Report information
The Basics
Id:
45451
Status:
resolved
Estimated:
1 hour (60 minutes)
Worked:
30 minutes
Users:
tmark: 30 minutes
Priority:
Medium/Medium
Queue:
dhcp-public
People
BugTracker
Version Fixed:
4.4.0 4.3.7(dev) 4.1-ESV-R16(dev)
Version Found:
(no value)
Versions Affected:
(no value)
Versions Planned:
4.4.0 4.3.7 4.1-ESV-R16
Priority:
P3 Low
Severity:
S3 Low
CVSS Score:
(no value)
CVE ID:
(no value)
Component:
(no value)
Area:
Other
Attachments
bug-report.txt
Dates
Created:Thu, 22 Jun 2017 21:18:49 -0400
Updated:Fri, 12 Jan 2018 10:07:00 -0500
Closed:Fri, 12 Jan 2018 10:06:59 -0500

This bug tracker is no longer active.

Please go to our Gitlab to submit issues (both feature requests and bug reports) for active projects maintained by Internet Systems Consortium (ISC).

Due to security and confidentiality requirements, full access is limited to the primary maintainers.

History
  Thu, 22 Jun 2017 21:18:50 -0400 Rob Riepel <riepel@stanford.edu> - Ticket created
Date: Thu, 22 Jun 2017 18:18:34 -0700
From: "Rob Riepel" <riepel@stanford.edu>
Subject: [confidential] DHCPv6 client class matching bug in DHCP server 4.3.5
To: dhcp-bugs@isc.org

[confidential] to keep the detail of our config out of the public view per our management. We currently use DHCPv4 client classes to great avail. Our v4 setup looks something like this: class "roaming" { match hardware; } class "frozen" { match hardware; } class "vile" { match hardware; deny booting; } shared-network AiF-net.stanford.edu { subnet 10.86.67.192 netmask 255.255.255.192 { option routers 10.86.67.193; pool { allow members of "frozen"; max-lease-time 2520; default-lease-time 2520; range 10.86.67.212 10.86.67.231; } } subnet 171.66.67.192 netmask 255.255.255.192 { option routers 171.66.67.193; pool { allow members of "roaming"; max-lease-time 2520; default-lease-time 2520; range 171.66.67.222 171.66.67.251; } } } host sr16-1bba467e4a-fcfc48d6e6ea { ethernet fc:fc:48:d6:e6:ea; } subclass "roaming" 1:fc:fc:48:d6:e6:ea; host daedalus-c82a14291f57 { hardware ethernet c8:2a:14:29:1f:57; fixed-address 171.64.20.40; } subclass "vile" 1:c8:2a:14:29:1f:57; We've duplicated that for DHCPv6, by teasing the LL address out of DUIDs that include it, so we can use the same DHCP configuration generation tools. The v6 configs looks like: class "roaming" { match su-client-id; log(debug, "roaming match"); } class "frozen" { match su-client-id; log(debug, "frozen match"); } class "vile" { match su-client-id; log(debug, "vile match"); deny booting; } # where, su-client-id == 1:LLaddress (details in attached bug report) shared-network Pine-B-net.stanford.edu { subnet6 2607:f6d0:0:a13f::/64 { pool6 { allow members of "roaming"; max-lease-time 2520; default-lease-time 2520; range6 2607:f6d0:0:a13f:bad:c0ff:ee:1 2607:f6d0:0:a13f:bad:c0ff:ee:6e; } } } host Scar-f44d30426ad3 { hardware ethernet f4:4d:30:42:6a:d3; } subclass "roaming" 1:f4:4d:30:42:6a:d3; host daedalus-109add9e9ea5 { hardware ethernet 10:9a:dd:9e:9e:a5; } subclass "vile" 1:10:9a:dd:9e:9e:a5; In testing to make sure "vile" hosts never obtain leases, we found they did. Repeated tests confirmed this and suggest an indexing problem in the dhcpd class matching algorithm. I believe the attached bug report (appended as an attachment to avoid mail mangling) shows this, as clients show up in the class of the previous client. The attached report includes version information, the relevant bits of the dhcpd.conf, and an annotated section of the log file starting from dhcpd start until after the problems (no log lines have been excluded). I would attached the full dhcpd.conf, but it's quite large (18M). Let me know if you want it. Happy to test patches if it comes to that. -- Rob Riepel
bug-report.txt

Message body is not shown because sender requested not to inline it.

