Relay agents, NAT, and offers to giaddr

Michael Richardson mcr at sandelman.ottawa.on.ca
Fri Sep 15 01:59:34 UTC 2006



>>>>> "Chris" == Chris De Young <chd at chud.net> writes:
    Chris> My question is: is the server *required* to send the offer
    Chris> back to the address in giaddr (in which case this
    Chris> architecture is fundamentally flawed?), or can it be
    Chris> configured to send the offer to the source IP address in the
    Chris> forwarded discover packet that it received instead (which has
    Chris> been natted to public space by then and so is reachable)?

  It seems that the specification does not permit the server this
option.  In these days of NAT, this seems unfortunate.
  Section 4.1 of rfc2131 says:

   If the 'giaddr' field in a DHCP message from a client is non-zero,
   the server sends any return messages to the 'DHCP server' port on the
   BOOTP relay agent whose address appears in 'giaddr'. If the 'giaddr'

  Note absence of SHOULD/MUST language, although it is there for the DHCPNAK.
(section 3.2, page 18, second paragraph).

  I would note that devices such as the linksys wrt54gl can be reflashed
with "openwrt", and not only will that let you run a dhcp relay on the
border router, but you could also secure the relay/dhcp server
communication with IPsec, which is highly recommended.

-- 
]            Bear: "Me, I'm just a the shape of a bear."        |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

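As an added illustration of the RFC 2131 section 4.1 rule discussed in this thread (example code written for this page, not from the poster or the dhcp-users list), the following Python implements the server's reply-destination selection over a constructed relayed DHCPDISCOVER. The relay address 192.168.1.1 and the NAT'd source address 203.0.113.5 are made-up sample values; the point shown is that the server addresses giaddr, never the UDP source.

```python
import struct
from ipaddress import IPv4Address

DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68
BROADCAST_FLAG = 0x8000

def parse_bootp_header(pkt: bytes) -> dict:
    """Parse the fixed 236-byte BOOTP header that every DHCP message starts with."""
    if len(pkt) < 236:
        raise ValueError("truncated BOOTP header")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack_from("!BBBBIHH", pkt, 0)
    ciaddr, yiaddr, siaddr, giaddr = (IPv4Address(pkt[o:o + 4]) for o in (12, 16, 20, 24))
    return {"op": op, "hops": hops, "xid": xid, "flags": flags,
            "ciaddr": ciaddr, "yiaddr": yiaddr, "siaddr": siaddr, "giaddr": giaddr,
            "chaddr": pkt[28:28 + hlen]}

def reply_destination(pkt: bytes, udp_src_ip: str) -> tuple:
    """Destination (ip, port) for a server reply, per RFC 2131 section 4.1.

    udp_src_ip is the address the request arrived from (possibly a NAT'd public
    address); the RFC rule never consults it, which is the problem in this thread."""
    h = parse_bootp_header(pkt)
    if int(h["giaddr"]) != 0:
        # Relayed: reply goes to the relay agent named in giaddr, on port 67.
        return str(h["giaddr"]), DHCP_SERVER_PORT
    if int(h["ciaddr"]) != 0:
        return str(h["ciaddr"]), DHCP_CLIENT_PORT   # client already has an address
    if h["flags"] & BROADCAST_FLAG:
        return "255.255.255.255", DHCP_CLIENT_PORT  # client asked for broadcast
    # Otherwise unicast to yiaddr (the server must send to chaddr at the link layer).
    return str(h["yiaddr"]), DHCP_CLIENT_PORT

def build_discover(giaddr: str, hops: int = 0, flags: int = 0) -> bytes:
    """Construct a minimal DHCPDISCOVER (sample data built here, not a capture)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, hops, 0x3903F326, 0, flags)
    hdr += bytes(4) * 3 + IPv4Address(giaddr).packed    # ciaddr, yiaddr, siaddr zero
    hdr += bytes.fromhex("001122334455") + bytes(10)    # chaddr, padded to 16 bytes
    hdr += bytes(64) + bytes(128)                       # sname, file
    return hdr + b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"  # cookie, msg type=1, end

if __name__ == "__main__":
    relayed = build_discover("192.168.1.1", hops=1)
    print(reply_destination(relayed, "203.0.113.5"))  # ('192.168.1.1', 67), not the NAT address
```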
