Kea DHCP

(Migrating to Kea from ISC DHCP)

Carsten Strotmann and the ISC KEA Team

Created: 2020-12-02 Wed 11:31

Software Migrations

About migrations

Migrations from old to new software products are required from time to time
Not all software can be upgraded to new functionality
- Sometimes a clean start is needed to update the underlying implementation
- Such new implementations often cannot provide 100% compatibility
- Examples: BIND 8 -> BIND 9, Python2 -> Python3, ISC DHCP -> Kea DHCP

Migration strategies

Possible migration strategies
- Upgrade of the existing infrastructure
- Re-design of the existing infrastructure

Re-Design of an existing infrastructure

A re-design can be used to remove shortcomings of the old design
- A migration is a good time to review the current design
- A new design can make use of modern features that were not available at the time of the original design
- Maybe it is time to introduce IPv6?
- Implement new features
  - Automatic configuration management
  - Monitoring
  - Better documentation

Configuration migration

A DHCP configuration can be quite complex
- Migrating such a configuration can be challenging
- There could be unknown pitfalls
- Testing and Monitoring are important (the Kea DHCP team has created tools to help with this)

About automated configuration migration

Automated migration of an existing DHCP configuration might be possible
But be aware:
- automated migrations don't utilize the power of the new system
- automated migrations create a non-optimal configuration that might be harder to maintain
Recommendation: if possible, take time and do a manual migration

Kea Migration Assistant (KeaMA)

The Kea Migration Assistant (KeaMA) is a tool provided by ISC to help migrating an existing ISC DHCP configuration to Kea DHCP
- the output of KeaMA can be used as a starting point for creating a Kea DHCP configuration
- don't expect miracles from KeaMA: in most cases, it will not be able to convert the complete ISC DHCP configuration

What KeaMA can do

KeaMA is good at converting simple configuration structures
- Reservations
- Subnet and Shared-Network definitions
- DHCP Option definitions

What KeaMA cannot do

There are some ISC DHCP configuration statements that cannot be translated into a Kea DHCP configuration
- configurations where ISC DHCP and Kea DHCP differ
  - Failover vs. High-Availability
  - Support for hardware types other than Ethernet
  - Shared-Network pools
  - ISC DHCP spawning classes
  - …

Building Kea Migration Assistant (KeaMA)

KeaMA is part of the ISC DHCP Server
- It reuses the ISC DHCP configuration file parser
- ISC provides experimental RPM/DEB packages on Cloudsmith: https://cloudsmith.io/~isc/repos/keama/packages/
- It is recommended to install and use KeaMA on a dedicated migration machine
  - copy the ISC DHCP configuration to that machine and migrate the configuration there

KeaMA: getting the source

Download the latest ISC DHCP source code and extract the tar file

wget http://ftp.isc.org/isc/dhcp/4.4.2/dhcp-4.4.2.tar.gz
tar xvfz dhcp-4.4.2.tar.gz

KeaMA: preparing the source

The KeaMA source must be adjusted to be compiled on your Linux/Unix system and hardware architecture
- the configure script will check the running operating system and will create the build files required to compile KeaMA

cd dhcp-4.2.2/
./configure

KeaMA: Compile from source

Once the configure script returns without error, the KeaMA tool can be build

cd keama
make

KeaMA: using KeaMA

it is not required to install KeaMA, it can be used directly from the build directory
KeaMA syntax

keama [ -4 | -6] [ -D ] [ -N ] [ -r {perform|fatal|pass} ] \
  [ -l hook-library-path ] [ -i input-file ] [ -o output-file ]

KeaMA: Example usage

this is an example of using KeaMA on an ISC DHCPv4 configuration file
- the option -N will place host reservations in the appropriate subnet
- the option -r pass will pass host names into the Kea DHCP configuration. Often these host names need to be replaced with their IP addresses manually.

./keama -4 -N -r pass -i dhcpd.conf -o kea-dhcp4.conf

KeaMA: example result

Comments point to parts of the configuration that most likely need manual adjustment
Known issues are referenced with their Gitlab issue number
- Example: Issue #245 below can be found at https://gitlab.isc.org/isc-projects/kea/-/issues/245

{
  # dhcpd.conf
  /// This configuration declares some subnets but has no interfaces-config
  /// Reference Kea #245
  "Dhcp4": {
//  "statement": {
//    "config": {
//      "value": "allow",
//      "name": "allow-booting",
//      "code": 9
//    }
//  },
    "dhcp-ddns": {
      "qualifying-suffix": "home.example.com",
      "enable-updates": true
    },
[...]

