server rather than |
+ | | | back to the clients. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | pkt6-unknown-received | integer | Number of packets |
+ | | | received of an |
+ | | | unknown type. A |
+ | | | non-zero value of |
+ | | | this statistic |
+ | | | indicates that the |
+ | | | server received a |
+ | | | packet that it wasn't |
+ | | | able to recognize; |
+ | | | either it had an |
+ | | | unsupported type or |
+ | | | was possibly |
+ | | | malformed. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | pkt6-sent | integer | Number of DHCPv6 |
+ | | | packets sent. This |
+ | | | statistic is expected |
+ | | | to grow every time |
+ | | | the server transmits |
+ | | | a packet. In general, |
+ | | | it should roughly |
+ | | | match pkt6-received, |
+ | | | as most incoming |
+ | | | packets cause the |
+ | | | server to respond. |
+ | | | There are exceptions |
+ | | | (e.g. server |
+ | | | receiving a REQUEST |
+ | | | with server-id |
+ | | | matching other |
+ | | | server), so do not |
+ | | | worry if it is less |
+ | | | than pkt6-received. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | pkt6-advertise-sent | integer | Number of ADVERTISE |
+ | | | packets sent. This |
+ | | | statistic is expected |
+ | | | to grow in most cases |
+ | | | after a SOLICIT is |
+ | | | processed. There are |
+ | | | certain uncommon, but |
+ | | | valid, cases where |
+ | | | incoming SOLICIT |
+ | | | packets are dropped, |
+ | | | but in general this |
+ | | | statistic is expected |
+ | | | to be close to |
+ | | | pkt6-solicit-received. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | pkt6-reply-sent | integer | Number of REPLY |
+ | | | packets sent. This |
+ | | | statistic is expected |
+ | | | to grow in most cases |
+ | | | after a SOLICIT (with |
+ | | | rapid-commit), |
+ | | | REQUEST, RENEW, |
+ | | | REBIND, RELEASE, |
+ | | | DECLINE, or |
+ | | | INFORMATION-REQUEST |
+ | | | is processed. There |
+ | | | are certain cases |
+ | | | where there is no |
+ | | | response. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | pkt6-dhcpv4-response-sent | integer | Number of |
+ | | | DHCPv4-RESPONSE |
+ | | | packets sent. This |
+ | | | statistic is expected |
+ | | | to grow in most cases |
+ | | | after a DHCPv4-QUERY |
+ | | | is processed. There |
+ | | | are certain cases |
+ | | | where there is no |
+ | | | response. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | subnet[id].total-nas | integer | Total number of NA |
+ | | | addresses available |
+ | | | for DHCPv6 management |
+ | | | for a given subnet; |
+ | | | in other words, this |
+ | | | is the sum of all |
+ | | | addresses in all |
+ | | | configured pools. |
+ | | | This statistic |
+ | | | changes only during |
+ | | | configuration |
+ | | | changes. Note that it |
+ | | | does not take into |
+ | | | account any addresses |
+ | | | that may be reserved |
+ | | | due to host |
+ | | | reservation. The *id* |
+ | | | is the subnet-id of a |
+ | | | given subnet. This |
+ | | | statistic is exposed |
+ | | | for each subnet |
+ | | | separately, and is |
+ | | | reset during a |
+ | | | reconfiguration |
+ | | | event. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | subnet[id].assigned-nas | integer | Number of NA |
+ | | | addresses in a given |
+ | | | subnet that are |
+ | | | assigned. It |
+ | | | increases every time |
+ | | | a new lease is |
+ | | | allocated (as a |
+ | | | result of receiving a |
+ | | | REQUEST message) and |
+ | | | is decreased every |
+ | | | time a lease is |
+ | | | released (a RELEASE |
+ | | | message is received) |
+ | | | or expires. The *id* |
+ | | | is the subnet-id of a |
+ | | | given subnet. This |
+ | | | statistic is exposed |
+ | | | for each subnet |
+ | | | separately, and is |
+ | | | reset during a |
+ | | | reconfiguration |
+ | | | event. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | subnet[id].total-pds | integer | Total number of PD |
+ | | | prefixes available |
+ | | | for DHCPv6 management |
+ | | | for a given subnet; |
+ | | | in other words, this |
+ | | | is the sum of all |
+ | | | prefixes in all |
+ | | | configured pools. |
+ | | | This statistic |
+ | | | changes only during |
+ | | | configuration |
+ | | | changes. Note it does |
+ | | | not take into account |
+ | | | any prefixes that may |
+ | | | be reserved due to |
+ | | | host reservation. The |
+ | | | *id* is the subnet-id |
+ | | | of a given subnet. |
+ | | | This statistic is |
+ | | | exposed for each |
