Relay agents, NAT, and offers to giaddr
mcr at sandelman.ottawa.on.ca
Fri Sep 15 01:59:34 UTC 2006
>>>>> "Chris" == Chris De Young <chd at chud.net> writes:
Chris> My question is: is the server *required* to send the offer
Chris> back to the address in giaddr (in which case this
Chris> architecture is fundamentally flawed?), or can it be
Chris> configured to send the offer to the source IP address in the
Chris> forwarded discover packet that it received instead (which has
Chris> been natted to public space by then and so is reachable)?
It seems that the specification does not permit the server this
option. In these days of NAT, this seems unfortunate.
Section 4.1 of rfc2131 says:
If the 'giaddr' field in a DHCP message from a client is non-zero,
the server sends any return messages to the 'DHCP server' port on the
BOOTP relay agent whose address appears in 'giaddr'. If the 'giaddr'
Note absence of SHOULD/MUST language, although it is there for the DHCPNAK.
(section 3.2, page 18, second paragraph).
I would note that devices such as the linksys wrt54gl can be reflashed
with "openwrt", and not only will that let you run a dhcp relay on the
border router, but you could also secure the relay/dhcp server
communication with IPsec, which is highly recommended.
] Bear: "Me, I'm just a the shape of a bear." | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
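As an added example (not part of this thread or of any DHCP implementation), the following Python parses the fixed DHCP header, applies the reply rule from section 4.1 quoted above, and flags the situation Chris describes: giaddr holds an RFC 1918 relay address while the relayed packet arrived from a different, non-private source, so a reply sent to giaddr will not cross the NAT. The packet bytes, MAC and addresses are constructed for the demonstration.

```python
import ipaddress
import struct

DHCP_SERVER_PORT = 67   # relay agents and servers listen here
DHCP_CLIENT_PORT = 68
BROADCAST_FLAG = 0x8000  # 'flags' bit set by a client that cannot yet receive unicast
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_dhcp_header(data):
    """Parse the fixed 236-byte BOOTP/DHCP header (RFC 2131 section 2)."""
    if len(data) < 236:
        raise ValueError("truncated DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", data[:12])
    ciaddr, yiaddr, siaddr, giaddr = (
        str(ipaddress.IPv4Address(data[o:o + 4])) for o in (12, 16, 20, 24))
    return {"op": op, "hops": hops, "xid": xid, "flags": flags,
            "ciaddr": ciaddr, "yiaddr": yiaddr, "siaddr": siaddr,
            "giaddr": giaddr, "chaddr": data[28:28 + hlen].hex(":")}

def reply_destination(hdr):
    """(ip, port) that RFC 2131 section 4.1 tells the server to reply to."""
    if hdr["giaddr"] != "0.0.0.0":        # relayed: back to the relay agent on port 67
        return hdr["giaddr"], DHCP_SERVER_PORT
    if hdr["ciaddr"] != "0.0.0.0":        # client already holds an address
        return hdr["ciaddr"], DHCP_CLIENT_PORT
    if hdr["flags"] & BROADCAST_FLAG:
        return "255.255.255.255", DHCP_CLIENT_PORT
    return hdr["yiaddr"], DHCP_CLIENT_PORT

def relay_behind_nat(hdr, src_ip):
    """True when giaddr is RFC 1918 space but the relayed packet arrived from a
    different, non-RFC 1918 source: the reply sent to giaddr will not cross the NAT."""
    g, s = ipaddress.IPv4Address(hdr["giaddr"]), ipaddress.IPv4Address(src_ip)
    def private(a): return any(a in n for n in RFC1918)
    return int(g) != 0 and private(g) and not private(s) and s != g

def build_discover(giaddr, chaddr, xid=0x3903F326, flags=0):
    """Constructed relayed DHCPDISCOVER (hops=1) for the demo; not a real capture."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 1, xid, 0, flags)  # op=BOOTREQUEST, ethernet
    hdr += bytes(12) + ipaddress.IPv4Address(giaddr).packed     # ciaddr, yiaddr, siaddr = 0; giaddr
    hdr += chaddr.ljust(16, b"\x00") + bytes(64) + bytes(128)   # chaddr, sname, file
    return hdr + b"\x63\x82\x53\x63\x35\x01\x01\xff"            # magic cookie, option 53=DISCOVER, end

if __name__ == "__main__":
    # Constructed scenario: relay at 192.168.1.1 whose outbound packets are NATed to 203.0.113.5
    pkt = build_discover("192.168.1.1", bytes.fromhex("001122334455"))
    hdr = parse_dhcp_header(pkt)
    print("server replies to", reply_destination(hdr))               # ('192.168.1.1', 67)
    print("relay behind NAT:", relay_behind_nat(hdr, "203.0.113.5"))  # True
```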