From: Suzanne Goldlust Date: Fri, 21 Jun 2019 20:51:20 +0000 (-0400) Subject: Continuing conversion from docbook to sphinx: adding/fixing links, editing content... X-Git-Tag: Kea-1.6.1~10^2~95 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ce223933d8a7e3fdc49871ea7c719ee15dcf7fac;p=thirdparty%2Fkea.git Continuing conversion from docbook to sphinx: adding/fixing links, editing content/grammar as needed --- diff --git a/doc/guide/dhcp4-srv.rst b/doc/guide/dhcp4-srv.rst index a21a4d9880..2248daf707 100644 --- a/doc/guide/dhcp4-srv.rst +++ b/doc/guide/dhcp4-srv.rst @@ -172,7 +172,7 @@ the same parameter multiple times. If that happens, the last occurrence of a given parameter in a given scope is used, while all previous instances are ignored. This is unlikely to cause any confusion as there are no real-life reasons to keep multiple copies of the same parameter -in your configuration file. +in the configuration file. The first few DHCPv4 configuration elements define some global parameters. ``valid-lifetime`` defines how long the @@ -429,7 +429,7 @@ specified as well: "Dhcp4": { "lease-database": { "port" : 12345, ... }, ... } -Should the database be located on a different system, you may need to +Should the database be located on a different system, the administrator may need to specify a longer interval for the connection timeout: :: @@ -896,7 +896,7 @@ that link. To use a single address on such interface, the that the raw sockets will be used! The use of raw sockets to handle the traffic from the directly connected clients is currently supported on Linux and BSD systems only. If the raw sockets are not - supported on your particular OS, the server will issue a warning and + supported on the particular OS in use, the server will issue a warning and fall back to using IP/UDP sockets. In a typical environment, the DHCP server is expected to send back a @@ -1188,10 +1188,10 @@ Calculating the values is controlled by the following three parameters. In the event that both explicit values are specified and calculate-tee-times is true, the server will use the explicit values. - If you plan on having a mixture where some subnets or share-networks - will use explicit values and some will use calculated values you must + Administrators with a setup where some subnets or share-networks + will use explicit values and some will use calculated values must not define the explicit values at any level higher than where they - will be used. Inheriting them from too high of a scope, such as + will be used. Inheriting them from too high a scope, such as global, will cause them to have values at every level underneath (shared-networks and subnets), effectively disabling calculated values. @@ -1718,7 +1718,7 @@ currently has no means to validate it. | | values true or false. | +-----------------------------------+-------------------------------------------------------+ | empty | No value; data is carried in | - | | suboptions. | + | | sub-options. | +-----------------------------------+-------------------------------------------------------+ | fqdn | Fully qualified domain name (e.g. | | | www.example.com). | @@ -1799,9 +1799,9 @@ Custom DHCPv4 Options --------------------- Kea supports custom (non-standard) DHCPv4 options. Assume that we want -to define a new DHCPv4 option called "foo" which will have a code 222 +to define a new DHCPv4 option called "foo" which will have code 222 and will convey a single, unsigned, 32-bit integer value. We can define -such an option by using the following entry in the configuration file: +such an option by putting the following entry in the configuration file: :: @@ -1829,7 +1829,7 @@ record of data fields. The ``record-types`` value should be non-empty if ``type`` is set to "record"; otherwise it must be left blank. The latter parameter specifies the name of the option space being encapsulated by the particular option. If the particular option does not encapsulate any -option space, it should be left blank. Note that the ``option-def`` +option space, the parameter should be left blank. Note that the ``option-def`` configuration statement only defines the format of an option and does not set its value(s). @@ -1858,7 +1858,7 @@ global value that applies to all subnets. } New options can take more complex forms than simple use of primitives -(uint8, string, ipv4-address, etc); it is possible to define an option +(uint8, string, ipv4-address, etc.); it is possible to define an option comprising a number of existing primitives. For example, assume we want to define a new option that will consist of @@ -1888,7 +1888,7 @@ multiple values of different types. These types are given as a comma-separated list in the ``record-types`` field and should be ones from those listed in :ref:`dhcp-types`. -The values of the option are set as follows: +The values of the option are set in an ``option-data`` statement as follows: :: @@ -1979,7 +1979,7 @@ PXEClient vendor: } As the Vendor-Specific Information option (code 43) has vendor-specific -format, i.e. can carry either raw binary value or suboptions, this +format, i.e. can carry either raw binary value or sub-options, this mechanism is available for this option too. In the following example taken from a real configuration, two vendor @@ -2090,9 +2090,9 @@ DHCPv4 Vendor-Specific Options Currently there are two option spaces defined for the DHCPv4 daemon: "dhcp4" (for the top-level DHCPv4 options) and "vendor-encapsulated-options-space", which is empty by default but in -which options can be defined. Such options will be carried in the +which options can be defined. Those options are carried in the Vendor-Specific Information option (code 43). The following examples -show how to define an option "foo" in that space that has a code 1, and that +show how to define an option "foo" with code 1 that comprises an IPv4 address, an unsigned 16-bit integer, and a string. The "foo" option is conveyed in a Vendor-Specific Information option. @@ -2116,7 +2116,7 @@ The first step is to define the format of the option: } (Note that the option space is set to -"vendor-encapsulated-options-space".) Once the option format is defined, +``vendor-encapsulated-options-space``.) Once the option format is defined, the next step is to define actual values for that option: :: @@ -2168,7 +2168,7 @@ vendor-specific information option or vivso. The idea behind those options is that each vendor has its own unique set of options with their own custom formats. The vendor is identified by a 32-bit unsigned integer called enterprise-id or vendor-id. For example, vivso with vendor-id -4491 represents DOCSIS options, and you are likely to see many of them +4491 represents DOCSIS options, and they are often seen when dealing with cable modems. In Kea each vendor is represented by its own vendor space. Since there @@ -2250,10 +2250,10 @@ as docsis, identified by vendor option 4491) have a mechanism to request specific vendor options and Kea is able to honor those. Unfortunately, for many other vendors, such as Genexis (25167) as discussed above, Kea does not have such a mechanism, so it can't send any -suboptions on its own. To solve this issue, we came up with the concept of +sub-options on its own. To solve this issue, we came up with the concept of persistent options. Kea can be told to always send options, even if the client did not request them. This can be achieved by adding -"always-send": true to your option definition. Note that in this +``"always-send": true`` to the option definition. Note that in this particular case an option is defined in vendor space 25167. With the "always-send" enabled, the option will be sent every time there is a need to deal with vendor space 25167. @@ -2267,18 +2267,18 @@ Nested DHCPv4 Options (Custom Option Spaces) It is sometimes useful to define a completely new option space, such as when a user creates a new option in the standard option space -("dhcp4") and wants this option to convey suboptions. Since they are in -a separate space, suboption codes will have a separate numbering scheme +("dhcp4") and wants this option to convey sub-options. Since they are in +a separate space, sub-option codes will have a separate numbering scheme and may overlap with the codes of standard options. Note that the creation of a new option space is not required when -defining suboptions for a standard option, because it is created by -default if the standard option is meant to convey any suboptions (see +defining sub-options for a standard option, because one is created by +default if the standard option is meant to convey any sub-options (see :ref:`dhcp4-vendor-opts`). Assume that we want to have a DHCPv4 option called "container" with code -222 that conveys two suboptions with codes 1 and 2. First we need to -define the new suboptions: +222 that conveys two sub-options with codes 1 and 2. First we need to +define the new sub-options: :: @@ -2309,7 +2309,7 @@ define the new suboptions: Note that we have defined the options to belong to a new option space (in this case, "isc"). -The next step is to define a regular DHCPv4 option with our desired code +The next step is to define a regular DHCPv4 option with the desired code and specify that it should include options from the new option space: :: @@ -2330,10 +2330,10 @@ and specify that it should include options from the new option space: ... } -The name of the option space in which the suboptions are defined is set +The name of the option space in which the sub-options are defined is set in the ``encapsulate`` field. The ``type`` field is set to ``empty``, to indicate that this option does not carry any data other than -suboptions. +sub-options. Finally, we can set values for the new options: @@ -2363,12 +2363,12 @@ Finally, we can set values for the new options: } Note that it is possible to create an option which carries some data in -addition to the suboptions defined in the encapsulated option space. +addition to the sub-options defined in the encapsulated option space. For example, if the "container" option from the previous example were -required to carry a uint16 value as well as the suboptions, the +required to carry a uint16 value as well as the sub-options, the ``type`` value would have to be set to "uint16" in the option definition. (Such an option would then have the following data -structure: DHCP header, uint16 value, suboptions.) The value specified +structure: DHCP header, uint16 value, sub-options.) The value specified with the ``data`` parameter — which should be a valid integer enclosed in quotes, e.g. "123" — would then be assigned to the uint16 field in the "container" option. @@ -2379,7 +2379,7 @@ Unspecified Parameters for DHCPv4 Option Configuration ------------------------------------------------------ In many cases it is not required to specify all parameters for an option -configuration and the default values can be used. However, it is +configuration, and the default values can be used. However, it is important to understand the implications of not specifying some of them, as it may result in configuration errors. The list below explains the behavior of the server when a particular parameter is not explicitly @@ -2392,22 +2392,22 @@ specified: - ``code`` - the server requires either an option name or an option code to identify an option. This parameter may be left unspecified if the ``name`` parameter is specified. However, this also requires that the - particular option has its definition (it is either a standard option - or an administrator created a definition for the option using an + particular option have a definition (either as a standard option + or an administrator-created definition for the option using an 'option-def' structure), as the option definition associates an option with a particular name. It is possible to configure an option for which there is no definition (unspecified option format). Configuration of such options requires the use of the option code. - ``space`` - if the option space is unspecified it will default to - 'dhcp4', which is an option space holding the standard DHCPv4 + 'dhcp4', which is an option space holding standard DHCPv4 options. - ``data`` - if the option data is unspecified it defaults to an empty value. The empty value is mostly used for the options which have no payload (boolean options), but it is legal to specify empty values - for some options which carry variable-length data and which the - specification allows to have a length of 0. For such options, the + for some options which carry variable-length data and for which the + specification allows a length of 0. For such options, the data parameter may be omitted in the configuration. - ``csv-format`` - if this value is not specified, the server will @@ -2560,7 +2560,7 @@ example checks whether the client identifies itself as a PXE device with architecture EFI x86-64, and sets several fields if it does. See `Section 2.1 of RFC 4578 `__) or the -documentation of your client for specific values. +client documentation for specific values. :: @@ -2666,10 +2666,11 @@ Required Classification ~~~~~~~~~~~~~~~~~~~~~~~ In some cases it is useful to limit the scope of a class to a -shared network, subnet, or pool. There are two parameters for this, -which instruct the server to evaluate test expressions when required. +shared network, subnet, or pool. There are two parameters which are used +to limit the scope of the class by instructing the server to evaluate test +expressions when required. -The first one is the per-class ``only-if-required`` flag which is false +The first one is the per-class ``only-if-required`` flag, which is false by default. When it is set to ``true``, the test expression of the class is not evaluated at the reception of the incoming packet but later, and only if the class evaluation is required. @@ -2706,9 +2707,9 @@ specified subnet is used: } Required evaluation can be used to express complex dependencies like subnet membership. It can also be used to reverse the -precedence; if you set an option-data in a subnet, it takes precedence -over an option-data in a class. When you move the option-data to a -required class and require it in the subnet, a class evaluated earlier +precedence; if an option-data is set in a subnet, it takes precedence +over an option-data in a class. If the option-data is moved to a +required class and required in the subnet, a class evaluated earlier may take precedence. Required evaluation is also available at the shared-network and pool levels. @@ -2805,8 +2806,8 @@ control this communication: enable DDNS updates set this value to true. - ``server-ip`` - the IP address on which D2 listens for requests. The - default is the local loopback interface at address 127.0.0.1. You may - specify either an IPv4 or IPv6 address. + default is the local loopback interface at address 127.0.0.1. + Either an IPv4 or IPv6 address may be specified. - ``server-port`` - the port on which D2 listens for requests. The default value is 53001. @@ -2919,7 +2920,7 @@ the server should do the reverse updates. By default, kea-dhcp4 will honor the client's wishes and generate a DDNS request to the D2 server to update only reverse DNS data. The parameter ``override-client-update`` can be used to instruct the server to -override client delegation requests. When this parameter is true, +override client delegation requests. When this parameter is "true", kea-dhcp4 will disregard requests for client delegation and generate a DDNS request to update both forward and reverse DNS data. In this case, the N-S-O flags in the server's response to the client will be 0-1-1 @@ -2991,30 +2992,30 @@ entries are: 3. If the candidate name provided is empty, generate an FQDN using a configurable prefix and suffix. -4. If the client provided neither option, then take no DNS action. +4. If the client provides neither option, then take no DNS action. These rules can be amended by setting the ``replace-client-name`` parameter, which provides the following modes of behavior: -- ``never`` - Use the name the client sent. If the client sent no name, +- ``never`` - use the name the client sent. If the client sent no name, do not generate one. This is the default mode. -- ``always`` - Replace the name the client sent. If the client sent no +- ``always`` - replace the name the client sent. If the client sent no name, generate one for the client. -- ``when-present`` - Replace the name the client sent. If the client +- ``when-present`` - replace the name the client sent. If the client sent no name, do not generate one. -- ``when-not-present`` - Use the name the client sent. If the client +- ``when-not-present`` - use the name the client sent. If the client sent no name, generate one for the client. .. **Note** - Note that formerly, this parameter was a boolean and permitted only + Note that in early versions of Kea, this parameter was a boolean and permitted only values of ``true`` and ``false``. Boolean values have been deprecated - and are no longer accepted. If you are currently using booleans, you + and are no longer accepted. Administrators currently using booleans must replace them with the desired mode name. A value of ``true`` maps to ``"when-present"``, while ``false`` maps to ``"never"``. @@ -3048,7 +3049,7 @@ its value, simply set it to the desired string: The suffix used when generating an FQDN, or when qualifying a partial name, is specified by the ``qualifying-suffix`` parameter. This -parameter has no default value, thus it is mandatory when DDNS updates +parameter has no default value; thus, it is mandatory when DDNS updates are enabled. To set its value simply set it to the desired string: :: @@ -3068,7 +3069,7 @@ When generating a name, kea-dhcp4 will construct the name in the format: where address-text is simply the lease IP address converted to a hyphenated string. For example, if the lease address is 172.16.1.10, the qualifying suffix "example.com", and the default value is used for -``generated-prefix``, the generated FQDN would be: +``generated-prefix``, the generated FQDN is: myhost-172-16-1-10.example.com. @@ -3120,22 +3121,22 @@ qualifying suffix (if one is defined and needed). Name sanitizing is meant to catch the more common cases of invalid characters through a relatively simple character-replacement scheme. It is difficult to devise a scheme that works well in all cases, for - both Host Name and FQDN options. If you find you have clients that - are using odd corner cases of character combinations that cannot be - readily handled with this mechanism, you should consider writing a - hook that can carry out sufficiently complex logic to address your + both Host Name and FQDN options. Administrators who find they have clients + with odd corner cases of character combinations that cannot be + readily handled with this mechanism should consider writing a + hook that can carry out sufficiently complex logic to address their needs. - If your clients include domain names in the Host Name option and you - want these preserved, you will need to make sure that the dot, '.', + If clients include domain names in the Host Name option and the administrator + wants these preserved, they will need to make sure that the dot, '.', is considered a valid character by the hostname-char-set expression, such as this: "[^A-Za-z0-9.-]". This will not affect dots in FQDN Option values. When scrubbing FQDNs, dots are treated as delimiters and used to separate the option value into individual domain labels that are scrubbed and then re-assembled. - If your clients are sending values that differ only by characters - considered as invalid by your hostname-char-set, be aware that + If clients are sending values that differ only by characters + considered as invalid by the hostname-char-set, be aware that scrubbing them will yield identical values. In such cases, DDNS conflict rules will permit only one of them to register the name. @@ -3407,8 +3408,8 @@ configuration of the DHCPv4 side (the DHCPv6 side is described in The ``dhcp4o6-port`` global parameter specifies the first of the two consecutive ports of the UDP sockets used for the communication between -the DHCPv6 and DHCPv4 servers (the DHCPv4 server is bound to ::1 on -``port`` + 1 and connected to ::1 on ``port``). +the DHCPv6 and DHCPv4 servers. The DHCPv4 server is bound to ::1 on +``port`` + 1 and connected to ::1 on ``port``. With DHCPv4-over-DHCPv6, the DHCPv4 server does not have access to several of the identifiers it would normally use to select a subnet. To @@ -3474,15 +3475,14 @@ An important aspect of a well-running DHCP system is an assurance that the data remain consistent. However, in some cases it may be convenient to tolerate certain inconsistent data. For example, a network administrator that temporarily removed a subnet from a configuration -wouldn't want all the leases associated with it to disappear from the -lease database. Kea has a mechanism to better control sanity checks such +would not want all the leases associated with it to disappear from the +lease database. Kea has a mechanism to control sanity checks such as this. Kea supports a configuration scope called ``sanity-checks``. It currently allows only a single parameter, called ``lease-checks``, which -governs the verification that is done when a new lease is loaded from a -lease file. With the sanity-checks mechanism, it is possible to tell Kea -to try to correct inconsistent data. +governs the verification carried out when a new lease is loaded from a +lease file. This mechanism permits Kea to attempt to correct inconsistent data. Every subnet has a subnet-id value; this is how Kea internally identifies subnets. Each lease has a subnet-id parameter as well, which @@ -3511,12 +3511,12 @@ There are five levels which are supported: will be inserted anyway. - ``fix-del`` - if a data inconsistency is discovered, try to - correct it. If the correction is not successful, the lease will be - rejected. This setting ensures the data's correctness, but some + correct it. If the correction is not successful, reject the lease. + This setting ensures the data's correctness, but some incorrect data may be lost. Use with care. - ``del`` - this is the strictest mode. If any inconsistency is - detected, the lease is rejected. Use with care. + detected, reject the lease. Use with care. This feature is currently implemented for the memfile backend. @@ -3540,18 +3540,19 @@ There are many cases where it is useful to provide a configuration on a per-host basis. The most obvious one is to reserve a specific, static address for exclusive use by a given client (host); the returning client will receive the same address from the server every time, and other -clients will generally not receive that address. Note that there may be -cases when a new reservation has been made for a client for an address -currently in use by another client. We call this situation a "conflict." -These conflicts get resolved automatically over time as described in -subsequent sections. Once the conflict is resolved, the correct client will keep -receiving the reserved configuration when it renews. - -Another example when host reservations are applicable is when a host has +clients will generally not receive that address. Another situation when +host reservations are applicable is when a host has specific requirements, e.g. a printer that needs additional DHCP options. Yet another possible use case is to define unique names for hosts. +Note that there may be +cases when a new reservation has been made for a client for an address +currently in use by another client. We call this situation a "conflict." +These conflicts get resolved automatically over time as described in +subsequent sections. Once the conflict is resolved, the correct client will +receive the reserved configuration when it renews. + Host reservations are defined as parameters for each subnet. Each host must have its own unique identifier, such as the hardware/MAC address. There is an optional ``reservations`` array in the ``subnet4`` @@ -3612,12 +3613,12 @@ deployments it is recommended to use as few types as possible point. Making a reservation for a mobile host that may visit multiple subnets -requires a separate host definition in each subnet it is expected to +requires a separate host definition in each subnet that host is expected to visit. It is not possible to define multiple host definitions with the same hardware address in a single subnet. Multiple host definitions with the same hardware address are valid if each is in a different subnet. -Adding host reservation incurs a performance penalty. In principle, when +Adding host reservations incurs a performance penalty. In principle, when a server that does not support host reservation responds to a query, it needs to check whether there is a lease for a given address being considered for allocation or renewal. The server that does support host @@ -3675,14 +3676,14 @@ requests an address, the server is not able to assign the reserved address 192.0.2.10. A naive approach would to be immediately remove the existing lease for Host A and