Configuring DHCP for APC UPS "cookies"

Timothe Litt litt at acm.org
Fri Mar 28 13:31:39 UTC 2014


I just configured DHCPD for an APC UPS network management card (9617), 
which requires a magic cookie in the offer.

Prior to doing this, I did a web search, and came up with a number of 
suggestions that were simply wrong, including one posted here.

This post is simply to document what DOES work for the benefit of future 
searchers. No help or reply is required.

APC UPS network management cards, by default, want an option 43 with a 
'magic cookie' in DHCP offers; otherwise the offer is ignored. Option 43 
is 'vendor-encapsulated options', which is a list of substrings with a 
code, length and value.  The meanings are specific to a given vendor.  
The APC magic cookie is code 1, length 4, value '1APC'.

To generate this only for APC requests, we use the 
vendor-class-identifier included in the DISCOVER to generate a class:

class "vendor-id" {
     match option vendor-class-identifier;
}

Next, we define the format of the vendor-encapsulated-options string 
expected by APC.
Code width and length are in bytes.

option space APC code width 1 length width 1;

The APC 'cookie' option is code 1, the data format is 'text':
option APC.cookie code 1 = text;

Subclass the vendor-id to match only APC devices & include the option 
for them

subclass "vendor-id" "APC" {
     vendor-option-space APC;
     option APC.cookie "1APC"; # This starts with the digit "1"
}


To get the requested vendor-class-id in the .leases file:
set vendor-string = option vendor-class-identifier;

All this can (but needn't) be done in global scope.

Note that the requirement for the cookie can be turned off in the 
management card GUI, but it is useful to prevent the UPS from being 
captured by a rogue server.  (Of course the cookie value is well-known, 
so this doesn't help with a malicious server.)

Also note that by default the card also tries BOOTP - actually, tries 
BOOTP first - it will boot faster if you tell it to use DHCP only.

Finally, you might not want to use DHCP at all - especially if the UPS 
powers your DHCP server(s)!

-- 
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
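
Added example, not part of the original post: a Python check that an option 43 payload taken from a captured DHCP offer really carries the cookie described above (code 1, length 4, value '1APC'). The function names and the sample hex strings are constructed for illustration; the pad (0) and end (255) handling follows RFC 2132 section 8.4.

```python
# Added example: encode/decode option 43 sub-options with a 1-byte code and
# 1-byte length, matching "option space APC code width 1 length width 1".
APC_COOKIE_CODE = 1
APC_COOKIE = b"1APC"  # starts with the digit "1"

def encode_suboptions(subopts):
    """Build an option 43 payload from (code, value) pairs."""
    out = bytearray()
    for code, value in subopts:
        if not 1 <= code <= 254:
            raise ValueError(f"sub-option code {code} out of range")
        if len(value) > 255:
            raise ValueError("sub-option value longer than 255 bytes")
        out += bytes([code, len(value)]) + value
    return bytes(out)

def decode_suboptions(payload):
    """Parse an option 43 payload into (code, value) pairs.
    Code 0 is padding and code 255 ends the list (RFC 2132, section 8.4)."""
    subopts, i = [], 0
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad byte, no length field
            i += 1
            continue
        if code == 255:        # end marker
            break
        if i + 1 >= len(payload):
            raise ValueError(f"sub-option {code} has no length byte")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} truncated")
        subopts.append((code, value))
        i += 2 + length
    return subopts

def has_apc_cookie(payload):
    """True only if the payload carries code 1, length 4, value '1APC'."""
    try:
        return (APC_COOKIE_CODE, APC_COOKIE) in decode_suboptions(payload)
    except ValueError:
        return False  # malformed payload: treat as no cookie

# Constructed sample payloads, as hex from a packet capture would look.
GOOD = bytes.fromhex("010431415043")   # code 1, len 4, "1APC"
WRONG = bytes.fromhex("0103415043")    # "APC" without the leading digit
```

Run has_apc_cookie() on the raw option 43 bytes of an offer to confirm what the server actually put on the wire.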

