[openstack-dev] [neutron] high dhcp lease times in neutron deployments considered harmful (or not???)

Ihar Hrachyshka ihrachys at redhat.com
Fri Mar 13 11:05:19 UTC 2015


(Sorry for reviving an old thread.)

On 01/28/2015 02:55 PM, Ihar Hrachyshka wrote:
> On 01/28/2015 09:50 AM, Kevin Benton wrote:
>> Hi,
>> 
>> Approximately a year and a half ago, the default DHCP lease time
>> in Neutron was increased from 120 seconds to 86400 seconds.[1]
>> This was done with the goal of reducing DHCP traffic with very
>> little discussion (based on what I can see in the review and bug
>> report). While it does indeed reduce DHCP traffic, I don't
>> think any bug reports were filed showing that a 120 second lease
>> time resulted in too much traffic or that a jump all of the way
>> to 86400 seconds was required instead of a value in the same
>> order of magnitude.
> 
> I guess that would be a good case for FORCERENEW DHCP extension
> [1] though after digging thru dnsmasq code a bit, I doubt it
> supports the extension (though e.g. systemd dhcp client/server from
> networkd module do). Le sigh.
> 
> [1]: https://tools.ietf.org/html/rfc3203
> 

Note that DHCPv6 has a Reconfigure message type exactly for the case of
pushing new configuration to clients that still possess valid IA_ID
configuration. It's defined in RFC3315, section 19 [1].

The only problem with the message type is that DHCP authentication is
mandatory for this type of message, to avoid potential DoS attacks
(a concern that is probably not relevant in our isolated setup).

I haven't had any experience with authN for DHCP before, but afaik it
does not involve any prior data injection into clients. Correct me if
I am wrong.

[1]: http://tools.ietf.org/html/rfc3315#section-19

/Ihar
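Added example (not part of the original message, and not Neutron or dnsmasq code): a client-side check of the authentication that a DHCPv6 Reconfigure message must carry, following the Reconfigure Key Authentication Protocol in RFC 3315 section 21.5, where the server hands the key to the client in an earlier Reply. The key, replay counters and the sample message produced by `build_reconfigure` are constructed for illustration.

```python
import hmac, hashlib, struct

MSG_RECONFIGURE = 10      # RFC 3315 message type
OPTION_AUTH = 11          # Authentication option
OPTION_RECONF_MSG = 19    # Reconfigure Message option (5 = Renew)
RKAP = (3, 1, 0)          # protocol, algorithm, RDM for reconfigure-key auth
TYPE_HMAC_MD5 = 2         # auth-info type used in Reconfigure messages

def find_auth(msg):
    """Return (offset, length) of the Authentication option payload, or None."""
    pos = 4                                   # skip msg-type + transaction-id
    while pos + 4 <= len(msg):
        code, length = struct.unpack_from("!HH", msg, pos)
        pos += 4
        if pos + length > len(msg):
            return None                       # truncated option: reject
        if code == OPTION_AUTH:
            return pos, length
        pos += length
    return None

def verify_reconfigure(msg, key, last_replay):
    """Return the new replay counter for an authentic, fresh Reconfigure, else None."""
    if len(msg) < 4 or msg[0] != MSG_RECONFIGURE:
        return None
    found = find_auth(msg)
    if found is None or found[1] != 28:       # 11-byte header + type + 16-byte digest
        return None                           # unauthenticated Reconfigure is dropped
    off = found[0]
    proto, alg, rdm, replay = struct.unpack_from("!BBBQ", msg, off)
    if (proto, alg, rdm) != RKAP or msg[off + 11] != TYPE_HMAC_MD5:
        return None
    if replay <= last_replay:                 # replay detection: must increase
        return None
    # HMAC-MD5 covers the whole message with the digest field zeroed
    zeroed = msg[:off + 12] + bytes(16) + msg[off + 28:]
    expected = hmac.new(key, zeroed, hashlib.md5).digest()
    return replay if hmac.compare_digest(msg[off + 12:off + 28], expected) else None

def build_reconfigure(key, replay):
    """Constructed sample: server-side Reconfigure asking the client to Renew."""
    head = bytes([MSG_RECONFIGURE, 0, 0, 0]) + struct.pack("!HHB", OPTION_RECONF_MSG, 1, 5)
    auth = struct.pack("!HHBBBQB", OPTION_AUTH, 28, *RKAP, replay, TYPE_HMAC_MD5)
    digest = hmac.new(key, head + auth + bytes(16), hashlib.md5).digest()
    return head + auth + digest
```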