Thu, 22 Jun 2017 21:18:50 -0400 The RT System itself - Area bug added
  Tue, 27 Jun 2017 13:41:44 -0400 Thomas Markwalder <tmark@isc.org> - Correspondence added

Hello Rob: This is an intriguing problem. Thus far, using your configuration we have not been able to produce a mismatch. We are winding up work on our next releases, 4.3.6/4.1-ESV-R15, which are due out 7/31/17, so our resources are somewhat limited. Could you supply us with pcaps of the traffic that causes the mismatch? Regards, Thomas Markwalder ISC Software Engineering
Tue, 27 Jun 2017 13:41:45 -0400 The RT System itself - Status changed from 'new' to 'open'
  Tue, 27 Jun 2017 19:40:44 -0400 Rob Riepel <riepel@stanford.edu> - Correspondence added
Subject: Re: [ISC-Bugs #45451] [confidential] DHCPv6 client class matching bug in DHCP server 4.3.5
To: dhcp-confidential@isc.org
Date: Tue, 27 Jun 2017 16:40:31 -0700
From: "Rob Riepel" <riepel@stanford.edu>

On Jun 27, 2017, at 10:41 AM, Thomas Markwalder via RT <dhcp-confidential@isc.org> wrote: > This is an intriguing problem. Thus far, using your configuration we have not been able to produce a mismatch. We are winding up work on our next releases, 4.3.6/4.1-ESV-R15, which are due out 7/31/17, so our resources are somewhat limited. > > Could you supply us with pcaps of the traffic that causes the mismatch? As you can see from the files, I restart the server, started tcpdump (dst port 547 or dst port 546), and then told the "vile" client (same one as before) to configure IPv6 automatically. It matched "roaming" right off. The subsequent client, ac:bc:32:d3:2a:f1, which is a valid "roaming" client didn't explicitly match "roaming," but it didn't get an address either. About 15 seconds later it matched "roaming" and got an address. I've put the full config, log, and pcap files up at http://web.stanford.edu/~riepel/dhcpv6/ Let me know when you've got them so I remove them. Thanks. -- Rob Riepel
  Wed, 28 Jun 2017 06:47:39 -0400 Thomas Markwalder <tmark@isc.org> - Correspondence added

Hello Rob: We have pulled the files down, thank you. The full config file is quite large which may have something to do with it. My testing here was done based on the snippet you included before. I will keep you updated with our findings but it may be a bit before we can spend much time on it. Regards, Thomas Markwalder ISC Software Engineering On Tue Jun 27 23:40:44 2017, riepel@stanford.edu wrote: > On Jun 27, 2017, at 10:41 AM, Thomas Markwalder via RT <dhcp- > confidential@isc.org> wrote: > > > > This is an intriguing problem. Thus far, using your configuration we > > have not been able to produce a mismatch. We are winding up work on > > our next releases, 4.3.6/4.1-ESV-R15, which are due out 7/31/17, so > > our resources are somewhat limited. > > > > Could you supply us with pcaps of the traffic that causes the > > mismatch? > > As you can see from the files, I restart the server, started tcpdump > (dst port 547 or dst port 546), and then told the "vile" client (same > one as before) to configure IPv6 automatically. It matched "roaming" > right off. The subsequent client, ac:bc:32:d3:2a:f1, which is a valid > "roaming" client didn't explicitly match "roaming," but it didn't get > an address either. About 15 seconds later it matched "roaming" and got > an address. > > I've put the full config, log, and pcap files up at > http://web.stanford.edu/~riepel/dhcpv6/ > > Let me know when you've got them so I remove them. Thanks. > > -- > Rob Riepel
  Wed, 28 Jun 2017 18:11:43 -0400 Rob Riepel <riepel@stanford.edu> - Correspondence added
To: dhcp-confidential@isc.org
From: "Rob Riepel" <riepel@stanford.edu>
Date: Wed, 28 Jun 2017 15:11:30 -0700
Subject: Re: [ISC-Bugs #45451] [confidential] DHCPv6 client class matching bug in DHCP server 4.3.5

