Bug: Infoblox and vRA API are handing out reserved IPs

New Member
Posts: 3

vRA is handing out IP addresses in Infoblox outside of established DHCP range(s). The next_available_ip function needs to return an IP address that is in a DHCP scope, NOT an address it feels is available because it's just sitting there unused. 

 

I confirmed this behavior by reading over a post I found earlier. I can't imagine why, in this many years, Infoblox still thinks that the best way to assign IPs via API call is to ignore ANY DHCP scopes and just go to town on reserved/static/unused IPs that could be getting used by a host of other services in Infoblox. 

 

vRA and the API should not care about anything outside of a DHCP-scoped IP address. Period. End of story. To do anything else is to break DHCP and essentially reverse it by forcing sysadmins to create static IPs in DHCP ranges (hoping no other service grabbing IPs uses those, I guess?) and then use the static/reserved/unassigned-but-not-in-DHCP IPs as the "real" IPs to hand out. 

 

Explain to me how the current method makes sense, and why the expected behavior for DHCP is completely and utterly ignored. 

Re: Bug: Infoblox and vRA API are handing out reserved IPs

Moderator
Posts: 293

From an IPAM perspective, a DHCP range is considered "utilized" and those addresses are not available for allocation within the network space. This allows the DHCP service to allocate addresses to DHCP clients without any concerns of stomping on a newly allocated system. The behavior is stable and predictable, and does not require service restarts to implement. Our customers have been depending on this behavior for many years.

If you feel the behaviour should be changed, please work with your Infoblox account team to file an RFE (request for enhancement) and include a solid business case for the change, and level of impact for not implementing the change. The account team can help prioritize the request.

Re: Bug: Infoblox and vRA API are handing out reserved IPs

New Member
Posts: 3

"From an IPAM perspective, a DHCP range is considered "utilized" and those addresses are not available for allocation within the network space."

 

No, a DHCP range should NEVER be considered utilized. They're dynamic IPs - they exist to be handed out! They are Dynamic, not static, and thus should be the ones handed out when an IP address is requested. To claim anything else is to display a complete lack of knowledge about IPAM and DHCP. 

 

A refresher: When an IP is requested, it is the DHCP's job (among others) to hand out an IP. It is NOT expected behavior to have static IPs assigned when working with IPv4. A static IP range exists to reserve IPs for other uses, not to hand out. IPAM MUST ignore static IPs when doling out addresses. Anything else breaks DHCP.

 

This is a bug, and this needs to be addressed. Here's a link to the DHCP RFC - please tell me the location where static IPs are to be handed out because DHCP addresses are reserved. 

 

I await your reply and justification for this bug. 
