Introduction
This article summarizes the TCP and UDP ports (service ports) used by the Kea DHCP server.
Standard Ports
These ports are specified by the various protocols Kea implements and uses. They are documented here for completeness. Changing them is generally impractical, outside of very controlled circumstances (e.g., a lab environment).
| Proto | Port | Assignment |
|---|---|---|
| UDP | 67 | DHCPv4 server |
| UDP | 68 | DHCPv4 client |
| UDP | 546 | DHCPv6 server |
| UDP | 547 | DHCPv6 client |
| Both | 53 | DNS |
The "Proto" column gives the transport protocol used. "Both" indicates the protocol uses both UDP and TCP transport protocols.
The DHCP standards specify not only a destination port for the server to listen on, but also a source port for the client to send from. This is done because clients may have to exchange DHCP packets before the client has an IP address or any network information. DHCP thus may employ network broadcast/multicast and placeholder IP addresses. That in turn makes it difficult to distinguish a client from a server in the usual ways. Using distinct ports prevents ambiguity and loops.
Management Ports
Kea has several facilities which may listen on a service port to provide management of Kea. These include the Kea API as well as the HA dedicated listeners.
Unlike the standard protocols, these management protocols do not have reserved port numbers registered with IANA or any other standards body. Operators must choose port numbers for them.
Not all of these ports need to be assigned. Features not in use may be omitted. Indeed, use of the management API is entirely optional, so it is possible no management port assignments will be needed.
Suggested Ports
Given the arbitrary nature of these port selections, and for reasons of documentation clarity, the following port assignments are suggested for Kea management.
| Proto | Port | Alt | Assignment |
|---|---|---|---|
| TCP | 8000 | 808 | kea-ctrl-agent API |
| TCP | 8004 | 804 | kea-dhcp4 direct API |
| TCP | 8005 | 805 | kea-dhcp4 HA dedicated listener |
| TCP | 8006 | 806 | kea-dhcp6 direct API |
| TCP | 8007 | 807 | kea-dhcp6 HA dedicated listener |
| TCP | 8053 | 803 | kea-dhcp-ddns direct API |
These are merely suggestions. Operators may configure whatever ports they find appropriate for each use.
Privileged Ports
On servers which permit login by untrusted users, it may be beneficial to have Kea use privileged ports for management.
Unix systems traditionally prevent unprivileged users (non-root users) from listening on ports numbered below 1024 — designating them privileged ports. Only a privileged user (root) can listen on a privileged port. Any user can listen on port 1024 and above.
If the environment allows untrusted users (for example, ISP customers), a nefarious user might try to have software under their control listen on a port that should be assigned to some other service. They could then impersonate that service, and perhaps do things like steal passwords. Using privileged ports lets software assume that anything listening on a privileged port must be trustworthy, and not an impersonator.
The "Alt" column in the table above provides suggested port numbers for this purpose.
If the server running Kea does not permit login except by trusted users, use of privileged ports may not be necessary, although it could provide an element of defense-in-depth.
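As an added example (not code from the Kea project or from this article), the following Python collects the management endpoints from a kea-ctrl-agent configuration (the Control-agent http-host/http-port keys) and the HA peer URLs of a kea-dhcp4 configuration, then flags port collisions and unprivileged ports bound on non-loopback addresses, which is the impersonation risk described above when Kea is not running. The configuration keys follow the Kea ARM; the sample configurations and the hook library path are constructed.

```python
from urllib.parse import urlsplit

# Suggested Kea management assignments from the table above: (port, privileged "Alt" port).
SUGGESTED = {
    "kea-ctrl-agent API": (8000, 808),
    "kea-dhcp4 direct API": (8004, 804),
    "kea-dhcp4 HA dedicated listener": (8005, 805),
    "kea-dhcp6 direct API": (8006, 806),
    "kea-dhcp6 HA dedicated listener": (8007, 807),
    "kea-dhcp-ddns direct API": (8053, 803),
}
PRIVILEGED_MAX = 1023  # traditional Unix: only root may bind ports 0-1023

def classify_port(port):
    """'privileged' for ports below 1024, 'unprivileged' otherwise."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return "privileged" if port <= PRIVILEGED_MAX else "unprivileged"

def kea_endpoints(ctrl_agent_cfg, dhcp4_cfg):
    """(name, host, port) from Control-agent http-host/http-port and HA peer URLs."""
    agent = ctrl_agent_cfg["Control-agent"]
    found = [("kea-ctrl-agent API", agent["http-host"], int(agent["http-port"]))]
    for hook in dhcp4_cfg["Dhcp4"].get("hooks-libraries", []):
        if not hook["library"].endswith("libdhcp_ha.so"):
            continue  # only the HA hook carries peer URLs
        for relationship in hook["parameters"]["high-availability"]:
            for peer in relationship["peers"]:
                url = urlsplit(peer["url"])
                found.append((f"HA peer {peer['name']}", url.hostname, url.port or 80))
    return found

def audit_endpoints(endpoints):
    """Flag duplicate host:port pairs and unprivileged ports on non-loopback hosts."""
    findings, seen = [], {}
    for name, host, port in endpoints:
        if (host, port) in seen:
            findings.append(f"{name}: {host}:{port} already used by {seen[(host, port)]}")
        seen[(host, port)] = name
        if classify_port(port) == "unprivileged" and host not in ("127.0.0.1", "::1"):
            findings.append(f"{name}: unprivileged port {port} on non-loopback {host}")
    return findings

# Constructed sample configs (hook path is a placeholder), not from a real deployment.
CTRL_AGENT = {"Control-agent": {"http-host": "127.0.0.1", "http-port": 8000}}
DHCP4 = {"Dhcp4": {"hooks-libraries": [{
    "library": "/example/kea/hooks/libdhcp_ha.so",
    "parameters": {"high-availability": [{"this-server-name": "server1", "mode": "hot-standby",
        "peers": [{"name": "server1", "url": "http://192.0.2.1:8005/", "role": "primary"},
                  {"name": "server2", "url": "http://192.0.2.2:8005/", "role": "standby"}]}]}}]}}
```

Running `audit_endpoints(kea_endpoints(CTRL_AGENT, DHCP4))` on the sample reports the two HA endpoints as unprivileged ports on non-loopback addresses and nothing for the loopback-only control agent.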
Why these ports?
The example configurations which come with Kea mostly use the assignments given in the "Port" column in the table above. As mentioned above, local port assignments are fundamentally arbitrary. "We had to pick something."
The early implementations of Kea had only the Kea Control Agent, with neither a direct API nor an HA dedicated listener. Port 8000 is a very common alternative for HTTP listeners (the standard being port 80), so it was a reasonable choice for Kea as well.
As additional listeners were added to Kea, numbers similar to 8000 were chosen. 8004 and 8006 are mnemonic for IPv4 and IPv6. The corresponding HA dedicated listeners take the direct API port number and add one. For the kea-dhcp-ddns (D2) direct API, 8053 is mnemonic for port 53 used by DNS.
For the privileged ports ("Alt" column), those particular ports were chosen because (at the time of writing) they had no IANA assignment, nor any major independent use. Individual digits were again mnemonic with existing usage.
See also
- Knowledgebase
- Kea Administrator Reference Manual (ARM)
- Third-party resources