Thank you. FWIW, our config is virtually the same for our DHCPv4 service (except we use "match hardware," as mentioned in my original message), and class matching works as expected. (I tested it after encountering the v6 problems to make sure I understood what I was doing.) > On Jun 28, 2017, at 3:47 AM, Thomas Markwalder via RT <dhcp-confidential@isc.org> wrote: > > Hello Rob: > > We have pulled the files down, thank you. The full config file is quite large which may have something to do with it. My testing here was done based on the snippet you included before. > > I will keep you updated with our findings but it may be a bit before we can spend much time on it. > > Regards, > > Thomas Markwalder > ISC Software Engineering > > On Tue Jun 27 23:40:44 2017, riepel@stanford.edu wrote: >> On Jun 27, 2017, at 10:41 AM, Thomas Markwalder via RT <dhcp- >> confidential@isc.org> wrote: >> >> >>> This is an intriguing problem. Thus far, using your configuration we >>> have not been able to produce a mismatch. We are winding up work on >>> our next releases, 4.3.6/4.1-ESV-R15, which are due out 7/31/17, so >>> our resources are somewhat limited. >>> >>> Could you supply us with pcaps of the traffic that causes the >>> mismatch? >> >> As you can see from the files, I restart the server, started tcpdump >> (dst port 547 or dst port 546), and then told the "vile" client (same >> one as before) to configure IPv6 automatically. It matched "roaming" >> right off. The subsequent client, ac:bc:32:d3:2a:f1, which is a valid >> "roaming" client didn't explicitly match "roaming," but it didn't get >> an address either. About 15 seconds later it matched "roaming" and got >> an address. >> >> I've put the full config, log, and pcap files up at >> http://web.stanford.edu/~riepel/dhcpv6/ >> >> Let me know when you've got them so I remove them. Thanks. >> >> -- >> Rob Riepel
  Thu, 29 Jun 2017 16:29:18 -0400 Thomas Markwalder <tmark@isc.org> - Correspondence added

Hello Rob: I have reproduced the issue and it is not related to the size of your configuration but then I didn't really think it would be. The problem is that the client classification of a packet is done BEFORE the global statements are executed for that packet. This means the classification is actually being done based on the binding variables set by previous packet. You can see this in the logs. A SOLICIT from a bad client matches because the previous packet was from a good client. The ensuing REQUEST from the bad client does not match because the variables are now based on the bad client's SOLICIT. The reason this is not an issue for your V4 configuration is because your match argument is "hardware" and that value is available directly from the packet when classification is done. The "match" clause can support expressions such as match pick_first_value(...) or match suffix(option dhcp6.client-id,6) and so forth. Those are calculated as part of the classification evaluation. You should be able to come up with expressions that will meet your needs but you would have to repeat them for each class declaration. Not as clean as what you wanted to do but the software currently won't support that. I'll continue to explore this and will keep you updated. Regards, Thomas Markwalder ISC Software Engineering
  Thu, 29 Jun 2017 18:03:53 -0400 Rob Riepel <riepel@stanford.edu> - Correspondence added
Date: Thu, 29 Jun 2017 15:03:42 -0700
To: dhcp-confidential@isc.org
Subject: Re: [ISC-Bugs #45451] [confidential] DHCPv6 client class matching bug in DHCP server 4.3.5
From: "Rob Riepel" <riepel@stanford.edu>