create a new one for Host B. That would not solve the problem, though, because as soon as Host B gets the -address, it will detect that the address is already in use by Host A and +address, it will detect that the address is already in use (by Host A) and will send a DHCPDECLINE message. Therefore, in this situation, the server has to temporarily assign a different address from the dynamic pool (not matching what has been reserved) to Host B. When Host A renews its address, the server will discover that the address being renewed is now reserved for another host - Host B. -Therefore the server will inform Host A that it is no longer allowed to +The server will inform Host A that it is no longer allowed to use it by sending a DHCPNAK message. The server will not remove the lease, though, as there's a small chance that the DHCPNAK may be lost if the network is lossy. If that happens, the client will not receive any @@ -3805,8 +3806,8 @@ Kea offers the ability to specify options on a per-host basis. These options follow the same rules as any other options. These can be standard options (see :ref:`dhcp4-std-options`), custom options (see :ref:`dhcp4-custom-options`), -or vendor-specific options (see :ref:`dhcp4-vendor-opts`). The following example demonstrates how -standard options can be defined. +or vendor-specific options (see :ref:`dhcp4-vendor-opts`). The following +example demonstrates how standard options can be defined. :: @@ -3902,7 +3903,7 @@ mechanisms also allow for the static assignment of classes to clients. The definitions of these classes are placed in the Kea configuration. The following configuration snippet shows how to specify that a client belongs to classes ``reserved-class1`` and ``reserved-class2``. Those -classes are associated with specific options being sent to the clients +classes are associated with specific options that are sent to the clients which belong to them. :: @@ -3949,9 +3950,9 @@ indirectly) and not only-if-required is evaluated. **Note** - If you want to force the evaluation of a class expression after the + To force the evaluation of a class expression after the host reservation lookup, for instance because of a dependency on - "reserved-class1" from the previous example, you should add a + "reserved-class1" from the previous example, add a "member('KNOWN')" statement in the expression. .. _reservations4-mysql-pgsql-cql: @@ -3999,23 +4000,23 @@ different constraints for the checks to be performed by the server when allocating or renewing a lease for the client. Allowed values are: - ``all`` - enables both in-pool and out-of-pool host reservation - types. This is the default value. This setting is the safest and the - most flexible. As all checks are conducted, it is also the slowest. - This does not check against global reservations. + types. This setting is the default value, and is the safest and + most flexible. However, as all checks are conducted, it is also the slowest. + It does not check against global reservations. - ``out-of-pool`` - allows only out-of- pool host reservations. With this setting in place, the server may assume that all host reservations are for addresses that do not belong to the dynamic pool. Therefore, it can skip the reservation checks when dealing with in-pool addresses, thus improving performance. Do not use this mode - if any of your reservations use in-pool addresses. Caution is advised + if any reservations use in-pool addresses. Caution is advised when using this setting; Kea does not sanity-check the reservations against ``reservation-mode`` and misconfiguration may cause problems. - ``global`` - allows only global host reservations. With this setting in place, the server searches for reservations for a client only among the defined global reservations. If an address is specified, - the server will skip the reservation checks done when dealing in + the server skips the reservation checks carried out when dealing in other modes, thus improving performance. Caution is advised when using this setting; Kea does not sanity-check the reservations when ``global`` and misconfiguration may cause problems. @@ -4088,7 +4089,7 @@ To address this problem, a parameter called identifier types as a parameter. Kea will check only those identifier types enumerated in host-reservation-identifiers. From a performance perspective, the number of identifier types should be kept to a minimum, -ideally one. If your deployment uses several reservation types, please +ideally one. If the deployment uses several reservation types, please enumerate them from most- to least-frequently used, as this increases the chances of Kea finding the reservation using the fewest queries. An example of host reservation identifiers looks as follows: @@ -4133,7 +4134,7 @@ If global reservations are used in both subnets and a device matching global host reservations visits part of the network that is serviced by 192.0.5.0/24, it will get an IP address 192.0.2.100, a subnet 192.0.5.0 and a default router 192.0.5.1. Obviously, such a configuration is -unusable, as the client won't be able to reach its default gateway. +unusable, as the client will not be able to reach its default gateway. To use global host reservations, a configuration similar to the following can be used: @@ -4192,10 +4193,10 @@ DHCP servers use subnet information in two ways. First, it is used to determine the point of attachment, or where the client is connected to the network. Second, the subnet information is used to group information pertaining to a specific location in the network. This -approach works well in general cases, but there are scenarios where the +approach works well in general, but there are scenarios where the boundaries are blurred. Sometimes it is useful to have more than one -logical IP subnet deployed on the same physical link. The need to -understand that two or more subnets are used on the same link requires +logical IP subnet deployed on the same physical link. +Understanding that two or more subnets are used on the same link requires additional logic in the DHCP server. This capability is called "shared networks" in the Kea and ISC DHCP projects. (It is sometimes also called "shared subnets"; in Microsoft's nomenclature it is called "multinet.") @@ -4215,7 +4216,7 @@ types of devices in cable networks: cable modems and the end-user devices behind them. It is a common practice to use different subnets for cable modems to prevent users from tinkering with them. In this case, the distinction is based on the type of device, rather than -address-space exhaustion. +on address-space exhaustion. A client connected to a shared network may be assigned an address from any of the pools defined within the subnets belonging to the shared @@ -4224,7 +4225,7 @@ a shared network and tries to allocate an address from this subnet. If the server is unable to allocate an address from the selected subnet (e.g., due to address-pool exhaustion), it will use another subnet from the same shared network and will try to allocate an address from this subnet, -etc. Therefore, in the typical case, the server will allocate all +etc. Therefore, the server will typically allocate all addresses available in a given subnet before it starts allocating addresses from other subnets belonging to the same shared network. However, in certain situations the client can be allocated an address @@ -4271,11 +4272,11 @@ introduced: ], } ], // end of shared-networks - // It is likely that in your network you will have a mix of regular, + // It is likely that in the network there will be a mix of regular, // "plain" subnets and shared networks. It is perfectly valid to mix // them in the same configuration file. // - // This is a regular subnet. It's not part of any shared network. + // This is a regular subnet. It is not part of any shared network. "subnet4": [ { "subnet": "192.0.3.0/24", @@ -4287,7 +4288,7 @@ introduced: } // end of Dhcp4 } -As you see in the example, it is possible to mix shared and regular +As demonstrated in the example, it is possible to mix shared and regular ("plain") subnets. Each shared network must have a unique name. This is similar to the ID for subnets, but gives administrators more flexibility. It is used for logging, but also internally for identifying @@ -4302,8 +4303,8 @@ To avoid unnecessary performance degradation, the shared subnets should only be defined when required by the deployment. Shared networks provide an ability to specify many parameters in the -shared network scope that will apply to all subnets within it. If -necessary, you can specify a parameter in the shared network scope and +shared network scope that apply to all subnets within it. If +necessary, it is possible to specify a parameter in the shared network scope and then override its value in the subnet scope. For example: :: @@ -4388,7 +4389,7 @@ convenient to specify it once at the shared network level. { "name": "office-floor-2", - // This tells Kea that the whole shared network is reachable over + // This tells Kea that the whole shared network is reachable over a // local interface. This applies to all subnets in this network. "interface": "eth0", @@ -4497,13 +4498,13 @@ following example: } If the client belongs to the "b-devices" class (because it includes -option 93 with a value of 0x0002), that doesn't guarantee that the +option 93 with a value of 0x0002), that does not guarantee that the subnet 10.0.0.0/24 will be used (or preferred) for this client. The server can use either of the two subnets, because the subnet 192.0.2.0/26 is also allowed for this client. The client classification used in this case should be perceived as a way to restrict access to certain subnets, rather than a way to express subnet preference. For example, if the -client doesn't belong to the "b-devices" class it may only use the +client does not belong to the "b-devices" class it may only use the subnet 192.0.2.0/26 and will never use the subnet 10.0.0.0/24. A typical use case for client classification is in a cable network, @@ -4615,12 +4616,12 @@ selected subnet, Kea looks through all subnets in a shared network for a reservation. This is one of the reasons why defining a shared network may impact performance. If there is a reservation for a client in any subnet, that particular subnet will be picked for the client. Although -it's technically not an error, it is considered a bad practice to define +it is technically not an error, it is considered a bad practice to define reservations for the same host in multiple subnets belonging to the same shared network. While not strictly mandatory, it is strongly recommended to use explicit -"id" values for subnets if you plan to use database storage for host +"id" values for subnets if database storage will be used for host reservations. If an ID is not specified, the values for it are autogenerated, i.e. Kea assigns increasing integer values starting from 1. Thus, the autogenerated IDs are not stable across configuration @@ -4862,7 +4863,7 @@ is to monitor pool utilization. Most people would forget to include declined-addresses in the calculation, and simply use assigned-addresses/total-addresses. This would cause a bias towards under-representing pool utilization. As this has a potential for major -issues, we decided not to decrease assigned-addresses immediately after +issues, ISC decided not to decrease assigned-addresses immediately after receiving DHCPDECLINE, but to do it later when Kea recovers the address back to the available pool. @@ -4902,7 +4903,7 @@ The DHCPv4 server supports the following statistics: | | | started their | | | | configuration process | | | | and their initial | - | | | packets reached your | + | | | packets reached the | | | | Kea server. | +-----------------------------------------+-----------------------+-------------------------+ | pkt4-offer-received | integer | Number of DHCPOFFER | @@ -5006,7 +5007,7 @@ The DHCPv4 server supports the following statistics: | | | discovered that the | | | | address is currently | | | | used by an unknown | - | | | device in your | + | | | device in the | | | | network. | +-----------------------------------------+-----------------------+-------------------------+ | pkt4-inform-received | integer | Number of DHCPINFORM | @@ -5111,7 +5112,7 @@ The DHCPv4 server supports the following statistics: | | | malformed or | | | | truncated packet. | | | | This may indicate | - | | | problems in your | + | | | problems in the | | | | network, faulty | | | | clients, or a bug in | | | | the server. | @@ -5316,7 +5317,7 @@ in the configuration file can be used: } The length of the path specified by the ``socket-name`` parameter is -restricted by the maximum length for the UNIX socket name on your +restricted by the maximum length for the UNIX socket name on the administrator's operating system, i.e. the size of the ``sun_path`` field in the ``sockaddr_un`` structure, decreased by 1. This value varies on different operating systems between 91 and 107 characters. Typical @@ -5367,7 +5368,7 @@ However, sometimes there is a need to specify parameters that are different for each pool. User contexts can store an arbitrary data file as long as it has valid JSON -syntax and its top level element is a map (i.e. the data must be +syntax and its top-level element is a map (i.e. the data must be enclosed in curly brackets). However, some hook libraries may expect specific formatting; please consult the specific hook library documentation for details. @@ -5398,12 +5399,12 @@ of LED devices could be configured in the following way: "user-context": { "color": "red" } } ], - // This is a subnet-specific user context. You can put whatever type - // of information you want as long as it is a valid JSON. + // This is a subnet-specific user context. Any type + // of information can be entered here as long as it is valid JSON. "user-context": { "comment": "network on the second floor", "last-modified": "2017-09-04 13:32", - "description": "you can put here anything you like", + "description": "you can put anything you like here", "phones": [ "x1234", "x2345" ], "devices-registered": 42, "billing": false @@ -5414,7 +5415,7 @@ of LED devices could be configured in the following way: ... } -Kea does not use that information; it simply stores it and makes it +Kea does not interpret or use the user context information; it simply stores it and makes it available to the hook libraries. It is up to each hook library to extract that information and use it. The parser translates a "comment" entry into a user context with the entry, which allows a comment to be @@ -5532,16 +5533,15 @@ configurable via the Configuration Backend. All supported parameters can be configured via the ``cb_cmds`` hooks library described in the :ref:`cb-cmds-library` section. The general rule is that the scalar global parameters are set using -``remote-global-parameter4-set``; the shared network specific parameters -are set using ``remote-network4-set``; and the subnet and pool -level parameters are set using ``remote-subnet4-set``. Whenever +``remote-global-parameter4-set``; the shared network-specific parameters +are set using ``remote-network4-set``; and the subnet- and pool-level +parameters are set using ``remote-subnet4-set``. Whenever there is an exception to this general rule, it is highlighted in the table. The non-scalar global parameters have dedicated commands; for example, the global DHCPv4 options (``option-data``) are modified using ``remote-option4-global-set``. -.. table:: List of DHCPv4 Parameters Supported by the Configuration -Backend +.. table:: List of DHCPv4 Parameters Supported by the Configuration Backend +--------------------------+----------------------------+-------------+-------------+-------------+ | Parameter | Global | Shared | Subnet | Pool | diff --git a/doc/guide/dhcp6-srv.rst b/doc/guide/dhcp6-srv.rst index 7576586b23..9ac5d2b448 100644 --- a/doc/guide/dhcp6-srv.rst +++ b/doc/guide/dhcp6-srv.rst @@ -173,7 +173,7 @@ the same parameter multiple times. If that happens, the last occurrence of a given parameter in a given scope is used, while all previous instances are ignored. This is unlikely to cause any confusion as there are no real-life reasons to keep multiple copies of the same parameter -in your configuration file. +in the configuration file. The first few DHCPv6 configuration elements define some global parameters. ``valid-lifetime`` defines how long the @@ -427,7 +427,7 @@ specified as well: "Dhcp6": { "lease-database": { "port" : 12345, ... }, ... } -Should the database be located on a different system, you may need to +Should the database be located on a different system, the administrator may need to specify a longer interval for the connection timeout: :: @@ -449,7 +449,7 @@ specified: If the server is unable to reconnect to the database after making the maximum number of attempts, the server will exit. A value of zero (the default) disables automatic recovery and the server will exit -immediately upon detecting a loss of connectivity (MySQL and Postgres +immediately upon detecting a loss of connectivity (MySQL and PostgreSQL only). The number of milliseconds the server will wait between attempts to @@ -622,7 +622,7 @@ be specified: "Dhcp6": { "hosts-database": { "reconnect-wait-time" : number-of-milliseconds, ... }, ... } -The default value for MySQL and Postgres is 0, which disables automatic +The default value for MySQL and PostgreSQL is 0, which disables automatic recovery and causes the server to exit immediately upon detecting the loss of connectivity. The default value for Cassandra is 2000 ms. @@ -875,8 +875,8 @@ communicate over uncommon addresses if so desired. .. _dhcp6-address-config: -Subnet and Address Pool ------------------------ +Configuration of IPv6 Address Pools +----------------------------------- The main role of a DHCPv6 server is address assignment. For this, the server must be configured with at least one subnet and one pool of @@ -981,7 +981,7 @@ Subnet and Prefix Delegation Pools ---------------------------------- Subnets may also be configured to delegate prefixes, as defined in `RFC -8415 `__, section 6.3. A subnet may +8415 `__, section 6.3. A subnet may have one or more prefix delegation pools. Each pool has a prefixed address, which is specified as a prefix (``prefix``) and a prefix length (``prefix-len``), as well as a delegated prefix length @@ -1019,7 +1019,7 @@ Prefix Exclude Option For each delegated prefix, the delegating router may choose to exclude a single prefix out of the delegated prefix as specified in `RFC -6603 `__. The requesting router must +6603 `__. The requesting router must not assign the excluded prefix to any of its downstream interfaces, and it is intended to be used on a link through which the delegating router exchanges DHCPv6 messages with the requesting router. The configuration @@ -1138,9 +1138,9 @@ Most of the parameters in the "option-data" structure are optional and can be omitted in some circumstances, as discussed in :ref:`dhcp6-option-data-defaults`. Only one of name or code is required; it is not necessary to specify both. Space has a default value -of "dhcp6", so you can skip this as well if you define a regular (not -encapsulated) DHCPv6 option. Finally, csv-format defaults to "true", so it -too can be skipped, unless you want to specify the option value as +of "dhcp6", so this can be skipped as well if a regular (not +encapsulated) DHCPv6 option is defined. Finally, csv-format defaults to "true", so it +too can be skipped, unless the option value is specified as hexstring. Therefore, the above example can be simplified to: :: @@ -1290,7 +1290,7 @@ The currently supported standard DHCPv6 options are listed in :ref:`dhcp6-std-options-list`. "Name" and "Code" are the values that should be used as a name/code in the option-data structures. "Type" designates the format of the data; the meanings of the various -types is given in :ref:`dhcp-types`. +types are given in :ref:`dhcp-types`. When a data field is a string and that string contains the comma (,; U+002C) character, the comma must be escaped with two backslashes (\; @@ -1336,162 +1336,148 @@ for standard options for which Kea currently does not provide a definition. In order to use such options, a server administrator must create a definition as described in :ref:`dhcp6-custom-options` in the 'dhcp6' option space. This definition should match the option format described in the relevant RFC, -but the configuration mechanism would allow any option format as it +but the configuration mechanism will allow any option format as it currently has no means to validate it. .. _dhcp6-std-options-list: .. table:: List of Standard DHCPv6 Options - +-----------------+-----------------+-----------------+-----------------+ - | Name | Code | Type | Array? | - +=================+=================+=================+=================+ - | preference | 7 | uint8 | false | - +-----------------+-----------------+-----------------+-----------------+ - | unicast | 12 | ipv6-address | false | - +-----------------+-----------------+-----------------+-----------------+ - | vendor-opts | 17 | uint32 | false | - +-----------------+-----------------+-----------------+-----------------+ - | sip-server-dns | 21 | fqdn | true | - +-----------------+-----------------+-----------------+-----------------+ - | sip-server-addr | 22 | ipv6-address | true | - +-----------------+-----------------+-----------------+-----------------+ - | dns-servers | 23 | ipv6-address | true | - +-----------------+-----------------+-----------------+-----------------+ - | domain-search | 24 | fqdn | true | - +-----------------+-----------------+-----------------+-----------------+ - | nis-servers | 27 | ipv6-address | true | - +-----------------+-----------------+-----------------+-----------------+ - | nisp-servers | 28 | ipv6-address | true | - +-----------------+-----------------+-----------------+-----------------+ - | nis-domain-name | 29 | fqdn | true | - +-----------------+-----------------+-----------------+-----------------+ - | nisp-domain-nam | 30 | fqdn | true | - | e | | | | - +-----------------+-----------------+-----------------+-----------------+ - | sntp-servers | 31 | ipv6-address | true | - +-----------------+-----------------+-----------------+-----------------+ - | information-ref | 32 | uint32 | false | - | resh-time | | | | - +-----------------+-----------------+-----------------+-----------------+ - | bcmcs-server-dn | 33 | fqdn | true | - | s | | | | - +-----------------+-----------------+-----------------+-----------------+ - | bcmcs-server-ad | 34 | ipv6-address | true | - | dr | | | | - +-----------------+-----------------+-----------------+-----------------+ - | geoconf-civic | 36 | record (uint8, | false | - | | | uint16, binary) | | - +-----------------+-----------------+-----------------+-----------------+ - | remote-id | 37 | record (uint32, | false | - | | | binary) | | - +-----------------+-----------------+-----------------+-----------------+ - | subscriber-id | 38 | binary | false | - +-----------------+-----------------+-----------------+-----------------+ - | client-fqdn | 39 | record (uint8, | false | - | | | fqdn) | | - +-----------------+-----------------+-----------------+-----------------+ - | pana-agent | 40 | ipv6-address | true | - +-----------------+-----------------+-----------------+-----------------+ - | new-posix-timez | 41 | string | false | - | one | | | | - +-----------------+-----------------+-----------------+-----------------+ - | new-tzdb-timezo | 42 | string | false | - | ne | | | | - +-----------------+-----------------+-----------------+-----------------+ - | ero | 43 | uint16 | true | - +-----------------+-----------------+-----------------+-----------------+ - | lq-query (1) | 44 | record (uint8, | false | - | | | ipv6-address) | | - +-----------------+-----------------+-----------------+-----------------+ - | client-data (1) | 45 | empty | false | - +-----------------+-----------------+-----------------+-----------------+ - | clt-time (1) | 46 | uint32 | false | - +-----------------+-----------------+-----------------+-----------------+ - | lq-relay-data | 47 | record | false | - | (1) | | (ipv6-address, | | - | | | binary) | | - +-----------------+-----------------+-----------------+-----------------+ - | lq-client-link | 48 | ipv6-address | true | - | (1) | | | | - +-----------------+-----------------+-----------------+-----------------+ - | v6-lost | 51 | fqdn | false | - +-----------------+-----------------+-----------------+-----------------+ - | capwap-ac-v6 | 52 | ipv6-address | true | - +-----------------+-----------------+-----------------+-----------------+ - | relay-id | 53 | binary | false | - +-----------------+-----------------+-----------------+-----------------+ - | v6-access-domai | 57 | fqdn | false | - | n | | | | - +-----------------+-----------------+-----------------+-----------------+ - | sip-ua-cs-list | 58 | fqdn | true | - +-----------------+-----------------+-----------------+-----------------+ - | bootfile-url | 59 | string | false | - +-----------------+-----------------+-----------------+-----------------+ - | bootfile-param | 60 | tuple | true | - +-----------------+-----------------+-----------------+-----------------+ - | client-arch-typ | 61 | uint16 | true | - | e | | | | - +-----------------+-----------------+-----------------+-----------------+ - | nii | 62 | record (uint8, | false | - | | | uint8, uint8) | | - +-----------------+-----------------+-----------------+-----------------+ - | aftr-name | 64 | fqdn | false | - +-----------------+-----------------+-----------------+-----------------+ - | erp-local-domai | 65 | fqdn | false | - | n-name | | | | - +-----------------+-----------------+-----------------+-----------------+ - | rsoo | 66 | empty | false | - +-----------------+-----------------+-----------------+-----------------+ - | pd-exclude | 67 | binary | false | - +-----------------+-----------------+-----------------+-----------------+ - | rdnss-selection | 74 | record | true | - | | | (ipv6-address, | | - | | | uint8, fqdn) | | - +-----------------+-----------------+-----------------+-----------------+ - | client-linklaye | 79 | binary | false | - | r-addr | | | | - +-----------------+-----------------+-----------------+-----------------+ - | link-address | 80 | ipv6-address | false | - +-----------------+-----------------+-----------------+-----------------+ - | solmax-rt | 82 | uint32 | false | - +-----------------+-----------------+-----------------+-----------------+ - | inf-max-rt | 83 | uint32 | false | - +-----------------+-----------------+-----------------+-----------------+ - | dhcp4o6-server- | 88 | ipv6-address | true | - | addr | | | | - +-----------------+-----------------+-----------------+-----------------+ - | s46-rule | 89 | record (uint8, | false | - | | | uint8, uint8, | | - | | | ipv4-address, | | - | | | ipv6-prefix) | | - +-----------------+-----------------+-----------------+-----------------+ - | s46-br | 90 | ipv6-address | false | - +-----------------+-----------------+-----------------+-----------------+ - | s46-dmr | 91 | ipv6-prefix | false | - +-----------------+-----------------+-----------------+-----------------+ - | s46-v4v6bind | 92 | record | false | - | | | (ipv4-address, | | - | | | ipv6-prefix) | | - +-----------------+-----------------+-----------------+-----------------+ - | s46-portparams | 93 | record(uint8, | false | - | | | psid) | | - +-----------------+-----------------+-----------------+-----------------+ - | s46-cont-mape | 94 | empty | false | - +-----------------+-----------------+-----------------+-----------------+ - | s46-cont-mapt | 95 | empty | false | - +-----------------+-----------------+-----------------+-----------------+ - | s46-cont-lw | 96 | empty | false | - +-----------------+-----------------+-----------------+-----------------+ - | v6-captive-port | 103 | string | false | - | al | | | | - +-----------------+-----------------+-----------------+-----------------+ - | ipv6-address-an | 143 | ipv6-address | true | - | dsf | | | | - +-----------------+-----------------+-----------------+-----------------+ + +--------------------------+-----------------+-----------------+-----------------+ + | Name | Code | Type | Array? | + +==========================+=================+=================+=================+ + | preference | 7 | uint8 | false | + +--------------------------+-----------------+-----------------+-----------------+ + | unicast | 12 | ipv6-address | false | + +--------------------------+-----------------+-----------------+-----------------+ + | vendor-opts | 17 | uint32 | false | + +--------------------------+-----------------+-----------------+-----------------+ + | sip-server-dns | 21 | fqdn | true | + +--------------------------+-----------------+-----------------+-----------------+ + | sip-server-addr | 22 | ipv6-address | true | + +--------------------------+-----------------+-----------------+-----------------+ + | dns-servers | 23 | ipv6-address | true | + +--------------------------+-----------------+-----------------+-----------------+ + | domain-search | 24 | fqdn | true | + +--------------------------+-----------------+-----------------+-----------------+ + | nis-servers | 27 | ipv6-address | true | + +--------------------------+-----------------+-----------------+-----------------+ + | nisp-servers | 28 | ipv6-address | true | + +--------------------------+-----------------+-----------------+-----------------+ + | nis-domain-name | 29 | fqdn | true | + +--------------------------+-----------------+-----------------+-----------------+ + | nisp-domain-name | 30 | fqdn | true | + +--------------------------+-----------------+-----------------+-----------------+ + | sntp-servers | 31 | ipv6-address | true | + +--------------------------+-----------------+-----------------+-----------------+ + | information-refresh-time | 32 | uint32 | false | + +--------------------------+-----------------+-----------------+-----------------+ + | bcmcs-server-dns | 33 | fqdn | true | + +--------------------------+-----------------+-----------------+-----------------+ + | bcmcs-server-addr | 34 | ipv6-address | true | + +--------------------------+-----------------+-----------------+-----------------+ + | geoconf-civic | 36 | record (uint8, | false | + | | | uint16, binary) | | + +--------------------------+-----------------+-----------------+-----------------+ + | remote-id | 37 | record (uint32, | false | + | | | binary) | | + +--------------------------+-----------------+-----------------+-----------------+ + | subscriber-id | 38 | binary | false | + +--------------------------+-----------------+-----------------+-----------------+ + | client-fqdn | 39 | record (uint8, | false | + | | | fqdn) | | + +--------------------------+-----------------+-----------------+-----------------+ + | pana-agent | 40 | ipv6-address | true | + +--------------------------+-----------------+-----------------+-----------------+ + | new-posix-timezone | 41 | string | false | + +--------------------------+-----------------+-----------------+-----------------+ + | new-tzdb-timezone | 42 | string | false | + +--------------------------+-----------------+-----------------+-----------------+ + | ero | 43 | uint16 | true | + +--------------------------+-----------------+-----------------+-----------------+ + | lq-query (1) | 44 | record (uint8, | false | + | | | ipv6-address) | | + +--------------------------+-----------------+-----------------+-----------------+ + | client-data (1) | 45 | empty | false | + +--------------------------+-----------------+-----------------+-----------------+ + | clt-time (1) | 46 | uint32 | false | + +--------------------------+-----------------+-----------------+-----------------+ + | lq-relay-data (1) | 47 | record | false | + | | | (ipv6-address, | | + | | | binary) | | + +--------------------------+-----------------+-----------------+-----------------+ + | lq-client-link (1) | 48 | ipv6-address | true | + +--------------------------+-----------------+-----------------+-----------------+ + | v6-lost | 51 | fqdn | false | + +--------------------------+-----------------+-----------------+-----------------+ + | capwap-ac-v6 | 52 | ipv6-address | true | + +--------------------------+-----------------+-----------------+-----------------+ + | relay-id | 53 | binary | false | + +--------------------------+-----------------+-----------------+-----------------+ + | v6-access-domain | 57 | fqdn | false | + +--------------------------+-----------------+-----------------+-----------------+ + | sip-ua-cs-list | 58 | fqdn | true | + +--------------------------+-----------------+-----------------+-----------------+ + | bootfile-url | 59 | string | false | + +--------------------------+-----------------+-----------------+-----------------+ + | bootfile-param | 60 | tuple | true | + +--------------------------+-----------------+-----------------+-----------------+ + | client-arch-type | 61 | uint16 | true | + +--------------------------+-----------------+-----------------+-----------------+ + | nii | 62 | record (uint8, | false | + | | | uint8, uint8) | | + +--------------------------+-----------------+-----------------+-----------------+ + | aftr-name | 64 | fqdn | false | + +--------------------------+-----------------+-----------------+-----------------+ + | erp-local-domain-name | 65 | fqdn | false | + +--------------------------+-----------------+-----------------+-----------------+ + | rsoo | 66 | empty | false | + +--------------------------+-----------------+-----------------+-----------------+ + | pd-exclude | 67 | binary | false | + +--------------------------+-----------------+-----------------+-----------------+ + | rdnss-selection | 74 | record | true | + | | | (ipv6-address, | | + | | | uint8, fqdn) | | + +--------------------------+-----------------+-----------------+-----------------+ + | client-linklayer-addr | 79 | binary | false | + +--------------------------+-----------------+-----------------+-----------------+ + | link-address | 80 | ipv6-address | false | + +--------------------------+-----------------+-----------------+-----------------+ + | solmax-rt | 82 | uint32 | false | + +--------------------------+-----------------+-----------------+-----------------+ + | inf-max-rt | 83 | uint32 | false | + +--------------------------+-----------------+-----------------+-----------------+ + | dhcp4o6-server-addr | 88 | ipv6-address | true | + +--------------------------+-----------------+-----------------+-----------------+ + | s46-rule | 89 | record (uint8, | false | + | | | uint8, uint8, | | + | | | ipv4-address, | | + | | | ipv6-prefix) | | + +--------------------------+-----------------+-----------------+-----------------+ + | s46-br | 90 | ipv6-address | false | + +--------------------------+-----------------+-----------------+-----------------+ + | s46-dmr | 91 | ipv6-prefix | false | + +--------------------------+-----------------+-----------------+-----------------+ + | s46-v4v6bind | 92 | record | false | + | | | (ipv4-address, | | + | | | ipv6-prefix) | | + +--------------------------+-----------------+-----------------+-----------------+ + | s46-portparams | 93 | record(uint8, | false | + | | | psid) | | + +--------------------------+-----------------+-----------------+-----------------+ + | s46-cont-mape | 94 | empty | false | + +--------------------------+-----------------+-----------------+-----------------+ + | s46-cont-mapt | 95 | empty | false | + +--------------------------+-----------------+-----------------+-----------------+ + | s46-cont-lw | 96 | empty | false | + +--------------------------+-----------------+-----------------+-----------------+ + | v6-captive-portal | 103 | string | false | + +--------------------------+-----------------+-----------------+-----------------+ + | ipv6-address-andsf | 143 | ipv6-address | true | + +--------------------------+-----------------+-----------------+-----------------+ Options marked with (1) have option definitions, but the logic behind -them is not implemented. That means that technically Kea knows how to +them is not implemented. That means that, technically, Kea knows how to parse them in incoming messages or how to send them if configured to do so, but not what to do with them. Since the related RFCs require certain processing, the support for those options is non-functional. However, it @@ -1505,7 +1491,7 @@ Common Softwire46 Options Softwire46 options are involved in IPv4 over IPv6 provisioning by means of tunneling or translation as specified in `RFC -7598 `__. The following sections +7598 `__. The following sections provide configuration examples of these options. .. _s46-containers: @@ -1513,11 +1499,11 @@ provide configuration examples of these options. Softwire46 Container Options ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -S46 container options group rules and optional port parameters for a +Softwire46 (S46) container options group rules and optional port parameters for a specified domain. There are three container options specified in the "dhcp6" (top-level) option space: the MAP-E Container option, the MAP-T Container option, and the S46 Lightweight 4over6 Container option. These -options only contain encapsulated options specified below; they do not +options only contain the encapsulated options specified below; they do not include any data fields. To configure the server to send a specific container option along with @@ -1540,7 +1526,7 @@ option to the client. Use "s46-cont-mapt" or "s46-cont-lw" for the MAP-T Container and S46 Lightweight 4over6 Container options, respectively. All remaining Softwire options described below are included in one of -the container options. Thus, they have to be included in appropriate +the container options. Thus, they must be included in appropriate option spaces by selecting a "space" name, which specifies in which option they are supposed to be included. @@ -1562,23 +1548,23 @@ Another possible "space" value is "s46-cont-mapt-options". The S46 Rule option conveys a number of parameters: -- ``flags``, an unsigned 8-bit integer, with currently only the +- ``flags`` - an unsigned 8-bit integer, with currently only the most-significant bit specified. It denotes whether the rule can be used for forwarding (128) or not (0). -- ``ea-len``, an 8-bit-long Embedded Address length. Allowed values +- ``ea-len`` - an 8-bit-long Embedded Address length. Allowed values range from 0 to 48. -- ``IPv4 prefix length``, 8 bits long; expresses the prefix length of +- ``IPv4 prefix length`` - 8 bits long; expresses the prefix length of the Rule IPv4 prefix specified in the ipv4-prefix field. Allowed values range from 0 to 32. -- ``IPv4 prefix``, a fixed-length 32-bit field that specifies the IPv4 - prefix for the S46 rule. The bits in the prefix after prefix4-len - number of bits are reserved, and MUST be initialized to zero by the - sender and ignored by the receiver. +- ``IPv4 prefix`` - a fixed-length 32-bit field that specifies the IPv4 + prefix for the S46 rule. The bits in the prefix after + a specific number of bits (defined in prefix4-len) are reserved, and MUST + be initialized to zero by the sender and ignored by the receiver. -- ``IPv6 prefix``, in prefix/length notation that specifies the IPv6 +- ``IPv6 prefix`` - in prefix/length notation that specifies the IPv6 domain prefix for the S46 rule. The field is padded on the right with zero bits up to the nearest octet boundary, when prefix6-len is not evenly divisible by 8. @@ -1617,8 +1603,8 @@ permitted in the MAP-E and S46 Lightweight 4over6 Container options. This option must not be included in other containers. -S46 IPv4/IPv6 Address Binding option. -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +S46 IPv4/IPv6 Address Binding Option +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The S46 IPv4/IPv6 Address Binding option may be used to specify the full or shared IPv4 address of the Customer Edge (CE). The IPv6 prefix field @@ -1662,11 +1648,11 @@ Parameters option. Custom DHCPv6 Options --------------------- -It is possible to define options in addition to the standard ones. +Kea supports custom (non-standard) DHCPv6 options. Assume that we want to define a new DHCPv6 option called "foo" which will have code 100 and which will convey a single, unsigned, 32-bit -integer value. We can define such an option by using the following -commands: +integer value. We can define such an option by putting the following entry +in the configuration file: :: @@ -1685,7 +1671,7 @@ commands: ... } -The "false" value of the ``array`` parameter determines that the option +The ``false`` value of the ``array`` parameter determines that the option does NOT comprise an array of "uint32" values but is, instead, a single value. Two other parameters have been left blank: ``record-types`` and ``encapsulate``. The former specifies the comma-separated list of option @@ -1694,10 +1680,11 @@ data fields, if the option comprises a record of data fields. The "record"; otherwise it must be left blank. The latter parameter specifies the name of the option space being encapsulated by the particular option. If the particular option does not encapsulate any -option space, it should be left blank. Note that the above example only -defines the format of the new option and does not set its value(s). +option space, the parameter should be left blank. Note that the ``option-def`` +configuration statement only defines the format of the new option and does +not set its value(s). -Only the ``name``, ``code``, and ``type`` parameters are required; all +The ``name``, ``code``, and ``type`` parameters are required; all others are optional. The ``array`` default value is ``false``. The ``record-types`` and ``encapsulate`` default values are blank (i.e. ""). The default ``space`` is "dhcp6". @@ -1722,7 +1709,7 @@ global value that applies to all subnets. } New options can take more complex forms than simple use of primitives -(uint8, string, ipv6-address, etc); it is possible to define an option +(uint8, string, ipv6-address, etc.); it is possible to define an option comprising a number of existing primitives. For example, assume we want to define a new option that will consist of @@ -1747,12 +1734,12 @@ defined in the following way: ... } -The "type" is set to "record" to indicate that the option contains +The ``type`` is set to "record" to indicate that the option contains multiple values of different types. These types are given as a comma-separated list in the ``record-types`` field and should be ones -from those listed in `??? <#dhcp-types>`__. +from those listed in :ref:`dhcp-types`. -The values of the options are set in a ``option-data`` statement as +The values of the options are set in an ``option-data`` statement as follows: :: @@ -1771,7 +1758,7 @@ follows: } ``csv-format`` is set to ``true`` to indicate that the ``data`` field -comprises a command-separated list of values. The values in ``data`` +comprises a comma-separated list of values. The values in ``data`` must correspond to the types set in the ``record-types`` field of the option definition. @@ -1810,8 +1797,8 @@ DHCPv6 Vendor-Specific Options ------------------------------ Currently there are two option spaces defined for the DHCPv6 daemon: -"dhcp6" (for top-level DHCPv6 options) and "vendor-opts-space", which is -empty by default, but in which options can be defined. Those options are +"dhcp6" (for the top-level DHCPv6 options) and "vendor-opts-space", which is +empty by default but in which options can be defined. Those options are carried in the Vendor-Specific Information option (code 17). The following examples show how to define an option "foo" with code 1 that consists of an IPv6 address, an unsigned 16-bit integer, and a string. @@ -1819,6 +1806,8 @@ The "foo" option is conveyed in a Vendor-Specific Information option, which comprises a single uint32 value that is set to "12345". The sub-option "foo" follows the data field holding this value. +The first step is to define the format of the option: + :: "Dhcp6": { @@ -1890,16 +1879,16 @@ Alternatively, the option can be specified using its code. Nested DHCPv6 Options (Custom Option Spaces) -------------------------------------------- -It is sometimes useful to define completely new option spaces. This is -the case when a user wants their new option to convey sub-options that +It is sometimes useful to define completely new option spaces, such as +when a user creates a new option to convey sub-options that use a separate numbering scheme, for example sub-options with codes 1 and 2. Those option codes conflict with standard DHCPv6 options, so a separate option space must be defined. Note that the creation of a new option space is not required when -defining sub-options for a standard option, because it is created by +defining sub-options for a standard option, because one is created by default if the standard option is meant to convey any sub-options (see -`DHCPv6 Vendor-Specific Options <#dhcp6-vendor-opts>`__). +:ref:`dhcp6-vendor-opts`). Assume that we want to have a DHCPv6 option called "container" with code 102 that conveys two sub-options with codes 1 and 2. First we need to @@ -1934,8 +1923,8 @@ define the new sub-options: Note that we have defined the options to belong to a new option space (in this case, "isc"). -The next step is to define a regular DHCPv6 option and specify that it -should include options from the new option space: +The next step is to define a regular DHCPv6 option with the desired code +and specify that it should include options from the new option space: :: @@ -2003,17 +1992,17 @@ Unspecified Parameters for DHCPv6 Option Configuration ------------------------------------------------------ In many cases it is not required to specify all parameters for an option -configuration and the default values can be used. However, it is +configuration, and the default values can be used. However, it is important to understand the implications of not specifying some of them, as it may result in configuration errors. The list below explains the behavior of the server when a particular parameter is not explicitly specified: -- ``name`` - the server requires an option name or option code to +- ``name`` - the server requires an option name or an option code to identify an option. If this parameter is unspecified, the option code must be specified. -- ``code`` - the server requires an option name or option code to +- ``code`` - the server requires either an option name or an option code to identify an option. This parameter may be left unspecified if the ``name`` parameter is specified. However, this also requires that the particular option have a definition (either as a standard option or @@ -2029,11 +2018,11 @@ specified: - ``data`` - if the option data is unspecified it defaults to an empty value. The empty value is mostly used for the options which have no payload (boolean options), but it is legal to specify empty values - for some options which carry variable-length data and which the + for some options which carry variable-length data and for which the specification allows a length of 0. For such options, the data parameter may be omitted in the configuration. -- ``csv-format`` - if this value is not specified the server will +- ``csv-format`` - if this value is not specified, the server will assume that the option data is specified as a list of comma-separated values to be assigned to individual fields of the DHCP option. @@ -2042,12 +2031,11 @@ specified: Controlling the Values Sent for T1 and T2 Times ----------------------------------------------- -According to -RFC 8415, section 21.4 -, the recommended T1 and T2 values are 50% and 80% of the preferred -lease time, repsectively. Kea can be configured to send values that are +According to RFC 8415, section 21.4, the recommended T1 and T2 values +are 50% and 80% of the preferred +lease time, respectively. Kea can be configured to send values that are specified explicitly or that are calculated as percentages of the -preferred lease time. The server's behavior is governed by combination +preferred lease time. The server's behavior is governed by a combination of configuration parameters, two of which have already been mentioned. To send specific, fixed values use the following two parameters: @@ -2055,31 +2043,31 @@ To send specific, fixed values use the following two parameters: - ``rebind-timer`` - specifies the value of T2 in seconds. -You may specify any value for T2 greater than or equal to zero. When +Any value greater than or equal to zero may be specified for T2. When specifying T1 it must be less than T2. This flexibility is allowed to -support a use case where admins want to suppress client renewals and -rebinds by deferring them beyond the life span of the lease. This should +support a use case where administrators want to suppress client renewals and +rebinds by deferring them beyond the lifespan of the lease. This should cause the lease to expire, rather than get renewed by clients. If T1 is -specified as larger than T2, it will be set to zero in the outbound IA. +specified as larger than T2, T1 will be set to zero in the outbound IA. -In great majority of cases the values should follow this rule: T1 < T2 < +In the great majority of cases the values should follow this rule: T1 < T2 < preferred lifetime < valid lifetime. Alternatively, both T1 and T2 values can be configured to 0, which is a signal to DHCPv6 clients that they may renew at their own discretion. However, there are known broken -client implementations out there that will start renewing immediately. -If you plan to use T1=T2=0 values, please test first and make sure your -clients behave rationally. - -In some rare cases there may be a need to disable client's ability to -renew addresses. This is undesired from protocol perspective and should -be avoided if possible. However, if you want to do this, you can -configure your T1 and T2 values to be equal or greater to your valid -lifetime. Be advised that this will cause your clients to ocasionally +client implementations