| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309 |
- <?xml version="1.0" encoding="UTF-8"?>
- <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
- <!ENTITY mdash "—" >
- ]>
- <chapter id="classify">
- <title>Client Classification</title>
- <section>
- <title>Client Classification Overview</title>
- <para>
- In certain cases it is useful to differentiate between different
- types of clients and treat them differently. There are many reasons
- why one might want to treat clients different some common reasons
- include:
- <itemizedlist>
- <listitem><para>
- The clients represent different pieces of topology, for example a cable
- modem vs the clients behind that modem.
- </para></listitem>
- <listitem><para>
- The clients have different behavior, for example a smart phone vs a lapttop
- vs a desktop.
- </para></listitem>
- <listitem><para>
- The clients require different values for some options, for example a docsis3.0
- cable modem vs a docsis2.0 cable modem.
- </para></listitem>
- </itemizedlist>
- </para>
- <para>
- It is envisaged that client classification will be used for changing the
- behavior of almost any part of the DHCP message processing, including assigning
- leases from different pools, assigning different options (or different values of
- the same options) etc. For now, there are only two mechanisms that take
- advantage of client classification: subnet selection and assigning different
- options. For cable modems there are specific options for use with the TFTP
- server address and the boot file field.
- </para>
- <para>
- The process of doing classification is conducted in three steps. The first step
- is to assess an incoming packet and assign it to zero or more classes. The
- second step is to choose a subnet, possibly based on the class information.
- The third step is to assign options again possibly based on the class
- information.
- </para>
- <para>
- Options will be included from all of the assigned classes. In the case two
- or more classes include an option the value from the first class will be used.
- Similarly if two or more classes are associated with a subnet the first subnet
- will be used. In the future the processing order of the various classes may
- be specified but for now it is being left unspecified and may change in
- future releases.
- </para>
- <para>
- There are two methods of doing classification. The first is automatic and relies
- on examining the values in the vendor class options. Information from these
- options is extracted and a class name is constructed from it and added to
- the class list for the packet. The second allows you to specify an expression
- that is evaluated for each packet. If the result is true the packet is
- a member of the class.
- </para>
- <note>
- <para>
- The power of the expressions in the classification step is deliberately
- limited in order to minimize the amount of time required to process each
- expression. The expression for each class must be executed on each packet,
- if they are overly complex or time consuming they may impact the performance
- of the server. If you require complex or time consuming expressions you
- should write a hook to perform the necessary work.
- </para>
- </note>
- <note>
- <para>
- Care should be taken with client classification as it is easy for
- clients that do not meet class criteria to be denied any service altogether.
- </para>
- </note>
- </section>
- <section id="classification-using-vendor">
- <title>Using Vendor Class Information In Classification</title>
- <para>
- The server checks whether an incoming DHCPv4 packet includes
- the vendor class identifier option (60) or an incoming DHCPv6 packet
- includes the vendor class option (16). If it does, the content of that
- option is prepended with "VENDOR_CLASS_" then it is interpreted
- as a class. For example, modern cable modems will send this option with
- value "docsis3.0" and as a result the packet will belong to
- class "VENDOR_CLASS_docsis3.0".
- </para>
- </section>
- <section id="classification-using-expressions">
- <title>Using Expressions In Classification</title>
- <para>
- The expression portion of classification contains operators and values.
- Values are currently strings and operators take a string or strings and
- return another string. When all the operations have completed
- the result should be a value of "true" or "false".
- The packet belongs to
- the class (and the class name is added to the list of classes) if the result
- is "true". Expressions are written in standard format and can be nested.
- </para>
- <para>
- Expressions are pre-processed during the parsing of the configuration file
- and converted to an internal representation. This allows certain types of
- errors (such as incorrect syntax) to be caught and logged. Other errors
- (for example mistakes when setting up the values for a substring) won't be
- caught and may affect the classification. In general if an expression has
- a problem a log message will be emitted at the debug level and the result
- will be an empty string.
- </para>
- <para>
- The expressions are a work in progress and the supported operators and
- values are limited. The expectation is that additional operators and values
- will be added over time, however it is expected the basic mechanisms will
- remain the same.
- </para>
- <para>
- <table frame="all" id="classification-values-list">
- <title>List of Classification Values</title>
- <tgroup cols='3'>
- <colspec colname='name' />
- <colspec colname='example' />
- <colspec colname='description' />
- <thead>
- <row>
- <entry>Name</entry>
- <entry>Example</entry>
- <entry>Description</entry>
- </row>
- </thead>
- <tbody>
- <row><entry>String</entry><entry>'example'</entry><entry>A string</entry></row>
- <row><entry>Hex String</entry><entry>'0XABCD'</entry><entry>A hexadecimal string</entry></row>
- <row><entry>Option</entry><entry>option[code]</entry><entry>The value of the option with code "code" from the packet</entry></row>
- </tbody>
- </tgroup>
- </table>
- </para>
- <para>
- Hex Strings are converted into a string as expected. The starting "0X" or
- "0x" is removed and if the string is an odd number of characters a
- "0" is prepended to it.