On Jun 29, 2017, at 1:29 PM, Thomas Markwalder via RT <dhcp-confidential@isc.org> wrote: > I have reproduced the issue and it is not related to the size of your configuration but then I didn't really think it would be. The problem is that the client classification of a packet is done BEFORE the global statements are executed for that packet. This means the classification is actually being done based on the binding variables set by previous packet. > > You can see this in the logs. A SOLICIT from a bad client matches because the previous packet was from a good client. The ensuing REQUEST from the bad client does not match because the variables are now based on the bad client's SOLICIT. Well, it all makes perfect sense now. Glad it's not a bug. > The reason this is not an issue for your V4 configuration is because your match argument is "hardware" and that value is available directly from the packet when classification is done. > > The "match" clause can support expressions such as match pick_first_value(...) or match suffix(option dhcp6.client-id,6) and so forth. Those are calculated as part of the classification evaluation. You should be able to come up with expressions that will meet your needs but you would have to repeat them for each class declaration. Not as clean as what you wanted to do but the software currently won't support that. I'll give that a go. > I'll continue to explore this and will keep you updated. Thanks. Also, consider the following: In 2009 David W. Haskins wrote, with respect to DHCPv6 and hardware addresses(*): > I'm inclined to make 'hardware ethernet ...;' just work, assuming > the client is sending either of those two types of DUID, ... Clearly that's happened. If ISC would extend that to "match hardware", all my dhcpd.conf futzing to tease the hardware address out of the clientid would be unnecessary. (And, I suspect, there would be much rejoicing.) Thank you very much for the quick turnaround and detailed explanation. -- Rob Riepel (*) https://lists.isc.org/pipermail/dhcp-users/2009-February/008463.html
Wed, 05 Jul 2017 06:34:14 -0400 Thomas Markwalder <tmark@isc.org> - Area bug changed to Other
Wed, 05 Jul 2017 06:34:14 -0400 Thomas Markwalder <tmark@isc.org> - Versions Planned 4.4.0 4.3.6b1 4.1-ESV-R15b1 added
Wed, 09 Aug 2017 06:37:03 -0400 Thomas Markwalder <tmark@isc.org> - Versions Planned 4.4.0 4.3.6b1 4.1-ESV-R15b1 changed to 4.4.0
Wed, 09 Aug 2017 06:37:03 -0400 Thomas Markwalder <tmark@isc.org> - Priority P3 Low added
Wed, 09 Aug 2017 06:37:03 -0400 Thomas Markwalder <tmark@isc.org> - Severity S3 Low added
Wed, 09 Aug 2017 06:37:03 -0400 Thomas Markwalder <tmark@isc.org> - TimeEstimated changed from (no value) to '60'
Wed, 09 Aug 2017 06:37:03 -0400 Thomas Markwalder <tmark@isc.org> - Queue changed from #8 to dhcp-public
Wed, 16 Aug 2017 19:24:59 -0400 Vicky Risk <vicky@isc.org> - Queue changed from dhcp-public to #8
Tue, 09 Jan 2018 14:25:23 -0500 Thomas Markwalder <tmark@isc.org> - Worked 30 minutes 30 minutes
Tue, 09 Jan 2018 14:25:23 -0500 Thomas Markwalder <tmark@isc.org> - Status changed from 'open' to 'review'
Tue, 09 Jan 2018 14:25:23 -0500 Thomas Markwalder <tmark@isc.org> - Queue changed from #8 to dhcp-public
Tue, 09 Jan 2018 14:25:23 -0500 Thomas Markwalder <tmark@isc.org> - Dependency by #24720: added
Thu, 11 Jan 2018 09:36:52 -0500 Francis Dupont <Francis_Dupont@isc.org> - Taken
  Thu, 11 Jan 2018 09:38:55 -0500 Francis Dupont <Francis_Dupont@isc.org> - Correspondence added

Patch OK.
Thu, 11 Jan 2018 09:38:55 -0500 Francis Dupont <Francis_Dupont@isc.org> - Given to Thomas Markwalder <tmark@isc.org>
Fri, 12 Jan 2018 10:06:58 -0500 Thomas Markwalder <tmark@isc.org> - Version Fixed 4.4.0 4.3.7(dev) 4.1-ESV-R16(dev) added
Fri, 12 Jan 2018 10:06:58 -0500 Thomas Markwalder <tmark@isc.org> - Versions Planned 4.4.0 changed to 4.4.0 4.3.7 4.1-ESV-R16
Fri, 12 Jan 2018 10:06:59 -0500 Thomas Markwalder <tmark@isc.org> - Status changed from 'review' to 'resolved'
Fri, 12 Jan 2018 10:07:00 -0500 Thomas Markwalder <tmark@isc.org> - Dependency by #46707: added
Fri, 12 Jan 2018 10:07:00 -0500 Thomas Markwalder <tmark@isc.org> - Dependency by #46708: added