Report information
The Basics
Id:
38699
Status:
resolved
Priority:
Medium/Medium
Queue:
dhcp-public
People
Owner:
Nobody in particular
Requestors:
Michael Glasgow <glasgow@beer.net>
Cc:
AdminCc:
BugTracker
Version Fixed:
4.3.5 4.1-ESV-R14
Version Found:
(no value)
Versions Affected:
(no value)
Versions Planned:
4.4.0
Priority:
P2 Normal
Severity:
S2 Normal
CVSS Score:
(no value)
CVE ID:
(no value)
Component:
(no value)
Area:
(no value)
Dates
Created:Mon, 23 Feb 2015 16:15:47 -0500
Updated:Mon, 02 Oct 2017 10:50:47 -0400
Closed:Mon, 02 Oct 2017 10:50:47 -0400

This bug tracker is no longer active.

Please go to our Gitlab to submit issues (both feature requests and bug reports) for active projects maintained by Internet Systems Consortium (ISC).

Due to security and confidentiality requirements, full access is limited to the primary maintainers.

History
  Mon, 23 Feb 2015 16:15:48 -0500 Michael Glasgow <glasgow@beer.net> - Ticket created
CC: marketing@isc.org
Subject: dhcp-4.2.5-27.0.1.el7_0.2 - dhcrelay drops responses inappropriately
Date: Mon, 23 Feb 2015 21:15:44 +0000
To: dhcp-bugs@isc.org
From: "Michael Glasgow" <glasgow@beer.net>

Bug Report from www.isc.org:

  • Name: Michael Glasgow
  • Email: glasgow@beer.net
  • Software Version: dhcp-4.2.5-27.0.1.el7_0.2
  • OS: Oracle Linux 7
  • Subject:dhcrelay drops responses inappropriately

Bug Detail

Bitten by this bug today:

https://lists.isc.org/pipermail/dhcp-users/2014-April/017829.html

Quoting the main part:

dhcrelay creates link-level AF_PACKET socket and bind()s it to the interface facing clients. This socket has a read event handler got_one() that further calls do_relay4() that does the actual relaying logic. Another socket that dhcrelay creates is AF_INET. This socket is used ONLY to send DHCP requests to the DHCP server, but it is NOT USED to read any packets from the DHCP server. This is because AF_INET socket is using fallback_discard() handler whenever a packets arrives. This callback, you guessed it right,
simply drops all the packets that server sent.

The upshot is that there is presently no way to prevent dhcrelay from serving client requests on the subnet where it will receive replies from the DHCP server, e.g.:

dhcpd <- s1 -> dhcrelay <-s2-> dhclient

where "s1" and "s2" are distinct subnets, and I need dhcrelay to service clients on "s2" but not on "s1" (because dhcpd is already listening there).

Excluding dhcrelay's interface on "s1" using -i <s2> results in the aforementioned behavior, breaking clients on "s2". This would seem to be a relatively common configuration for a router running a dhcp relay, so it seems like it should be supported.

---

This email was received through isc.org Bug Submission Form

All information within this email is considered confidential and for internal use only.

Tue, 24 Mar 2015 23:33:35 -0400 Shawn Routhier <sar@isc.org> - Status changed from 'new' to 'open'
  Fri, 03 Jul 2015 15:01:44 -0400 Cathy Almond <cathya@isc.org> - Correspondence added

