High ram-usage with multiple /16 ipv4 networks

Simon Hobson dhcp1 at thehobsons.co.uk
Mon Apr 27 14:59:35 UTC 2015


Ruben Wisniewski <ruben at freifunk-nrw.de> wrote:

> I think a pool which got "deny all clients" should be optimised for not
> using the whole memory for nothing... since the leases will never be
> used.

I guess that's a corner case not considered. TBH, it's the first time it's come up here that I can remember.
There are other things the parser doesn't catch/prevent - but that's down to the rapidly increasing complexity of a parser when you try and cater for more and more special cases (which one might reasonably expect a competent sysadmin to deal with).

What if the admin uses "deny unknown-clients" and there aren't any "known" clients, or all the known clients have fixed IP assignments ? Same situation.


> The man-page says this:
> 
>> If the server knows nothing about the address, it will remain silent,
>> unless the address is incorrect for the network segment to which the
>> client has been attached and the server is authoritative for that
>> network segment, in which case the server will send a DHCPNAK even
>> though it doesn't know about the address.
> 
> Network-segment seems to be the pool-definition here, not the subnet.

No, it is the subnet.

Consider this snippet :
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.200 ;
}

If a client requests (say) 192.168.2.57, then this is outside the subnet and hence "the address is incorrect for the network segment to which the client has been attached".

But if a client comes along and asks for 192.168.1.57 then the server will remain silent. The address is valid for the subnet, but the server "knows nothing about the address". It should **NOT** NACK it because it could be handled by another server on the network - it's not that uncommon to have different DHCP servers handling different DHCP clients.
One example is a customer network where their IP PBX runs a DHCP server which answers only their own IP phones. AFAIK the phones prefer an answer from the PBX (presumably because only those have the right information), and the PBX only responds to the phones - so the phones get to use one part of the subnet, while everything else uses another part running a different (Microsoft) DHCP server.

As you've surmised, if you need to NACK requests for addresses in the subnet but not in the allowed range then you need to tell the server to do that.
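
The decision described in the message above, as an added example that is not part of the original post and is not ISC dhcpd code. It is a simplified Python model; the function names, the "PROCESS" result and the PBX address range are assumptions made for illustration, and lease ownership checks are not modelled.

```python
import ipaddress

def request_reply(requested, subnet, ranges, authoritative=True):
    """Model how one server reacts to a client requesting an address.

    requested     -- address the client asks for
    subnet        -- subnet declared for the segment the client is attached to
    ranges        -- (first, last) pairs of addresses this server manages
    authoritative -- whether the server is authoritative for that segment
    Returns "NAK", "SILENT" or "PROCESS" (normal lease handling, not modelled).
    """
    addr = ipaddress.ip_address(requested)
    net = ipaddress.ip_network(subnet)

    # Address is wrong for the segment: only an authoritative server NAKs.
    if addr not in net:
        return "NAK" if authoritative else "SILENT"

    # Address is valid for the subnet and inside a range this server manages.
    for first, last in ranges:
        if ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last):
            return "PROCESS"

    # Valid for the subnet but unknown here: another server may own it.
    return "SILENT"

def replies_on_segment(requested, subnet, servers):
    """Collect the reaction of every server sharing one segment."""
    return {name: request_reply(requested, subnet, ranges)
            for name, ranges in servers.items()}

# Constructed scenario: two servers split 192.168.1.0/24, as in the PBX case.
SUBNET = "192.168.1.0/24"
SERVERS = {
    "general": [("192.168.1.100", "192.168.1.200")],  # range from the snippet
    "pbx": [("192.168.1.10", "192.168.1.90")],        # assumed phone range
}

if __name__ == "__main__":
    for ip in ("192.168.2.57", "192.168.1.57", "192.168.1.150"):
        print(ip, replies_on_segment(ip, SUBNET, SERVERS))
```

For 192.168.1.57 the "general" server stays silent while "pbx" handles the request, which is the reason a NAK from the first server would be wrong on a shared segment.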