in use that will start renewing immediately. +Administrators who plan to use T1=T2=0 values should test first and make sure +their clients behave rationally. + +In some rare cases there may be a need to disable a client's ability to +renew addresses. This is undesired from a protocol perspective and should +be avoided if possible. However, if necessary, administrators can +configure the T1 and T2 values to be equal or greater to the valid +lifetime. Be advised that this will cause clients to occasionally lose their addresses, which is generally perceived as poor service. However, there may be some rare business cases when this is desired -(e.g. when you want to break long lasting connections on purpose). +(e.g. when it is desirable to intentionally break long-lasting connections). -Calculating the values is controlled by the following three parameters. +Calculation of the values is controlled by the following three parameters: - ``calculate-tee-times`` - when true, T1 and T2 will be calculated as percentages of the valid lease time. It defaults to true. @@ -2098,10 +2086,10 @@ Calculating the values is controlled by the following three parameters. In the event that both explicit values are specified and calculate-tee-times is true, the server will use the explicit values. - If you plan on having a mixture where some subnets or share-networks - will use explicit values and some will use calculated values you must + Administrators with a setup where some subnets or share-networks + will use explicit values and some will use calculated values must not define the explicit values at any level higher than where they - will be used. Inheriting them from too high of a scope, such as + will be used. Inheriting them from too high a scope, such as global, will cause them to have values at every level underneath (shared-networks and subnets), effectively disabling calculated values. @@ -2118,13 +2106,12 @@ appropriate subnet for a given request. In IPv4, the server can determine which of the configured subnets are local, as there is a reasonable expectation that the server will have a -(global) IPv4 address configured on the interface, and it can use that -information to detect whether a subnet is local. That assumption is not +(global) IPv4 address configured on the interface. That assumption is not true in IPv6; the DHCPv6 server must be able to operate while only using link-local addresses. Therefore, an optional ``interface`` parameter is available within a subnet definition to designate that a given subnet is local, i.e. reachable directly over the specified interface. For -example, the server that is intended to serve a local subnet over eth0 +example, a server that is intended to serve a local subnet over eth0 may be configured as follows: :: @@ -2150,7 +2137,7 @@ Rapid Commit ------------ The Rapid Commit option, described in `RFC -8415 `__, is supported by the Kea +8415 `__, is supported by the Kea DHCPv6 server. However, support is disabled by default. It can be enabled on a per-subnet basis using the ``rapid-commit`` parameter as shown below: @@ -2172,7 +2159,7 @@ shown below: ... } -This setting only affects the subnet for which the ``rapid-commit`` is +This setting only affects the subnet for which ``rapid-commit`` is set to ``true``. For clients connected to other subnets, the server will ignore the Rapid Commit option sent by the client and will follow the 4-way exchange procedure, i.e. respond with an Advertise for a Solicit @@ -2247,7 +2234,7 @@ with a value of "vlan123": Relay-Supplied Options ---------------------- -`RFC 6422 `__ defines a mechanism +`RFC 6422 `__ defines a mechanism called Relay-Supplied DHCP Options. In certain cases relay agents are the only entities that may have specific information, and they can insert options when relaying messages from the client to the server. The @@ -2260,7 +2247,7 @@ words, if both relay and server provide an option, the server always takes precedence. Second, the option must be RSOO-enabled. (RSOO is the "Relay Supplied Options option.") IANA maintains a list of RSOO-enabled options -`here `__. +`here `__. However, there may be cases when system administrators want to echo other options. Kea can be instructed to treat other options as RSOO-enabled. For example, to mark options 110, 120, and 130 as @@ -2276,9 +2263,9 @@ RSOO-enabled, the following syntax should be used: As of February 2019, only option 65 is RSOO-enabled by IANA. This option will always be treated as such, so there is no need to explicitly mark it. Also, when enabling standard options, it is possible to use their -names, rather than option code, e.g. use ``dns-servers`` instead of -``23``. See `table_title <#dhcp6-std-options-list>`__ for the names. In -certain cases it could also work for custom options, but due to the +names rather than their option code, e.g. use ``dns-servers`` instead of +``23``. See ref:`dhcp6-std-options-list` for the names. In +certain cases this may also work for custom options, but due to the nature of the parser code this may be unreliable and should be avoided. .. _dhcp6-client-classifier: @@ -2287,12 +2274,12 @@ Client Classification in DHCPv6 ------------------------------- The DHCPv6 server includes support for client classification. For a -deeper discussion of the classification process see `??? <#classify>`__. +deeper discussion of the classification process see :ref:`classify`. In certain cases it is useful to configure the server to differentiate between DHCP client types and treat them accordingly. Client classification can be used to modify the behavior of almost any part of -the DHCP message processing. In the current release of Kea, there are +the DHCP message processing. Kea currently offers three mechanisms that take advantage of client classification in DHCPv6: subnet selection, address pool selection, and DHCP options assignment. @@ -2305,37 +2292,37 @@ itself, which should be handed a lease from subnet A; and all other devices behind the modem, which should get a lease from subnet B. That segregation is essential to prevent overly curious users from playing with their cable modems. For details on how to set up class restrictions -on subnets, see `??? <#classification-subnets>`__. +on subnets, see :ref:`classification-subnets`. When subnets belong to a shared network, the classification applies to -subnet selection but not to pools, e.g., a pool in a subnet limited to a +subnet selection but not to pools; that is, a pool in a subnet limited to a particular class can still be used by clients which do not belong to the class, if the pool they are expected to use is exhausted. So the limit on access based on class information is also available at the -address/prefix pool level; see `??? <#classification-pools>`__, within a +address/prefix pool level; see :ref:`classification-pools`, within a subnet. This is useful when segregating clients belonging to the same subnet into different address ranges. In a similar way, a pool can be constrained to serve only known clients, i.e. clients which have a reservation, using the built-in "KNOWN" or -"UNKNOWN" classes. One can assign addresses to registered clients +"UNKNOWN" classes. Addresses can be assigned to registered clients without giving a different address per reservation, for instance when there are not enough available addresses. The determination whether there is a reservation for a given client is made after a subnet is -selected, so it is not possible to use KNOWN/UNKNOWN classes to select a +selected, so it is not possible to use "KNOWN"/"UNKNOWN" classes to select a shared network or a subnet. The process of classification is conducted in five steps. The first step is to assess an incoming packet and assign it to zero or more classes. -Next, a subnet is chosen, possibly based on the class information. After -that, class expressions are evaluated depending on the built-in +The second step is to choose a subnet, possibly based on the class information. +The next step is to evaluate class expressions depending on the built-in "KNOWN"/"UNKNOWN" classes after host reservation lookup, using them for pool/pd-pool selection and assigning classes from host reservations. The list of required classes is then built and each class of the list has its expression evaluated; when it returns "true" the packet is added as -a member of the class. Finally, options are assigned, again possibly +a member of the class. The last step is to assign options, again possibly based on the class information. More complete and detailed information -is available in `??? <#classify>`__. +is available in :ref:`classify`. There are two main methods of classification. The first is automatic and relies on examining the values in the vendor class options or the @@ -2357,7 +2344,7 @@ The following example shows how to configure a class using an expression and a subnet using that class. This configuration defines the class named "Client_enterprise". It is comprised of all clients whose client identifiers start with the given hex string (which would indicate a DUID -based on an enterprise id of 0xAABBCCDD). They will be given an address +based on an enterprise id of 0xAABBCCDD). Members of this class will be given an address from 2001:db8:1::0 to 2001:db8:1::FFFF and the addresses of their DNS servers set to 2001:db8:0::1 and 2001:db8:2::1. @@ -2419,11 +2406,11 @@ Required Classification ~~~~~~~~~~~~~~~~~~~~~~~ In some cases it is useful to limit the scope of a class to a -shared-network, subnet, or pool. There are two parameters which are used -to limit the scope of the class by instructing the server to perform -evaluation of test expressions when required. +shared network, subnet, or pool. There are two parameters which are used +to limit the scope of the class by instructing the server to evaluate +test expressions when required. -The first one is the per-class ``only-if-required`` flag which is false +The first one is the per-class ``only-if-required`` flag, which is false by default. When it is set to ``true``, the test expression of the class is not evaluated at the reception of the incoming packet but later, and only if the class evaluation is required. @@ -2463,16 +2450,16 @@ specified subnet is used: ... } -Required evaluation can be used to express complex dependencies, for -example, subnet membership. It can also be used to reverse the -precedence; if you set an option-data in a subnet it takes precedence -over an option-data in a class. When you move the option-data to a -required class and require it in the subnet, a class evaluated earlier +Required evaluation can be used to express complex dependencies like +subnet membership. It can also be used to reverse the +precedence; if an option-data is set in a subnet it takes precedence +over an option-data in a class. When option-data is moved to a +required class and required in the subnet, a class evaluated earlier may take precedence. Required evaluation is also available at shared-network and pool/pd-pool levels. The order in which required classes are considered is: -shared-network, subnet, and (pd-)pool, i.e. the opposite order that +shared-network, subnet, and (pd-)pool, i.e. in the opposite order in which option-data is processed. .. _dhcp6-ddns-config: @@ -2493,7 +2480,7 @@ NCR contains the following information: 3. The Fully Qualified Domain Name (FQDN), lease address, and DHCID (information identifying the client associated with the FQDN) -The parameters controlling the generation of NCRs for submission to D2 +The parameters for controlling the generation of NCRs for submission to D2 are contained in the ``dhcp-ddns`` section of the kea-dhcp6 server configuration. The mandatory parameters for the DHCP DDNS configuration are ``enable-updates``, which is unconditionally required, and @@ -2559,44 +2546,44 @@ For NCRs to reach the D2 server, kea-dhcp6 must be able to communicate with it. kea-dhcp6 uses the following configuration parameters to control this communication: -- ``enable-updates`` - determines whether kea-dhcp6 will generate NCRs. +- ``enable-updates`` - this determines whether kea-dhcp6 will generate NCRs. If missing, this value is assumed to be false, so DDNS updates are disabled. To enable DDNS updates set this value to true. - ``server-ip`` - IP address on which D2 listens for requests. The - default is the local loopback interface at address 127.0.0.1. You may - specify either an IPv4 or IPv6 address. + default is the local loopback interface at address 127.0.0.1. + Either an IPv4 or IPv6 address may be specified. - ``server-port`` - port on which D2 listens for requests. The default value is 53001. -- ``sender-ip`` - IP address which kea-dhcp6 uses to send requests to +- ``sender-ip`` - the IP address which kea-dhcp6 uses to send requests to D2. The default value is blank, which instructs kea-dhcp6 to select a suitable address. -- ``sender-port`` - port which kea-dhcp6 uses to send requests to D2. +- ``sender-port`` - the port which kea-dhcp6 uses to send requests to D2. The default value of 0 instructs kea-dhcp6 to select a suitable port. -- ``max-queue-size`` - maximum number of requests allowed to queue +- ``max-queue-size`` - the maximum number of requests allowed to queue waiting to be sent to D2. This value guards against requests accumulating uncontrollably if they are being generated faster than they can be delivered. If the number of requests queued for transmission reaches this value, DDNS updating will be turned off until the queue backlog has been sufficiently reduced. The intent is - to allow kea-dhcp6 to continue lease operations without running the + to allow the kea-dhcp6 server to continue lease operations without running the risk that its memory usage grows without limit. The default value is 1024. -- ``ncr-protocol`` - socket protocol to use when sending requests to +- ``ncr-protocol`` - the socket protocol to use when sending requests to D2. Currently only UDP is supported. -- ``ncr-format`` - packet format to use when sending requests to D2. +- ``ncr-format`` - the packet format to use when sending requests to D2. Currently only JSON format is supported. By default, kea-dhcp-ddns is assumed to be running on the same machine as kea-dhcp6, and all of the default values mentioned above should be sufficient. If, however, D2 has been configured to listen on a different -address or port, these values must altered accordingly. For example, if +address or port, these values must be altered accordingly. For example, if D2 has been configured to listen on 2001:db8::5 port 900, the following configuration is required: @@ -2617,12 +2604,12 @@ When Does the kea-dhcp6 Server Generate a DDNS Request? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ kea-dhcp6 follows the behavior prescribed for DHCP servers in `RFC -4704 `__. It is important to keep in +4704 `__. It is important to keep in mind that kea-dhcp6 makes the initial decision of when and what to update and forwards that information to D2 in the form of NCRs. Carrying out the actual DNS updates and dealing with such things as conflict resolution are within the purview of D2 itself -(`??? <#dhcp-ddns-server>`__). This section describes when kea-dhcp6 +(see :ref:`dhcp-ddns-server`). This section describes when kea-dhcp6 will generate NCRs and the configuration parameters that can be used to influence this decision. It assumes that the ``enable-updates`` parameter is true. @@ -2636,19 +2623,19 @@ parameter is true. In general, kea-dhcp6 will generate DDNS update requests when: -1. A new lease is granted in response to a DHCPREQUEST +1. A new lease is granted in response to a DHCPREQUEST; 2. An existing lease is renewed but the FQDN associated with it has - changed + changed; or -3. An existing lease is released in response to a DHCPRELEASE +3. An existing lease is released in response to a DHCPRELEASE. In the second case, lease renewal, two DDNS requests will be issued: one request to remove entries for the previous FQDN, and a second request to add entries for the new FQDN. In the last case, a lease release, a single DDNS request to remove its entries will be made. -The decisions involved when granting a new lease the first case) are +As for the first case, the decisions involved when granting a new lease are more complex. When a new lease is granted, kea-dhcp6 will generate a DDNS update request only if the DHCPREQUEST contains the FQDN option (code 39). By default, kea-dhcp6 will respect the FQDN N and S flags @@ -2677,19 +2664,19 @@ specified by the client as shown in the following table: | | | request | | +-----------------+-----------------+-----------------+-----------------+ -The first row in the table above represents "client delegation". Here +The first row in the table above represents "client delegation." Here the DHCP client states that it intends to do the forward DNS updates and the server should do the reverse updates. By default, kea-dhcp6 will honor the client's wishes and generate a DDNS request to D2 to update only reverse DNS data. The parameter ``override-client-update`` can be used to instruct the server to override client delegation requests. When -this parameter is true, kea-dhcp6 will disregard requests for client +this parameter is "true", kea-dhcp6 will disregard requests for client delegation and generate a DDNS request to update both forward and reverse DNS data. In this case, the N-S-O flags in the server's response to the client will be 0-1-1 respectively. (Note that the flag combination N=1, S=1 is prohibited according to `RFC -4702 `__. If such a combination is +4702 `__. If such a combination is received from the client, the packet will be dropped by kea-dhcp6.) To override client delegation, set the following values in the @@ -2710,7 +2697,7 @@ requests that no DNS updates be done. The parameter, ``override-no-update``, can be used to instruct the server to disregard the client's wishes. When this parameter is true, kea-dhcp6 will generate DDNS update requests to kea-dhcp-ddns even if the client -requests no updates be done. The N-S-O flags in the server's response to +requests that no updates be done. The N-S-O flags in the server's response to the client will be 0-1-1. To override client delegation, issue the following commands: @@ -2747,22 +2734,21 @@ entries are: 3. If the candidate name provided is empty, generate an FQDN using a configurable prefix and suffix. -4. If the client provided neither option, then no DNS action will be - taken. +4. If the client provides neither option, then take no DNS action. These rules can be amended by setting the ``replace-client-name`` parameter, which provides the following modes of behavior: -- ``never`` - Use the name the client sent. If the client sent no name, +- ``never`` - use the name the client sent. If the client sent no name, do not generate one. This is the default mode. -- ``always`` - Replace the name the client sent. If the client sent no +- ``always`` - replace the name the client sent. If the client sent no name, generate one for the client. -- ``when-present`` - Replace the name the client sent. If the client +- ``when-present`` - replace the name the client sent. If the client sent no name, do not generate one. -- ``when-not-present`` - Use the name the client sent. If the client +- ``when-not-present`` - use the name the client sent. If the client sent no name, generate one for the client. .. @@ -2770,21 +2756,11 @@ parameter, which provides the following modes of behavior: **Note** Note that in early versions of Kea, this parameter was a boolean and - permitted only values of - true - and - false - . Boolean values have been deprecated and are no longer accepted. If - you are currently using booleans, you must replace them with the - desired mode name. A value of - true - maps to - "when-present" - , while - false - maps to - "never" - . + permitted only values of ``true`` and ``false``. + Boolean values have been deprecated and are no longer accepted. + Administrators currently using booleans must replace them with the + desired mode name. A value of ``true`` maps to ``"when-present"``, while + ``false`` maps to ``"never"``. For example, to instruct kea-dhcp6 to always generate the FQDN for a client, set the parameter ``replace-client-name`` to ``always`` as @@ -2816,7 +2792,7 @@ its value, simply set it to the desired string: The suffix used when generating an FQDN, or when qualifying a partial name, is specified by the ``qualifying-suffix`` parameter. This -parameter has no default value, thus it is mandatory when DDNS updates +parameter has no default value; thus, it is mandatory when DDNS updates are enabled. To set its value simply set it to the desired string: :: @@ -2848,7 +2824,7 @@ the format: where address-text is simply the lease IP address converted to a hyphenated string. For example, if the lease address is 3001:1::70E, the qualifying suffix "example.com", and the default value is used for -``generated-prefix``, the generated FQDN would be: +``generated-prefix``, the generated FQDN is: myhost-3001-1--70E.example.com. @@ -2857,11 +2833,11 @@ myhost-3001-1--70E.example.com. Sanitizing Client FQDN Names ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -It may be that some of your DHCP clients provide values in the name -component of the FQDN option (Option code 39) that contain undesirable +Some DHCP clients may provide values in the name +component of the FQDN option (option code 39) that contain undesirable characters. It is possible to configure kea-dhcp6 to sanitize these values. The most typical use case is ensuring that only characters that -are permitted by RFC 1035 be included: A-Z,a-z,0-9, and '-'. This may be +are permitted by RFC 1035 be included: A-Z, a-z, 0-9, and '-'. This may be accomplished with the following two parameters: - ``hostname-char-set`` - a regular expression describing the invalid @@ -2889,28 +2865,29 @@ digit, hyphen, or dot with the letter 'x': ... } -Thus, a client supplied value of "myhost-$[123.org" would become +Thus, a client-supplied value of "myhost-$[123.org" would become "myhost-xx123.org". Sanitizing is performed only on the portion of the name supplied by the client, and it is performed before applying a qualifying suffix (if one is defined and needed). + **Note** The following are some considerations to keep in mind: Name sanitizing is meant to catch the more common cases of invalid characters through a relatively simple character-replacement scheme. - It is difficult to devise a scheme that works well in all cases. If - you find you have clients that are using odd corner cases of + It is difficult to devise a scheme that works well in all cases. + Administrators who find they have clients with odd corner cases of character combinations that cannot be readily handled with this - mechanism, you should consider writing a hook that can carry out - sufficiently complex logic to address your needs. + mechanism should consider writing a hook that can carry out + sufficiently complex logic to address their needs. - Do not include dots in your hostname-char-set expression. When + Do not include dots in the hostname-char-set expression. When scrubbing FQDNs, dots are treated as delimiters and used to separate the option value into individual domain labels that are scrubbed and then re-assembled. - If your clients are sending values that differ only by characters - considered as invalid by your hostname-char-set, be aware that + If clients are sending values that differ only by characters + considered as invalid by the hostname-char-set, be aware that scrubbing them will yield identical values. In such cases, DDNS conflict rules will permit only one of them to register the name. @@ -2927,10 +2904,10 @@ DHCPv4-over-DHCPv6: DHCPv6 Side ------------------------------- The support of DHCPv4-over-DHCPv6 transport is described in `RFC -7341 `__ and is implemented using +7341 `__ and is implemented using cooperating DHCPv4 and DHCPv6 servers. This section is about the configuration of the DHCPv6 side (the DHCPv4 side is described in -`??? <#dhcp4-dhcp4o6-config>`__). +:ref:`dhcp4-dhcp4o6-config`). **Note** @@ -2942,11 +2919,11 @@ configuration of the DHCPv6 side (the DHCPv4 side is described in There is only one specific parameter for the DHCPv6 side: ``dhcp4o6-port``, which specifies the first of the two consecutive ports of the UDP sockets used for the communication between the DHCPv6 and -DHCPv4 servers (the DHCPv6 server is bound to ::1 on ``port`` and -connected to ::1 on ``port`` + 1). +DHCPv4 servers. The DHCPv6 server is bound to ::1 on ``port`` and +connected to ::1 on ``port`` + 1. Two other configuration entries are generally required: unicast traffic -support (see `Unicast Traffic Support <#dhcp6-unicast>`__) and DHCP 4o6 +support (see :ref:`dhcp6-unicast`) and DHCP 4o6 server address option (name "dhcp4o6-server-addr", code 88). The following configuration was used during some tests: @@ -3013,15 +2990,15 @@ Sanity Checks in DHCPv6 ----------------------- An important aspect of a well-running DHCP system is an assurance that -the data remains consistent. However, in