Relay agents, NAT, and offers to giaddr

Michael Richardson mcr at
Fri Sep 15 01:59:34 UTC 2006


>>>>> "Chris" == Chris De Young <chd at> writes:
    Chris> My question is: is the server *required* to send the offer
    Chris> back to the address in giaddr (in which case this
    Chris> architecture is fundamentally flawed?), or can it be
    Chris> configured to send the offer to the source IP address in the
    Chris> forwarded discover packet that it received instead (which has
    Chris> been natted to public space by then and so is reachable)?

  It seems that the specification does not permit the server this
option.  In these days of NAT, this seems unfortunate.
  Section 4.1 of rfc2131 says:

   If the 'giaddr' field in a DHCP message from a client is non-zero,
   the server sends any return messages to the 'DHCP server' port on the
   BOOTP relay agent whose address appears in 'giaddr'. If the 'giaddr'

  Note absence of SHOULD/MUST language, although it is there for the DHCPNAK.
(section 3.2, page 18, second paragraph).

  I would note that devices such as the linksys wrt54gl can be reflashed
with "openwrt", and not only will that let you run a dhcp relay on the
border router, but you could also secure the relay/dhcp server
communication with IPsec, which is highly recommended.

-- 
]            Bear: "Me, I'm just a the shape of a bear."        |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

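The following is an added illustration, not code from this thread or from any DHCP server. It implements the full reply-destination rule of RFC 2131 section 4.1 (the giaddr clause quoted above plus the ciaddr/broadcast-bit cases that follow it in the RFC) over a constructed DHCPDISCOVER header, and shows why a relay whose giaddr is an RFC 1918 address behind NAT never sees the offer: the RFC picks the destination from giaddr alone, never from the datagram's source address. Function and constant names are this example's own.

```python
import struct
import ipaddress

# Fixed-size BOOTP/DHCP header fields (RFC 2131 figure 1) up to and including chaddr:
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16)
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s")
BROADCAST_FLAG = 0x8000   # the B bit in 'flags'
SERVER_PORT = 67          # 'DHCP server' port, where replies to a relay agent go
CLIENT_PORT = 68
ZERO = ipaddress.IPv4Address("0.0.0.0")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_discover(xid, chaddr, giaddr="0.0.0.0", hops=0, broadcast=False):
    """Constructed DHCPDISCOVER header (no options), as a relay agent would forward it."""
    flags = BROADCAST_FLAG if broadcast else 0
    return HDR.pack(1, 1, 6, hops, xid, 0, flags, ZERO.packed, ZERO.packed, ZERO.packed,
                    ipaddress.IPv4Address(giaddr).packed, chaddr.ljust(16, b"\0"))


def reply_destination(packet, yiaddr="0.0.0.0"):
    """Where RFC 2131 section 4.1 directs a server to send DHCPOFFER/DHCPACK: (ip, port).
    The UDP source address of the request is deliberately not an input; the RFC
    decides on giaddr, ciaddr and the broadcast bit only."""
    (_op, _htype, _hlen, _hops, _xid, _secs, flags,
     ciaddr, _yi, _siaddr, giaddr, _chaddr) = HDR.unpack(packet[:HDR.size])
    giaddr, ciaddr = ipaddress.IPv4Address(giaddr), ipaddress.IPv4Address(ciaddr)
    if giaddr != ZERO:
        return str(giaddr), SERVER_PORT        # relayed: reply to the relay agent on port 67
    if ciaddr != ZERO:
        return str(ciaddr), CLIENT_PORT        # renewing client: unicast to ciaddr
    if flags & BROADCAST_FLAG:
        return "255.255.255.255", CLIENT_PORT  # client cannot receive unicast yet
    return yiaddr, CLIENT_PORT                 # unicast to the offered address / chaddr


def is_rfc1918(ip):
    return any(ipaddress.IPv4Address(ip) in net for net in RFC1918)


def nat_breaks_reply(packet, udp_source_ip):
    """True when the RFC-mandated destination is a private relay address that differs
    from the (NATted, public) source the datagram actually arrived from."""
    ip, _port = reply_destination(packet)
    return is_rfc1918(ip) and ip != udp_source_ip


if __name__ == "__main__":
    # Constructed scenario: relay at 192.168.1.1 behind NAT, seen by the server as 203.0.113.5
    pkt = build_discover(0x3903F326, bytes.fromhex("001122334455"), giaddr="192.168.1.1", hops=1)
    print(reply_destination(pkt), "reachable?", not nat_breaks_reply(pkt, "203.0.113.5"))
```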