+ | | | subnet separately, |
+ | | | and is reset during a |
+ | | | reconfiguration |
+ | | | event. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | subnet[id].assigned-pds | integer | Number of PD prefixes |
+ | | | in a given subnet |
+ | | | that are assigned. It |
+ | | | increases every time |
+ | | | a new lease is |
+ | | | allocated (as a |
+ | | | result of receiving a |
+ | | | REQUEST message) and |
+ | | | is decreased every |
+ | | | time a lease is |
+ | | | released (a RELEASE |
+ | | | message is received) |
+ | | | or expires. The *id* |
+ | | | is the subnet-id of a |
+ | | | given subnet. This |
+ | | | statistic is exposed |
+ | | | for each subnet |
+ | | | separately, and is |
+ | | | reset during a |
+ | | | reconfiguration |
+ | | | event. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | reclaimed-leases | integer | Number of expired |
+ | | | leases that have been |
+ | | | reclaimed since |
+ | | | server startup. It is |
+ | | | incremented each time |
+ | | | an expired lease is |
+ | | | reclaimed (counting |
+ | | | both NA and PD |
+ | | | reclamations) and is |
+ | | | reset when the server |
+ | | | is reconfigured. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | subnet[id].reclaimed-leases | integer | Number of expired |
+ | | | leases associated |
+ | | | with a given subnet |
+ | | | (*"id"* is the |
+ | | | subnet-id) that have |
+ | | | been reclaimed since |
+ | | | server startup. It is |
+ | | | incremented each time |
+ | | | an expired lease is |
+ | | | reclaimed (counting |
+ | | | both NA and PD |
+ | | | reclamations) and is |
+ | | | reset when the server |
+ | | | is reconfigured. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | declined-addresses | integer | Number of IPv6 |
+ | | | addresses that are |
+ | | | currently declined; a |
+ | | | count of the number |
+ | | | of leases currently |
+ | | | unavailable. Once a |
+ | | | lease is recovered, |
+ | | | this statistic will |
+ | | | be decreased; |
+ | | | ideally, this |
+ | | | statistic should be |
+ | | | zero. If this |
+ | | | statistic is non-zero |
+ | | | or increasing, a |
+ | | | network administrator |
+ | | | should investigate |
+ | | | whether there is a |
+ | | | misbehaving device in |
+ | | | the network. This is |
+ | | | a global statistic |
+ | | | that covers all |
+ | | | subnets. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | subnet[id].declined-addresses | integer | Number of IPv6 |
+ | | | addresses that are |
+ | | | currently declined in |
+ | | | a given subnet; a |
+ | | | count of the number |
+ | | | of leases currently |
+ | | | unavailable. Once a |
+ | | | lease is recovered, |
+ | | | this statistic will |
+ | | | be decreased; |
+ | | | ideally, this |
+ | | | statistic should be |
+ | | | zero. If this |
+ | | | statistic is non-zero |
+ | | | or increasing, a |
+ | | | network administrator |
+ | | | should investigate |
+ | | | whether there is a |
+ | | | misbehaving device in |
+ | | | the network. The *id* |
+ | | | is the subnet-id of a |
+ | | | given subnet. This |
+ | | | statistic is exposed |
+ | | | for each subnet |
+ | | | separately. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | reclaimed-declined-addresses | integer | Number of IPv6 |
+ | | | addresses that were |
+ | | | declined, but have |
+ | | | now been recovered. |
+ | | | Unlike |
+ | | | declined-addresses, |
+ | | | this statistic never |
+ | | | decreases. It can be |
+ | | | used as a long-term |
+ | | | indicator of how many |
+ | | | actual valid Declines |
+ | | | were processed and |
+ | | | recovered from. This |
+ | | | is a global statistic |
+ | | | that covers all |
+ | | | subnets. |
+ +-----------------------------------------+-----------------------+------------------------+
+ | subnet[id].reclaimed-declined-addresses | integer | Number of IPv6 |
+ | | | addresses that were |
+ | | | declined, but have |
+ | | | now been recovered. |
+ | | | Unlike |
+ | | | declined-addresses, |
+ | | | this statistic never |
+ | | | decreases. It can be |
+ | | | used as a long-term |
+ | | | indicator of how many |
+ | | | actual valid Declines |
+ | | | were processed and |
+ | | | recovered from. The |
+ | | | *id* is the subnet-id |
+ | | | of a given subnet. |
+ | | | This statistic is |
+ | | | exposed for each |
+ | | | subnet separately. |
+ +-----------------------------------------+-----------------------+------------------------+
.. _dhcp6-ctrl-channel:
The management API allows the issuing of specific management commands,
