Latest lease entry not the one offered to the client


ksladic
Hi.

I did not manage to find any related discussion, so I'd like to ask this:

Using ISC DHCP 4.3.5 server and client.
DHCP server has these two entries in its dhcpd.leases (first lease at line 106, second at line 205):

lease 1.1.1.17 {
  starts 4 2020/08/13 00:40:24;
  ends 0 2020/08/23 00:40:24;
  tstp 0 2020/08/23 00:40:24;
  cltt 4 2020/08/13 00:40:24;
  binding state active;
  next binding state free;
  rewind binding state free;
  hardware ethernet 00:0d:ca:00:0f:dd;
  set lease_mac = "0:d:ca:0:f:dd";
}
lease 1.1.1.28 {
  starts 4 2020/08/13 03:03:13;
  ends 0 2020/08/23 03:03:13;
  tstp 0 2020/08/23 03:03:13;
  cltt 4 2020/08/13 03:03:13;
  binding state active;
  next binding state free;
  rewind binding state free;
  hardware ethernet 00:0d:ca:00:0f:dd;
  set lease_mac = "0:d:ca:0:f:dd";
}

This made me think that 1.1.1.28 is the newest lease and should be the valid one for the client.
But if I do renew on the client it is being offered 1.1.1.17 (timestamps are in different zone, port is custom):

Aug 13 21:10:39 (none) daemon.info dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 17787
Aug 13 21:10:39 (none) daemon.info dhclient: DHCPACK from 1.1.1.1
Aug 13 21:10:41 (none) daemon.info dhclient: bound to 1.1.1.17 -- renewal in 392208 seconds.

Since some of my applications rely on knowing valid DHCP client IPs, this is a problem.

I'd like to ask if that is a known issue or there may be something related to my network or DHCP config?
Am I misinterpreting the dhcpd.leases file? I thought DHCP server appends most recent leases at the end?

Thank you very much; any help is much appreciated.

RegK


_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
Re: Latest lease entry not the one offered to the client

Simon Hobson
Klemen Sladic <[hidden email]> wrote:

> Using ISC DHCP 4.3.5 server and client.
> DHCP server has these two entries in its dhcpd.leases (first lease at line 106, second at line 205):
>
> lease 1.1.1.17 {
>   starts 4 2020/08/13 00:40:24;
>   ends 0 2020/08/23 00:40:24;
>   tstp 0 2020/08/23 00:40:24;
>   cltt 4 2020/08/13 00:40:24;
>   binding state active;
>   next binding state free;
>   rewind binding state free;
>   hardware ethernet 00:0d:ca:00:0f:dd;
>   set lease_mac = "0:d:ca:0:f:dd";
> }
> lease 1.1.1.28 {
>   starts 4 2020/08/13 03:03:13;
>   ends 0 2020/08/23 03:03:13;
>   tstp 0 2020/08/23 03:03:13;
>   cltt 4 2020/08/13 03:03:13;
>   binding state active;
>   next binding state free;
>   rewind binding state free;
>   hardware ethernet 00:0d:ca:00:0f:dd;
>   set lease_mac = "0:d:ca:0:f:dd";
> }

OK, the first observation is that neither has a client-ID - first thing anyone looks for is difference in Client-ID as that makes them different clients as far as the server is concerned.

> This made me think that 1.1.1.28 is the newest lease and should be the valid one for the client.

No, BOTH are valid for the client. Position in the file only matters where there are duplicate entries for an address - e.g. an address has been renewed and a new lease record written out.

> But if I do renew on the client it is being offered 1.1.1.17 (timestamps are in different zone, port is custom):
>
> Aug 13 21:10:39 (none) daemon.info dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 17787
> Aug 13 21:10:39 (none) daemon.info dhclient: DHCPACK from 1.1.1.1
> Aug 13 21:10:41 (none) daemon.info dhclient: bound to 1.1.1.17 -- renewal in 392208 seconds.

So, what address did the client request? The client can request any address, and normally if it's available then the server will lease it - it's one way a DoD attack can be done. If the client requested 1.1.1.17 then what you are seeing is normal operation.

> Since some of my applications rely on knowing valid DHCP client IPs, this is a problem.

In the general case, you need to allow for a client having more than one address leased.

> Am I misinterpreting the dhcpd.leases file? I thought DHCP server appends most recent leases at the end?

As above, you are misinterpreting the leases file.
When a lease file cleanup is done, the leases will be written out in an undocumented order - which appears to be by IP address. When **UPDATES** to leases are done, then the new version is appended to the file - so if you see two entries for the same lease then the later one in the file is the current one.

Simon

Re: Latest lease entry not the one offered to the client

ksladic
Hi Simon.

Thank you very much for the detailed explanation.
I actually thought that MAC address is unique enough to identify a client,
but it obviously isn't.

Since I use only one DHCP client on each interface (MAC), I think that
introducing DUID (dhclient -i) will solve my problem.
I should not get to a state of DHCP server thinking there are multiple
clients on a single MAC. And I think client will keep its generated DUID as
long as dhclient.leases is not deleted.

Regarding lease file cleanup:
1. Does it remove all expired leases?
2. Does it remove duplicate leases ... keeping only last valid one?
3. In general (before or after lease file cleanup) if I would like to find
the latest valid leased IP for a client, is it best to go through whole file
and pick valid lease with latest timestamp? Because as I understand I can
not rely on the order of leases in the file.

Even if you don't have time to answer my additional questions, I really
appreciate your first reply.
It helped me a lot.

Thanks,
Klemen



Re: Latest lease entry not the one offered to the client

Niall O'Reilly

I haven't seen follow-up to this yet, so here is my tuppence-worth.

On 18 Aug 2020, at 4:07, ksladic wrote:

> Regarding lease file cleanup:
> 1. Does it remove all expired leases?

No, because removing them would not be consistent with the
service definition:

"The allocation mechanism (the collection of DHCP servers) guarantees not
to reallocate that address within the requested time and attempts to
return the same network address each time the client requests an
address." (My emphasis)

This means that an expired lease should be retained for use in case the
client ever requests it again.

> 2. Does it remove duplicate leases ... keeping only last valid one?

Yes, but a lease is identified for this purpose by its IP address,
not by any property of the client, such as MAC address or UUID,
or so I recall.

It follows that an expired lease which, because of depletion of the
lease pool, is assigned to a different client, may lose its association
with an earlier client.

> 3. In general (before or after lease file cleanup) if I would like to find the latest valid leased IP for a client, is it best to go through whole file and pick valid lease with latest timestamp? Because as I understand I can not rely on the order of leases in the file.

It's easy but tedious to write a script to do this. I may have one which was
once in production in some backup somewhere, but you can probably code one
faster than I could find it again.

I hope this helps.

Niall O'Reilly
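
The whole-file scan discussed in this thread, as an added example that is not part of any poster's message: it collapses dhcpd.leases to one record per IP address (a later block for the same address wins), then returns every unexpired active lease for a MAC, newest first. The function names and sample data are constructed; the default UTC date format and lease blocks without nested braces are assumed.

```python
import re
from datetime import datetime, timezone

# Constructed sample, default UTC dates: an old 1.1.1.28 record, then the thread's two.
SAMPLE = """\
lease 1.1.1.28 {
  starts 1 2020/08/03 03:03:13;
  ends 4 2020/08/13 03:03:13;
  binding state active;
  hardware ethernet 00:0d:ca:00:0f:dd;
}
lease 1.1.1.17 {
  starts 4 2020/08/13 00:40:24;
  ends 0 2020/08/23 00:40:24;
  binding state active;
  next binding state free;
  hardware ethernet 00:0d:ca:00:0f:dd;
}
lease 1.1.1.28 {
  starts 4 2020/08/13 03:03:13;
  ends 0 2020/08/23 03:03:13;
  binding state active;
  hardware ethernet 00:0d:ca:00:0f:dd;
}
"""

LEASE_RE = re.compile(r"^lease\s+(\S+)\s*\{(.*?)^\}", re.S | re.M)

def _get(body, pattern):
    m = re.search(pattern, body, re.M)
    return m.group(1) if m else None

def _when(body, key):
    # "starts 4 2020/08/13 00:40:24;" -> aware UTC datetime; "ends never;" -> None
    raw = _get(body, rf"^\s*{key}\s+\d\s+(\S+\s+\S+);")
    return raw and datetime.strptime(raw, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)

def current_leases(text):
    # One record per IP: a later block for the same address replaces the earlier one.
    return {ip: {"ip": ip, "starts": _when(b, "starts"), "ends": _when(b, "ends"),
                 "state": _get(b, r"^\s*binding state (\w+);"),
                 "mac": _get(b, r"^\s*hardware ethernet ([0-9a-f:]+);")}
            for ip, b in LEASE_RE.findall(text)}

def active_for_mac(text, mac, now):
    # Every unexpired active lease for the MAC, newest "starts" first; may be several.
    hits = [r for r in current_leases(text).values()
            if r["mac"] == mac.lower() and r["state"] == "active" and r["starts"]
            and (r["ends"] is None or r["ends"] > now)]
    return sorted(hits, key=lambda r: r["starts"], reverse=True)
```

A client can hold several active leases at once, as with 1.1.1.17 and 1.1.1.28 here, so an allow-list built from this output should accept every returned address rather than only the first.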


Re: Latest lease entry not the one offered to the client

glenn.satchell
Just to add to Niall's useful reply, the lease file format is documented
in the dhcpd.leases(5) man page.

regards,
-glenn

On 2020-08-26 19:58, Niall O'Reilly wrote:

> I haven't seen follow-up to this yet, so here is my tuppence-worth.
>
> On 18 Aug 2020, at 4:07, ksladic wrote:
>
>> Regarding lease file cleanup:
>> 1. Does it remove all expired leases?
>
> No, because removing them would not be consistent with the
> service definition [1]:
>
> "The
> allocation mechanism (the collection of DHCP servers) guarantees not
> to reallocate that address within the requested time and attempts to
> return the same network address each time the client requests an
> address." (My emphasis)
>
> This means that an expired lease should be retained for use in case
> the client ever requests it again.
>
>> * Does it remove duplicate leases ... keeping only last valid one?
>
> Yes, but a lease is identified for this purpose by its IP address,
> not by any property of the client, such as MAC address or UUID,
> or so I recall.
>
> It follows that an expired lease which, because of depletion of the
> lease pool, is assigned to a different client, may lose its
> association with an earlier client.
>
>> * In general (before or after lease file cleanup) if I would like
>> to find the latest valid leased IP for a client, is it best to go
>> through whole file and pick valid lease with latest timestamp?
>> Because as I understand I can not rely on the order of leases in the
>> file.
>
> It's easy but tedious to write a script to do this. I may have one
> which was once in production in some backup somewhere, but you can
> probably code one faster than I could find it again.
>
> I hope this helps.
>
> Niall O'Reilly
>
> Links:
> ------
> [1] https://tools.ietf.org/html/rfc2131#section-2.2
Re: Latest lease entry not the one offered to the client

ksladic
In reply to this post by Niall O'Reilly
Thank you very much Niall.

Your explanation is very useful and answered my open questions.
I made a shell script that parses the file to do what I need.

Regards,
Klemen