Differences between Kea and ISC DHCP

Shared Networks

ISC DHCP permits pools at shared-network level
In Kea DHCP, a pool must belong to a subnet
In Kea DHCP, selecting a lease from a shared-network has a performance penalty compared to selecting a lease from a plain subnet

Client classification

Kea DHCP does not have a concept similar to permit or deny in ISC DHCP
- In ISC DHCP, this is used to permit or deny certain client classes in subnets
- This can be done in Kea DHCP as well, but the logic is different
Kea DHCP does not support spawning classes (which are used for dynamic lease limit configurations)
- There is (currently) no per client / per class lease limit in Kea DHCP

DHCP Options

ISC DHCP can resolve DNS names to IP addresses for options that require an IP address. Kea DHCP does not resolve DNS names
- The Kea Migration Assistant can resolve the DNS names into IP addresses while converting an ISC DHCP configuration
Option inheritance scoping is different between ISC DHCP and Kea DHCP

High-Availability

ISC DHCP supports the IETF DHCPv4 Failover Protocol draft https://datatracker.ietf.org/doc/html/draft-ietf-dhc-failover
Kea DHCP supports its own DHCP high availability implementation for DHCPv6 and DHCPv4
Both create a highly available DHCP service, but the implementation and configuration details are different
Document comparing failover in ISC DHCP to HA in Kea DHCP https://kb.isc.org/docs/aa-01617

Kea High Availability vs ISC DHCP Failover (1)

Number of servers in an HA cluster
- ISC DHCP: 2
- Kea DHCP: 2 active + unlimited backup servers
Failover relationships
- ISC DHCP: one per subnet
- Kea DHCP: one per instance
Load balancing
- ISC DHCP: Flexible split (RFC3074)
- Kea DHCP: fixed 50/50 split (RFC3074)

Kea High Availability vs ISC DHCP Failover (2)

Lazy lease updates (MCLT)
- ISC DHCP: yes (server responds to the client immediately)
- Kea DHCP: no (server waits for lease update completion before responding to client)
Send lease updates to external entity
- ISC DHCP: no
- Kea DHCP: yes (via backup server or custom hook library)
Rebalancing pools
- ISC DHCP: yes
- Kea DHCP: no

Kea High Availability vs ISC DHCP Failover (3)

Database replication for sharing lease info
- ISC DHCP: no
- Kea DHCP: yes (optional)
API
- ISC DHCP: omapi
- Kea DHCP: RESTful API

Host reservations

In ISC DHCP all host declarations are global
Kea DHCP supports global and per-subnet/shared-network reservations
ISC DHCP can have reservations that are not viable on the subnet where the clients are attached
- Kea does not start if configured with an address or prefix that is not viable on its subnet; it displays an error

Scripts and Tools

Most 3rd party tools and scripts that work with ISC DHCP do not work with Kea DHCP
- parse lease file
- SNMP monitoring agents
- Configuration orchestration
Many use cases are covered by the Kea API

Manual Migration

Client Classes

The Kea Migration Assistant will translate the client classification rules from ISC DHCP to Kea DHCP
- the Kea DHCP configuration will have the original client classification as a comment

[...]
    "client-classes": [
      {
        "name": "virtualbox",
        /// from: match if (substring(hardware, 1, 3)) = 0x080027
        "test": "substring(pkt4.mac,0,3) == 0x080027"
      },
[...]

Understanding Client Classification https://kb.isc.org/docs/understanding-client-classification

Client Classes

review and, if possible, simplify the client classification tests
- Kea DHCP might have expressions that better define the class
- Using Expressions in Classification: https://kea.readthedocs.io/en/kea-1.8.1/arm/classify.html#using-expressions-in-classification

[...]
      {
        "name": "gen#virtualbox#!KNOWN#_AND_#!microsoft-client#",
        "test": "(member('virtualbox') or not member('KNOWN')) and not member('microsoft-client')"
      },
      {
        "name": "gen#!KNOWN#_AND_#!virtualbox#!microsoft-client#",
        "test": "(not member('KNOWN')) and not member('virtualbox') and not member('microsoft-client')"
      }
[...]