> * Name: Michael Glasgow > > * Email: glasgow@beer.net > > * Software Version: dhcp-4.2.5-27.0.1.el7_0.2 > > * OS: Oracle Linux 7 > > * Subject:dhcrelay drops responses inappropriately > > Bug Detail > > Bitten by this bug today: > > https://lists.isc.org/pipermail/dhcp-users/2014-April/017829.html > > Quoting the main part: > > dhcrelay creates link-level AF_PACKET socket and bind()s it to the > interface > facing clients. This socket has a read event handler got_one() that > further > calls do_relay4() that does the actual relaying logic. Another socket > that > dhcrelay creates is AF_INET. This socket is used ONLY to send DHCP > requests to > the DHCP server, but it is NOT USED to read any packets from the DHCP > server. > This is because AF_INET socket is using fallback_discard() handler > whenever a > packets arrives. This callback, you guessed it right, > simply drops all the packets that server sent. > > The upshot is that there is presently no way to prevent dhcrelay from > serving > client requests on the subnet where it will receive replies from the > DHCP > server, e.g.: > > dhcpd <- s1 -> dhcrelay <-s2-> dhclient > > where "s1" and "s2" are distinct subnets, and I need dhcrelay to > service > clients on "s2" but not on "s1" (because dhcpd is already listening > there). > > Excluding dhcrelay's interface on "s1" using -i <s2> results in the > aforementioned behavior, breaking clients on "s2". This would seem to > be a > relatively common configuration for a router running a dhcp relay, so > it seems > like it should be supported. > > --- > > This email was received through isc.org Bug Submission Form Hi Michael, Thanks for this report, We had conjectured that your problem might already have been addressed in recent changes going through, but we now suspect that it has not. I'm passing on a question from our engineers therefore - is this a significant functionality problem, or is it just causing unwanted log messages, but in the end, the client is being given an appropriate lease? Kind regards, Cathy Almond ISC Support
Fri, 14 Aug 2015 00:24:00 -0400 Shawn Routhier <sar@isc.org> - Queue changed from #8 to #9
  Thu, 27 Aug 2015 12:39:18 -0400 Cathy Almond <cathya@isc.org> - Correspondence added

On Mon Feb 23 21:15:48 2015, glasgow@beer.net wrote: > Bug Report from www.isc.org: > > * Name: Michael Glasgow > > * Email: glasgow@beer.net > > * Software Version: dhcp-4.2.5-27.0.1.el7_0.2 > > * OS: Oracle Linux 7 > > * Subject:dhcrelay drops responses inappropriately > > Bug Detail > > Bitten by this bug today: > > https://lists.isc.org/pipermail/dhcp-users/2014-April/017829.html > > Quoting the main part: > > dhcrelay creates link-level AF_PACKET socket and bind()s it to the > interface > facing clients. This socket has a read event handler got_one() that > further > calls do_relay4() that does the actual relaying logic. Another socket > that > dhcrelay creates is AF_INET. This socket is used ONLY to send DHCP > requests to > the DHCP server, but it is NOT USED to read any packets from the DHCP > server. > This is because AF_INET socket is using fallback_discard() handler > whenever a > packets arrives. This callback, you guessed it right, > simply drops all the packets that server sent. > > The upshot is that there is presently no way to prevent dhcrelay from > serving > client requests on the subnet where it will receive replies from the > DHCP > server, e.g.: > > dhcpd <- s1 -> dhcrelay <-s2-> dhclient > > where "s1" and "s2" are distinct subnets, and I need dhcrelay to > service > clients on "s2" but not on "s1" (because dhcpd is already listening > there). > > Excluding dhcrelay's interface on "s1" using -i <s2> results in the > aforementioned behavior, breaking clients on "s2". This would seem to > be a > relatively common configuration for a router running a dhcp relay, so > it seems > like it should be supported. > > --- > > This email was received through isc.org Bug Submission Form > > All information within this email is considered confidential and for > internal > use only. Hi Michael, Thanks for this report, This behaviour is something that has been around in ISC DHCP for a very long time - and we agree that it can result in duplicate requests being received by the DHCP servers, but at the same time, it should not be causing any problems. As this has been the way that ISC DHCP has operated for a long time, we're a little reluctant to try to change it now - but before we make that decision, we'd first like to check back with you whether or not this is causing you a significant operational issue, beyond the inevitable logging of the duplicated requests on the same subnet as the DHCP server? Kind regards, Cathy Almond ISC Support
  Thu, 27 Aug 2015 14:53:53 -0400 Michael Glasgow <glasgow@beer.net> - Correspondence added
Subject: Re: [ISC-Bugs #38699] dhcp-4.2.5-27.0.1.el7_0.2 - dhcrelay drops responses inappropriately
Date: Thu, 27 Aug 2015 13:53:48 -0500 (CDT)
To: dhcp-review@isc.org
From: "Michael Glasgow" <glasgow@beer.net>

