suppress message -> ISC DHCP has reached end-of-life
-
Turn on KEA it will fix the error for good
Make sure to upvote
-
@JonathanLee said in suppress message -> ISC DHCP has reached end-of-life:
Turn on kea will fix it
... and create more than enough other problems, in my experience. I do not understand why pfSense is labeling ISC as "deprecated" while not admitting that Kea is "alpha-quality".
-
@tgl said in suppress message -> ISC DHCP has reached end-of-life:
why pfSense is labeling ISC as "deprecated"
Because it is ;)
https://www.isc.org/blogs/isc-dhcp-eol/
If they didn't - then for sure people would be complaining why didn't they let anyone know. Here is the thing, if you feel uncomfortable with running a deprecated isc, and kea is not to your level of need as of yet.. Run dhcp on something else on your network. But they have let you know..
The one take away you should take from the above link is this..
"However, it is time to start thinking about a migration plan to a more modern system that is actively maintained."
This is what they did with the warning.. Could it have been worded a bit differently? Yeah ok sure maybe, but one thing this has proven yet again is users don't read anything unless its shoved into their face. There was a whole netgate blog entry entry about how kea is "preview" and and all kinds of warnings in the release notes about features that are missing, etc..
The warning that pops into your face for sure will accomplish the above statement from the isc link ;) You can wait for kea integration into pfsense to be to the level you want.. Or you can run something else, or you can just continue to use isc. But at least you should be aware now.. Maybe it was painful - because again without reading the documentation that was made available, you come to find oh this doesn't work now, or the logging is not to your liking, etc. But it does get you thinking about dhcpd maybe ;)
But to be honest, for many users - kea is viable.. All they want is an IP to be handed out to their clients. It does that.. So such a warning and in your face sort of thing is one way to get them to move over from the currently EOL isc dhcpd. Because otherwise they wouldn't have a clue and would never switch.. How many users are still running some old version of pfsense? Because for whatever reason it didn't pop up into their face there was a new version.. See it all the time - oh my pfsense said it was the latest version.. I didn't know there was a new version, etc.. Really its been 3 years, and you didn't think there was an update? ;)
This sort of thing drives me nuts. You chose to run pfsense on your network, because you were not happy with your isp or soho routers feature set, or you thought it was cool, or whatever.. But then you don't pay attention to if there is an update out, or read any of the release notes when new versions come out? I personally don't get it..
Not saying it couldn't of been done a bit different, or slightly different wording in the warning.. But then again - as the admin of your install, it is your responsibility to keep yourself informed. The information was provided - if you failed to read it.. Who's fault is that?
-
@tgl said in suppress message -> ISC DHCP has reached end-of-life:
I do not understand why pfSense is labeling ISC as "deprecated" while not admitting that Kea is "alpha-quality".
Easy. They figured out that when you throw ISC DHCP into whatever search engine, you'll see the author of ISC DHCP saying the same thing for a a couple of years now.
Btw : don't worry, this info was actually know by everybody that uses ISC DHCP, like pfSense admins etc. Like everybody knows that Windows 7, 8 and 10 shouldn't be used anymore (and half the planet is still knowingly doing so).
They, ISC, have been working on a new DHCP server KEA for the last several years, and it's production ready.
The only thing that is 'new' and needs some more polishing, is the GUI pfSense front end. KEA, the server, is very usable. The upcoming 24.x and 2.8.x will addresses outstanding issues like DHCP options etc.
As the author of DHCP and KEA says : KEA is usable, but there are some conditions.
So, Netgate decided to relay the info, and have he user base 'play' with them both, and while doing so getting the needed feedback so they know where to prioritize their coding (GUI) attention.@johnpoz types faster ^^
-
ISC DHCP has CVE major issues. VLAN hopping, VLAN leaking unauthorized access. Big issues. Please move to KEA ASAP
Says the guy still running 23.09.01 with ISC..
If my crypto chip worked in 24 I would be running KEA in a second -
@JonathanLee and were are these so called major CVEs - please link to them.. I don't see how some application could have anything to do with vlan hoping..
https://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-17706/ISC-Dhcp.html
-
@johnpoz I will have to find it. I remember reading something while in college about it. I think it was a metasploit or something, I will look for it and post info.
-
@JonathanLee if it was such a major CVE, why would it not be listed on the link I posted too? How could a dhcpd be used to hop vlans? Even if it handed you an IP from the wrong scope - that doesn't get you to another vlan.. Most of the CVEs I have seen about isc dhcpd have been related to crashing dhcpd and causing some sort of dos..
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11 -
https://www.cisa.gov/news-events/alerts/2024/02/13/isc-releases-security-advisories-bind-9
It’s related to bind
I have seen something a couple years ago, it was on vulnhub and or a metasploit. Leaking memory and accessing other vlans
Trust me it is out there…
Older versions of pen testing software something had it.
-
https://kb.isc.org/docs/cve-2022-2929
Leaking memory one, this one too. I don’t think KEA has the same issues.
-
@JonathanLee said in suppress message -> ISC DHCP has reached end-of-life:
tps://kb.isc.org/docs/cve-2022-2929
And the fix for that is 4.4.3-P1, which is what is currently used in 23.09.1
What does bind have to do with users moving to kea? If your going to try and scare people - "ISC DHCP has CVE major issue" "Please move to KEA ASAP"
For gosh sake have some actual credible reason..
-
@johnpoz did it work? Are you using KEA? :)
-
@JonathanLee hahaha, no I am not using kea.. You making jokes now - hahah
-
I'm not using Kea on my local router either. Yet. There's nothing exploitable I'm aware of in ISC that I'm worried about. Also yet!
-
See I fixed it no error :)
-
@JonathanLee I was on ISC to start with and someone here suggested it because .. it's going to be depreciated RSN (real soon now)
Then I read (as I was considering going back to KEA since ISC didn't resolve my issue and I read a few reports that going back breaks a bunch of stuff leaving you to do it all over again from the beginning.
Since I'm in sponge mode currently .. I want to resolve all the lil things I have going on and sort out my understanding of firewall rules before "doing it over again"
-
@Tacyon if your on pfSense plus just create a boot environment to test with and after if it doesn’t work just go back to that BE. I really like the BE I play with stuff all the time and I am able to quickly normalize a stable version at the push of a button for my family when they are home
-
@Tacyon ISC was an amazing set of software. I wonder what made that team so successful for so long. It’s got to come down to a great team of people they had. I hope that pfSense can get some of those programmers to help out one day. Who knows why it is depreciated. It worked well for a long time, still does. Again the longer it goes with no updates the more vulnerable it will become.
Make sure to upvote
-
@JonathanLee Kea is ISC's follow-on to their old DHCP code; it's not like those people just disappeared into the ether. You can read their statement about the differences between the products here.
TBH, my take on it is that they felt they needed to have some proprietary add-on products, which the ISC DHCP codebase and licensing didn't really leave any room for. That's fine though, at the end of the day we all need to make some money.
-
@JonathanLee said in suppress message -> ISC DHCP has reached end-of-life:
ISC was an amazing set of software. I wonder what made that team so successful for so long.
Kea is produced by the same ISC group, so not sure what you mean. It's mostly the exact same folks. And ISC is the name of the company, not the software name.
ISC produces a DHCP server, a DHCP client, the BIND name server daemon, and now Kea to replace the aging DHCP server. Here is their website: https://www.isc.org/ showing their products (scroll down the page a bit).