some cases it may be convenient +the data remain consistent. However, in some cases it may be convenient to tolerate certain inconsistent data. For example, a network administrator that temporarily removed a subnet from a configuration -wouldn't want all the leases associated with it disappear from the lease +would not want all the leases associated with it to disappear from the lease database. Kea has a mechanism to control sanity checks for situations such as this. Kea supports a configuration scope called ``sanity-checks``. It -currently allows only a single parameter called ``lease-checks``, which +currently allows only a single parameter, called ``lease-checks``, which governs the verification carried out when a new lease is loaded from a lease file. This mechanism permits Kea to attempt to correct inconsistent data. @@ -3040,27 +3017,27 @@ discarded, a warning is displayed, or a new subnet is selected for the lease that matches it topologically. Since delegated prefixes do not have to belong to a subnet in which -they're offered, there is no way to implement such a mechanism for IPv6 +they are offered, there is no way to implement such a mechanism for IPv6 prefixes. As such, the mechanism works for IPv6 addresses only. There are five levels which are supported: -- ``none`` - do no special checks; accept the lease as is +- ``none`` - do no special checks; accept the lease as is. -- ``warn`` - if problems are detected, a warning will be displayed, but - the lease data will be accepted anyway. This is the default value. +- ``warn`` - if problems are detected display a warning, but + accept the lease data anyway. This is the default value. -- ``fix`` - If data inconsistency is discovered, Kea will try to +- ``fix`` - if a data inconsistency is discovered, try to correct it. If the correction is not successful, the incorrect data will be inserted anyway. -- ``fix-del`` - If a data inconsistency is discovered, Kea will try to - correct it. If the correction is not succesful, the lease will be - rejected. This setting ensures the data's correctness, but some +- ``fix-del`` - if a data inconsistency is discovered, try to + correct it. If the correction is not successful, reject the lease. + This setting ensures the data's correctness, but some incorrect data may be lost. Use with care. -- ``del`` - This is the strictest mode. If any inconsistency is - detected, the lease is rejected. Use with care. +- ``del`` - this is the strictest mode. If any inconsistency is + detected, reject the lease. Use with care. This feature is currently implemented for the memfile backend. @@ -3083,28 +3060,28 @@ Host Reservation in DHCPv6 There are many cases where it is useful to provide a configuration on a per-host basis. The most obvious one is to reserve a specific, static IPv6 address or/and prefix for exclusive use by a given client (host); -the returning client will get the same address or/and prefix every time, -and other clients will never get that address. Another example when host +the returning client will receive the same address or/and prefix every time, +and other clients will never get that address. Another situation when host reservations are applicable is when a host has specific requirements, e.g. a printer that needs additional DHCP options or a cable modem that needs specific parameters. Yet another possible use case is to define unique names for hosts. Note that there may be cases when a new reservation has been made for a -client for the address or prefix currently in use by another client. We -call this situation a "conflict." The conflicts get resolved +client for an address or prefix currently in use by another client. We +call this situation a "conflict." These conflicts get resolved automatically over time as described in subsequent sections. Once the -conflict is resolved, the client will keep receiving the reserved +conflict is resolved, the correct client will receive the reserved configuration when it renews. Host reservations are defined as parameters for each subnet. Each host -must be identified by either DUID or its hardware/MAC address. See -`MAC/Hardware Addresses in DHCPv6 <#mac-in-dhcpv6>`__ for details. There -is an optional ``reservations`` array in the ``subnet6`` structure. Each +must be identified by either DUID or its hardware/MAC address; see +:ref:`mac-in-dhcpv6` for details. There +is an optional ``reservations`` array in the ``subnet6`` structure; each element in that array is a structure that holds information about a single host. In particular, the structure has an identifier that -uniquely identifies a host. In the DHCPv6 context, such an identifier is -usually a DUID, but can also be a hardware or MAC address. One or more +uniquely identifies a host. In the DHCPv6 context, the identifier is +usually a DUID, but it can also be a hardware or MAC address. One or more addresses or prefixes may also be specified, and it is possible to specify a hostname and DHCPv6 options for a given host. @@ -3146,7 +3123,7 @@ specific hosts: This example includes reservations for three different clients. The first reservation is for the address 2001:db8:1::100 for a client using DUID 01:02:03:04:05:0A:0B:0C:0D:0E. The second reservation is for two -addresses 2001:db8:1::101 and 2001:db8:1::102, for a client using MAC +addresses, 2001:db8:1::101 and 2001:db8:1::102, for a client using MAC address 00:01:02:03:04:05. Lastly, address 2001:db8:1::103 and prefix 2001:db8:2:abcd::/64 are reserved for a client using DUID 01:02:03:04:05:06:07:08:09:0A. The last reservation also assigns a @@ -3174,19 +3151,19 @@ be assigned to the client at that moment, the server will try to assign leases dynamically. Making a reservation for a mobile host that may visit multiple subnets -requires a separate host definition in each subnet it is expected to +requires a separate host definition in each subnet that host is expected to visit. It is not possible to define multiple host definitions with the same hardware address in a single subnet. Multiple host definitions with the same hardware address are valid if each is in a different subnet. The reservation for a given host should include only one identifier, -either DUID or hardware address. Defining both for the same host is +either DUID or hardware address; defining both for the same host is considered a configuration error. Adding host reservations incurs a performance penalty. In principle, when a server that does not support host reservation responds to a query, it needs to check whether there is a lease for a given address -being considered for allocation or renewal. The server that also -supports host reservation has to perform additional checks: not only +being considered for allocation or renewal. The server that does +support host reservation has to perform additional checks: not only whether the address is currently used (i.e., if there is a lease for it), but also whether the address could be used by someone else (i.e., if there is a reservation for it). That additional check incurs extra @@ -3203,7 +3180,7 @@ server. There may be an additional address space defined for prefix delegation. Those dynamic parts are referred to as dynamic pools, address and prefix pools, or simply pools. In principle, a host reservation can reserve any address or prefix that belongs to the -subnet. The reservations that specify addresses that belongs to +subnet. The reservations that specify addresses that belong to configured pools are called "in-pool reservations." In contrast, those that do not belong to dynamic pools are called "out-of-pool reservations." There is no formal difference in the reservation syntax @@ -3214,16 +3191,15 @@ specified at the global level within the configuration and that do not belong to any specific subnet. Kea will still match inbound client packets to a subnet as before, but when the subnet's reservation mode is set to ``"global"``, Kea will look for host reservations only among the -global reservations defined. Typcially, such reservations would be used +global reservations defined. Typically, such reservations would be used to reserve hostnames for clients which may move from one subnet to another. **Note** - You can reserve any ip-address or prefix in a global reservation. - Just keep in mind that Kea will not do any sanity checking on the - address or prefix and that for Kea 1.5.0, support for global - reservations should be considered experimental. + Global reservations, while useful in certain circumstances, have aspects + that must be given due consideration when using them, please see + :ref:`reservation6-conflict` for more details. .. _reservation6-conflict: @@ -3244,18 +3220,18 @@ requests an address, the server is not able to assign the reserved address 2001:db8::10. A naive approach would to be immediately remove the lease for Host A and create a new one for Host B. That would not solve the problem, though, because as soon as Host B gets the address, -it will detect that the address is already in use by someone else (Host +it will detect that the address is already in use (by Host A) and will send a DHCPDECLINE message. Therefore, in this situation, the server has to temporarily assign a different address from the dynamic pool (not matching what has been reserved) to Host B. When Host A renews its address, the server will discover that the -address being renewed is now reserved for someone else (Host B). -Therefore, the server will remove the lease for 2001:db8::10, select a +address being renewed is now reserved for someone else - Host B. +The server will remove the lease for 2001:db8::10, select a new address, and create a new lease for it. It will send two addresses in its response: the old address, with lifetime set to 0 to explicitly indicate that it is no longer valid; and the new address, with a -non-zero lifetime. When Host B renews its temporarily assigned address, +non-zero lifetime. When Host B tries to renew its temporarily assigned address, the server will detect that the existing lease does not match the reservation, so it will release the current address Host B has and will create a new lease matching the reservation. As before, the server will @@ -3267,20 +3243,21 @@ reserved address. If Host C requests the address 2001:db8::10 after the reservation is made, the server will propose a different address. This recovery mechanism allows the server to fully recover from a case -where reservations conflict with existing leases. This procedure takes -time and will roughly take as long as the value set for renew-timer. The +where reservations conflict with existing leases; however, this procedure +will take roughly take as long as the value set for renew-timer. The best way to avoid such recovery is not to define new reservations that conflict with existing leases. Another recommendation is to use out-of-pool reservations. If the reserved address does not belong to a -pool, there is no way that other clients can get this address. +pool, there is no way that other clients can get it. **Note** The conflict-resolution mechanism does not work for global - reservations. As of Kea 1.5.0, it is generally recommended not to use - global reservations for addresses or prefixes. If you choose to use - them anyway, you must manually ensure that the reserved values are - not in the dynamic pools. + reservations. Although the global address reservations feature may be useful + in certain settings, it is generally recommended not to use + global reservations for addresses. Administrators who do choose + to use global reservations must manually ensure that the reserved + addresses are not in dynamic pools. .. _reservation6-hostname: @@ -3356,11 +3333,10 @@ Including Specific DHCPv6 Options in Reservations Kea offers the ability to specify options on a per-host basis. These options follow the same rules as any other options. These can be -standard options (see `Standard DHCPv6 Options <#dhcp6-std-options>`__), -custom options (see `Custom DHCPv6 Options <#dhcp6-custom-options>`__), -or vendor-specific options (see `DHCPv6 Vendor-Specific -Options <#dhcp6-vendor-opts>`__). The following example demonstrates how -standard options can be defined. +standard options (see :ref:`dhcp6-std-options`), +custom options (see :ref:`dhcp6-custom-options`), +or vendor-specific options (see :ref:`dhcp4-vendor-opts`). The following +example demonstrates how standard options can be defined. :: @@ -3403,21 +3379,21 @@ Vendor-specific options can be reserved in a similar manner: Options defined at host level have the highest priority. In other words, if there are options defined with the same type on global, subnet, -class, and host level, the host-specific values will be used. +class, and host levels, the host-specific values will be used. .. _reservation6-client-classes: Reserving Client Classes in DHCPv6 ---------------------------------- -`??? <#classification-using-expressions>`__ explains how to configure +:ref:`classification-using-expressions` explains how to configure the server to assign classes to a client, based on the content of the options that this client sends to the server. Host reservations mechanisms also allow for the static assignment of classes to clients. The definitions of these classes are placed in the Kea configuration. The following configuration snippet shows how to specify that the client belongs to classes ``reserved-class1`` and ``reserved-class2``. Those -classes are associated with specific options being sent to the clients +classes are associated with specific options that are sent to the clients which belong to them. :: @@ -3463,9 +3439,9 @@ indirectly) and not only-if-required is evaluated. **Note** - If you want to force the evaluation of a class expression after the + To force the evaluation of a class expression after the host reservation lookup, for instance because of a dependency on - "reserved-class1" from the previous example, you should add a + "reserved-class1" from the previous example, add a "member('KNOWN')" statement in the expression. .. _reservations6-mysql-pgsql-cql: @@ -3474,12 +3450,12 @@ Storing Host Reservations in MySQL, PostgreSQL, or Cassandra ------------------------------------------------------------ It is possible to store host reservations in MySQL, PostgreSQL, or -Cassandra. See `Hosts Storage <#hosts6-storage>`__ for information on +Cassandra. See :ref:`hosts6-storage` for information on how to configure Kea to use reservations stored in MySQL, PostgreSQL, or Cassandra. Kea provides a dedicated hook for managing reservations in a -database; section `??? <#host-cmds>`__ provides detailed information. -The Kea wiki -https://gitlab.isc.org/isc-projects/kea/wikis/designs/commands#23-host-reservations-hr-management +database; section :ref:`host-cmds` provides detailed information. +The `Kea wiki +`__ provides some examples of how to conduct common host reservations operations. @@ -3490,7 +3466,7 @@ operations. .. _reservations6-tuning: -Fine Tuning DHCPv6 Host Reservation +Fine-Tuning DHCPv6 Host Reservation ----------------------------------- The host reservation capability introduces additional restrictions for @@ -3518,19 +3494,19 @@ allocating or renewing a lease for the client. Allowed values are: flexible. However, as all checks are conducted, it is also the slowest. It does not check against global reservations. -- ``out-of-pool`` - allows only out of pool host reservations. With +- ``out-of-pool`` - allows only out-of-pool host reservations. With this setting in place, the server may assume that all host reservations are for addresses that do not belong to the dynamic pool. Therefore, it can skip the reservation checks when dealing with in-pool addresses, thus improving performance. Do not use this mode - if any of your reservations use in-pool addresses. Caution is advised + if any reservations use in-pool addresses. Caution is advised when using this setting; Kea does not sanity-check the reservations against ``reservation-mode`` and misconfiguration may cause problems. - ``global`` - allows only global host reservations. With this setting in place, the server searches for reservations for a client only among the defined global reservations. If an address is specified, - the server will skip the reservation checks carried out when dealing + the server skips the reservation checks carried out when dealing in other modes, thus improving performance. Caution is advised when using this setting; Kea does not sanity-check the reservations when ``global`` and misconfiguration may cause problems. @@ -3585,14 +3561,13 @@ An example configuration using global reservations is shown below: ] } -For more details regarding global reservations, see `Global Reservations -in DHCPv6 <#global-reservations6>`__. +For more details regarding global reservations, see :ref:`global-reservations6`. -Another aspect of the host reservations is the different types of +Another aspect of host reservations is the different types of identifiers. Kea currently supports two types of identifiers in DHCPv6: hardware address and DUID. This is beneficial from a usability perspective; however, there is one drawback. For each incoming packet -Kea has to to extract each identifier type and then query the database +Kea has to extract each identifier type and then query the database to see if there is a reservation by this particular identifier. If nothing is found, the next identifier is extracted and the next query is issued. This process continues until either a reservation is found or @@ -3601,11 +3576,11 @@ number of supported identifier types, Kea would become slower and slower. To address this problem, a parameter called -``host-reservation-identifiers`` has been introduced. It takes a list of +``host-reservation-identifiers`` is available. It takes a list of identifier types as a parameter. Kea will check only those identifier types enumerated in host-reservation-identifiers. From a performance perspective, the number of identifier types should be kept to a minimum, -ideally one. If your deployment uses several reservation types, please +ideally one. If the deployment uses several reservation types, please enumerate them from most- to least-frequently used, as this increases the chances of Kea finding the reservation using the fewest queries. An example of host reservation identifiers looks as follows: @@ -3651,7 +3626,7 @@ used in both subnets and a device matching global host reservations visits part of the network that is covered by 2001:db8:ffff::/48, it will get an IP address 2001:db8:ffff::1, which will be outside of the prefix announced by its local router using Router Advertisements. Such a -configuration would be unusable or, at the very least, riddled with +configuration is unusable or, at the very least, riddled with issues, such as downlink traffic not reaching the device. To use global host reservations, a configuration similar to the @@ -3672,9 +3647,9 @@ following can be used: "hw-address": "01:02:03:04:05:06", "hostname": "hw-host-fixed", - // Use of IP address is global reservation is risky. If used outside of + // Use of IP address in global reservation is risky. If used outside of // matching subnet, such as 3001::/64, it will result in a broken - // configuration being handled to the client. + // configuration being handed to the client. "ip-address": "2001:db8:ff::77" }, { @@ -3700,28 +3675,28 @@ Shared Networks in DHCPv6 ========================= DHCP servers use subnet information in two ways. First, it is used to -determine the point of attachment, or simply put, where the client is +determine the point of attachment, or where the client is connected to the network. Second, the subnet information is used to group information pertaining to a specific location in the network. This -approach works well in general cases, but there are scenarios where the +approach works well in general, but there are scenarios where the boundaries are blurred. Sometimes it is useful to have more than one -logical IP subnet being deployed on the same physical link. The need to -understand that two or more subnets are used on the same link requires +logical IP subnet being deployed on the same physical link. +Understanding that two or more subnets are used on the same link requires additional logic in the DHCP server. This capability is called "shared -networks" in Kea and ISC DHCP configurations. It is sometimes also -called "shared subnets." In Microsoft's nomenclature it is called -"multinet." +networks" in the Kea and ISC DHCP projects. (It is sometimes also +called "shared subnets"; in Microsoft's nomenclature it is called +"multinet.") -There are many use cases where the feature is useful. The most common -example in the IPv4 case is when the server is running out of available +There are many use cases where the feature is useful; the most common +example in IPv4 is when the server is running out of available addresses in a subnet. This is less common in IPv6, but shared networks are still useful in IPv6. One of the use cases is an exhaustion of IPv6- -delegated prefixes within a subnet. Another IPv6-specific example is an +delegated prefixes within a subnet; another is an experiment with an addressing scheme. With the advent of IPv6 deployment and a vast address space, many organizations split the address space into subnets, deploy it, and then after a while discover that they want to split it differently. In the transition period, they want both old -and new addressing to be available. Thus the need for more than one +and new addressing to be available; thus the need for more than one subnet on the same physical link. Finally, the case of cable networks is directly applicable in IPv6. @@ -3729,7 +3704,7 @@ There are two types of devices in cable networks: cable modems and the end-user devices behind them. It is a common practice to use different subnets for cable modems to prevent users from tinkering with them. In this case, the distinction is based on the type of device, rather than -address-space exhaustion. +on address-space exhaustion. A client connected to a shared network may be assigned a lease (address or prefix) from any of the pools defined within the subnets belonging to @@ -3737,13 +3712,13 @@ the shared network. Internally, the server selects one of the subnets belonging to a shared network and tries to allocate a lease from this subnet. If the server is unable to allocate a lease from the selected subnet (e.g., due to pools exhaustion), it will use another subnet from -the same shared network and try to allocate a lease from this subnet, -etc. Therefore, in the typical case, the server will allocate all leases +the same shared network and will try to allocate a lease from this subnet, +etc. Therefore, the server will typically allocate all leases available in a given subnet before it starts allocating leases from other subnets belonging to the same shared network. However, in certain situations the client can be allocated a lease from the other subnets -before the pools in the first subnet get exhausted, e.g. when the client -provides a hint that belongs to another subnet or the client has +before the pools in the first subnet get exhausted; this sometimes occurs +when the client provides a hint that belongs to another subnet, or the client has reservations in a subnet other than the default. **Note** @@ -3765,7 +3740,7 @@ introduced: // and it must be unique among all shared networks. "name": "ipv6-lab-1", - // The subnet selector can be specifed on the shared network level. + // The subnet selector can be specified on the shared network level. // Subnets from this shared network will be selected for clients // communicating via relay agent having the specified IP address. "relay": { @@ -3786,11 +3761,11 @@ introduced: ] } ], // end of shared-networks - // It is likely that in your network you'll have a mix of regular, + // It is likely that in the network there will be a mix of regular, // "plain" subnets and shared networks. It is perfectly valid to mix - // them in the same config file. + // them in the same configuration file. // - // This is regular subnet. It's not part of any shared-network. + // This is a regular subnet. It is not part of any shared-network. "subnet6": [ { "subnet": "2001:db9::/48", @@ -3804,23 +3779,23 @@ introduced: } // end of Dhcp6 } -As you see in the example, it is possible to mix shared and regular +As demonstrated in the example, it is possible to mix shared and regular ("plain") subnets. Each shared network must have a unique name. This is similar to the ID for subnets, but gives administrators more -flexibility. This is used for logging, but also internally for +flexibility. It is used for logging, but also internally for identifying shared networks. In principle it makes sense to define only shared networks that consist -of two or more subnets. However, for testing purposes it is allowed to -define a shared network with just one subnet or even an empty one. This +of two or more subnets. However, for testing purposes, an empty subnet +or a network with just a single subnet is