Netgate Discussion Forum

    suppress message -> ISC DHCP has reached end-of-life

    • GertjanG
      Gertjan @tgl
      last edited by Gertjan

      @tgl said in suppress message -> ISC DHCP has reached end-of-life:

      I do not understand why pfSense is labeling ISC as "deprecated" while not admitting that Kea is "alpha-quality".

      Easy. They figured out that when you throw ISC DHCP into whatever search engine, you'll see the author of ISC DHCP saying the same thing for a couple of years now.

      Btw : don't worry, this info was actually known by everybody that uses ISC DHCP, like pfSense admins etc. Like everybody knows that Windows 7, 8 and 10 shouldn't be used anymore (and half the planet is still knowingly doing so).

      They, ISC, have been working on a new DHCP server KEA for the last several years, and it's production ready.

      The only thing that is 'new' and needs some more polishing, is the GUI pfSense front end. KEA, the server, is very usable. The upcoming 24.x and 2.8.x will address outstanding issues like DHCP options etc.

      As the author of DHCP and KEA says : KEA is usable, but there are some conditions.
      So, Netgate decided to relay the info, and have the user base 'play' with them both, and while doing so getting the needed feedback so they know where to prioritize their coding (GUI) attention.

      @johnpoz types faster ^^

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • JonathanLeeJ
        JonathanLee
        last edited by JonathanLee

        ISC DHCP has CVE major issues. VLAN hopping, VLAN leaking unauthorized access. Big issues. Please move to KEA ASAP

        Says the guy still running 23.09.01 with ISC..
        If my crypto chip worked in 24 I would be running KEA in a second

        Make sure to upvote

        • johnpozJ
          johnpoz LAYER 8 Global Moderator @JonathanLee
          last edited by

          @JonathanLee and where are these so-called major CVEs - please link to them.. I don't see how some application could have anything to do with vlan hopping..

          https://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-17706/ISC-Dhcp.html

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • JonathanLeeJ
            JonathanLee @johnpoz
            last edited by

            @johnpoz I will have to find it. I remember reading something while in college about it. I think it was a metasploit or something, I will look for it and post info.

            • johnpozJ
              johnpoz LAYER 8 Global Moderator @JonathanLee
              last edited by

              @JonathanLee if it was such a major CVE, why would it not be listed on the link I posted too? How could a dhcpd be used to hop vlans? Even if it handed you an IP from the wrong scope - that doesn't get you to another vlan.. Most of the CVEs I have seen about isc dhcpd have been related to crashing dhcpd and causing some sort of dos..

              • JonathanLeeJ
                JonathanLee @johnpoz
                last edited by JonathanLee

                @johnpoz

                https://www.cisa.gov/news-events/alerts/2024/02/13/isc-releases-security-advisories-bind-9

                It’s related to bind

                I have seen something a couple years ago, it was on vulnhub and or a metasploit. Leaking memory and accessing other vlans

                Trust me it is out there…

                Older versions of pen testing software something had it.

                • JonathanLeeJ
                  JonathanLee @johnpoz
                  last edited by

                  @johnpoz

                  https://kb.isc.org/docs/cve-2022-2929

                  Leaking memory one, this one too. I don’t think KEA has the same issues.

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @JonathanLee
                    last edited by

                    @JonathanLee said in suppress message -> ISC DHCP has reached end-of-life:

                    https://kb.isc.org/docs/cve-2022-2929

                    And the fix for that is 4.4.3-P1, which is what is currently used in 23.09.1

                    What does bind have to do with users moving to kea? If you're going to try and scare people - "ISC DHCP has CVE major issue" "Please move to KEA ASAP"

                    For gosh sake have some actual credible reason..

                    • JonathanLeeJ
                      JonathanLee @johnpoz
                      last edited by

                      @johnpoz did it work? Are you using KEA? :)

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @JonathanLee
                        last edited by

                        @JonathanLee hahaha, no I am not using kea.. You making jokes now - hahah

                        • stephenw10S
                          stephenw10 Netgate Administrator
                          last edited by

                          I'm not using Kea on my local router either. Yet. There's nothing exploitable I'm aware of in ISC that I'm worried about. Also yet!

                          • JonathanLeeJ
                            JonathanLee
                            last edited by JonathanLee

                            Screenshot 2024-03-29 at 14.46.42.png

                            Screenshot 2024-03-29 at 14.47.19.png

                            See I fixed it no error :)

                            • TacyonT
                              Tacyon @JonathanLee
                              last edited by

                              @JonathanLee I was on ISC to start with and someone here suggested it because .. it's going to be depreciated RSN (real soon now)

                              Then I read (as I was considering going back to KEA since ISC didn't resolve my issue and I read a few reports that going back breaks a bunch of stuff leaving you to do it all over again from the beginning.

                              Since I'm in sponge mode currently .. I want to resolve all the lil things I have going on and sort out my understanding of firewall rules before "doing it over again"

                              • JonathanLeeJ
                                JonathanLee @Tacyon
                                last edited by

                                @Tacyon if you're on pfSense plus just create a boot environment to test with and after if it doesn’t work just go back to that BE. I really like the BE, I play with stuff all the time and I am able to quickly normalize a stable version at the push of a button for my family when they are home

                                • JonathanLeeJ
                                  JonathanLee @Tacyon
                                  last edited by JonathanLee

                                  @Tacyon ISC was an amazing set of software. I wonder what made that team so successful for so long. It’s got to come down to a great team of people they had. I hope that pfSense can get some of those programmers to help out one day. Who knows why it is depreciated. It worked well for a long time, still does. Again the longer it goes with no updates the more vulnerable it will become.

                                  • T
                                    tgl @JonathanLee
                                    last edited by

                                    @JonathanLee Kea is ISC's follow-on to their old DHCP code; it's not like those people just disappeared into the ether. You can read their statement about the differences between the products here.

                                    TBH, my take on it is that they felt they needed to have some proprietary add-on products, which the ISC DHCP codebase and licensing didn't really leave any room for. That's fine though, at the end of the day we all need to make some money.

                                    • bmeeksB
                                      bmeeks @JonathanLee
                                      last edited by bmeeks

                                      @JonathanLee said in suppress message -> ISC DHCP has reached end-of-life:

                                      ISC was an amazing set of software. I wonder what made that team so successful for so long.

                                      Kea is produced by the same ISC group, so not sure what you mean. It's mostly the exact same folks. And ISC is the name of the company, not the software name.

                                      ISC produces a DHCP server, a DHCP client, the BIND name server daemon, and now Kea to replace the aging DHCP server. Here is their website: https://www.isc.org/ showing their products (scroll down the page a bit).

                                      • TacyonT
                                        Tacyon @Tacyon
                                        last edited by

                                        @JonathanLee - nope ... 2.7.2 CE from Dec of last year.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.