KEA DHCP NTP server option behavior

Sergei_Shablovsky

Dear pfSense Gurus!

Little background-off topic:
Recently find the bug in KEA DHCP server:
not starting when find FQDN name in settings, mean when You put FQDN instead of IP in “NTP Server [x]” field in
In log: ERROR [kea-dhcp4.dhcp4.0xbe6c7012000] DHCP4_INIT_FAIL failed to initialize Kea server: configuration error using file '/usr/local/etc/kea/kea-dhcp4.conf': option data does not match option definition (space: dhcp4, code: 42): Failed to convert string to address 'int-time.local.lan': Invalid argument (/usr/local/etc/kea/kea-dhcp4.conf:377:33)

But doing experiments with the KEA DHCP server push me to dive in it’s behavior.

Because official docs are SHOCKING LY brief I have several questions:

Please teach me, what’s the behavior of KEA DHCP server if:

SETTINGS 1 ——————————
(local time-server IP + Interface IP)

NTP Server 1
192.168.50.1 (local IP of dedicated internal time-server)
NTP Server 2
192.168.5.1 (IP of this Interface, also the same 192.168.5.1 in “Server Options/DNS Servers” and “Other DHCP Options/Gateway” options).

SETTINGS 2 ——————————
(Interface IP only)

NTP Server 1
192.168.5.1 (IP of this Interface, also the same 192.168.5.1 in “Server Options/DNS Servers” and “Other DHCP Options/Gateway” options).

SETTINGS 3 ——————————
(local time-server IP, 2 (two) different external IP on himself, Interface IP)

NTP Server 1
192.168.50.1 (local IP of dedicated internal time-server)
NTP Server 2
23.65.144.12 (external static IP entry of the same pfSense, UPLINK A)
NTP Server 3
47.12.168.4 (external static IP entry of the same pfSense, UPLINK B)
NTP Server 4
192.168.5.1 (IP of this Interface, also the same 192.168.5.1 in “Server Options/DNS Servers” and “Other DHCP Options/Gateway” options).

Which settings and how work ?
How impact orders of settings?
(Shortly to say “how KEA implementation in 2.7.2-RELEASE deal with ntpd NTP server inside pfSense)
How to ensure what exactly receive the DHCP client on their request?
(pcap+WireShark, logs,…?)

THANK YOU SO MUCH for DETAILED explanation!

P.S. I hope this helps much of pfSense’s users.

Gertjan

@Sergei_Shablovsky said in KEA DHCP NTP server option behavior:

How to ensure what exactly receive the DHCP client on their request?

What the clients gets is what the server sends.

Diagnostics > Packet Capture
Select your interface, typically, LAN,
Protocol : UDP
Ports : 67 and 68
Go for full details : View option : Full.
And hit Start.

Now, on a client, - a windows device :

ipconfig /renew

and you will see a full packet for the request, and what the DHCP server send.

Btw : this doesn't mean the client actually uses the NTP (if any) received by DHCP.
If the device permits me to do so, I normally set manually the NTP address to 192.168.1.1. No great, I know.

Sergei_Shablovsky

@Gertjan said in KEA DHCP NTP server option behavior:

@Sergei_Shablovsky said in KEA DHCP NTP server option behavior:

How to ensure what exactly receive the DHCP client on their request?

What the clients gets is what the server sends.

Diagnostics > Packet Capture
Select your interface, typically, LAN,
Protocol : UDP
Ports : 67 and 68
Go for full details : View option : Full.
And hit Start.

Now, on a client, - a windows device :

ipconfig /renew

and you will see a full packet for the request, and what the DHCP server send.

Thank You so much for explanation!

And how to see what’s happened between ntpd and KEA ?
(I mean which NTP server take KEA from ntpd by default, etc…)

Btw : this doesn't mean the client actually uses the NTP (if any) received by DHCP.

Most of modern (even 5-7 years old) devices (PDU/SDU, Environment monitoring, Security systems, etc) - able to use.
And most OSS. Especially, if this is Windows.

If the device permits me to do so, I normally set manually the NTP address to 192.168.1.1. No great, I know.

No-no-no! I couldn’t make this MANUALLY for 200~500 devices in a building….! ;) Only may be for extra $7M payment w/o taxes :)

Gertjan

@Sergei_Shablovsky

Maybe a WTF situation.
I'm using ISC right now, as I need DCHP options for some internal testing.
I've checked, the ntp server option (42 - right ?!) is present :

....
subnet 192.168.1.0 netmask 255.255.255.0 {
	pool {

		range 192.168.1.70 192.168.1.200;
	}

	option routers 192.168.1.1;
	option domain-name "bhf.tld";
	option domain-name-servers 192.168.1.1;
	default-lease-time 86400;
	max-lease-time 345600;
	ping-check true;
	option ntp-servers 1.2.3.4;

}
.....