such as statistics retrieval, reconfiguration, or shutdown. For more
-details, see `??? <#ctrl-channel>`__. Currently, the only supported
+details, see :ref:`ctrl-channel`. Currently, the only supported
communication channel type is UNIX stream socket. By default there are
no sockets open; to instruct Kea to open a socket, the following entry
in the configuration file can be used:
}
The length of the path specified by the ``socket-name`` parameter is
-restricted by the maximum length for the UNIX socket name on your
+restricted by the maximum length for the UNIX socket name on the administrator's
operating system, i.e. the size of the ``sun_path`` field in the
``sockaddr_un`` structure, decreased by 1. This value varies on
different operating systems between 91 and 107 characters. Typical
Communication over the control channel is conducted using JSON
structures. See the
-`Control Channel section in the Kea Developer's Guide <Control Channel section in the Kea Developer's Guide>`__
+`Control Channel section in the Kea Developer's Guide
+<https://jenkins.isc.org/job/Kea_doc/doxygen/d2/d96/ctrlSocket.html>`__
for more details.
The DHCPv6 server supports the following operational commands:
- shutdown
- version-get
-as described in `??? <#commands-common>`__. In addition, it supports the
+as described in :ref:`commands-common`. In addition, it supports the
following statistics-related commands:
- statistic-get
- statistic-reset-all
- statistic-remove-all
-as described in `??? <#command-stats>`__.
+as described in :ref:`command-stats`.
.. _dhcp6-user-contexts:
User Contexts in IPv6
=====================
-Kea allows loading hook libraries that sometimes could benefit from
+Kea allows loading hook libraries that can sometimes benefit from
additional parameters. If such a parameter is specific to the whole
library, it is typically defined as a parameter for the hook library.
However, sometimes there is a need to specify parameters that are
different for each pool.
-User contexts can store arbitrary data as long as it has valid JSON
-syntax and its top level element is a map (i.e. the data must be
+User contexts can store an arbitrary data file as long as it has valid JSON
+syntax and its top-level element is a map (i.e. the data must be
enclosed in curly brackets). However, some hook libraries may expect
specific formatting; please consult the specific hook library
documentation for details.
User contexts can be specified at global scope, shared network, subnet,
pool, client class, option data, or definition level, and via host
-reservation. One other useful usage is the ability to store comments or
+reservation. One other useful feature is the ability to store comments or
descriptions.
Let's consider a lightweight 4over6 deployment as an example. It is an
prefixes, so it is reasonable to keep these parameters together with the
PD pool. On the other hand, lightweight 4over6 is not a commonly used
feature, so it is not a part of the base Kea code. The solution to this
-problem is to use user context. For each PD pool that is expected to be
+problem is to specify a user context. For each PD pool that is expected to be
used for lightweight 4over6, a user context with extra parameters is
-defined. Those extra parameters will be used by a hook library that
-would be loaded only when dynamic calculation of the lightweight 4over6
+defined. Those extra parameters will be used by a hook library
+and loaded only when dynamic calculation of the lightweight 4over6
option is actually needed. An example configuration looks as follows:
::
} ],
"subnet": "2001:db8::/32",
- // This is a subnet specific context. You can put any type of
- // information here as long as it is a valid JSON.
+ // This is a subnet-specific context. Any type of
+ // information can be entered here as long as it is valid JSON.
"user-context": {
"comment": "Those v4-v6 migration technologies are tricky.",
"experimental": true,
...
}
-Kea does not interpret or use the content of the user context; it simply
-stores it, making it available to the hook libraries. It is up to each
-hook library to extract the information and use it. The parser
+Kea does not interpret or use the user context information; it simply
+stores it and makes it available to the hook libraries. It is up to each
+hook library to extract that information and use it. The parser
translates a "comment" entry into a user context with the entry, which
allows a comment to be attached inside the configuration itself.