Cathy Almond via RT wrote: > Thanks for this report, > > This behaviour is something that has been around in ISC DHCP for > a very long time - and we agree that it can result in duplicate > requests being received by the DHCP servers, but at the same time, > it should not be causing any problems. > > As this has been the way that ISC DHCP has operated for a long > time, we're a little reluctant to try to change it now - but before > we make that decision, we'd first like to check back with you > whether or not this is causing you a significant operational issue, > beyond the inevitable logging of the duplicated requests on the > same subnet as the DHCP server? Appreciate your response. I abandoned the ISC relay code for this reason, so I guess you could say it was significant for me. In my case, the subnets south of the relay ("s2" in my example) are all dmz subnets, so traffic to/from the relay host's trusted interface is scrutinized very carefully. Security-wise, it was not acceptable for the relay to respond to requests on the trsuted side of the network, in case an attacker somehow got control of the relay host. Of course, I understand that if they got root on the relay host, they could do so regardless, but with this broken behavior it becomes much more difficult for my monitoring to detect them doing so. In other words, by watching the network I can't easily distinguish the "normal" broken behavior from an attack signature. What makes this worse is that Linux processes traffic to/from AF_PACKET sockets such that iptables cannot filter these out. So that was my use case -- a very strict security posture which rendered ISC's code too painful (though not impossible) to use. I could've worked around it somehow, but I found other code to use instead. Additionally, purely from a functional standpoint I must say I view the blanket assertion that it should not be causing any problems with some skepticism. At a minimum, it could easily cause unexpected behavior where the user has defined classes based on which relay a request came through. You could also imagine a case where the relay is pointing at a different dhcpd than the dhcpd running on s1, with a very different configuration, so that the client hosts are configured differently based on who wins the race. I wouldn't assume that folks are ok with this behavior just because you don't get a ton of bug reports about it. I've been doing IT for a very long time, and it was not easy to figure out what was going on here. If I hadn't figured out why it was happening, I would've just silently moved on to another vendor's code and never submitted the report. Could be plenty of people doing the same thing... not sure you would really know unless you have separate metrics for users of dhcrelay as opposed to dhcpd itself. -- Michael Glasgow <glasgow@beer.net>
Fri, 28 Aug 2015 14:54:48 -0400 Shawn Routhier <sar@isc.org> - Priority P2 Normal added
Fri, 28 Aug 2015 14:54:48 -0400 Shawn Routhier <sar@isc.org> - Severity S2 Normal added
Fri, 28 Aug 2015 14:54:49 -0400 Shawn Routhier <sar@isc.org> - Queue changed from #9 to #8
  Fri, 02 Oct 2015 04:29:09 -0400 Cathy Almond <cathya@isc.org> - Correspondence added

