1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
|
.. _hooks-lease-query:
``lease_query``: Leasequery Support
===================================
This library provides support for DHCPv4 Leasequery as described in
`RFC 4388 <https://tools.ietf.org/html/rfc4388>`__; and for DHCPv6
Leasequery (`RFC 5007 <https://tools.ietf.org/html/rfc5007>`__).
.. note::
This library can only be loaded by the ``kea-dhcp4`` or
``kea-dhcp6`` process.
The Leasequery library is only available to ISC customers with a paid support contract.
.. _lease-query-dhcpv4:
DHCPv4 Leasequery
~~~~~~~~~~~~~~~~~
DHCPv4 simple Leasequery provides a requester the ability to query for
active lease information for either a single IP address or a single client.
RFC 4388 calls for three such queries:
- Query by IP address
The IP address of interest is contained within the ``ciaddr`` field of
the query.
- Query by hardware address
The hardware address of interest is contained with the ``chaddr`` field
of the query.
- Query by client identifier
The client identifier of interest is sent in the ``dhcp-client-identifier``
option (61) of the query.
The inbound DHCPLEASEQUERY packet must supply only one of the three values
above. Queries which supply more than one of these values are dropped.
In addition, the query must contain the IP address of the requester in
``giaddr``. This value is used not only as the destination for the
query response but also to validate the requester against a known
list of IP addresses which are permitted to query. This list of valid
requester addresses is specified as part of the Leasequery hook library's
configuration (see the section on configuration below).
In response to a valid query, the server returns one of three message
types:
- DHCPLEASEUNKNOWN
Returned when the IP address of interest is not one the server knows
about (query by IP address); or there are no active leases for the
client of interest (query by hardware address or client ID).
- DHCPLEASEUNASSIGNED
Returned when the IP address is one the server knows of but for which
there are no active leases (applies only to query by IP address).
- DHCPLEASEACTIVE
Returned when there is at least one active lease found matching the
criteria.
For both DHCPLEASEUNKNOWN and DHCPLEASEUNASSIGNED responses, the only
information sent back to the requester in response is the query parameter
itself (i.e. one of: IP address, hardware address, or client identifier).
For DHCPLEASEACTIVE the server provides the following information
for the newest active lease that matches the criteria, in the response:
- ``ciaddr`` - set to the lease's IP address
- ``chaddr`` - set to the lease's hardware address
In addition, one or more of the following options are included:
.. tabularcolumns:: |p{0.2\linewidth}|p{0.1\linewidth}|p{0.7\linewidth}|
.. table:: DHCPLEASEACTIVE options
:class: longtable
:widths: 30 10 70
+------------------------------+-------+-----------------------------------------------+
| Option | Code | Content |
+==============================+=======+===============================================+
| dhcp-client-identifier | 61 | copied from the lease (if appropriate) |
+------------------------------+-------+-----------------------------------------------+
| client-last-transaction-time | 91 | the amount of time that has elapsed since the |
| | | lease's client-last-transaction-time (CLTT). |
| | | This value is also used by the server to |
| | | adjust lifetime and timer values. |
+------------------------------+-------+-----------------------------------------------+
| dhcp-lease-time | 51 | lease's lifetime reduced by CLTT |
+------------------------------+-------+-----------------------------------------------+
| dhcp-renewal-time | 58 | as controlled by kea-dhcp4 configuration and |
| | | then reduced by CLTT |
+------------------------------+-------+-----------------------------------------------+
| dhcp-rebind-time | 59 | as dictated by kea-dhcp4 configuration and |
| | | then reduced by CLTT |
+------------------------------+-------+-----------------------------------------------+
| dhcp-agent-options | 82 | if stored on the lease. (See |
| | | :ref:`dhcp4-store-extended-info`) |
+------------------------------+-------+-----------------------------------------------+
| associated-ip | 92 | a list of all other IP addresses for which |
| | | the client has active leases. (Does not apply |
| | | to query by IP address) |
+------------------------------+-------+-----------------------------------------------+
The ``dhcp-server-identifier`` option (54) is returned in all responses in keeping with
RFC 2131, section 4.3.1.
RFC 4388 allows requesters to ask for specific options via the
``dhcp-parameter-request-list`` (PRL, option 55). This is not currently supported in Kea.