-For more background information, see `??? <#user-context>`__.
+For more background information, see :ref:`user-context`.
.. _dhcp6-std:
The following standards are currently supported:
- *Dynamic Host Configuration Protocol for IPv6*, `RFC
- 3315 <http://tools.ietf.org/html/rfc3315>`__: Supported messages are
+ 3315 <https://tools.ietf.org/html/rfc3315>`__: Supported messages are
SOLICIT, ADVERTISE, REQUEST, RELEASE, RENEW, REBIND,
INFORMATION-REQUEST, CONFIRM and REPLY.
- *IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP)
- version 6*, `RFC 3633 <http://tools.ietf.org/html/rfc3633>`__:
+ version 6*, `RFC 3633 <https://tools.ietf.org/html/rfc3633>`__:
Supported options are IA_PD and IA_PREFIX. Also supported is the
status code NoPrefixAvail.
- *DNS Configuration options for Dynamic Host Configuration Protocol
for IPv6 (DHCPv6)*, `RFC
- 3646 <http://tools.ietf.org/html/rfc3646>`__: Supported option is
+ 3646 <https://tools.ietf.org/html/rfc3646>`__: Supported option is
DNS_SERVERS.
- *The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Relay
Agent Remote-ID Option*, `RFC
- 4649 <http://tools.ietf.org/html/rfc4649>`__: REMOTE-ID option is
+ 4649 <https://tools.ietf.org/html/rfc4649>`__: REMOTE-ID option is
supported.
- *The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Client
Fully Qualified Domain Name (FQDN) Option*, `RFC
- 4704 <http://tools.ietf.org/html/rfc4704>`__: Supported option is
+ 4704 <https://tools.ietf.org/html/rfc4704>`__: Supported option is
CLIENT_FQDN.
- *Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Option for
- Dual-Stack Lite*, `RFC 6334 <http://tools.ietf.org/html/rfc6334>`__:
+ Dual-Stack Lite*, `RFC 6334 <https://tools.ietf.org/html/rfc6334>`__:
the AFTR-Name DHCPv6 Option is supported.
- *Relay-Supplied DHCP Options*, `RFC
- 6422 <http://tools.ietf.org/html/rfc6422>`__: Full functionality is
+ 6422 <https://tools.ietf.org/html/rfc6422>`__: Full functionality is
supported: OPTION_RSOO, ability of the server to echo back the
options, checks whether an option is RSOO-enabled, ability to mark
additional options as RSOO-enabled.
- *Prefix Exclude Option for DHCPv6-based Prefix Delegation*, `RFC
- 6603 <http://tools.ietf.org/html/rfc6603>`__: Prefix Exclude option
+ 6603 <https://tools.ietf.org/html/rfc6603>`__: Prefix Exclude option
is supported.
- *Client Link-Layer Address Option in DHCPv6*, `RFC
- 6939 <http://tools.ietf.org/html/rfc6939>`__: Supported option is
+ 6939 <https://tools.ietf.org/html/rfc6939>`__: Supported option is
client link-layer address option.
- *Issues and Recommendations with Multiple Stateful DHCPv6 Options*,
- `RFC 7550 <http://tools.ietf.org/html/rfc7550>`__: All
+ `RFC 7550 <https://tools.ietf.org/html/rfc7550>`__: All
recommendations related to the DHCPv6 server operation are supported.
- *DHCPv6 Options for Configuration of Softwire Address and Port-Mapped
- Clients*, `RFC 7598 <http://tools.ietf.org/html/rfc7598>`__: All
+ Clients*, `RFC 7598 <https://tools.ietf.org/html/rfc7598>`__: All
options indicated in this specification are supported by the DHCPv6
server.
- *Dynamic Host Configuration Protocol for IPv6 (DHCPv6)*, `RFC
- 8415 <http://tools.ietf.org/html/rfc8415>`__: New DHCPv6 protocol
+ 8415 <https://tools.ietf.org/html/rfc8415>`__: New DHCPv6 protocol
specification which obsoletes RFC 3315, RFC 3633, RFC 3736, RFC 4242,
RFC 7083, RFC 7283, and RFC 7550
- The server will allocate, renew, or rebind a maximum of one lease for
a particular IA option (IA_NA or IA_PD) sent by a client. `RFC
- 8415 <http://tools.ietf.org/html/rfc8415>`__ allows for multiple
+ 8415 <https://tools.ietf.org/html/rfc8415>`__ allows for multiple
addresses or prefixes to be allocated for a single IA.