allowed. This is not a recommended practice in production networks, as the shared network logic requires additional processing and thus lowers the server's performance. To avoid unnecessary performance degradation, the shared subnets should only be defined when required by the deployment. Shared networks provide an ability to specify many parameters in the -shared network scope that will apply to all subnets within it. If -necessary, you can specify a parameter in the shared network scope and +shared network scope that apply to all subnets within it. If +necessary, it is possible to specify a parameter in the shared network scope and then override its value in the subnet scope. For example: :: @@ -3876,11 +3851,11 @@ then override its value in the subnet scope. For example: } ] In this example, there is a dns-servers option defined that is available -to clients in both subnets in this shared network. Also, a valid +to clients in both subnets in this shared network. Also, the valid lifetime is set to 10 minutes (600s). However, the first subnet overrides some of the values (valid lifetime is 20 minutes, different IP address for dns-servers), but also adds its own option (unicast -address). Assuming a client asking for a server unicast and dns servers +address). Assuming a client asking for a server unicast and dns-servers options is assigned a lease from this subnet, it will get a lease for 20 minutes and dns-servers, and be allowed to use server unicast at address 2001:abcd::1. If the same client is assigned to the second subnet, it @@ -3890,7 +3865,7 @@ no server unicast. Some parameters must be the same in all subnets in the same shared network. This restriction applies to the ``interface`` and ``rapid-commit`` settings. The most convenient way is to define them on -the shared network scope, but you may specify them for each subnet. +the shared network scope, but they can be specified for each subnet. However, care should be taken for each subnet to have the same value. Local and Relayed Traffic in Shared Networks @@ -3913,7 +3888,7 @@ convenient to specify it once at the shared network level. { "name": "office-floor-2", - // This tells Kea that the whole shared networks is reachable over + // This tells Kea that the whole shared network is reachable over a // local interface. This applies to all subnets in this network. "interface": "eth0", @@ -3927,7 +3902,7 @@ convenient to specify it once at the shared network level. "subnet": "3ffe:abcd::/64", "pools": [ { "pool": "3ffe:abcd::1 - 3ffe:abcd::ffff" } ] - // Specifying a different interface name is configuration + // Specifying a different interface name is a configuration // error: // "interface": "eth1" } @@ -3935,7 +3910,7 @@ convenient to specify it once at the shared network level. } ] Somewhat similar to interface names, relay IP addresses can also be -specified for the whole shared network. However, depending on your relay +specified for the whole shared network. However, depending on the relay configuration, it may use different IP addresses depending on which subnet is being used. Thus there is no requirement to use the same IP relay address for each subnet. Here's an example: @@ -3968,7 +3943,7 @@ relay address for each subnet. Here's an example: ] In this particular case the relay IP address specified at the network -level doesn't have much sense, as it is overridden in both subnets, but +level doesn't make much sense, as it is overridden in both subnets, but it was left there as an example of how one could be defined at the network level. Note that the relay agent IP address typically belongs to the subnet it relays packets from, but this is not a strict requirement. @@ -3979,7 +3954,7 @@ Client Classification in Shared Networks Sometimes it is desirable to segregate clients into specific subnets based on certain properties. This mechanism is called client -classification and is described in `??? <#classify>`__. Client +classification and is described in :ref:`classify`. Client classification can be applied to subnets belonging to shared networks in the same way as it is used for subnets specified outside of shared networks. It is important to understand how the server selects subnets @@ -4024,13 +3999,13 @@ following example: } If the client belongs to the "b-devices" class (because it includes -option 1234 with a value of 0x0002), that doesn't guarantee that the +option 1234 with a value of 0x0002), that does not guarantee that the subnet 2001:db8:3::/64 will be used (or preferred) for this client. The -server can use either of the two subnets because the subnet +server can use either of the two subnets, because the subnet 2001:db8:1::/64 is also allowed for this client. The client classification used in this case should be perceived as a way to restrict access to certain subnets, rather than a way to express subnet -preference. For example, if the client doesn't belong to the "b-devices" +preference. For example, if the client does not belong to the "b-devices" class it may only use the subnet 2001:db8:1::/64 and will never use the subnet 2001:db8:3::/64. @@ -4141,19 +4116,19 @@ similar to regular subnets: It is worth noting that Kea conducts additional checks when processing a -packet if shared networks are defined. Instead of simply checking +packet if shared networks are defined. First, instead of simply checking whether there's a reservation for a given client in its initially -selected subnet, it looks through all subnets in a shared network for a +selected subnet, Kea looks through all subnets in a shared network for a reservation. This is one of the reasons why defining a shared network may impact performance. If there is a reservation for a client in any subnet, that particular subnet will be picked for the client. Although -it's technically not an error, it is considered a bad practice to define +it is technically not an error, it is considered a bad practice to define reservations for the same host in multiple subnets belonging to the same shared network. While not strictly mandatory, it is strongly recommended to use explicit -"id" values for subnets if you plan to use database storage for host -reservations. If ID is not specified, the values for it are +"id" values for subnets if database storage will be used for host +reservations. If an ID is not specified, the values for it are autogenerated, i.e. it assigns increasing integer values starting from 1. Thus, the autogenerated IDs are not stable across configuration changes. @@ -4165,7 +4140,7 @@ Server Identifier in DHCPv6 The DHCPv6 protocol uses a "server identifier" (also known as a DUID) to allow clients to discriminate between several servers present on the -same link. `RFC 8415 `__ currently +same link. `RFC 8415 `__ currently defines four DUID types: DUID-LLT, DUID-EN, DUID-LL, and DUID-UUID. The Kea DHCPv6 server generates a server identifier once, upon the first @@ -4173,10 +4148,10 @@ startup, and stores it in a file. This identifier is not modified across restarts of the server and so is a stable identifier. Kea follows the recommendation from `RFC -8415 `__ to use DUID-LLT as the -default server identifier. However, we have received reports that some +8415 `__ to use DUID-LLT as the +default server identifier. However, ISC has received reports that some deployments require different DUID types, and there is a need to -administratively select both DUID type and/or its contents. +administratively select both the DUID type and/or its contents. The server identifier can be configured using parameters within the ``server-id`` map element in the global scope of the Kea configuration @@ -4192,10 +4167,10 @@ server identifier: ... } -Currently supported values for ``type`` parameter are: "LLT", "EN", and +Currently supported values for the ``type`` parameter are: "LLT", "EN", and "LL", for DUID-LLT, DUID-EN, and DUID-LL respectively. -When a new DUID type is selected the server generates its value and +When a new DUID type is selected, the server generates its value and replaces any existing DUID in the file. The server then uses the new server identifier in all future interactions with the clients. @@ -4214,7 +4189,7 @@ server identifier in all future interactions with the clients. identifier, this will be at the cost of an increased number of renewals and multicast traffic due to a need to rebind. Therefore, it is recommended that modification of the server identifier type and - value is avoided if the server has already assigned leases and these + value be avoided if the server has already assigned leases and these leases are still valid. There are cases when an administrator needs to explicitly specify a DUID @@ -4243,7 +4218,7 @@ where: - ``time`` is a 32-bit unsigned time value. The hexadecimal representation of the DUID generated as a result of the -configuration specified above will be: +configuration specified above is: :: @@ -4252,7 +4227,7 @@ configuration specified above will be: A special value of 0 for "htype" and "time" is allowed, which indicates that the server should use ANY value for these components. If the server -already uses a DUID-LLT it will use the values from this DUID; if the +already uses a DUID-LLT, it will use the values from this DUID; if the server uses a DUID of a different type or doesn't yet use any DUID, it will generate these values. Similarly, if the "identifier" is assigned an empty string, the value of the identifier will be generated. Omitting @@ -4395,22 +4370,22 @@ Stateless DHCPv6 (Information-Request Message) Typically DHCPv6 is used to assign both addresses and options. These assignments (leases) have a state that changes over time, hence their -name, stateful. DHCPv6 also supports a stateless mode, where clients +description as stateful. DHCPv6 also supports a stateless mode, where clients request configuration options only. This mode is considered lightweight from the server perspective, as it does not require any state tracking, and carries the stateless name. The Kea server supports stateless mode. Clients can send Information-Request messages and the server sends back answers with the -requested options (providing the options are available in the server -configuration). The server attempts to use per-subnet options first. If -that fails - for whatever reason - it then tries to provide options +requested options, providing the options are available in the server +configuration. The server attempts to use per-subnet options first; if +that fails for any reason, it then tries to provide options defined in the global scope. Stateless and stateful mode can be used together. No special configuration directives are required to handle this; simply use the configuration for stateful clients and the stateless clients will get -just the options they requested. +only the options they requested. This usage of global options allows for an interesting case. It is possible to run a server that provides only options and no addresses or @@ -4434,9 +4409,9 @@ configuration: } } -This very simple configuration will provide DNS server information to +This very simple configuration provides DNS server information to all clients in the network, regardless of their location. Note the -specification of the memfile lease database; this is needed as Kea +specification of the Memfile lease database; this is needed as Kea requires a lease database to be specified even if it is not used. .. _dhcp6-rfc7550: @@ -4444,16 +4419,16 @@ requires a lease database to be specified even if it is not used. Support for RFC 7550 (now part of RFC 8415) =========================================== -`RFC 7550 `__ introduced some +`RFC 7550 `__ introduced some changes to the previous DHCPv6 specifications, `RFC -3315 `__ and `RFC -3633 `__, to resolve a few issues +3315 `__ and `RFC +3633 `__, to resolve a few issues with the coexistence of multiple stateful options in the messages sent -between the clients and servers. Those changes were later included in +between clients and servers. Those changes were later included in the most recent DHCPv6 protocol specification, `RFC -8415 `__, which obsoleted `RFC -7550 `__. Kea supports `RFC -8415 `__ along with these protocol +8415 `__, which obsoleted `RFC +7550 `__. Kea supports `RFC +8415 `__ along with these protocol changes, which are briefly described below. When a client, such as a requesting router, requests an allocation of @@ -4480,13 +4455,13 @@ DHCPv6 server, and the server provides no configuration mechanisms to disable this behavior. The following are the other behaviors first introduced in `RFC -7550 `__ (now part of `RFC -8415 `__) and supported by the Kea +7550 `__ (now part of `RFC +8415 `__) and supported by the Kea DHCPv6 server: - Set T1/T2 timers to the same value for all stateful (IA_NA and IA_PD) - options to facilitate renewal of all a client's leases at the same - time (in a single message exchange), + options to facilitate renewal of all of a client's leases at the same + time (in a single message exchange). - Place NoAddrsAvail and NoPrefixAvail status codes in the IA_NA and IA_PD options in the Advertise message, rather than as the top-level @@ -4499,7 +4474,7 @@ Using a Specific Relay Agent for a Subnet The relay must have an interface connected to the link on which the clients are being configured. Typically the relay has a global IPv6 -address configured on the interface that belongs to the subnet from +address configured on that interface, which belongs to the subnet from which the server will assign addresses. Normally, the server is able to use the IPv6 address inserted by the relay (in the link-addr field in RELAY-FORW message) to select the appropriate subnet. @@ -4519,7 +4494,7 @@ appropriate subnet. The following example assumes that there is a subnet 2001:db8:1::/64 that is accessible via a relay that uses 3000::1 as its IPv6 address. The server is able to select this subnet for any incoming packets that -come from a relay with an address in 2001:db8:1::/64 subnet. It also +come from a relay that has an address in the 2001:db8:1::/64 subnet. It also selects that subnet for a relay with address 3000::1. :: @@ -4553,12 +4528,11 @@ mandatory. Segregating IPv6 Clients in a Cable Network =========================================== -In certain cases, it is useful to mix relay address information, -introduced in `Using a Specific Relay Agent for a -Subnet <#dhcp6-relay-override>`__, with client classification, explained -in `??? <#classify>`__. One specific example is in a cable network, -where typically modems get addresses from a different subnet than all -devices connected behind them. +In certain cases, it is useful to mix relay address information +(introduced in :ref:`dhcp6-relay-override`), with client classification, explained +in :ref:`classify`. One specific example is in a cable network, +where modems typically get addresses from a different subnet than all +the devices connected behind them. Let us assume that there is one CMTS (Cable Modem Termination System) with one CM MAC (a physical link that modems are connected to). We want @@ -4615,11 +4589,11 @@ Kea allows specification of which of the supported methods should be used and in what order. This configuration may be considered a fine tuning of the DHCP deployment. In a typical deployment the default value of ``"any"`` is sufficient and there is no need to select specific -methods. Changing the value of this parameter is the most useful in +methods. Changing the value of this parameter is most useful in cases when an administrator wants to disable certain methods; for example, if the administrator trusts the network infrastructure more than the information provided by the clients themselves, they may prefer -information provided by the relays over that provided by the clients. +information provided by the relays over that provided by clients. The configuration is controlled by the ``mac-sources`` parameter as follows: @@ -4641,11 +4615,11 @@ have at least one value. Supported methods are: -- ``any`` - Not an actual method, just a keyword that instructs Kea to +- ``any`` - not an actual method, just a keyword that instructs Kea to try all other methods and use the first one that succeeds. This is the default operation if no ``mac-sources`` are defined. -- ``raw`` - In principle, a DHCPv6 server could use raw sockets to +- ``raw`` - in principle, a DHCPv6 server could use raw sockets to receive incoming traffic and extract MAC/hardware address information. This is currently not implemented for DHCPv6 and this value has no effect. @@ -4653,26 +4627,27 @@ Supported methods are: - ``duid`` - DHCPv6 uses DUID identifiers instead of MAC addresses. There are currently four DUID types defined, and two of them (DUID-LLT, which is the default, and DUID-LL) convey MAC address - information. Although `RFC 8415 <>`__ forbids it, it is possible to + information. Although `RFC 8415 `__ + forbids it, it is possible to parse those DUIDs and extract necessary information from them. This method is not completely reliable, as clients may use other DUID types, namely DUID-EN or DUID-UUID. -- ``ipv6-link-local`` - Another possible acquisition method comes from +- ``ipv6-link-local`` - another possible acquisition method comes from the source IPv6 address. In typical usage, clients are sending their packets from IPv6 link-local addresses. There is a good chance that those addresses are based on EUI-64, which contains a MAC address. This method is not completely reliable, as clients may use other link-local address types. In particular, privacy extensions, defined - in `RFC 4941 `__, do not use MAC + in `RFC 4941 `__, do not use MAC addresses. Also note that successful extraction requires that the address's u-bit must be set to 1 and its g-bit set to 0, indicating that it is an interface identifier as per `RFC 2373, section - 2.5.1 `__. + 2.5.1 `__. -- ``client-link-addr-option`` - One extension defined to alleviate +- ``client-link-addr-option`` - one extension defined to alleviate missing MAC issues is the client link-layer address option, defined - in `RFC 6939 `__. This is an + in `RFC 6939 `__. This is an option that is inserted by a relay and contains information about a client's MAC address. This method requires a relay agent that supports the option and is configured to insert it. This method is @@ -4680,7 +4655,7 @@ Supported methods are: specified as ``rfc6939``, which is an alias for ``client-link-addr-option``. -- ``remote-id`` - `RFC 4649 `__ +- ``remote-id`` - `RFC 4649 `__ defines a remote-id option that is inserted by a relay agent. Depending on the relay agent configuration, the inserted option may convey the client's MAC address information. This parameter can also @@ -4688,7 +4663,7 @@ Supported methods are: - ``subscriber-id`` - Another option that is somewhat similar to the previous one is subscriber-id, defined in `RFC - 4580 `__. It, too, is inserted by + 4580 `__. It, too, is inserted by a relay agent that is configured to insert it. This parameter can also be specified as ``rfc4580``, which is an alias for ``subscriber-id``. This method is currently not implemented. @@ -4696,7 +4671,7 @@ Supported methods are: - ``docsis-cmts`` - Yet another possible source of MAC address information are the DOCSIS options inserted by a CMTS that acts as a DHCPv6 relay agent in cable networks. This method attempts to extract - MAC address information from suboption 1026 (cm mac) of the + MAC address information from sub-option 1026 (cm mac) of the vendor-specific option with vendor-id=4491. This vendor option is extracted from the relay-forward message, not the original client's message. @@ -4704,13 +4679,13 @@ Supported methods are: - ``docsis-modem`` - The final possible source of MAC address information are the DOCSIS options inserted by the cable modem itself. This method attempts to extract MAC address information from - suboption 36 (device id) of the vendor-specific option with + sub-option 36 (device id) of the vendor-specific option with vendor-id=4491. This vendor option is extracted from the original client's message, not from any relay options. -Empty mac-sources is not allowed. If you do not want to specify it, -either simply omit the mac-sources definition or specify it with the -"any" value which is the default. +Empty mac-sources is not allowed. Administrators who do not want to specify it +should either simply omit the mac-sources definition or specify it with the +"any" value, which is the default. .. _dhcp6-decline: @@ -4762,9 +4737,8 @@ handling procedure. The lease6_decline hook is triggered after the incoming DHCPDECLINE message has been sanitized and the server is about to decline the lease. The declined-addresses statistic is increased after the hook returns (both global and subnet-specific variants). (See -`Statistics in the DHCPv6 Server <#dhcp6-stats>`__ and -`??? <#hooks-libraries>`__ for more details on DHCPv6 statistics and Kea -hook points.) +:ref:`dhcp6-stats` and :ref:`hooks-libraries` +for more details on DHCPv6 statistics and Kea hook points.) Once the probation time elapses, the declined lease is recovered using the standard expired-lease reclamation procedure, with several @@ -4781,7 +4755,7 @@ is to monitor pool utilization. Most people would forget to include declined-addresses in the calculation, and simply use assigned-addresses/total-addresses. This would cause a bias towards under-representing pool utilization. As this has a potential for major -issues, we decided not to decrease assigned-addresses immediately after +issues, ISC decided not to decrease assigned-addresses immediately after receiving DHCPDECLINE, but to do it later when Kea recovers the address back to the available pool. @@ -4793,537 +4767,536 @@ Statistics in the DHCPv6 Server **Note** This section describes DHCPv6-specific statistics. For a general - overview and usage of statistics, see `??? <#stats>`__. + overview and usage of statistics, see :ref:`stats`. The DHCPv6 server supports the following statistics: .. table:: DHCPv6 Statistics - +-----------------------+-----------------------+-----------------------+ - | Statistic | Data Type | Description | - +=======================+=======================+=======================+ - | pkt6-received | integer | Number of DHCPv6 | - | | | packets received. | - | | | This includes all | - | | | packets: valid, | - | | | bogus, corrupted, | - | | | rejected, etc. This | - | | | statistic is expected | - | | | to grow rapidly. | - +-----------------------+-----------------------+-----------------------+ - | pkt6-receive-drop | integer | Number of incoming | - | | | packets that were | - | | | dropped. The exact | - | | | reason for dropping | - | | | packets is logged, | - | | | but the most common | - | | | reasons may be: an | - | | | unacceptable or not | - | | | supported packet type | - | | | is received, direct | - | | | responses are | - | | | forbidden, the | - | | | server-id sent by the | - | | | client does not match | - | | | the server's | - | | | server-id, or the | - | | | packet is malformed. | - +-----------------------+-----------------------+-----------------------+ - | pkt6-parse-failed | integer | Number of incoming | - | | | packets that could | - | | | not be parsed. A | - | | | non-zero value of | - | | | this statistic | - | | | indicates that the | - | | | server received a | - | | | malformed or | - | | | truncated packet. | - | | | This may indicate | - | | | problems in your | - | | | network, faulty | - | | | clients, faulty relay | - | | | agents, or a bug in | - | | | the server. | - +-----------------------+-----------------------+-----------------------+ - | pkt6-solicit-received | integer | Number of SOLICIT | - | | | packets received. | - | | | This statistic is | - | | | expected to grow; its | - | | | increase means that | - | | | clients that just | - | | | booted started their | - | | | configuration process | - | | | and their initial | - | | | packets reached your | - | | | Kea server. | - +-----------------------+-----------------------+-----------------------+ - | pkt6-advertise-receiv | integer | Number of ADVERTISE | - | ed | | packets received. | - | | | Advertise packets are | - | | | sent by the server | - | | | and the server is | - | | | never expected to | - | | | receive them. A | - | | | non-zero value of | - | | | this statistic | - | | | indicates an error | - | | | occurring in the | - | | | network. One likely | - | | | cause would be a | - | | | misbehaving relay | - | | | agent that | - | | | incorrectly forwards | - | | | ADVERTISE messages | - | | | towards the server, | - | | | rather than back to | - | | | the clients. | - +-----------------------+-----------------------+-----------------------+ - | pkt6-request-received | integer | Number of DHCPREQUEST | - | | | packets received. | - | | | This statistic is | - | | | expected to grow. Its | - | | | increase means that | - | | | clients that just | - | | | booted received the | - | | | server's response | - | | | (DHCPADVERTISE) and | - | | | accepted it, and are | - | | | now requesting an | - | | | address | - | | | (DHCPREQUEST). | - +-----------------------+-----------------------+-----------------------+ - | pkt6-reply-received | integer | Number of REPLY | - | | | packets received. | - | | | This statistic is | - | | | expected to remain | - | | | zero at all times, as | - | | | REPLY packets are | - | | | sent by the server | - | | | and the server is | - | | | never expected to | - | | | receive them. A | - | | | non-zero value | - | | | indicates an error. | - | | | One likely cause | - | | | would be a | - | | | misbehaving relay | - | | | agent that | - | | | incorrectly forwards | - | | | REPLY messages | - | | | towards the server, | - | | | rather than back to | - | | | the clients. | - +-----------------------+-----------------------+-----------------------+ - | pkt6-renew-received | integer | Number of RENEW | - | | | packets received. | - | | | This statistic is | - | | | expected to grow; its | - | | | increase means that | - | | | clients received | - | | | their addresses and | - | | | prefixes and are | - | | | trying to renew them. | - +-----------------------+-----------------------+-----------------------+ - | pkt6-rebind-received | integer | Number of REBIND | - | | | packets received. A | - | | | non-zero value | - | | | indicates that | - | | | clients didn't | - | | | receive responses to | - | | | their RENEW messages | - | | | (through the regular | - | | | lease-renewal | - | | | mechanism) and are | - | | | attempting to find | - | | | any server that is | - | | | able to take over | - | | | their leases. It may | - | | | mean that some | - | | | servers' REPLY | - | | | messages never | - | | | reached the clients. | - +-----------------------+-----------------------+-----------------------+ - | pkt6-release-received | integer | Number of RELEASE | - | | | packets received. | - | | | This statistic is | - | | | expected to grow when | - | | | a device is being | - | | | shut down in the | - | | | network; it indicates | - | | | that the address or | - | | | prefix assigned is | - | | | reported as no longer | - | | | needed. Note that | - | | | many devices, | - | | | especially wireless, | - | | | do not send RELEASE | - | | | packets either | - | | | because of design | - | | | choice or due to the | - | | | client moving out of | - | | | range. | - +-----------------------+-----------------------+-----------------------+ - | pkt6-decline-received | integer | Number of DECLINE | - | | | packets received. | - | | | This statistic is | - | | | expected to remain | - | | | close to zero. Its | - | | | increase means that a | - | | | client leased an | - | | | address, but | - | | | discovered that the | - | | | address is currently | - | | | used by an unknown | - | | | device in your | - | | | network. If this | - | | | statistic is growing, | - | | | it may indicate a | - | | | misconfigured server | - | | | or devices that have | - | | | statically assigned | - | | | conflicting | - | | | addresses. | - +-----------------------+-----------------------+-----------------------+ - | pkt6-infrequest-recei | integer | Number of | - | ved | | INFORMATION-REQUEST | - | | | packets received. | - | | | This statistic is | - | | | expected to grow if | - | | | there are devices | - | | | that are using | - | | | stateless DHCPv6. | - | | | INFORMATION-REQUEST | - | | | messages are used by | - | | | clients that request | - | | | stateless | - | | | configuration, i.e. | - | | | options and | - | | | parameters other than | - | | | addresses or | - | | | prefixes. | - +-----------------------+-----------------------+-----------------------+ - | pkt6-dhcpv4-query-rec | integer | Number of | - | eived | | DHCPv4-QUERY packets | - | | | received. This | - | | | statistic is expected | - | | | to grow if there are | - | | | devices that are | - | | | using | - | | | DHCPv4-over-DHCPv6. | - | | | DHCPv4-QUERY messages | - | | | are used by DHCPv4 | - | | | clients on an | - | | | IPv6-only line which | - | | | encapsulates the | - | | | requests over DHCPv6. | - +-----------------------+-----------------------+-----------------------+ - | pkt6-dhcpv4-response- | integer | Number of | - | received | | DHCPv4-RESPONSE | - | | | packets received. | - | | | This statistic is | - | | | expected to remain | - | | | zero at all times, as | - | | | DHCPv4-RESPONSE | - | | | packets are sent by | - | | | the server and the | - | | | server is never | - | | | expected to receive | - | | | them. A non-zero | - | | | value indicates an | - | | | error. One likely | - | | | cause would be a | - | | | misbehaving relay | - | | | agent that | - | | | incorrectly forwards | - | | | DHCPv4-RESPONSE | - | | | message towards the | - | | | server rather than | - | | | back to the clients. | - +-----------------------+-----------------------+-----------------------+ - | pkt6-unknown-received | integer | Number of packets | - | | | received of an | - | | | unknown type. A | - | | | non-zero value of | - | | | this statistic | - | | | indicates that the | - | | | server received a | - | | | packet that it wasn't | - | | | able to recognize; | - | | | either it had an | - | | | unsupported type or | - | | | was possibly | - | | | malformed. | - +-----------------------+-----------------------+-----------------------+ - | pkt6-sent | integer | Number of DHCPv6 | - | | | packets sent. This | - | | | statistic is expected | - | | | to grow every time | - | | | the server transmits | - | | | a packet. In general, | - | | | it should roughly | - | | | match pkt6-received, | - | | | as most incoming | - | | | packets cause the | - | | | server to respond. | - | | | There are exceptions | - | | | (e.g. server | - | | | receiving a REQUEST | - | | | with server-id | - | | | matching other | - | | | server), so do not | - | | | worry if it is less | - | | | than pkt6-received. | - +-----------------------+-----------------------+-----------------------+ - | pkt6-advertise-sent | integer | Number of ADVERTISE | - | | | packets sent. This | - | | | statistic is expected | - | | | to grow in most cases | - | | | after a SOLICIT is | - | | | processed. There are | - | | | certain uncommon, but | - | | | valid, cases where | - | | | incoming SOLICIT | - | | | packets are dropped, | - | | | but in general this | - | | | statistic is expected | - | | | to be close to | - | | | pkt6-solicit-received | - | | | . | - +-----------------------+-----------------------+-----------------------+ - | pkt6-reply-sent | integer | Number of REPLY | - | | | packets sent. This | - | | | statistic is expected | - | | | to grow in most cases | - | | | after a SOLICIT (with | - | | | rapid-commit), | - | | | REQUEST, RENEW, | - | | | REBIND, RELEASE, | - | | | DECLINE, or | - | | | INFORMATION-REQUEST | - | | | is processed. There | - | | | are certain cases | - | | | where there is no | - | | | response. | - +-----------------------+-----------------------+-----------------------+ - | pkt6-dhcpv4-response- | integer | Number of | - | sent | | DHCPv4-RESPONSE | - | | | packets sent. This | - | | | statistic is expected | - | | | to grow in most cases | - | | | after a DHCPv4-QUERY | - | | | is processed. There | - | | | are certain cases | - | | | where there is no | - | | | response. | - +-----------------------+-----------------------+-----------------------+ - | subnet[id].total-nas | integer | Total number of NA | - | | | addresses available | - | | | for DHCPv6 management | - | | | for a given subnet; | - | | | in other words, this | - | | | is the sum of all | - | | | addresses in all | - | | | configured pools. | - | | | This statistic | - | | | changes only during | - | | | configuration | - | | | changes. Note that it | - | | | does not take into | - | | | account any addresses | - | | | that may be reserved | - | | | due to host | - | | | reservation. The *id* | - | | | is the subnet-id of a | - | | | given subnet. This | - | | | statistic is exposed | - | | | for each subnet | - | | | separately, and is | - | | | reset during a | - | | | reconfiguration | - | | | event. | - +-----------------------+-----------------------+-----------------------+ - | subnet[id].assigned-n | integer | Number of NA | - | as | | addresses in a given | - | | | subnet that are | - | | | assigned. It | - | | | increases every time | - | | | a new lease is | - | | | allocated (as a | - | | | result of receiving a | - | | | REQUEST message) and | - | | | is decreased every | - | | | time a lease is | - | | | released (a RELEASE | - | | | message is received) | - | | | or expires. The *id* | - | | | is the subnet-id of a | - | | | given subnet. This | - | | | statistic is exposed | - | | | for each subnet | - | | | separately, and is | - | | | reset during a | - | | | reconfiguration | - | | | event. | - +-----------------------+-----------------------+-----------------------+ - | subnet[id].total-pds | integer | Total number of PD | - | | | prefixes available | - | | | for DHCPv6 management | - | | | for a given subnet; | - | | | in other words, this | - | | | is the sum of all | - | | | prefixes in all | - | | | configured pools. | - | | | This statistic | - | | | changes only during | - | | | configuration | - | | | changes. Note it does | - | | | not take into account | - | | | any prefixes that may | - | | | be reserved due to | - | | | host reservation. The | - | | | *id* is the subnet-id | - | | | of a given subnet. | - | | | This statistic is | - | | | exposed for each | - | | | subnet separately, | - | | | and is reset during a | - | | | reconfiguration | - | | | event. | - +-----------------------+-----------------------+-----------------------+ - | subnet[id].assigned-p | integer | Number of PD prefixes | - | ds | | in a given subnet | - | | | that are assigned. It | - | | | increases every time | - | | | a new lease is | - | | | allocated (as a | - | | | result of receiving a | - | | | REQUEST message) and | - | | | is decreased every | - | | | time a lease is | - | | | released (a RELEASE | - | | | message is received) | - | | | or expires. The *id* | - | | | is the subnet-id of a | - | | | given subnet. This | - | | | statistic is exposed | - | | | for each subnet | - | | | separately, and is | - | | | reset during a | - | | | reconfiguration | - | | | event. | - +-----------------------+-----------------------+-----------------------+ - | reclaimed-leases | integer | Number of expired | - | | | leases that have been | - | | | reclaimed since | - | | | server startup. It is | - | | | incremented each time | - | | | an expired lease is | - | | | reclaimed (counting | - | | | both NA and PD | - | | | reclamations) and is | - | | | reset when the server | - | | | is reconfigured. | - +-----------------------+-----------------------+-----------------------+ - | subnet[id].reclaimed- | integer | Number of expired | - | leases | | leases associated | - | | | with a given subnet | - | | | (*"id"* is the | - | | | subnet-id) that have | - | | | been reclaimed since | - | | | server startup. It is | - | | | incremented each time | - | | | an expired lease is | - | | | reclaimed (counting | - | | | both NA and PD | - | | | reclamations) and is | - | | | reset when the server | - | | | is reconfigured. | - +-----------------------+-----------------------+-----------------------+ - | declined-addresses | integer | Number of IPv6 | - | | | addresses that are | - | | | currently declined; a | - | | | count of the number | - | | | of leases currently | - | | | unavailable. Once a | - | | | lease is recovered, | - | | | this statistic will | - | | | be decreased; | - | | | ideally, this | - | | | statistic should be | - | | | zero. If this | - | | | statistic is non-zero | - | | | or increasing, a | - | | | network administrator | - | | | should investigate | - | | | whether there is a | - | | | misbehaving device in | - | | | the network. This is | - | | | a global statistic | - | | | that covers all | - | | | subnets. | - +-----------------------+-----------------------+-----------------------+ - | subnet[id].declined-a | integer | Number of IPv6 | - | ddresses | | addresses that are | - | | | currently declined in | - | | | a given subnet; a | - | | | count of the number | - | | | of leases currently | - | | | unavailable. Once a | - | | | lease is recovered, | - | | | this statistic will | - | | | be decreased; | - | | | ideally, this | - | | | statistic should be | - | | | zero. If this | - | | | statistic is non-zero | - | | | or increasing, a | - | | | network administrator | - | | | should investigate | - | | | whether there is a | - | | | misbehaving device in | - | | | the network. The *id* | - | | | is the subnet-id of a | - | | | given subnet. This | - | | | statistic is exposed | - | | | for each subnet | - | | | separately. | - +-----------------------+-----------------------+-----------------------+ - | reclaimed-declined-ad | integer | Number of IPv6 | - | dresses | | addresses that were | - | | | declined, but have | - | | | now been recovered. | - | | | Unlike | - | | | declined-addresses, | - | | | this statistic never | - | | | decreases. It can be | - | | | used as a long-term | - | | | indicator of how many | - | | | actual valid Declines | - | | | were processed and | - | | | recovered from. This | - | | | is a global statistic | - | | | that covers all | - | | | subnets. | - +-----------------------+-----------------------+-----------------------+ - | subnet[id].reclaimed- | integer | Number of IPv6 | - | declined-addresses | | addresses that were | - | | | declined, but have | - | | | now been recovered. | - | | | Unlike | - | | | declined-addresses, | - | | | this statistic never | - | | | decreases. It can be | - | | | used as a long-term | - | | | indicator of how many | - | | | actual valid Declines | - | | | were processed and | - | | | recovered from. The | - | | | *id* is the subnet-id | - | | | of a given subnet. | - | | | This statistic is | - | | | exposed for each | - | | | subnet separately. | - +-----------------------+-----------------------+-----------------------+ + +-----------------------------------------+-----------------------+------------------------+ + | Statistic | Data Type | Description | + +=========================================+=======================+========================+ + | pkt6-received | integer | Number of DHCPv6 | + | | | packets received. | + | | | This includes all | + | | | packets: valid, | + | | | bogus, corrupted, | + | | | rejected, etc. This | + | | | statistic is expected | + | | | to grow rapidly. | + +-----------------------------------------+-----------------------+------------------------+ + | pkt6-receive-drop | integer | Number of incoming | + | | | packets that were | + | | | dropped. The exact | + | | | reason for dropping | + | | | packets is logged, | + | | | but the most common | + | | | reasons may be: an | + | | | unacceptable or not | + | | | supported packet type | + | | | is received, direct | + | | | responses are | + | | | forbidden, the | + | | | server-id sent by the | + | | | client does not match | + | | | the server's | + | | | server-id, or the | + | | | packet is malformed. | + +-----------------------------------------+-----------------------+------------------------+ + | pkt6-parse-failed | integer | Number of incoming | + | | | packets that could | + | | | not be parsed. A | + | | | non-zero value of | + | | | this statistic | + | | | indicates that the | + | | | server received a | + | | | malformed or | + | | | truncated packet. | + | | | This may indicate | + | | | problems in the | + | | | network, faulty | + | | | clients, faulty relay | + | | | agents, or a bug in | + | | | the server. | + +-----------------------------------------+-----------------------+------------------------+ + | pkt6-solicit-received | integer | Number of SOLICIT | + | | | packets received. | + | | | This statistic is | + | | | expected to grow; its | + | | | increase means that | + | | | clients that just | + | | | booted started their | + | | | configuration process | + | | | and their initial | + | | | packets reached the | + | | | Kea server. | + +-----------------------------------------+-----------------------+------------------------+ + | pkt6-advertise-received | integer | Number of ADVERTISE | + | | | packets received. | + | | | Advertise packets are | + | | | sent by the server | + | | | and the server is | + | | | never expected to | + | | | receive them. A | + | | | non-zero value of | + | | | this statistic | + | | | indicates an error | + | | | occurring in the | + | | | network. One likely | + | | | cause would be a | + | | | misbehaving relay | + | | | agent that | + | | | incorrectly forwards | + | | | ADVERTISE messages | + | | | towards the server, | + | | | rather than back to | + | | | the clients. | + +-----------------------------------------+-----------------------+------------------------+ + | pkt6-request-received | integer | Number of DHCPREQUEST | + | | | packets received. | + | | | This statistic is | + | | | expected to grow. Its | + | | | increase means that | + | | | clients that just | + | | | booted received the | + | | | server's response | + | | | (DHCPADVERTISE) and | + | | | accepted it, and are | + | | | now requesting an | + | | | address | + | | | (DHCPREQUEST). | + +-----------------------------------------+-----------------------+------------------------+ + | pkt6-reply-received | integer | Number of REPLY | + | | | packets received. | + | | | This statistic is | + | | | expected to remain | + | | | zero at all times, as | + | | | REPLY packets are | + | | | sent by the server | + | | | and the server is | + | | | never expected to | + | | | receive them. A | + | | | non-zero value | + | | | indicates an error. | + | | | One likely cause | + | | | would be a | + | | | misbehaving relay | + | | | agent that | + | | | incorrectly forwards | + | | | REPLY messages | + | | | towards the server, | + | | | rather than back to | + | | | the clients. | + +-----------------------------------------+-----------------------+------------------------+ + | pkt6-renew-received | integer | Number of RENEW | + | | | packets received. | + | | | This statistic is | + | | | expected to grow; its | + | | | increase means that | + | | | clients received | + | | | their addresses and | + | | | prefixes and are | + | | | trying to renew them. | + +-----------------------------------------+-----------------------+------------------------+ + | pkt6-rebind-received | integer | Number of REBIND | + | | | packets received. A | + | | | non-zero value | + | | | indicates that | + | | | clients did not | + | | | receive responses to | + | | | their RENEW messages | + | | | (through the regular | + | | | lease-renewal | + | | | mechanism) and are | + | | | attempting to find | + | | | any server that is | + | | | able to take over | + | | | their leases. It may | + | | | mean that some | + | | | servers' REPLY | + | | | messages never | + | | | reached the clients. | + +-----------------------------------------+-----------------------+------------------------+ + | pkt6-release-received | integer | Number of RELEASE | + | | | packets received. | + | | | This statistic is | + | | | expected to grow when | + | | | a device is being | + | | | shut down in the | + | | | network; it indicates | + | | | that the address or | + | | | prefix assigned is | + | | | reported as no longer | + | | | needed. Note that | + | | | many devices, | + | | | especially wireless, | + | | | do not send RELEASE | + | | | packets either | + | | | because of design | + | | | choice or due to the | + | | | client moving out of | + | | | range. | + +-----------------------------------------+-----------------------+------------------------+ + | pkt6-decline-received | integer | Number of DECLINE | + | | | packets received. | + | | | This statistic is | + | | | expected to remain | + | | | close to zero. Its | + | | | increase means that a | + | | | client leased an | + | | | address, but | + | | | discovered that the | + | | | address is currently | + | | | used by an unknown | + | | | device in the | + | | | network. If this | + | | | statistic is growing, | + | | | it may indicate a | + | | | misconfigured server | + | | | or devices that have | + | | | statically assigned | + | | | conflicting | + | | | addresses. | + +-----------------------------------------+-----------------------+------------------------+ + | pkt6-infrequest-received | integer | Number of | + | | | INFORMATION-REQUEST | + | | | packets received. | + | | | This statistic is | + | | | expected to grow if | + | | | there are devices | + | | | that are using | + | | | stateless DHCPv6. | + | | | INFORMATION-REQUEST | + | | | messages are used by | + | | | clients that request | + | | | stateless | + | | | configuration, i.e. | + | | | options and | + | | | parameters other than | + | | | addresses or | + | | | prefixes. | + +-----------------------------------------+-----------------------+------------------------+ + | pkt6-dhcpv4-query-received | integer | Number of | + | | | DHCPv4-QUERY packets | + | | | received. This | + | | | statistic is expected | + | | | to grow if there are | + | | | devices that are | + | | | using | + | | | DHCPv4-over-DHCPv6. | + | | | DHCPv4-QUERY messages | + | | | are used by DHCPv4 | + | | | clients on an | + | | | IPv6-only line which | + | | | encapsulates the | + | | | requests over DHCPv6. | + +-----------------------------------------+-----------------------+------------------------+ + | pkt6-dhcpv4-response-received | integer | Number of | + | | | DHCPv4-RESPONSE | + | | | packets received. | + | | | This statistic is | + | | | expected to remain | + | | | zero at all times, as | + | | | DHCPv4-RESPONSE | + | | | packets are sent by | + | | | the server and the | + | | | server is never | + | | | expected to receive | + | | | them. A non-zero | + | | | value indicates an | + | | | error. One likely | + | | | cause would be a | + | | | misbehaving relay | + | | | agent that | + | | | incorrectly forwards | + | | | DHCPv4-RESPONSE | + | | | message towards the | + | | | server rather than | + | | | back to the clients. | + +-----------------------------------------+-----------------------+------------------------+ + | pkt6-unknown-received | integer | Number of packets | + | | | received of an | + | | | unknown type. A | + | | | non-zero value of | + | | | this statistic | + | | | indicates that the | + | | | server received a | + | | | packet that it wasn't | + | | | able to recognize; | + | | | either it had an | + | | | unsupported type or | + | | | was possibly | + | | | malformed. | + +-----------------------------------------+-----------------------+------------------------+ + | pkt6-sent | integer | Number of DHCPv6 | + | | | packets sent. This | + | | | statistic is expected | + | | | to grow every time | + | | | the server transmits | + | | | a packet. In general, | + | | | it should roughly | + | | | match pkt6-received, | + | | | as most incoming | + | | | packets cause the | + | | | server to respond. | + | | | There are exceptions | + | | | (e.g. server | + | | | receiving a REQUEST | + | | | with server-id | + | | | matching other | + | | | server), so do not | + | | | worry if it is less | + | | | than pkt6-received. | + +-----------------------------------------+-----------------------+------------------------+ + | pkt6-advertise-sent | integer | Number of ADVERTISE | + | | | packets sent. This | + | | | statistic is expected | + | | | to grow in most cases | + | | | after a SOLICIT is | + | | | processed. There are | + | | | certain uncommon, but | + | | | valid, cases where | + | | | incoming SOLICIT | + | | | packets are dropped, | + | | | but in general this | + | | | statistic is expected | + | | | to be close to | + | | | pkt6-solicit-received. | + +-----------------------------------------+-----------------------+------------------------+ + | pkt6-reply-sent | integer | Number of REPLY | + | | | packets sent. This | + | | | statistic is expected | + | | | to grow in most cases | + | | | after a SOLICIT (with | + | | | rapid-commit), | + | | | REQUEST, RENEW, | + | | | REBIND, RELEASE, | + | | | DECLINE, or | + | | | INFORMATION-REQUEST | + | | | is processed. There | + | | | are certain cases | + | | | where there is no | + | | | response. | + +-----------------------------------------+-----------------------+------------------------+ + | pkt6-dhcpv4-response-sent | integer | Number of | + | | | DHCPv4-RESPONSE | + | | | packets sent. This | + | | | statistic is expected | + | | | to grow in most cases | + | | | after a DHCPv4-QUERY | + | | | is processed. There | + | | | are certain cases | + | | | where there is no | + | | | response. | + +-----------------------------------------+-----------------------+------------------------+ + | subnet[id].total-nas | integer | Total number of NA | + | | | addresses available | + | | | for DHCPv6 management | + | | | for a given subnet; | + | | | in other words, this | + | | | is the sum of all | + | | | addresses in all | + | | | configured