Trying to grasp RFC 3011, using ISC DHCP and Cisco ASA

David W. Hankins David_Hankins at
Thu Dec 11 18:54:36 UTC 2008

On Thu, Dec 11, 2008 at 10:44:10AM -0800, Nick Ellson wrote:
> In a customer environment where a DHCP Offer message sent from a DHCP Server to the ASA may take a different path than the DHCP Discover message sent by the ASA may run into issues. RFC 3011 ensures that the DHCP Offer message will be sent back to the same ASA interface it came from.

If this is new work, then I'd lean towards RFC 3527, as that is a
relay agent info option, and it is far less "weird" for a relay agent
to insert that option than for it to insert 125.

Having a relay agent use 3011 in this way breaks DHCP authentication,
which although it isn't well deployed today, might be someday.  The
options space other than option 82 is signed client<-->server, so a
relay that adjusts the packet contents other than to append option 82
will break the signature.

Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil?
David W. Hankins	"If you don't do it right the first time,
Software Engineer		     you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins
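
The signature point made in the reply above, as an added example that is not part of the original post: a simplified model of the RFC 3118 HMAC-MD5 computation, which zeroes `hops` and `giaddr` and skips option 82, so a relay that appends option 82 (here with the RFC 3527 link selection sub-option) leaves the MAC valid while a relay that inserts the RFC 3011 option (code 118) does not. The key, addresses and packet contents are constructed sample values, and the MAC is held outside the packet rather than inside the authentication option, which is a simplification.

```python
import hashlib, hmac, struct

def build_packet(hops, giaddr, options):
    # Fixed 236-byte BOOTP header, magic cookie, TLV options, end option.
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, hops,
                      0x1234ABCD, 0, 0, bytes(4), bytes(4), bytes(4), giaddr,
                      bytes.fromhex("020000000001"), b"", b"")
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + b"\x63\x82\x53\x63" + body + b"\xff"

def mac_input(packet):
    # Bytes covered by the MAC: relay-mutable header fields are zeroed and
    # option 82 is skipped; every other option is covered in order.
    buf = bytearray(packet[:240])
    buf[3] = 0                      # hops
    buf[24:28] = bytes(4)           # giaddr
    i = 240
    while i < len(packet):
        code = packet[i]
        if code in (0, 255):        # pad or end: single byte, no length
            buf.append(code)
            if code == 255:
                break
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        end = i + 2 + packet[i + 1]
        if code != 82:              # relay agent information is not signed
            buf += packet[i:end]
        i = end
    return bytes(buf)

def compute_mac(key, packet):
    return hmac.new(key, mac_input(packet), hashlib.md5).digest()

def demo():
    key = b"constructed-shared-key"                  # sample value
    opts = [(53, b"\x01"), (55, b"\x01\x03\x06")]    # client's own options
    relay, subnet = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 0])
    mac = compute_mac(key, build_packet(0, bytes(4), opts))  # as sent by client
    # Relay A appends option 82 carrying link selection (sub-option 5).
    via_3527 = build_packet(1, relay, opts + [(82, b"\x05\x04" + subnet)])
    # Relay B inserts the subnet selection option (118) among signed options.
    via_3011 = build_packet(1, relay, opts + [(118, subnet)])
    return (hmac.compare_digest(mac, compute_mac(key, via_3527)),
            hmac.compare_digest(mac, compute_mac(key, via_3011)))
```

`demo()` returns a pair: whether the client's MAC still verifies after each relay's modification.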