On Thu Aug 27 18:53:53 2015, glasgow@beer.net wrote: > Cathy Almond via RT wrote: > > Thanks for this report, > > > > This behaviour is something that has been around in ISC DHCP for > > a very long time - and we agree that it can result in duplicate > > requests being received by the DHCP servers, but at the same time, > > it should not be causing any problems. > > > > As this has been the way that ISC DHCP has operated for a long > > time, we're a little reluctant to try to change it now - but before > > we make that decision, we'd first like to check back with you > > whether or not this is causing you a significant operational issue, > > beyond the inevitable logging of the duplicated requests on the > > same subnet as the DHCP server? > > Appreciate your response. > > I abandoned the ISC relay code for this reason, so I guess you > could say it was significant for me. > > In my case, the subnets south of the relay ("s2" in my example) > are all dmz subnets, so traffic to/from the relay host's trusted > interface is scrutinized very carefully. Security-wise, it was > not acceptable for the relay to respond to requests on the trsuted > side of the network, in case an attacker somehow got control of > the relay host. Of course, I understand that if they got root on > the relay host, they could do so regardless, but with this broken > behavior it becomes much more difficult for my monitoring to detect > them doing so. In other words, by watching the network I can't > easily distinguish the "normal" broken behavior from an attack > signature. What makes this worse is that Linux processes traffic > to/from AF_PACKET sockets such that iptables cannot filter these out. > > So that was my use case -- a very strict security posture which > rendered ISC's code too painful (though not impossible) to use. > I could've worked around it somehow, but I found other code to > use instead. > > Additionally, purely from a functional standpoint I must say I view > the blanket assertion that it should not be causing any problems > with some skepticism. At a minimum, it could easily cause unexpected > behavior where the user has defined classes based on which relay > a request came through. You could also imagine a case where the > relay is pointing at a different dhcpd than the dhcpd running on > s1, with a very different configuration, so that the client hosts > are configured differently based on who wins the race. > > I wouldn't assume that folks are ok with this behavior just because > you don't get a ton of bug reports about it. I've been doing IT > for a very long time, and it was not easy to figure out what was > going on here. If I hadn't figured out why it was happening, I > would've just silently moved on to another vendor's code and never > submitted the report. Could be plenty of people doing the same > thing... not sure you would really know unless you have separate > metrics for users of dhcrelay as opposed to dhcpd itself. > Hi Michael, Many thinks for taking the time and trouble to write up your use case. On the basis of your response, we are now considering potential changes to the relay code in relation to interfaces - but this ticket will still have to compete for engineering resources against other worthy bug reports and feature requests. So whether or not anything is done is not definite. But I thought you might like to know that your input has in fact caused us to reconsider our stance, even though we might not be able to address the issue in the immediate future. Kind regards, Cathy
  Wed, 07 Oct 2015 12:51:45 -0400 Michael Glasgow <glasgow@beer.net> - Correspondence added
Subject: Re: [ISC-Bugs #38699] dhcp-4.2.5-27.0.1.el7_0.2 - dhcrelay drops responses inappropriately
Date: Wed, 7 Oct 2015 11:51:39 -0500 (CDT)
To: dhcp-bugs@isc.org
From: "Michael Glasgow" <glasgow@beer.net>

Cathy Almond via RT wrote: > Many thinks for taking the time and trouble to write up your use case. > > On the basis of your response, we are now considering potential > changes to the relay code in relation to interfaces - but this > ticket will still have to compete for engineering resources against > other worthy bug reports and feature requests. So whether or not > anything is done is not definite. > > But I thought you might like to know that your input has in fact > caused us to reconsider our stance, even though we might not be > able to address the issue in the immediate future. Thanks for your response. I can certainly understand your challenges with dev priority, but I'm glad my info was useful nonetheless. Take care, -- Michael Glasgow <glasgow@beer.net>
Fri, 16 Oct 2015 03:15:38 -0400 Cathy Almond <cathya@isc.org> - Versions Planned 4.4.0 added
  Mon, 02 Oct 2017 10:49:43 -0400 Thomas Markwalder <tmark@isc.org> - Correspondence added

Hello Michael: I wanted to let you know that your issue was addressed as of ISC DHCP 4.3.5 and 4.1-ESV-R14 under a different ticket (our newest maintenance releases are 4.3.6 and 4.1-ESV-R15). Our next feature release will be 4.4.0, due out Q1 of '18. We addressed the issue by adding two command line options to dhcrelay: -iu ifname Specifies an upstream network interface: an interface from which replies from servers and other relay agents will be accepted. Multiple interfaces may be specified by using more than one -iu option. This argument is intended to be used in conjunction with one or more -i or -id arguments. -id ifname Specifies a downstream network interface: an interface from which requests from clients and other relay agents will be accepted. Multiple interfaces may be specified by using more than one -id option. This argument is intended to be used in conjunction with one or more -i or -iu arguments. While I realize this comes after you have moved on to other solutions, I thought you'd like to know. Regards, Thomas Markwalder ISC Software Engineering
Mon, 02 Oct 2017 10:50:45 -0400 Thomas Markwalder <tmark@isc.org> - Version Fixed 4.3.5 4.1-ESV-R14 added
Mon, 02 Oct 2017 10:50:47 -0400 Thomas Markwalder <tmark@isc.org> - Status changed from 'open' to 'resolved'
Mon, 02 Oct 2017 10:50:47 -0400 Thomas Markwalder <tmark@isc.org> - Queue changed from #8 to dhcp-public
Mon, 02 Oct 2017 10:50:47 -0400 Thomas Markwalder <tmark@isc.org> - Dependency on #41547: added