DHCP server issues in cloud data center environment

sscdvp at gmail.com
Thu Mar 6 22:04:22 UTC 2014


You are raising a topic of large importance, taking into account that cloud
technologies are growing exponentially.

Overlapped IP ranges could be accomplished by IPv4 private ranges behind
the NAT (central overall IP pool).
DHCP server could allocate private IP addresses to network interfaces of
virtual machines.
Virtual machines could be gathered in logical groups by using VLANs. Each
group has its own VID passed in L2 DHCP packets to the DHCP server. ISC DHCP
software could read the L2 header if using DLPI. Each network interface
already has a unique ID - the MAC address - which could be presented as the DHCP CID on
the DHCP layer.
The scheme could be bound to the combination VID + DHCP CID. This gives some
flexibility of IP allocation but couldn't secure against a malicious user who
modifies its own IP address to a neighbor's IP, thus creating a flaw.
Or you could use VID + DHCP Option 82 (RFC 3046) if it is supported in the
virtual network stack of your hypervisor.
It has the advantage that the relay agent (e.g. virtual switch) is responsible
for insertion of a unique Option 82 per port; the end user has no control over
it, and so the scheme gains more security.
The Opensolaris OE family supports virtual switching (etherstub) with some kind
of snooping protection
(ip-spoofing, mac-spoofing, dhcp-spoofing etc.). It also has CID support but
lacks the Relay Agent Information Option, at least for now...
I heard that the Cisco NEXUS 1000V virtual switch supports both DHCP Option 82
and DHCP snooping, which prevents IP address spoofing.

I rather think you should dig in the DHCP Option 82 direction.

Regards,
Serghei Samsi


2014-03-05 9:12 GMT+02:00 Liang LR Rong <jet.rongl at cn.ibm.com>:

> Hi DHCP Hackers,
>
> I am currently working on a project which requires DHCP server to be
> multi-tenant aware in cloud data center environment.
>
> What I mean by "multi-tenant aware" here is that each tenant has a virtual
> network by utilizing some network virtualization technology. There will be
> thousands of tenants in a cloud data center, and thus thousands of virtual
> networks operated by each tenant separately.
>
> The requirement is that, to save TCO, we should provision one DHCP server
> (running a single DHCPd instance) to service many tenants. But the IP
> address spaces are likely to overlap for those tenants. So the point
> is: is there any solution or workaround to make the ISC DHCP server
> allocate IP addresses for each tenant separately, where these IP addresses
> overlap when looked at from the overall address pool?
>
> Best regards,
>
> Jet Rong(荣亮)
> Software Engineer, System Networking
> China Systems and Technology Lab (CSTL), IBM Wuxi
> 5 floor,A1# building, No.55 Xiuxi Road, Binhu District, Wuxi, China, 214125
> 5F, Building A1, No. 55 Xiuxi Road, Binhu District, Wuxi, 214125
> Email: rliangwx at cn.ibm.com
>
> _______________________________________________
> dhcp-hackers mailing list
> dhcp-hackers at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-hackers
>
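The VID + Option 82 scheme sketched in the reply above, as an added example that is not part of the original thread and not ISC DHCP code: a small Python model of a server that parses the DHCP option area, extracts the RFC 3046 Relay Agent Information option (sub-option 1, circuit-id), and selects a per-tenant pool keyed on (VLAN ID, circuit-id). Two tenants deliberately share the same 10.0.0.0/24 range to show that overlapping spaces coexist, and a request whose relay-inserted circuit-id is unknown, or that carries no Option 82 at all, is refused rather than placed in some default pool. The tenant table, switch port names, MAC-derived client IDs and option bytes are all constructed for the example; the VLAN ID is assumed to have been recovered from the L2 header by the caller, as the reply describes for DLPI.

```python
import ipaddress
from dataclasses import dataclass, field

# DHCP option codes (RFC 2132 / RFC 3046).
OPT_PAD = 0
OPT_CLIENT_ID = 61
OPT_RELAY_AGENT = 82
OPT_END = 255
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def parse_options(blob: bytes) -> dict:
    """Parse the TLV option area of a DHCP message (bytes after the magic cookie)."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def parse_relay_agent_info(value: bytes) -> dict:
    """Split Option 82 into its sub-options; same TLV layout, but no pad/end codes."""
    subs, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        sub = value[i + 2:i + 2 + length]
        if len(sub) != length:
            raise ValueError("truncated sub-option value")
        subs[code] = sub
        i += 2 + length
    return subs


def build_options(client_id: bytes, circuit_id: bytes, remote_id: bytes = b"") -> bytes:
    """Construct an option area the way a relaying virtual switch would see it (test input)."""
    relay = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id:
        relay += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    return (bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
            + bytes([OPT_RELAY_AGENT, len(relay)]) + relay
            + bytes([OPT_END]))


@dataclass
class TenantPool:
    """One tenant's address range; ranges of different tenants may overlap freely."""
    network: ipaddress.IPv4Network
    leases: dict = field(default_factory=dict)  # client-id bytes -> IPv4Address

    def allocate(self, client_key: bytes) -> ipaddress.IPv4Address:
        if client_key in self.leases:
            return self.leases[client_key]
        used = set(self.leases.values())
        for host in self.network.hosts():
            if host not in used:
                self.leases[client_key] = host
                return host
        raise RuntimeError("pool exhausted")


class MultiTenantAllocator:
    """Tenant is chosen by (VLAN ID, relay-inserted circuit-id), never by client-supplied data alone."""

    def __init__(self, tenants: dict):
        self.tenants = tenants  # (vid, circuit_id) -> TenantPool

    def handle(self, vid: int, options_blob: bytes):
        opts = parse_options(options_blob)
        relay = opts.get(OPT_RELAY_AGENT)
        if relay is None:
            return None  # no relay agent info: cannot attribute the request to a tenant
        circuit = parse_relay_agent_info(relay).get(SUBOPT_CIRCUIT_ID)
        pool = self.tenants.get((vid, circuit))
        if pool is None:
            return None  # unknown port/VLAN pair: refuse rather than guess
        client_key = opts.get(OPT_CLIENT_ID)
        if not client_key:
            return None
        return pool.allocate(client_key)


def demo() -> dict:
    """Constructed scenario: two tenants with the same private range on different VLANs/ports."""
    tenants = {
        (100, b"vs1-port3"): TenantPool(ipaddress.ip_network("10.0.0.0/24")),
        (200, b"vs1-port7"): TenantPool(ipaddress.ip_network("10.0.0.0/24")),
    }
    alloc = MultiTenantAllocator(tenants)
    cid1 = b"\x01" + bytes.fromhex("0a0b0c0d0e01")  # type 1 (Ethernet) + constructed MAC
    cid2 = b"\x01" + bytes.fromhex("0a0b0c0d0e02")
    r = {}
    r["tenant_a"] = alloc.handle(100, build_options(cid1, b"vs1-port3"))
    r["tenant_b"] = alloc.handle(200, build_options(cid2, b"vs1-port7"))
    r["tenant_a_repeat"] = alloc.handle(100, build_options(cid1, b"vs1-port3"))
    # A different client-id on port 3 still carries port 3's circuit-id, so it stays inside tenant A.
    r["tenant_a_other_cid"] = alloc.handle(100, build_options(cid2, b"vs1-port3"))
    r["unknown_port"] = alloc.handle(100, build_options(cid1, b"vs9-port1"))
    r["no_relay"] = alloc.handle(100, bytes([OPT_CLIENT_ID, len(cid1)]) + cid1 + bytes([OPT_END]))
    return r


if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name}: {addr}")
```

The point the model makes explicit is the one the reply relies on: the client controls its own CID and source address, but not the circuit-id, so the tenant decision rests only on values inserted by the virtual switch. A real deployment additionally needs the switch to drop Option 82 arriving from client ports (as DHCP snooping does), otherwise a VM could supply its own relay information.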