- </para>
- <para>
- Option extracts the value of the given option from the incoming packet. If the
- packet doesn't contain the option it returns an empty string.
- </para>
- <para>
- <table frame="all" id="classification-expressions-list">
- <title>List of Classification Expressions</title>
- <tgroup cols='3'>
- <colspec colname='name' />
- <colspec colname='example' />
- <colspec colname='description' />
- <thead>
- <row>
- <entry>Name</entry>
- <entry>Example</entry>
- <entry>Description</entry>
- </row>
- </thead>
- <tbody>
- <row><entry>Equal</entry> <entry>'foo' == 'bar'</entry><entry>Compare the two values and return "true" or "false"</entry></row>
- <row><entry>Substring</entry><entry>substring('foobar',0,3)</entry><entry>Return the requested substring</entry></row>
- </tbody>
- </tgroup>
- </table>
- </para>
- <para>
- The substring operator substring(value, start, length) accepts both positive and
- negative values for the starting position and the length. For start a value of
- 0 is the first byte in the string while -1 is the last byte. If the starting
- point is outside of the original string an empty string is returned. Length
- is the number of bytes to extract. A negative number means to count towards
- the beginning of the string but doesn't include the byte pointed to by start.
- The special value "all" means to return all bytes from start to the end of the
- string. If length is longer than the remaining portion of the string then
- the entire remaining portion is returned.
- </para>
- </section>
- <section id="classification-configuring">
- <title>Configuring Classes</title>
- <para>
- A class contains three items: a name, a test expression and option data.
- The name must exist and must be unique amongst all classes. The test
- expression and option data are optional.
- </para>
-
- <para>
- The test expression is a string containing the logical expression used to
- determine membership in the class. The entire expression is in double
- quotes.
- </para>
- <para>
- The option data is a list which defines any options that should be assigned
- to members of this class.
- </para>
- <para>
- <screen>
- "Dhcp4": {
- "subnet4": [
- {
- "subnet": "192.0.2.0/24",
- "pools": [ { "pool": "192.0.2.10 - 192.0.2.20" } ],
- "client-class": "Client_foo"
- }
- ],
- "client-class": [
- <userinput>
- {
- "name": "Client_foo",
- "test": "substring(option[61],0,3) == 'foo'",
- "option-data": [
- {
- "name": "doamin-name-servers",
- "code": 6,
- "space": "dhcp4",
- "csv-format": true,
- "data": "192.0.2.1, 192.0.2.2"
- }
- ]
- }
- </userinput>
- ...
- }</screen>
- </para>
- <para>
- In this example the class named "Client_foo" is defined. It is comprised
- of all clients who's client ids (option 61) start with the string "foo".
- They will be given an address from 192.0.2.10 to 192.0.2.20 and 192.0.2.1
- and 192.0.2.2 as their domain name servers.
- </para>
- </section>
- <section id="classification-subnets">
- <title>Configuring Subnets With Class Information</title>
- <para>
- In certain cases it beneficial to restrict access to certain subnets
- only to clients that belong to a given subnet. For details on client
- classes, see <xref linkend="classification-using-vendor"/> and
- <xref linkend="classification-using-expressions"/>
- Let's assume that the server is connected to a network segment that uses
- the 192.0.2.0/24 prefix. The Administrator of that network has decided
- that addresses from range 192.0.2.10 to 192.0.2.20 are going to be
- managed by the DHCP4 server. Only clients belonging to client class
- example_class are allowed to use this subnet. Such a
- configuration can be achieved in the following way:
- <screen>
- "Dhcp4": {
- "subnet4": [
- {
- <userinput>"subnet": "192.0.2.0/24",
- "pools": [ { "pool": "192.0.2.10 - 192.0.2.20" } ],
- "client-class": "example_class"</userinput>
- }
- ],
- ...
- }</screen>
- </para>
- </section>
- <section>
- <title>Using Classes</title>
- <para>
- Currently classes can be used for two functions. They can supply options
- to the members class and they can choose a subnet for the members of the class.
- </para>
- <para>
- When supplying options class options defined as part of the class definition
- are considred "class globals". They will override any global options that
- may be defined and in turn will be overridden by any options defined for an
- individual subnet.
- </para>
- </section>
- <section>
- <title>Classes and Hooks</title>
- <para>
- You may use a hook to classify your packets. This may be useful if the
- expression would either be complex or time consuming and be easier or
- better to write as code. Once the hook has added the proper class name
- to the packet the rest of the classification system will work as normal
- in choosing a subnet and selecting options.
- </para>
- </section>
- </chapter>
|