Expressions

ISC DHCP allows complex expressions in the configuration file
- The ISC DHCP configuration file is almost a programming language
- Most effects of ISC DHCP expressions can be created with the Kea DHCP functions, or existing hook libraries (flex_id or flex_option hooks)
- In other cases, a custom hook can be used to implement almost any logic required
  - 3rd party hook examples: https://github.com/search?q=kea+hook

Custom Kea hooks

ISC DHCP to Kea DHCP Migration Plan

Proposed migration steps

Get familiar with Kea DHCP
- run a production Kea DHCP for some time (some month) in a small and low risk network
- test features that will be used in the larger production networks

Proposed migration steps

Install Kea DHCP alongside the existing ISC DHCP
Write and test the Kea DHCP configuration
- configure the DHCP relays to forward DHCP messages to ISC DHCP (production) and Kea DHCP (test)
  - block the responses from Kea DHCP in the host firewall of the Kea DHCP OS (for example Linux nftables)
  - inspect the responses from Kea DHCP and compare with the responses from ISC DHCP
Implement Logging and Monitoring

Proposed migration steps

Define the time line for the migration
Lower the lease/refresh times on the ISC DHCP before the migration
- One hour DHCP refresh is safe for most devices
- Modern operating systems (Windows, Linux, macOS etc) can work with low DHCP refresh times, such as 5 minutes
- Embedded or older DHCP clients (MS-DOS, Windows 9x, QNX etc) that can be found in industrial control units need safe refresh values

Proposed migration steps

Start with a friendly crowd, low risk network (IT department WLAN)
Switch networks one-by-one via DHCP relay configuration
- On regression, switch back to ISC DHCP for this one network and investigate

Proposed migration steps

Monitor leases on the ISC DHCP as well
- At some point in time, there should be no DHCP requests coming to the old server(s)
- time to shut the old systems down

Proposed migration steps

Next Webinars

ISC webinars are taking a break until the new year and ISC will announce new webinars early in 2021.

Resources

Alan Clegg – NANOG 76 - DHCP Migration to Kea
- https://pc.nanog.org/static/published/meetings/NANOG76/1998/20190610_Clegg_Dhcp_Migration_To_v1.pdf
Kea High Availability vs ISC DHCP Failover
- https://kb.isc.org/docs/aa-01617
Kea HA Design Document
- https://gitlab.isc.org/isc-projects/kea/-/wikis/designs/High-Availability-Design
Available 3rd party hooks for Kea DHCP
- https://gitlab.isc.org/isc-projects/kea/-/wikis/Hooks-available
Using Host Reservations in Kea
- https://kb.isc.org/docs/what-are-host-reservations-how-to-use-them

Kea DHCP

Carsten Strotmann and the ISC KEA Team

Software Migrations

About migrations

Migration strategies

Re-Design of an existing infrastructure

Configuration migration

About automated configuration migration

Kea Migration Assistant (KeaMA)

Kea Migration Assistant (KeaMA)

What KeaMA can do

What KeaMA cannot do

Building Kea Migration Assistant (KeaMA)

KeaMA: getting the source

KeaMA: preparing the source

KeaMA: Compile from source

KeaMA: using KeaMA

KeaMA: Example usage

KeaMA: example result

Differences between Kea and ISC DHCP

Shared Networks

Client classification

DHCP Options

High-Availability

Kea High Availability vs ISC DHCP Failover (1)

Kea High Availability vs ISC DHCP Failover (2)

Kea High Availability vs ISC DHCP Failover (3)

Host reservations

Scripts and Tools

Manual Migration

Client Classes

Client Classes

Expressions

Custom Kea hooks

ISC DHCP to Kea DHCP Migration Plan

Proposed migration steps

Proposed migration steps

Proposed migration steps

Proposed migration steps

Proposed migration steps

Proposed migration steps

Proposed migration steps

Proposed migration steps

Proposed migration steps

Proposed migration steps

Proposed migration steps

Next Webinars

Resources

Questions and Answers