- Temporary addresses are not supported.
Configuration Backend in DHCPv6
===============================
-In the `??? <#config-backend>`__ we have described the Configuration
-Backend feature, its applicability and limitations. This section focuses
+In the :ref:`config-backend` section we have described the Configuration
+Backend feature, its applicability, and its limitations. This section focuses
on the usage of the CB with the DHCPv6 server. It lists the supported
-parameters, describes limitations and gives examples of the DHCPv6
+parameters, describes limitations, and gives examples of the DHCPv6
server configuration to take advantage of the CB. Please also refer to
-the sibling section `??? <#dhcp4-cb>`__ for the DHCPv4 specific usage of
+the sibling section :ref:`dhcp4-cb` for the DHCPv4-specific usage of
the CB.
.. _dhcp6-cb-parameters:
The ultimate goal for the CB is to serve as a central configuration
repository for one or multiple Kea servers connected to the database. In
-the future it will be possible to store the most of the server's
-configuration in the database and reduce the configuration file to bare
-minimum, i.e. the only mandatory parameter will be the
-``config-control`` which includes the necessary information to connect
-to the database. In the Kea 1.6.0 release, however, only the subset of
+the future it will be possible to store most of the server's
+configuration in the database and reduce the configuration file to a bare
+minimum; the only mandatory parameter will be the
+``config-control``, which includes the necessary information to connect
+to the database. In the Kea 1.6.0 release, however, only a subset of
the DHCPv4 server parameters can be stored in the database. All other
parameters must be specified in the JSON configuration file, if
required.
-The following table lists DHCPv6 specific parameters supported by the
-Configuration Backend with an indication on which level of the hierarchy
-it is currently supported. The "n/a" is used in cases when the
-particular parameter is not applicable on the particular level of the
-hierarchy or in cases when the parameter is not supported by the server
-on this level of hierarchy. The "no" is used when the parameter is
-supported by the server on the particular level of hierarchy but is not
+The following table lists DHCPv6-specific parameters supported by the
+Configuration Backend, with an indication on which level of the hierarchy
+it is currently supported. "n/a" is used in cases when a
+particular parameter is not applicable on a particular level of the
+hierarchy, or in cases when the parameter is not supported by the server
+at this level of the hierarchy. "no" is used when the parameter is
+supported by the server on the given level of the hierarchy, but is not
configurable via the Configuration Backend.
All supported parameters can be configured via ``cb_cmds`` hooks library
-described in the `??? <#cb-cmds-library>`__. The general rule is that
+described in the :ref:`cb-cmds-library` section. The general rule is that
the scalar global parameters are set using the
-``remote-global-parameter6-set``. The shared network specific parameters
-are set using the ``remote-network6-set``. Finally, the subnet and pool
-level parameters are set using the ``remote-subnet6-set``. Whenever
-there is an exception from this general rule, it is highlighted in the
-table. The non-scalar global parameters have dedicated commands, e.g.
-modifying the global DHCPv6 options (``option-data``) is performed using
-the ``remote-option6-global-set``.
