WAVESEC requirements for DHCP server

The base station must be set up by the conference organizers. Notebook users need not concern themselves with these details.

DHCP server requirements

The DHCP server must be capable of taking a custom DHCP option containing a raw RSA key in DNS format and installing it into a DNS server using dynamic DNS updates.

DHCP 3.0.1rc9 with one set of patches can do this. These patches add our custom DHCP option. They should be integrated into some future release. Note that they interfere with the dhcrelay program, but we are working on getting them to play nicely together.

The easy way: download our patched dhcpd source.

The DHCP server need not be on the same machine as the WAVESEC server.

DHCP server setup

Install a patched dhcpd

The server should have the patched dhcpd installed on it. Use the install instructions in the dynamic DNS update FAQ.

Custom configure dhcpd

Once you've confirmed that you can update the reverse map with PTR records, add the following to /etc/dhcpd.conf:


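    # Custom WAVEsec options.
    option oe-key     code 159 = string;
    option oe-gateway code 160 = ip-address;

    on commit {
      # Only dynamic leases, and only if DDNS updates are not switched off.
      if (not static and
          ((config-option server.ddns-updates = null) or
           (config-option server.ddns-updates != 0))) {

          # Act only when the client supplied a key.
          if exists oe-key {
            # Build the reverse-map name, e.g. 17.2.0.192.in-addr.arpa.
            set ddns-rev-name =
               concat (binary-to-ascii (10, 8, ".",
                                         reverse (1, leased-address)), ".",
                        pick (config-option server.ddns-rev-domainname,
                              "in-addr.arpa."));

            set full-oe-key = option oe-key;

            # 25 is the DNS KEY record type. Replace any existing KEY at
            # this name with the client's key, TTL of half the lease time.
            switch (ns-update (delete (IN, 25, ddns-rev-name, null),
                                add (IN, 25, ddns-rev-name, full-oe-key,
                                    lease-time / 2)))
            {
            default:
              # Update failed: forget the name so nothing is cleaned up later.
              unset ddns-rev-name;
              break;
            case NOERROR:
              # Update succeeded: remove the KEY when the lease ends.
              on release or expiry {
                switch (ns-update (delete (IN, 25, ddns-rev-name, null))) {
                case NOERROR:
                  unset ddns-rev-name;
                  break;
                }
              }
            }
          }
      }
    }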
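
Added example (not part of the WAVEsec distribution): a Python check an operator could run on a client-supplied oe-key value before trusting what lands in the reverse map. It rebuilds the same name as `ddns-rev-name` above and sanity-checks the key, assuming "DNS format" means the RFC 3110 RSA public key field (exponent length, exponent, modulus) with no KEY header in front; the function names, the 1024-bit floor and the sample key are constructed for illustration.

```python
import ipaddress

def ddns_rev_name(leased, rev_domain="in-addr.arpa."):
    """Same result as the config's concat/binary-to-ascii/reverse expression."""
    octets = ipaddress.IPv4Address(leased).packed
    return ".".join(str(b) for b in reversed(octets)) + "." + rev_domain

def parse_rsa_pubkey(blob):
    """Parse an RFC 3110 RSA public key field; return (exponent, modulus_bits)."""
    if len(blob) < 3:
        raise ValueError("key too short")
    elen, off = blob[0], 1
    if elen == 0:                       # long form: 0x00 then a 16-bit length
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    if elen == 0 or off + elen >= len(blob):
        raise ValueError("exponent length inconsistent with key size")
    if blob[off] == 0 or blob[off + elen] == 0:
        raise ValueError("leading zero octets are not allowed")
    exponent = int.from_bytes(blob[off:off + elen], "big")
    modulus = int.from_bytes(blob[off + elen:], "big")
    if exponent < 3 or exponent % 2 == 0 or modulus % 2 == 0:
        raise ValueError("implausible RSA parameters")
    return exponent, modulus.bit_length()

def vet_client_key(leased, blob, min_bits=1024):
    """Return the record owner name and key size, or raise ValueError."""
    exponent, bits = parse_rsa_pubkey(blob)
    if bits < min_bits:                 # min_bits is an assumed local policy
        raise ValueError("modulus too small: %d bits" % bits)
    return {"name": ddns_rev_name(leased), "exponent": exponent, "bits": bits}

# Constructed sample: exponent 3 and a 128-octet filler modulus (not a real key).
SAMPLE_KEY = bytes([1, 3]) + bytes([0xC1]) + bytes(126) + bytes([0x01])

if __name__ == "__main__":
    print(vet_client_key("192.0.2.17", SAMPLE_KEY))
```
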

Create empty lease files

Red Hat's dhcpd uses a different lease file location from the standard distribution from ISC. When using Red Hat's /etc/rc.d/init.d/dhcp as the startup script (ISC doesn't install one), the script silently exits if lease files don't exist in the Red Hat location (/var/lib/dhcp/dhcpd.leases). On the other hand, ISC dhcpd exits if /var/state/dhcp/dhcpd.leases does not exist. Solution: create an empty file for each:

    touch /var/lib/dhcp/dhcpd.leases
    touch /var/state/dhcp/dhcpd.leases

Better solution: make the script and the program agree on the file name.