.. _lease-query-dhcpv4-config:
DHCPv4 Leasequery Configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Configuring the Leasequery hook library for use is straightforward. It
supports a single parameter, ``requesters``, which is a list of IP addresses from
which DHCPLEASEQUERY packets are accepted. In other words, it is a list of
known requesters. The following code shows an example configuration with two requester
addresses:
::
:
"hooks-libraries": [
{
"library": "lib/kea/hooks/libdhcp_lease_query.so",
"parameters": {
"requesters": [ "192.0.1.1", "10.0.0.2" ]
}
}
],
:
.. note::
For security purposes, there is no way to specify wildcards. Each requester address
must be explicitly listed.
.. _lease-query-dhcpv6:
DHCPv6 Leasequery
~~~~~~~~~~~~~~~~~
DHCPv6 simple Leasequery gives a requester the ability to query for
active lease information for either a single IP address or a single client
DUID. The query type and parameters are conveyed in an ``lq-query`` option (44)
attached to a ``DHCPV6_LEASEQUERY`` message:
- ``query-type``
This is either ``query-by-address`` (1) or ``query-by-clientid`` (2)
- ``link-address``
The global link address, when not empty, instructs the query to be
limited to leases within that "link." Kea uses this value to
select only leases that belong to subnets whose prefix matches
this value. Active leases for prefix delegations for
a matched subnet are included in the query reply, even if the
delegated prefix itself falls outside the subnet prefix.
- ``query-options``
A single ``iaaddr`` option (12) must be supplied when querying by address.
When querying by client ID, a single ``clientid`` option (1) must be
supplied. RFC 5007 also calls for an optional, ``oro`` option (6), to
request specific options be returned for matched leases. This is
not currently implemented.
.. note::
`RFC 5007, Section 3.3 <https://tools.ietf.org/html/rfc5007#section-3.3>`__
states that querying by IP address should return either a lease (e.g.
binding) for the address itself or a lease for a delegated prefix that
contains the address. The latter is not currently implemented. Leases for
delegated prefixes may only be returned when querying by client ID. See
`GitLab issue #1275 <https://gitlab.isc.org/isc-projects/kea/-/issues/1275>`__
``DHCPV6_LEASEQUERY`` queries are only honored if the source address of
the query matches an entry in a list of known IP addresses which are
permitted to query. This list of valid requester addresses is specified
as part of the Leasequery hook library’s configuration (see the section
on configuration below). Queries received from unknown requesters are
logged and dropped.
In response to a valid query, the server carries out the requisite
activities and returns a ``DHCPV6_LEASEQUERY_REPLY``. All replies contain
at least a ``status-code`` option (13) that indicates the outcome of the query
as detailed in the following table:
.. tabularcolumns:: |p{0.5\linewidth}|p{0.3\linewidth}|p{0.1\linewidth}|p{0.3\linewidth}|
.. table:: DHCPV6_LEASEQUERY_REPLY status option values per query outcome
:class: longtable
:widths: 50 30 10 30
+--------------------------------------+-------------------------+--------+------------------------------+
| | Status | Status | Status |
| Query Outcome | Label | Code | Text |
+======================================+=========================+========+==============================+
| Invalid query type field | STATUS_UnknownQueryType | 7 | "unknown query-type" |
+--------------------------------------+-------------------------+--------+------------------------------+
| Query by IP address that does not | STATUS_Malformed | 10 | "missing D6O_IAADDR" |
| contain an address option | | | |
+--------------------------------------+-------------------------+--------+------------------------------+
| Query by IP address for an address | STATUS_NotConfigured | 9 | "address not in a configured |
| that does fall within any configured | | | pool" |
| pools | | | |
+--------------------------------------+-------------------------+--------+------------------------------+
| Query by IP address which found only | STATUS_Success | 0 | "inactive lease exists" |
| an inactive lease (e.g. expired, | | | |
| declined, reclaimed-expired) | | | |
+--------------------------------------+-------------------------+--------+------------------------------+
| Query by IP address that found no | STATUS_Success | 0 | "no active lease" |
| leases (active or otherwise) | | | |
+--------------------------------------+-------------------------+--------+------------------------------+
| Query by IP address that found an | STATUS_Success | 0 | "active lease found" |
| active lease for the address | | | |
+--------------------------------------+-------------------------+--------+------------------------------+
| Query by Client ID that does not | STATUS_Malformed | 10 | "missing D6O_CLIENTID" |
| contain a client ID option | | | |
+--------------------------------------+-------------------------+--------+------------------------------+
| Query by Client ID with a link | STATUS_NotConfigured | 9 | "not a configured link" |
| address that does not match any | | | |
| configured subnets | | | |
+--------------------------------------+-------------------------+--------+------------------------------+
| Query by client ID which found no | STATUS_Success | 0 | "no active leases" |
| matching leases | | | |
+--------------------------------------+-------------------------+--------+------------------------------+
| Query by client ID which found one | STATUS_Success | 0 | "active lease(s) found" |
| or more active leases | | | |
+--------------------------------------+-------------------------+--------+------------------------------+
For those scenarios where the query was either invalid or for which no matching active
leases were found, the ``DHCPV6_LEASEQUERY_REPLY`` only contains the ``status-code``
option (12) per the above table.
