Report information
The Basics
Id: 48475
Status: new
Priority: Low/Low

People
Owner: Nobody in particular

Dates
Created: Sun, 11 Nov 2018 13:28:10 -0500
Updated: Sun, 11 Nov 2018 13:28:12 -0500
Closed: Not set



This bug tracker is no longer active.

Please go to our Gitlab to submit issues (both feature requests and bug reports) for active projects maintained by Internet Systems Consortium (ISC).

Due to security and confidentiality requirements, full access is limited to the primary maintainers.

Subject: dhcrelay and Relay Agent Information option
From: "Stanislav Chromčák" <chromcak@ztatovyhlavy.cz>
Date: Sun, 11 Nov 2018 19:32:13 +0100
To: dhcp-suggest@isc.org
  Hello.

I have found a problem in dhcrelay related to support of the Relay Agent Information (R-A-I) option.

In section 2.1 of RFC 3046 this is stated:
   Relay agents receiving a DHCP packet from an untrusted circuit with
   giaddr set to zero (indicating that they are the first-hop router)
   but with a Relay Agent Information option already present in the
   packet SHALL discard the packet and increment an error count.
...
   The mechanisms for distinguishing between "trusted" and "untrusted"
   circuits are specific to the type of circuit termination equipment,
   and may involve local administration.

This statement is referred to in the dhcrelay man page, in the description of the -m option:
-m append|replace|forward|discard 
Control the handling of incoming DHCPv4 packets which already contain relay agent options. If such a packet does not have giaddr set in its header, the DHCP standard requires that the packet be discarded. ...

Unfortunately, the current dhcrelay code behaves differently:
- if the -a option is not specified, no code checking whether R-A-I is present is invoked when a DHCP DISCOVER is handled, so if giaddr is not present in the incoming packet, the packet is forwarded with the original R-A-I and with giaddr set to the DHCP relay address
- if the -a option is specified, by default all packets with R-A-I are forwarded with the value provided by dhcrelay and with giaddr filled in (either the original one if it was present in the incoming packet, or the DHCP relay address)
- if the -m option is specified, it is applied to both types of packets, with giaddr and without giaddr present
- there is no way to specify whether dhcrelay should handle incoming packets without giaddr as coming from a trusted or an untrusted circuit

In other words, there is currently no way to configure dhcrelay to discard incoming packets without giaddr and with R-A-I.

I have prepared a patch which improves the handling a little bit:
- it adds a new option (-t) by which the user informs dhcrelay that all interfaces should be handled as trusted
- it adds code to discard a packet without a giaddr address but with R-A-I if interfaces are not trusted
- it also fixes the situation where the -m option does not take any effect until the user specifies the -a option explicitly, even though there is no hint in the man page about this dependency

Pros of the patch:
+ it makes dhcrelay more compliant with RFC 3046
+ it makes dhcrelay behave in a similar way to Cisco routers, which by default discard incoming packets without giaddr and with R-A-I and which provide a similar option (ip dhcp relay information trust-all)

Cons of the patch:
- it changes the default behavior of dhcrelay: packets without giaddr and with R-A-I are now discarded, previously they were forwarded
- it does not solve all issues, such as allowing the user to specify which interfaces should be handled as trusted and which as untrusted; the user can only choose either all trusted or all untrusted

Please check whether my proposed solution could be adopted into ISC dhcrelay.

Thank you

  Stanislav Chromčák
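
The RFC 3046 section 2.1 first-hop check discussed in the report above, as an added example; it is not part of the original message, the attached patch, or ISC's dhcrelay source. The function names, the `trusted` flag and the constructed sample packet are assumptions made for illustration; `RELAY_OK` means the packet proceeds to normal relay handling (including any `-m` policy).

```c
#include <stdint.h>
#include <string.h>
#define GIADDR_OFF  24    /* giaddr in the fixed BOOTP header */
#define COOKIE_OFF  236   /* magic cookie follows the 236-byte header */
#define OPTIONS_OFF 240
#define OPT_RAI     82    /* Relay Agent Information (RFC 3046) */
#define OPT_END     255
#define SAMPLE_LEN  256
enum verdict { RELAY_OK, RELAY_DISCARD, RELAY_MALFORMED };
static const uint8_t MAGIC[4] = { 0x63, 0x82, 0x53, 0x63 };

/* 1 if option 82 present, 0 if absent, -1 if truncated. Option overload (52) is not followed. */
static int has_rai(const uint8_t *pkt, size_t len)
{
    for (size_t i = OPTIONS_OFF; i < len; ) {
        uint8_t code = pkt[i];
        if (code == OPT_END) return 0;
        if (code == 0) { i++; continue; }          /* pad: no length byte */
        if (i + 2 > len || i + 2 + pkt[i + 1] > len) return -1;
        if (code == OPT_RAI) return 1;
        i += 2 + (size_t)pkt[i + 1];
    }
    return 0;
}

/* trusted: hypothetical per-circuit flag supplied by local administration. */
enum verdict check_first_hop(const uint8_t *pkt, size_t len, int trusted)
{
    if (len < OPTIONS_OFF || memcmp(pkt + COOKIE_OFF, MAGIC, 4)) return RELAY_MALFORMED;
    int rai = has_rai(pkt, len);
    if (rai < 0) return RELAY_MALFORMED;
    if (rai && !trusted && memcmp(pkt + GIADDR_OFF, "\0\0\0\0", 4) == 0)
        return RELAY_DISCARD;          /* caller also increments an error count */
    return RELAY_OK;
}

/* Constructed DHCPDISCOVER for illustration; not captured traffic. */
const uint8_t *sample(int with_giaddr, int with_rai)
{
    static uint8_t b[SAMPLE_LEN];
    static const uint8_t tail[] = { 0x63, 0x82, 0x53, 0x63, 53, 1, 1,  /* cookie, type=DISCOVER */
                                    OPT_RAI, 4, 1, 2, 'e', '0', OPT_END };
    memset(b, 0, sizeof b);
    b[0] = 1;                                      /* op = BOOTREQUEST */
    if (with_giaddr) memcpy(b + GIADDR_OFF, "\xc0\x00\x02\x01", 4);  /* 192.0.2.1 */
    memcpy(b + COOKIE_OFF, tail, sizeof tail);
    if (!with_rai) b[OPTIONS_OFF + 3] = OPT_END;   /* end options before option 82 */
    return b;
}
```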


Message body not shown because it is not plain text.
