© 2018 IS

C

KeaA m

odern DH

CP engine

UKNOF40

Tomek M

rugalski tom

ek(at)isc(dot)org

© 2018 IS

C

If you never heard about Kea…

▪M

odern DHCPv4, DHCPv6 and DDNS servers

▪Perform

ance▪

Scalable (millions of devices)

▪O

n-line reconfiguration (no restarts after config changes)▪

Feature rich: shared networks, v6, PD, custom

options,…

▪D

atabase Backends ▪

Hooks (3rd party libraries, like apache m

odules)▪

REST m

anagement API

▪Linux, BSDs, M

acOS, …

▪

Open source (M

PL2)▪

1.4.0 beta about to be released (May 2018)

© 2018 IS

C

Backends

▪Leases, host reservations in DB (1.4)▪

CSV▪

MySQ

L, PostgreSQL

▪Cassandra

▪Configuration in DB likely in 1.5

▪SQ

L data can be modified any tim

e▪

All changes applied instantly (no restart)▪

Can manipulate the DB directly or

▪Use host com

mands (1.2) and subnets (1.3)

© 2018 IS

C

Hooks (1 of 2)

▪1.1: U

ser Check – exam

ple access control▪

1.2: Forensic Logging – audit trail for legal purposes ▪

1.2: Flexible Identifier – identify hosts by expression, e.g. concat(relay4[2].hex, relay4[6].hex)▪

1.2: Host C

omm

ands – query, add and delete host reservations using REST interface▪

1.3: Subnet managem

ent (add, get, update, delete subnets and shared netw

orks via REST API)▪

1.3: Extra lease comm

ands (add, get, update, delete, w

ipe all, get all leases via REST API)

Open source

Prem

ium

© 2018 IS

C

Hooks (2 of 2)

▪1.4: H

A – high availability solution (heartbeat, failure detection, lease updates, recovering DB from

partner)▪

1.4: Radius – access control and host reservation using FreeRadius, accounting ▪

1.4: Host C

aching – cache host responses locally from

slower backends for extra perform

ance (includes negative caching)▪

1.5: Limits - ability to rate lim

it queries, limit # of

leases per subnet, pool, port, device, time restricted

leases (valid until, not valid before)

Open source

Prem

ium

© 2018 IS

C

Anyone can write hooks

Facebookdatacenter

running on Kea

Photo by A

ngelo Failla, Facebook

© 2018 IS

C

Flex-id (1.2)▪

Flexible Identifier

How to identify hosts:

▪O

pen source ▪

MAC, duid, circuit-id, client-id

▪Prem

ium

▪Alm

ost anything could be used (35 different expressions)▪

Options (client, relay, vendor)

▪Fixed fields▪

Concat, substring▪

Meta-data (interface nam

e, src/dst IP, …

)

concat(relay4[1].hex, relay4[2].hex)

© 2018 IS

C

REST API (1.2/1.3)

Overview

: ▪

Comm

and Channel (Unix socket)

▪REST interface (http/https)

▪JSO

N com

mands, JSO

N responses▪

kea-shell provided (python 2.x, 3.x example)

Manipulate:

▪W

hole config (config-get/set/test/write)

▪Shared netw

orks, subnets (subnet4/6-list/add/get/del)

▪H

ost Reservations (reservation-get/add/del)▪

Leases (lease4/6-get/add/update/del/wipe)

▪Statistics (statistic-get/reset/get-all)

▪Server (list-com

mands, shutdow

n, version-get, build-report, leases-reclaim

, etc.)

More to com

e in future releases

{ "command": "subnet6-add", "arguments": { "subnet6": [ { "id": 234, "subnet": "2001:db8:1::/64", ... } ] }}{ "result": 0, "text": "IPv6 subnet added", "arguments": { "subnet6": [ { "id": 234, "subnet": "2001:db8:1::/64" } ] }}

Com

mand

Response

© 2018 IS

C

High Availability (1.4)

▪Load balancing or hot standby

▪RESTful API based

▪H

ook points (sending lease updates, etc.)▪

Heartbeats over control channel

▪Lease updates via lease_cm

ds hook▪

Failure detection based on ‘secs’ field

▪Auto-sync of leasedatabase

▪Backup server

▪50/50 LB split

▪V4 and V6

Kea server 1

Kea server 2

Bi-directional

lease updates

50% of leases

assigned & m

anaged by each server

50%50%

© 2018 IS

C

Apache Cassandra (1.4)