-
-.. table:: List of DHCPv6 Parameters Supported by the Configuration
-Backend
-
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | Parameter | Global | Shared | Subnet | Pool | Prefix |
- | | | Network | | | Delegatio |
- | | | | | | n |
- | | | | | | Pool |
- +===========+===========+===========+===========+===========+===========+
- | calculate | yes | yes | yes | n/a | n/a |
- | -tee-time | | | | | |
- | s | | | | | |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | client-cl | n/a | yes | yes | no | no |
- | ass | | | | | |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | decline-p | yes | n/a | n/a | n/a | n/a |
- | robation- | | | | | |
- | period | | | | | |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | delegated | n/a | n/a | n/a | n/a | yes |
- | -len | | | | | |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | dhcp4o6-p | yes | n/a | n/a | n/a | n/a |
- | ort | | | | | |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | excluded- | n/a | n/a | n/a | n/a | no |
- | prefix | | | | | |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | excluded- | n/a | n/a | n/a | n/a | no |
- | prefix-le | | | | | |
- | n | | | | | |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | interface | n/a | yes | yes | n/a | n/a |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | interface | n/a | yes | yes | n/a | n/a |
- | -id | | | | | |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | option-da | yes (via | yes | yes | yes | yes |
- | ta | remote-op | | | | |
- | | tion6-glo | | | | |
- | | bal-set) | | | | |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | option-de | yes (via | n/a | n/a | n/a | n/a |
- | f | remote-op | | | | |
- | | tion-def6 | | | | |
- | | -set) | | | | |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | preferred | yes | yes | yes | n/a | n/a |
- | -lifetime | | | | | |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | prefix | n/a | n/a | n/a | n/a | yes |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | prefix-le | n/a | n/a | n/a | n/a | yes |
- | n | | | | | |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | rapid-com | yes | yes | yes | n/a | n/a |
- | mit | | | | | |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | rebind-ti | yes | yes | yes | n/a | n/a |
- | mer | | | | | |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | relay | n/a | yes | yes | n/a | n/a |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | renew-tim | yes | yes | yes | n/a | n/a |
- | er | | | | | |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | require-c | n/a | yes | yes | no | no |
- | lient-cla | | | | | |
- | sses | | | | | |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | reservati | yes | yes | yes | n/a | n/a |
- | on-mode | | | | | |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | t1-percen | yes | yes | yes | n/a | n/a |
- | t | | | | | |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | t2-percen | yes | yes | yes | n/a | n/a |
- | t | | | | | |
- +-----------+-----------+-----------+-----------+-----------+-----------+
- | valid-lif | yes | yes | yes | n/a | n/a |
- | etime | | | | | |
- +-----------+-----------+-----------+-----------+-----------+-----------+
+``remote-global-parameter6-set``; the shared network-specific parameters
+are set using ``remote-network6-set``; and the subnet- and pool-level
+parameters are set using ``remote-subnet6-set``. Whenever
+there is an exception to this general rule, it is highlighted in the
+table. The non-scalar global parameters have dedicated commands; for example,
+the global DHCPv6 options (``option-data``) are modified using
+``remote-option6-global-set``.
+
+.. table:: List of DHCPv6 Parameters Supported by the Configuration Backend
+
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | Parameter | Global | Shared | Subnet | Pool | Prefix |
+ | | | Network | | | Delegation |
+ | | | | | | Pool |
+ +==========================+============================+===========+===========+===========+============+
+ | calculate-tee-times | yes | yes | yes | n/a | n/a |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | client-class | n/a | yes | yes | no | no |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | decline-probation-period | yes | n/a | n/a | n/a | n/a |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | delegated-len | n/a | n/a | n/a | n/a | yes |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | dhcp4o6-port | yes | n/a | n/a | n/a | n/a |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | excluded-prefix | n/a | n/a | n/a | n/a | no |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | excluded-prefix-len | n/a | n/a | n/a | n/a | no |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | interface | n/a | yes | yes | n/a | n/a |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | interface-id | n/a | yes | yes | n/a | n/a |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | option-data | yes (via | yes | yes | yes | yes |
+ | | remote-option6-global-set) | | | | |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | option-def | yes (via | n/a | n/a | n/a | n/a |
+ | | remote-option-def6-set) | | | | |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | preferred-lifetime | yes | yes | yes | n/a | n/a |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | prefix | n/a | n/a | n/a | n/a | yes |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | prefix-len | n/a | n/a | n/a | n/a | yes |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | rapid-commit | yes | yes | yes | n/a | n/a |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | rebind-timer | yes | yes | yes | n/a | n/a |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | relay | n/a | yes | yes | n/a | n/a |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | renew-timer | yes | yes | yes | n/a | n/a |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | require-client-classes | n/a | yes | yes | no | no |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | reservation-mode | yes | yes | yes | n/a | n/a |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | t1-percent | yes | yes | yes | n/a | n/a |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | t2-percent | yes | yes | yes | n/a | n/a |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
+ | valid-lifetime | yes | yes | yes | n/a | n/a |
+ +--------------------------+----------------------------+-----------+-----------+-----------+------------+
.. _dhcp6-cb-json:
}
}
-The configuration structure is almost identical as for the DHCPv4 server
-(see `??? <#dhcp4-cb-json>`__ for the detailed description).
+The configuration structure is almost identical to that of the DHCPv4 server
+(see :ref:`dhcp4-cb-json` for the detailed description).
projects / thirdparty / kea.git / commitdiff
