IP Allocation and Network Discovery in MAAS

Part of the work MAAS takes on for you is IP Address Management, or IPAM. By default, when you deploy a machine in MAAS, a static IP address will be allocated for its use outside of the range of DHCP addresses. This decouples deployed machines and containers from a dependency on DHCP, and ensures that the state of the DHCP server does not impact deployed machines. In addition, the DHCP address pool remains free, such as for enlisting or commissioning a new machine, or other types of temporary purposes. (Machines in MAAS can also be configured to pull IP addresses from DHCP, if desired.)

But how does MAAS know how to avoid IP addresses which are already in-use? There are a few ways:

  • When a known host in MAAS (either a deployable machine, or a known device) has been assigned an address. This can happen manually or automatically.
  • When a dynamic range has been defined in MAAS. MAAS will never allocate a static IP address within a dynamic (DHCP) range.
  • When a reserved range has been defined in MAAS. By default, this causes MAAS to avoid the IP addresses within the range. Addresses within reserved ranges can still be allocated manually (or automatically, in the case of an unmanaged subnet).
  • When MAAS observes an in-use address on the network.

But how does does MAAS know which addresses are in-use?

By default, network discovery in MAAS uses a conservative approach. MAAS listens (via a spawned tcpdump process) to ARP traffic on each interface. Importantly, “promiscuous mode” (asking the host to forward all traffic from the NIC to the CPU, not just traffic directed to itself) is not required; unicast ARP traffic will most likely be switched to the proper port already, and initial ARP requests must be broadcast. In much the same way that a switch learns the network topology by observing “seen” MACs and using that data to understand where network traffic should be sent, MAAS records “seen” (ip-address, mac-address) pairs. MAAS performs deep inspection of ARP packets; it looks at data in broadcast ARP packets that might otherwise be ignored by OS networking stacks, such as the sender hardware address, and even which 802.1q VLAN ID they arrived on.

On each subnet, active discovery can be enabled, which increases the accuracy of the data by periodically sending out a minimal amount of traffic and listening to ARP replies. It’s best to ensure nmap is installed when enabling active discovery, since it is capable of very fast ARP scanning. MAAS will fall back to using a slower ping scan if nmap is not available.

With MAAS continually listening to and scanning the network, it’s difficult for a legitimate host to hide its presence. Since ARP is critical to IP-over-Ethernet networking, even if ICMP traffic is blocked, hosts will still be seen by MAAS.

MAAS presents the data from network discovery in the dashboard, allowing users to easily record devices in MAAS based on discoveries. In addition, when automatically allocating a new IP address, network discovery data allows the “least recently used” address on the subnet to be chosen.

1 Like