▪Distributed non-relational NoSQ

L database▪

Massive scalability w

ithout a single point of failure▪

Replication factor▪

Can operate with

at least one nodesurviving

▪CQ

L▪

Data denormalization

RFNO

DESFAILURES

11

02

31

35

24

73

…

HANO

DESFAILURES

21

RF = 2N + 1 can survive N

failures

© 2018 IS

C

1.4 coming up

▪1.4.0 beta: M

ay 14th, 1.4.0 final: June 15th▪

Improved shared netw

orks performance

▪Im

proved classification▪

mem

ber(foo) && !mem

ber(bar) && (relay4[2].hex == ‘abcd’)▪

Fixed statistics when run m

ultiple instances with the sam

e DB▪

Many sm

aller bugfixes and improvem

ents(100+ tickets closed and counting)

kea.isc.org/roadmap

© 2018 IS

C

▪Authentication▪

Access control▪

Address Reservation▪

Class assignment

▪Accounting

▪Attributes custom

izable▪

FreeRadius based▪

DHCPv4 and DH

CPv6

Kea server

RAD

IUS server

DH

CPD

ISCO

VER

Client

Access-request

(remote-id / circuit-id)

Access-accept

(User-C

lass, Framed-Pool /

Framed-IP-A

ddress)

Lease assigned, renewed, released or expiredA

ccounting-request

(User-C

lass, username,

Framed-IP …

)

User-C

lass cached in Kea

DH

CPO

FFER

RADIU

S Integration (1.4)

© 2018 IS

C

DB C

onfiguration Storage (1.5)

kea.isc.org/wiki/CentralizedConfigNetconf

© 2018 IS

C

YANG

/NETC

ON

F (1.5) <server xm

lns=“…”>

<server-config> <netw

ork-ranges>

<option-set-id>1</option-set-id>

<network-range>

<netw

ork-range-id>1</network-range-id>

<netw

ork-description />

<network-prefix>2001:db8::/56</netw

ork-prefix>

<option-set-id>2</option-set-id>

<address-pools>

<address-pool>

<pool-id>1</pool-id>

<start-address>2001:db8::1</start-address>

<end-address>2001:db8::ffff</end-address>

<renew-tim

e>20</renew-tim

e>

<rebind-time>90</rebind-tim

e>

<valid-lifetime>150</valid-lifetim

e>

<preferred-lifetime>120</preferred-lifetim

e>

</address-pool>

</address-pools>

</network-range>

</network-ranges>

</server-config> </server>

container network-ranges {

description "This model supports a hierarchy ...";

list network-range {

key network-range-id;

leaf network-range-id {

type uint32; m

andatory true; }

container address-pools { description "A container that describes the …

"; list address-pool { leaf start-address { type inet:ipv6-address-no-zone; m

andatory true; description "start address"; } leaf end-address { type inet:ipv6-address-no-zone; m

andatory true; description "end address"; } leaf valid-lifetim

e { type yang:tim

eticks; m

andatory true; description "valid liftim

e for IA"; } …

}

Configuration

YANG m

odel

© 2018 IS

C

TreeView for YAN

G m

odel

© 2018 IS

C

Useful links

▪K

ea project homepage: http://kea.isc.org

▪D

ocumentation: http://kea.isc.org/docs/

▪U

ser’s Guide - 100+ pages of guidance w

ith examples for users,

REST API documentation, and user docum

entation for premium

hooks (easy to see if you w

ould benefit from purchasing them

)▪

List of all log messages - w

ith an explanation what happened and

why, a nod tow

ards the mainfram

e era▪

Developer’s Guide - for developers and contributors, explains the

internals, also includes Hooks interface API▪

Kea business page: http://isc.org/kea▪

High level overview, prem

ium hooks w

hite papers, ISC DHCP vs Kea com

parison, support links, 24/7 support available▪

The source code: http://github.com/isc-projects/kea

▪Source code for prem

ium hooks is also provided to purchasers

© 2018 IS

C

Q&A

Questions?

Suggestions?

Tomatoes?