Is DHCP relay in Openstack
Hello,

This is my first interaction with the OpenStack mailing lists, so hopefully I am sending this question to the correct place 😊

The question is simple: does OpenStack (Neutron) natively support DHCP relay?

We currently have a (test) deployment using the OVS driver, but we may think about switching to OVN. We would like to use an external DHCP server (BlueCat) that is already handling the rest of our network's DHCP.

I could not find anything related to this in the docs.

I found this spec: https://review.opendev.org/c/openstack/neutron-specs/+/105660 which seems to have been abandoned.

I saw they mention the ISC.org DHCP relay tool. I saw it was deprecated in 2022 and is not supported anymore, and the new product, Kea, seems to lack the DHCP relay feature.

I guess we could search for other solutions (if anyone has experience in this topic I would be grateful), but we would very much prefer a native, integrated solution that would be easy to manage.

So is DHCP relay supported, or planned to be supported in the near future?

Best Regards,
Andrei
Hi Andrei,

On 4/16/25 12:23, Andrei RADU wrote:
> Hello,
> This is my first interaction with the OpenStack mailing lists, so hopefully I am sending this question to the correct place 😊

That's the correct place. Welcome!

> The question is simple: does OpenStack (Neutron) natively support DHCP relay?

Short answer: currently, no, and it's not a good idea to do that anyway. See below for more details.

> We currently have a (test) deployment using the OVS driver, but we may think about switching to OVN. We would like to use an external DHCP server (BlueCat) that is already handling the rest of our network's DHCP.
> I could not find anything related to this in the docs.
> I found this spec: https://review.opendev.org/c/openstack/neutron-specs/+/105660 which seems to have been abandoned.

It also shows in the spec: Neutron doesn't only provide DHCP (using dnsmasq, by the way), it also provides tenant isolation. Meaning that, for example, 2 projects may use the same 10.0.0.0/24 subnet range without any collision.

To achieve this, Neutron makes sure that VMs cannot use IPs that they don't "own", and does this by checking the IP vs the MAC address given to the VM. Any traffic that's not matching the pair will be dropped by Open vSwitch. This makes sure it's impossible to do IP spoofing.

Under this condition, Neutron must know *in advance* what IP address the DHCP server will provide to the VM, and therefore, using a DHCP relay to an external DHCP server that Neutron doesn't control is not a good idea, unless one sacrifices the security I described above (in Neutron, that's called "port security", which can be disabled by an admin, but not by a normal user).

So, with port security off, it should be possible to bind a DHCP relay in a VM of a subnet, but I would not recommend doing this at all, as anyone would be able to do IP spoofing then. So there's no need to ask for something special from OpenStack Neutron, just deploy that if you don't care about port security.

I hope the above answers your question correctly. If not, I'm sure someone else will correct what I wrote (to the best of my knowledge).

Cheers,

Thomas Goirand (zigo)
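The IP/MAC pair check described in the reply above, modelled as an added example (this is illustration code written for this page, not Neutron's implementation; in Neutron the check is realised as Open vSwitch flows or iptables rules per port). It walks through the three situations the thread raises: a lease Neutron allocated itself, a lease handed out by an external relay-fed server that Neutron never saw, and the same port with port security switched off. A fourth function uses the `allowed_address_pairs` port attribute, which is a real Neutron feature but is not discussed in the thread; it is included only to show what a narrower exception than "port security off" looks like, and the `NeutronPort` class and scenario helpers are names assumed here:

```python
"""Model of Neutron 'port security' (per-port IP/MAC anti-spoofing).

Added illustration, not Neutron code. The rule it encodes is the one in
the reply above: a frame may leave a port only if its (source MAC,
source IP) pair is one Neutron already knows for that port.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class NeutronPort:
    """Subset of the attributes `openstack port show` displays."""
    mac_address: str
    fixed_ips: list                       # IPs Neutron allocated to the port
    port_security_enabled: bool = True
    # Real Neutron attribute, not mentioned in the thread: extra
    # (ip_address or CIDR, optional mac_address) pairs the port may source from.
    allowed_address_pairs: list = field(default_factory=list)


def anti_spoof_allows(port: NeutronPort, src_mac: str, src_ip: str) -> bool:
    """True if a frame with (src_mac, src_ip) is allowed out of `port`.

    With port security disabled nothing is checked at all, which is the
    trade-off the reply warns about.
    """
    if not port.port_security_enabled:
        return True
    src_mac = src_mac.lower()
    ip = ip_address(src_ip)
    own_mac = src_mac == port.mac_address.lower()
    if own_mac and any(ip == ip_address(a) for a in port.fixed_ips):
        return True
    for pair in port.allowed_address_pairs:
        pair_mac = pair.get("mac_address", port.mac_address).lower()
        if src_mac == pair_mac and ip in ip_network(pair["ip_address"], strict=False):
            return True
    return False


# Constructed sample data: one VM port, Neutron allocated 10.0.0.10 to it,
# while an external (BlueCat-style) server reached via a relay handed the
# VM 10.0.0.50, which Neutron knows nothing about.
VM_MAC = "fa:16:3e:aa:bb:cc"
OTHER_MAC = "fa:16:3e:dd:ee:ff"
NEUTRON_IP = "10.0.0.10"
RELAY_IP = "10.0.0.50"
NEIGHBOUR_IP = "10.0.0.20"


def relay_scenario() -> dict:
    """Port security on: the externally assigned lease is silently dropped."""
    port = NeutronPort(VM_MAC, [NEUTRON_IP])
    return {
        "neutron_lease": anti_spoof_allows(port, VM_MAC, NEUTRON_IP),   # True
        "external_lease": anti_spoof_allows(port, VM_MAC, RELAY_IP),    # False
    }


def port_security_off_scenario() -> dict:
    """Port security off: the relay lease works, but so does any spoof."""
    port = NeutronPort(VM_MAC, [NEUTRON_IP], port_security_enabled=False)
    return {
        "external_lease": anti_spoof_allows(port, VM_MAC, RELAY_IP),        # True
        "spoof_neighbour": anti_spoof_allows(port, OTHER_MAC, NEIGHBOUR_IP),  # True
    }


def allowed_pairs_scenario() -> dict:
    """Port security on, plus an allowed-address-pair for the whole /24.

    MAC spoofing is still blocked, but the VM may now claim *any* IP in
    the range, including a neighbour's, so this is a partial mitigation only.
    """
    port = NeutronPort(VM_MAC, [NEUTRON_IP],
                       allowed_address_pairs=[{"ip_address": "10.0.0.0/24"}])
    return {
        "external_lease": anti_spoof_allows(port, VM_MAC, RELAY_IP),        # True
        "spoof_mac": anti_spoof_allows(port, OTHER_MAC, NEIGHBOUR_IP),      # False
        "any_ip_in_range": anti_spoof_allows(port, VM_MAC, NEIGHBOUR_IP),   # True
    }


if __name__ == "__main__":
    for name, fn in (("port security on", relay_scenario),
                     ("port security off", port_security_off_scenario),
                     ("allowed address pairs", allowed_pairs_scenario)):
        print(f"{name}: {fn()}")
```

The `relay_scenario` result is the crux: the VM receives a working DHCP offer from the external server, but every frame it then sends from 10.0.0.50 fails the pair check, so the instance appears to have "lost" its network rather than failing at DHCP time. The two remaining scenarios show what has to be given up to make that lease usable.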
Hi Andrei,

On 4/16/25 4:29 PM, Thomas Goirand wrote:
> Hi Andrei,
>
> On 4/16/25 12:23, Andrei RADU wrote:
>> Hello,
>> This is my first interaction with the OpenStack mailing lists, so hopefully I am sending this question to the correct place 😊
>
> That's the correct place. Welcome!
>
>> The question is simple: does OpenStack (Neutron) natively support DHCP relay?
>
> Short answer: currently, no, and it's not a good idea to do that anyway. See below for more details.

Thanks for answering Thomas, and I would agree it's probably not a good idea to support DHCP relays. That said, the Neutron team is always willing to talk about new features if there is a good need behind it, like there is some functionality we just cannot get with what we have.

>> We currently have a (test) deployment using the OVS driver, but we may think about switching to OVN. We would like to use an external DHCP server (BlueCat) that is already handling the rest of our network's DHCP.

OVN has a built-in DHCP server, and with ML2/OVS you can use DHCP in a distributed config, both of which do all the work directly on the compute nodes. That greatly simplifies the architecture, so I'm not sure we'd want to undo that. So the question comes down to "what problem are you trying to solve?". Please don't take that in a snarky way, I can't think of a better way to ask it.

Thanks,

-Brian

>> I could not find anything related to this in the docs.
>> I found this spec: https://review.opendev.org/c/openstack/neutron-specs/+/105660 which seems to have been abandoned.
>
> It also shows in the spec: Neutron doesn't only provide DHCP (using dnsmasq, by the way), it also provides tenant isolation. Meaning that, for example, 2 projects may use the same 10.0.0.0/24 subnet range without any collision.
>
> To achieve this, Neutron makes sure that VMs cannot use IPs that they don't "own", and does this by checking the IP vs the MAC address given to the VM. Any traffic that's not matching the pair will be dropped by Open vSwitch. This makes sure it's impossible to do IP spoofing.
>
> Under this condition, Neutron must know *in advance* what IP address the DHCP server will provide to the VM, and therefore, using a DHCP relay to an external DHCP server that Neutron doesn't control is not a good idea, unless one sacrifices the security I described above (in Neutron, that's called "port security", which can be disabled by an admin, but not by a normal user).
>
> So, with port security off, it should be possible to bind a DHCP relay in a VM of a subnet, but I would not recommend doing this at all, as anyone would be able to do IP spoofing then. So there's no need to ask for something special from OpenStack Neutron, just deploy that if you don't care about port security.
>
> I hope the above answers your question correctly. If not, I'm sure someone else will correct what I wrote (to the best of my knowledge).
>
> Cheers,
>
> Thomas Goirand (zigo)
participants (3)
- Andrei RADU
- Brian Haley
- Thomas Goirand