When a query finds active leases in more than one subnet and the query's ``link-address``
is empty, then, in addition to the status-code, the ``DHCPV6_LEASEQUERY_REPLY``
contains an ``lq-client-link`` option (48). The ``lq-client-link`` contains a list of
IPv6 addresses, one for each subnet in which a lease was found (see
`RFC 5007, Section 4.1.2.5 <https://tools.ietf.org/html/rfc5007#section-4.1.2.5>`__)
If, however, the query's ``link-address`` is not empty, the list of queries is
pruned to contain only leases that belong to that subnet.
When the query results in one or more active leases which all belong to a single
subnet, in addition to the ``status-code``, the ``DHCPV6_LEASEQUERY_REPLY`` contains a
``client-data`` option (45) (see
`RFC 5007, Section 4.1.2.2 <https://tools.ietf.org/html/rfc5007#section-4.1.2.2>`__).
The client-data option encapsulates the following options:
.. tabularcolumns:: |p{0.2\linewidth}|p{0.1\linewidth}|p{0.7\linewidth}|
.. table:: OPTION_CLIENT_DATA returned when active lease(s) are found
:class: longtable
:widths: 30 10 70
+------------------------------+-------+-----------------------------------------------+
| Option | Code | Content |
+==============================+=======+===============================================+
| clientid | 1 | copied from the lease (if one exists) |
+------------------------------+-------+-----------------------------------------------+
| clt-time | 46 | amount of time that has elapsed since the |
| | | lease's client-last-transaction-time (CLTT). |
| | | This value will also be used by the server to |
| | | adjust lifetime and timer values. |
+------------------------------+-------+-----------------------------------------------+
| iaaddr | 5 | One option per matched address. Fields in |
| | | each option: |
| | | - lease address |
| | | - valid lifetime reduced by CLTT |
| | | - preferred lifetime reduced by CLTT |
+------------------------------+-------+-----------------------------------------------+
| iaprefix | 26 | One option per matched prefix. Fields in |
| | | each option: |
| | | - prefix |
| | | - prefix length |
| | | - valid lifetime reduced by CLTT |
| | | - preferred lifetime reduced by CLTT |
+------------------------------+-------+-----------------------------------------------+
If the lease with the most recent client-last-transaction-time (CLTT)
value has relay information in its user-context (see
:ref:`store-extended-info-v6`), then an ``OPTION_LQ_RELAY_DATA`` option is
added to the reply (see
`RFC 5007, Section 4.1.2.4 <https://tools.ietf.org/html/rfc5007#section-4.1.2.4>`__).
The relay information on the lease is a list with an entry for each
relay layer the client packet (e.g. ``DHCPV6_REQUEST``) traversed, with the
first entry in the list being the outermost layer (closest to the server). The
``peer-address`` field of the ``lq-rely-option`` is set to the peer address of this
relay. The list of relays is then used to construct a ``DHCPV6_RELAY_FORW`` message
equivalent to that which contained the client packet, minus the client packet.
This message is stored in the ``DHCP-relay-message`` field of the ``lq-relay-data`` option.
.. _lease-query-dhcpv6-config:
DHCPv6 Leasequery Configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Configuring the Leasequery hook library for use is straightforward. It
supports a single parameter, ``requesters``, which is a list of IP addresses from
which DHCPV6_LEASEQUERY packets are accepted. In other words, it is a list of
known requesters. The following code shows an example configuration with two requester
addresses:
::
:
"hooks-libraries": [
{
"library": "lib/kea/hooks/libdhcp_lease_query.so",
"parameters": {
"requesters": [ "2001:db8:1::1", "2001:db8:2::1" ]
}
}
],
:
.. note::
For security purposes, there is no way to specify wildcards. Each requester address
must be explicitly listed.
|