I've set the ntp server address to "1.2.3.4" to make it stand out.

I typical DHCP request from my NAS :

07:12:33.348883 00:11:32:a7:d5:88 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 00:11:32:a7:d5:88, length 300, xid 0x8ec28118, Flags [none] (0x0000)
	  Client-Ethernet-Address 00:11:32:a7:d5:88
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message (53), length 1: Request
	    Requested-IP (50), length 4: 192.168.1.33
	    Hostname (12), length 13: "DiskStation2^@"
	    Parameter-Request (55), length 7: 
	      Subnet-Mask (1), BR (28), Time-Zone (2), Default-Gateway (3)
	      Domain-Name (15), Domain-Name-Server (6), Hostname (12)
	    Client-ID (61), length 7: ether 00:11:32:a7:d5:88
07:12:33.349221 90:ec:77:29:39:2c > 00:11:32:a7:d5:88, ethertype IPv4 (0x0800), length 354: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 340)
    192.168.1.1.67 > 192.168.1.33.68: [udp sum ok] BOOTP/DHCP, Reply, length 312, xid 0x8ec28118, Flags [none] (0x0000)
	  Your-IP 192.168.1.33
	  Client-Ethernet-Address 00:11:32:a7:d5:88
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message (53), length 1: ACK
	    Server-ID (54), length 4: 192.168.1.1
	    Lease-Time (51), length 4: 86400
	    Subnet-Mask (1), length 4: 255.255.255.0
	    Default-Gateway (3), length 4: 192.168.1.1
	    Domain-Name (15), length 21: "bhf.tld^@"
	    Domain-Name-Server (6), length 4: 192.168.1.1
	    Hostname (12), length 13: "diskstation2^@"

The ISC server never mentioned an ntp server in the reply section ...

Because .... is this the answer : the dhcp client didn't ask for one ??? ?

Things get better : https://superuser.com/questions/147248/windows-clients-not-using-ntp-server-provided-via-dhcp which actually answered what I already knew for years ...

I've looked at kea : the config of a set NTP server(s) is present ...
But again : if the client isn't asking for them .....

Sergei_Shablovsky

@Gertjan said in KEA DHCP NTP server option behavior:

@Sergei_Shablovsky

Maybe a WTF situation.
I'm using ISC right now, as I need DCHP options for some internal testing.
I've checked, the ntp server option (42 - right ?!) is present :

....
subnet 192.168.1.0 netmask 255.255.255.0 {
	pool {

		range 192.168.1.70 192.168.1.200;
	}

	option routers 192.168.1.1;
	option domain-name "bhf.tld";
	option domain-name-servers 192.168.1.1;
	default-lease-time 86400;
	max-lease-time 345600;
	ping-check true;
	option ntp-servers 1.2.3.4;

}
.....

I've set the ntp server address to "1.2.3.4" to make it stand out.

I typical DHCP request from my NAS :

07:12:33.348883 00:11:32:a7:d5:88 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 00:11:32:a7:d5:88, length 300, xid 0x8ec28118, Flags [none] (0x0000)
	  Client-Ethernet-Address 00:11:32:a7:d5:88
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message (53), length 1: Request
	    Requested-IP (50), length 4: 192.168.1.33
	    Hostname (12), length 13: "DiskStation2^@"
	    Parameter-Request (55), length 7: 
	      Subnet-Mask (1), BR (28), Time-Zone (2), Default-Gateway (3)
	      Domain-Name (15), Domain-Name-Server (6), Hostname (12)
	    Client-ID (61), length 7: ether 00:11:32:a7:d5:88
07:12:33.349221 90:ec:77:29:39:2c > 00:11:32:a7:d5:88, ethertype IPv4 (0x0800), length 354: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 340)
    192.168.1.1.67 > 192.168.1.33.68: [udp sum ok] BOOTP/DHCP, Reply, length 312, xid 0x8ec28118, Flags [none] (0x0000)
	  Your-IP 192.168.1.33
	  Client-Ethernet-Address 00:11:32:a7:d5:88
	  Vendor-rfc1048 Extensions
	    Magic Cookie 0x63825363
	    DHCP-Message (53), length 1: ACK
	    Server-ID (54), length 4: 192.168.1.1
	    Lease-Time (51), length 4: 86400
	    Subnet-Mask (1), length 4: 255.255.255.0
	    Default-Gateway (3), length 4: 192.168.1.1
	    Domain-Name (15), length 21: "bhf.tld^@"
	    Domain-Name-Server (6), length 4: 192.168.1.1
	    Hostname (12), length 13: "diskstation2^@"

BTW, is this from WireShark?

The ISC server never mentioned an ntp server in the reply section ...