pools. | + | | | This statistic | + | | | changes only during | + | | | configuration | + | | | changes. Note that it | + | | | does not take into | + | | | account any addresses | + | | | that may be reserved | + | | | due to host | + | | | reservation. The *id* | + | | | is the subnet-id of a | + | | | given subnet. This | + | | | statistic is exposed | + | | | for each subnet | + | | | separately, and is | + | | | reset during a | + | | | reconfiguration | + | | | event. | + +-----------------------------------------+-----------------------+------------------------+ + | subnet[id].assigned-nas | integer | Number of NA | + | | | addresses in a given | + | | | subnet that are | + | | | assigned. It | + | | | increases every time | + | | | a new lease is | + | | | allocated (as a | + | | | result of receiving a | + | | | REQUEST message) and | + | | | is decreased every | + | | | time a lease is | + | | | released (a RELEASE | + | | | message is received) | + | | | or expires. The *id* | + | | | is the subnet-id of a | + | | | given subnet. This | + | | | statistic is exposed | + | | | for each subnet | + | | | separately, and is | + | | | reset during a | + | | | reconfiguration | + | | | event. | + +-----------------------------------------+-----------------------+------------------------+ + | subnet[id].total-pds | integer | Total number of PD | + | | | prefixes available | + | | | for DHCPv6 management | + | | | for a given subnet; | + | | | in other words, this | + | | | is the sum of all | + | | | prefixes in all | + | | | configured pools. | + | | | This statistic | + | | | changes only during | + | | | configuration | + | | | changes. Note it does | + | | | not take into account | + | | | any prefixes that may | + | | | be reserved due to | + | | | host reservation. The | + | | | *id* is the subnet-id | + | | | of a given subnet. | + | | | This statistic is | + | | | exposed for each | + | | | subnet separately, | + | | | and is reset during a | + | | | reconfiguration | + | | | event. | + +-----------------------------------------+-----------------------+------------------------+ + | subnet[id].assigned-pds | integer | Number of PD prefixes | + | | | in a given subnet | + | | | that are assigned. It | + | | | increases every time | + | | | a new lease is | + | | | allocated (as a | + | | | result of receiving a | + | | | REQUEST message) and | + | | | is decreased every | + | | | time a lease is | + | | | released (a RELEASE | + | | | message is received) | + | | | or expires. The *id* | + | | | is the subnet-id of a | + | | | given subnet. This | + | | | statistic is exposed | + | | | for each subnet | + | | | separately, and is | + | | | reset during a | + | | | reconfiguration | + | | | event. | + +-----------------------------------------+-----------------------+------------------------+ + | reclaimed-leases | integer | Number of expired | + | | | leases that have been | + | | | reclaimed since | + | | | server startup. It is | + | | | incremented each time | + | | | an expired lease is | + | | | reclaimed (counting | + | | | both NA and PD | + | | | reclamations) and is | + | | | reset when the server | + | | | is reconfigured. | + +-----------------------------------------+-----------------------+------------------------+ + | subnet[id].reclaimed-leases | integer | Number of expired | + | | | leases associated | + | | | with a given subnet | + | | | (*"id"* is the | + | | | subnet-id) that have | + | | | been reclaimed since | + | | | server startup. It is | + | | | incremented each time | + | | | an expired lease is | + | | | reclaimed (counting | + | | | both NA and PD | + | | | reclamations) and is | + | | | reset when the server | + | | | is reconfigured. | + +-----------------------------------------+-----------------------+------------------------+ + | declined-addresses | integer | Number of IPv6 | + | | | addresses that are | + | | | currently declined; a | + | | | count of the number | + | | | of leases currently | + | | | unavailable. Once a | + | | | lease is recovered, | + | | | this statistic will | + | | | be decreased; | + | | | ideally, this | + | | | statistic should be | + | | | zero. If this | + | | | statistic is non-zero | + | | | or increasing, a | + | | | network administrator | + | | | should investigate | + | | | whether there is a | + | | | misbehaving device in | + | | | the network. This is | + | | | a global statistic | + | | | that covers all | + | | | subnets. | + +-----------------------------------------+-----------------------+------------------------+ + | subnet[id].declined-addresses | integer | Number of IPv6 | + | | | addresses that are | + | | | currently declined in | + | | | a given subnet; a | + | | | count of the number | + | | | of leases currently | + | | | unavailable. Once a | + | | | lease is recovered, | + | | | this statistic will | + | | | be decreased; | + | | | ideally, this | + | | | statistic should be | + | | | zero. If this | + | | | statistic is non-zero | + | | | or increasing, a | + | | | network administrator | + | | | should investigate | + | | | whether there is a | + | | | misbehaving device in | + | | | the network. The *id* | + | | | is the subnet-id of a | + | | | given subnet. This | + | | | statistic is exposed | + | | | for each subnet | + | | | separately. | + +-----------------------------------------+-----------------------+------------------------+ + | reclaimed-declined-addresses | integer | Number of IPv6 | + | | | addresses that were | + | | | declined, but have | + | | | now been recovered. | + | | | Unlike | + | | | declined-addresses, | + | | | this statistic never | + | | | decreases. It can be | + | | | used as a long-term | + | | | indicator of how many | + | | | actual valid Declines | + | | | were processed and | + | | | recovered from. This | + | | | is a global statistic | + | | | that covers all | + | | | subnets. | + +-----------------------------------------+-----------------------+------------------------+ + | subnet[id].reclaimed-declined-addresses | integer | Number of IPv6 | + | | | addresses that were | + | | | declined, but have | + | | | now been recovered. | + | | | Unlike | + | | | declined-addresses, | + | | | this statistic never | + | | | decreases. It can be | + | | | used as a long-term | + | | | indicator of how many | + | | | actual valid Declines | + | | | were processed and | + | | | recovered from. The | + | | | *id* is the subnet-id | + | | | of a given subnet. | + | | | This statistic is | + | | | exposed for each | + | | | subnet separately. | + +-----------------------------------------+-----------------------+------------------------+ .. _dhcp6-ctrl-channel: @@ -5332,7 +5305,7 @@ Management API for the DHCPv6 Server The management API allows the issuing of specific management commands, such as statistics retrieval, reconfiguration, or shutdown. For more -details, see `??? <#ctrl-channel>`__. Currently, the only supported +details, see :ref:`ctrl-channel`. Currently, the only supported communication channel type is UNIX stream socket. By default there are no sockets open; to instruct Kea to open a socket, the following entry in the configuration file can be used: @@ -5352,7 +5325,7 @@ in the configuration file can be used: } The length of the path specified by the ``socket-name`` parameter is -restricted by the maximum length for the UNIX socket name on your +restricted by the maximum length for the UNIX socket name on the administrator's operating system, i.e. the size of the ``sun_path`` field in the ``sockaddr_un`` structure, decreased by 1. This value varies on different operating systems between 91 and 107 characters. Typical @@ -5360,7 +5333,8 @@ values are 107 on Linux and 103 on FreeBSD. Communication over the control channel is conducted using JSON structures. See the -`Control Channel section in the Kea Developer's Guide `__ +`Control Channel section in the Kea Developer's Guide +`__ for more details. The DHCPv6 server supports the following operational commands: @@ -5378,7 +5352,7 @@ The DHCPv6 server supports the following operational commands: - shutdown - version-get -as described in `??? <#commands-common>`__. In addition, it supports the +as described in :ref:`commands-common`. In addition, it supports the following statistics-related commands: - statistic-get @@ -5388,28 +5362,28 @@ following statistics-related commands: - statistic-reset-all - statistic-remove-all -as described in `??? <#command-stats>`__. +as described in :ref:`command-stats`. .. _dhcp6-user-contexts: User Contexts in IPv6 ===================== -Kea allows loading hook libraries that sometimes could benefit from +Kea allows loading hook libraries that can sometimes benefit from additional parameters. If such a parameter is specific to the whole library, it is typically defined as a parameter for the hook library. However, sometimes there is a need to specify parameters that are different for each pool. -User contexts can store arbitrary data as long as it has valid JSON -syntax and its top level element is a map (i.e. the data must be +User contexts can store an arbitrary data file as long as it has valid JSON +syntax and its top-level element is a map (i.e. the data must be enclosed in curly brackets). However, some hook libraries may expect specific formatting; please consult the specific hook library documentation for details. User contexts can be specified at global scope, shared network, subnet, pool, client class, option data, or definition level, and via host -reservation. One other useful usage is the ability to store comments or +reservation. One other useful feature is the ability to store comments or descriptions. Let's consider a lightweight 4over6 deployment as an example. It is an @@ -5420,10 +5394,10 @@ additional options. Values of these options are correlated to delegated prefixes, so it is reasonable to keep these parameters together with the PD pool. On the other hand, lightweight 4over6 is not a commonly used feature, so it is not a part of the base Kea code. The solution to this -problem is to use user context. For each PD pool that is expected to be +problem is to specify a user context. For each PD pool that is expected to be used for lightweight 4over6, a user context with extra parameters is -defined. Those extra parameters will be used by a hook library that -would be loaded only when dynamic calculation of the lightweight 4over6 +defined. Those extra parameters will be used by a hook library +and loaded only when dynamic calculation of the lightweight 4over6 option is actually needed. An example configuration looks as follows: :: @@ -5449,8 +5423,8 @@ option is actually needed. An example configuration looks as follows: } ], "subnet": "2001:db8::/32", - // This is a subnet specific context. You can put any type of - // information here as long as it is a valid JSON. + // This is a subnet-specific context. Any type of + // information can be entered here as long as it is valid JSON. "user-context": { "comment": "Those v4-v6 migration technologies are tricky.", "experimental": true, @@ -5461,13 +5435,13 @@ option is actually needed. An example configuration looks as follows: ... } -Kea does not interpret or use the content of the user context; it simply -stores it, making it available to the hook libraries. It is up to each -hook library to extract the information and use it. The parser +Kea does not interpret or use the user context information; it simply +stores it and makes it available to the hook libraries. It is up to each +hook library to extract that information and use it. The parser translates a "comment" entry into a user context with the entry, which allows a comment to be attached inside the configuration itself. -For more background information, see `??? <#user-context>`__. +For more background information, see :ref:`user-context`. .. _dhcp6-std: @@ -5477,59 +5451,59 @@ Supported DHCPv6 Standards The following standards are currently supported: - *Dynamic Host Configuration Protocol for IPv6*, `RFC - 3315 `__: Supported messages are + 3315 `__: Supported messages are SOLICIT, ADVERTISE, REQUEST, RELEASE, RENEW, REBIND, INFORMATION-REQUEST, CONFIRM and REPLY. - *IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) - version 6*, `RFC 3633 `__: + version 6*, `RFC 3633 `__: Supported options are IA_PD and IA_PREFIX. Also supported is the status code NoPrefixAvail. - *DNS Configuration options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6)*, `RFC - 3646 `__: Supported option is + 3646 `__: Supported option is DNS_SERVERS. - *The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Relay Agent Remote-ID Option*, `RFC - 4649 `__: REMOTE-ID option is + 4649 `__: REMOTE-ID option is supported. - *The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Client Fully Qualified Domain Name (FQDN) Option*, `RFC - 4704 `__: Supported option is + 4704 `__: Supported option is CLIENT_FQDN. - *Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Option for - Dual-Stack Lite*, `RFC 6334 `__: + Dual-Stack Lite*, `RFC 6334 `__: the AFTR-Name DHCPv6 Option is supported. - *Relay-Supplied DHCP Options*, `RFC - 6422 `__: Full functionality is + 6422 `__: Full functionality is supported: OPTION_RSOO, ability of the server to echo back the options, checks whether an option is RSOO-enabled, ability to mark additional options as RSOO-enabled. - *Prefix Exclude Option for DHCPv6-based Prefix Delegation*, `RFC - 6603 `__: Prefix Exclude option + 6603 `__: Prefix Exclude option is supported. - *Client Link-Layer Address Option in DHCPv6*, `RFC - 6939 `__: Supported option is + 6939 `__: Supported option is client link-layer address option. - *Issues and Recommendations with Multiple Stateful DHCPv6 Options*, - `RFC 7550 `__: All + `RFC 7550 `__: All recommendations related to the DHCPv6 server operation are supported. - *DHCPv6 Options for Configuration of Softwire Address and Port-Mapped - Clients*, `RFC 7598 `__: All + Clients*, `RFC 7598 `__: All options indicated in this specification are supported by the DHCPv6 server. - *Dynamic Host Configuration Protocol for IPv6 (DHCPv6)*, `RFC - 8415 `__: New DHCPv6 protocol + 8415 `__: New DHCPv6 protocol specification which obsoletes RFC 3315, RFC 3633, RFC 3736, RFC 4242, RFC 7083, RFC 7283, and RFC 7550 @@ -5544,7 +5518,7 @@ treated as “not implemented yet”, rather than actual limitations. - The server will allocate, renew, or rebind a maximum of one lease for a particular IA option (IA_NA or IA_PD) sent by a client. `RFC - 8415 `__ allows for multiple + 8415 `__ allows for multiple addresses or prefixes to be allocated for a single IA. - Temporary addresses are not supported. @@ -5565,12 +5539,12 @@ directory. Configuration Backend in DHCPv6 =============================== -In the `??? <#config-backend>`__ we have described the Configuration -Backend feature, its applicability and limitations. This section focuses +In the :ref:`config-backend` section we have described the Configuration +Backend feature, its applicability, and its limitations. This section focuses on the usage of the CB with the DHCPv6 server. It lists the supported -parameters, describes limitations and gives examples of the DHCPv6 +parameters, describes limitations, and gives examples of the DHCPv6 server configuration to take advantage of the CB. Please also refer to -the sibling section `??? <#dhcp4-cb>`__ for the DHCPv4 specific usage of +the sibling section :ref:`dhcp4-cb` for the DHCPv4-specific usage of the CB. .. _dhcp6-cb-parameters: @@ -5580,118 +5554,90 @@ Supported Parameters The ultimate goal for the CB is to serve as a central configuration repository for one or multiple Kea servers connected to the database. In -the future it will be possible to store the most of the server's -configuration in the database and reduce the configuration file to bare -minimum, i.e. the only mandatory parameter will be the -``config-control`` which includes the necessary information to connect -to the database. In the Kea 1.6.0 release, however, only the subset of +the future it will be possible to store most of the server's +configuration in the database and reduce the configuration file to a bare +minimum; the only mandatory parameter will be the +``config-control``, which includes the necessary information to connect +to the database. In the Kea 1.6.0 release, however, only a subset of the DHCPv4 server parameters can be stored in the database. All other parameters must be specified in the JSON configuration file, if required. -The following table lists DHCPv6 specific parameters supported by the -Configuration Backend with an indication on which level of the hierarchy -it is currently supported. The "n/a" is used in cases when the -particular parameter is not applicable on the particular level of the -hierarchy or in cases when the parameter is not supported by the server -on this level of hierarchy. The "no" is used when the parameter is -supported by the server on the particular level of hierarchy but is not +The following table lists DHCPv6-specific parameters supported by the +Configuration Backend, with an indication on which level of the hierarchy +it is currently supported. "n/a" is used in cases when a +particular parameter is not applicable on a particular level of the +hierarchy, or in cases when the parameter is not supported by the server +at this level of the hierarchy. "no" is used when the parameter is +supported by the server on the given level of the hierarchy, but is not configurable via the Configuration Backend. All supported parameters can be configured via ``cb_cmds`` hooks library -described in the `??? <#cb-cmds-library>`__. The general rule is that +described in the :ref:`cb-cmds-library` section. The general rule is that the scalar global parameters are set using the -``remote-global-parameter6-set``. The shared network specific parameters -are set using the ``remote-network6-set``. Finally, the subnet and pool -level parameters are set using the ``remote-subnet6-set``. Whenever -there is an exception from this general rule, it is highlighted in the -table. The non-scalar global parameters have dedicated commands, e.g. -modifying the global DHCPv6 options (``option-data``) is performed using -the ``remote-option6-global-set``. - -.. table:: List of DHCPv6 Parameters Supported by the Configuration -Backend - - +-----------+-----------+-----------+-----------+-----------+-----------+ - | Parameter | Global | Shared | Subnet | Pool | Prefix | - | | | Network | | | Delegatio | - | | | | | | n | - | | | | | | Pool | - +===========+===========+===========+===========+===========+===========+ - | calculate | yes | yes | yes | n/a | n/a | - | -tee-time | | | | | | - | s | | | | | | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | client-cl | n/a | yes | yes | no | no | - | ass | | | | | | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | decline-p | yes | n/a | n/a | n/a | n/a | - | robation- | | | | | | - | period | | | | | | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | delegated | n/a | n/a | n/a | n/a | yes | - | -len | | | | | | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | dhcp4o6-p | yes | n/a | n/a | n/a | n/a | - | ort | | | | | | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | excluded- | n/a | n/a | n/a | n/a | no | - | prefix | | | | | | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | excluded- | n/a | n/a | n/a | n/a | no | - | prefix-le | | | | | | - | n | | | | | | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | interface | n/a | yes | yes | n/a | n/a | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | interface | n/a | yes | yes | n/a | n/a | - | -id | | | | | | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | option-da | yes (via | yes | yes | yes | yes | - | ta | remote-op | | | | | - | | tion6-glo | | | | | - | | bal-set) | | | | | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | option-de | yes (via | n/a | n/a | n/a | n/a | - | f | remote-op | | | | | - | | tion-def6 | | | | | - | | -set) | | | | | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | preferred | yes | yes | yes | n/a | n/a | - | -lifetime | | | | | | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | prefix | n/a | n/a | n/a | n/a | yes | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | prefix-le | n/a | n/a | n/a | n/a | yes | - | n | | | | | | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | rapid-com | yes | yes | yes | n/a | n/a | - | mit | | | | | | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | rebind-ti | yes | yes | yes | n/a | n/a | - | mer | | | | | | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | relay | n/a | yes | yes | n/a | n/a | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | renew-tim | yes | yes | yes | n/a | n/a | - | er | | | | | | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | require-c | n/a | yes | yes | no | no | - | lient-cla | | | | | | - | sses | | | | | | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | reservati | yes | yes | yes | n/a | n/a | - | on-mode | | | | | | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | t1-percen | yes | yes | yes | n/a | n/a | - | t | | | | | | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | t2-percen | yes | yes | yes | n/a | n/a | - | t | | | | | | - +-----------+-----------+-----------+-----------+-----------+-----------+ - | valid-lif | yes | yes | yes | n/a | n/a | - | etime | | | | | | - +-----------+-----------+-----------+-----------+-----------+-----------+ +``remote-global-parameter6-set``; the shared network-specific parameters +are set using ``remote-network6-set``; and the subnet- and pool-level +parameters are set using ``remote-subnet6-set``. Whenever +there is an exception to this general rule, it is highlighted in the +table. The non-scalar global parameters have dedicated commands; for example, +the global DHCPv6 options (``option-data``) are modified using +``remote-option6-global-set``. + +.. table:: List of DHCPv6 Parameters Supported by the Configuration Backend + + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | Parameter | Global | Shared | Subnet | Pool | Prefix | + | | | Network | | | Delegation | + | | | | | | Pool | + +==========================+============================+===========+===========+===========+============+ + | calculate-tee-times | yes | yes | yes | n/a | n/a | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | client-class | n/a | yes | yes | no | no | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | decline-probation-period | yes | n/a | n/a | n/a | n/a | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | delegated-len | n/a | n/a | n/a | n/a | yes | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | dhcp4o6-port | yes | n/a | n/a | n/a | n/a | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | excluded-prefix | n/a | n/a | n/a | n/a | no | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | excluded-prefix-len | n/a | n/a | n/a | n/a | no | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | interface | n/a | yes | yes | n/a | n/a | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | interface-id | n/a | yes | yes | n/a | n/a | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | option-data | yes (via | yes | yes | yes | yes | + | | remote-option6-global-set) | | | | | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | option-def | yes (via | n/a | n/a | n/a | n/a | + | | remote-option-def6-set) | | | | | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | preferred-lifetime | yes | yes | yes | n/a | n/a | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | prefix | n/a | n/a | n/a | n/a | yes | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | prefix-len | n/a | n/a | n/a | n/a | yes | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | rapid-commit | yes | yes | yes | n/a | n/a | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | rebind-timer | yes | yes | yes | n/a | n/a | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | relay | n/a | yes | yes | n/a | n/a | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | renew-timer | yes | yes | yes | n/a | n/a | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | require-client-classes | n/a | yes | yes | no | no | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | reservation-mode | yes | yes | yes | n/a | n/a | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | t1-percent | yes | yes | yes | n/a | n/a | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | t2-percent | yes | yes | yes | n/a | n/a | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ + | valid-lifetime | yes | yes | yes | n/a | n/a | + +--------------------------+----------------------------+-----------+-----------+-----------+------------+ .. _dhcp6-cb-json: @@ -5730,5 +5676,5 @@ Configuration Backend for the DHCPv6 server: } } -The configuration structure is almost identical as for the DHCPv4 server -(see `??? <#dhcp4-cb-json>`__ for the detailed description). +The configuration structure is almost identical to that of the DHCPv4 server +(see :ref:`dhcp4-cb-json` for the detailed description).