Since I start to learn about *nix NTP servers more, I read A LOT NEGATIVE feedbacks about bugs and security breaches in ISC server that not resolved FOR YEARS!

Because .... is this the answer : the dhcp client didn't ask for one ??? ?

Anyway one good news:

subnet 192.168.112.0 netmask 255.255.255.0 {
        max-lease-time 604800;
        default-lease-time 86400;
        authoritative;
        ignore client-updates;

        option ntp-servers 192.168.112.112; #self

        ... (many other options)
}

From this code understanding that NTP server allow to set self address as “NTP server address”.

Things get better : https://superuser.com/questions/147248/windows-clients-not-using-ntp-server-provided-via-dhcp which actually answered what I already knew for years ...

I've looked at kea : the config of a set NTP server(s) is present ...
But again : if the client isn't asking for them .....

Not agree with You :) :

• the question are very old (Asked 13 years, 8 months ago) an 0,005% for that something changed in modern versions of Win;

• as one of the leaderships in firewalling, pfSense may care about a lot of *nix systems. In *nix systems users put more attentIon to time sync because a lot of *nix servers used in military, government, health care, energy, finance and critical infrastructure.
  (Let’s to note the numbers of *nix systems would be grow because we just at the start of decades of wars, and Win are TOTALLY VULNERABLE system.).

So, as one of the leaders in firewalling in enterprise, pfSense DevTeam need to care about correct KEA working. ;)

Gertjan

@Sergei_Shablovsky said in KEA DHCP NTP server option behavior:

BTW, is this from WireShark?

Noop. Packet capturing using pfSense. With full details :

DHCP request from Syno NAS (derived from Linux)

@Sergei_Shablovsky said in KEA DHCP NTP server option behavior:

  Parameter-Request (55), length 7: 
    Subnet-Mask (1), BR (28), Time-Zone (2), Default-Gateway (3)
    Domain-Name (15), Domain-Name-Server (6), Hostname (12)

Note ; it doesn't ask for option '42' : NTP server.
So the DHCP server, ISC or KEA, doesn't give one.
Windows : I saw the same thing : doesn't ask for a NTP server IP(s).
So the DHCP server doesn't give one.

@Sergei_Shablovsky said in KEA DHCP NTP server option behavior:

I read A LOT NEGATIVE feedbacks about bugs and security breaches in ISC server that not resolved FOR YEARS!

Probably a reason why they, themselves, wiped the board, and restarted all over with what they've learned : they wrote KEA ?

@Sergei_Shablovsky said in KEA DHCP NTP server option behavior:

Anyway one good news:

subnet 192.168.112.0 netmask 255.255.255.0 {
max-lease-time 604800;
default-lease-time 86400;
authoritative;
ignore client-updates;

    option ntp-servers 192.168.112.112; #self

That's not the issue, ISC and KEA have the "NTP-server" parameter present, if you set one (an IP, not a host name, as other discovered).

@Sergei_Shablovsky said in KEA DHCP NTP server option behavior:

Not agree with You :) :

Neither myself, I hope to be wrong. But that's not what I'm seeing right now.

For example, my Synology NAS again :

I entered that IP "192.168.1.1" address manually. My NAS uses "DHCPv4" and "DCPv6" to obtain the IPv4 network info, and IPv6 network info. That works just fine, it sync time now.

@Sergei_Shablovsky said in KEA DHCP NTP server option behavior:

So, as one of the leaders in firewalling in enterprise, pfSense DevTeam need to care about correct KEA working. ;)

as the "ntp-server" option is present in the KEA config, on the server, pfSEnse, side, everything is set up.
Nothing more pfSEnse can do - if the DHCP client isn't asking for it ...

Sergei_Shablovsky

Ok!

So just waiting the bug with not understanding pfSense WebGUI the FQDN in NTP Server settings would be fixed.

Gertjan

@Sergei_Shablovsky said in KEA DHCP NTP server option behavior:

pfSense WebGUI the FQDN in NTP Server settings.

The popup does say " ... or a host name like myhost.example.com"

but, from what I make of the ISC DHCP server doc : IPv4 (not even IPv6) only !!)

https://kb.isc.org/docs/isc-dhcp-44-manual-pages-dhcp-options

KEA : same thing :

https://kea.readthedocs.io/en/kea-2.0.0/arm/dhcp4-srv.html

Again : I would like to be wrong, but as I see it, IPv4 is mandatory.
If a host name was possible, the pfSense GUI should resolve the host name first. It doesn't.
It checks if a given host name has the correct format, that's it.

I solved the issue by changing the pop text ^^ "IPv4 only !".

Sergei_Shablovsky

@Gertjan Thank You so much for efforts!

BTW, ISC Stork for BIND 9 and KEA services state monitoring looks like great tool!