Multiple chrooted dhcp servers for vlans on Linux?


Multiple chrooted dhcp servers for vlans on Linux?

stevel_isc

The goal is to have multiple chrooted dhcpd processes, one for each of four vlans, such that a compromise of a more public one won’t affect a more private one.

Server version is isc-dhcpd-4.3.3-P1 and Linux is a recent install of Debian.

I’ve got them all running but looking at dhcpd processes in netstat I don’t think it’ll actually work in practice.

Even though each one is specified to a particular vlan interface they all appear to be listening to 0.0.0.0 and I see nothing visible differentiating them.

Are they really all listening on every vlan, and does that mean incoming requests over one vlan will be handled by whatever server happens to grab the request (3 out of 4 chance it’s the wrong one)?


_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

RE: Multiple chrooted dhcp servers for vlans on Linux?

Cuttler, Brian (HEALTH)

Don’t you want to use virtual network interfaces, bind each dhcp to one of those and use different helper addresses for each vlan/network range?

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of [hidden email]
Sent: Friday, February 26, 2016 1:52 PM
To: [hidden email]
Subject: Multiple chrooted dhcp servers for vlans on Linux?

 


Re: Multiple chrooted dhcp servers for vlans on Linux?

Anderson, Charles R
In reply to this post by stevel_isc
This won't work unless you use separate full virtual machines...

You could make it work on a single machine maybe, but you'd need to
recompile the dhcpd with USE_SOCKETS.  Then dhcpd will only work to
serve remote clients via a relay agent, not local clients directly
connected to the same VLAN as the server.  This is because local
clients must be served via a raw socket rather than a normal udp
socket.  The reason is that responses to local, on-link clients must
contain specific IP headers and MAC address headers that cannot be set
via a regular udp socket, such as the all-ones broadcast address.  I
may have the exact details wrong, but that is the gist of it.


Re: Multiple chrooted dhcp servers for vlans on Linux?

Muhammad Faisal
In the case of different subnets on a single interface, a relay agent is a mandatory requirement. You can then segregate subnets per agent IP in the dhcp scope.

Relay agent IP is option routers in dhcpd.

--
Thanks
F.




RE: Multiple chrooted dhcp servers for vlans on Linux?

stevel_isc
In reply to this post by Anderson, Charles R
Thank you both for the replies.

I was afraid of this, but pretty much expected that was the case.


Re: Multiple chrooted dhcp servers for vlans on Linux?

Alex Bligh
In reply to this post by Anderson, Charles R

On 26 Feb 2016, at 20:22, Chuck Anderson <[hidden email]> wrote:

> This won't work unless you use separate full virtual machines...

I believe you could also use multiple containers, bridges and veth
interfaces (assuming Linux). Bridge the veth interfaces with
each of the VLANs concerned.

--
Alex Bligh





Re: Multiple chrooted dhcp servers for vlans on Linux?

Simon Hobson
In reply to this post by Anderson, Charles R
Chuck Anderson <[hidden email]> wrote:

> You could make it work on a single machine maybe, but you'd need to
> recompile the dhcpd with USE_SOCKETS.  Then dhcpd will only work to
> serve remote clients via a relay agent, not local clients directly
> connected to the same VLAN as the server.  This is because local
> clients must be served via a raw socket rather than a normal udp
> socket.  The reason is that responses to local, on-link clients must
> contain specific IP headers and MAC address headers that cannot be set
> via a regular udp socket, such as the all-ones broadcast address.  I
> may have the exact details wrong, but that is the gist of it.

I think it's a bit more subtle than that.
In principle, you should be able to bind different services to different VLANs. I don't really know much about it, but from comments on here it seems that, the way dhcpd accesses the packets, any instance gets to see packets for all VLANs.

I do know that when sniffing packets, things don't work quite the way VLAN interfaces should in theory.
I've just checked: when using Wireshark (actually tshark), if I use a VLAN interface I see traffic for just that VLAN. But if I look at the parent interface, I also see traffic for the VLANs it hosts. I don't know if it's tshark stripping the VLAN tags or what, but I see the packets from the VLAN interfaces shown untagged.



On 26 Feb 2016, at 20:39, Muhammad Faisal <[hidden email]> wrote:

> In case of different subnets on single interface the relay agents is a mandatory requirement. You can then segregate subnets per agent IP in the dhcp scope.
>
> Relay agent IP is option routers in dhcpd

No it isn't; it's a different field in the packet, "Gateway Interface Address".
"option routers" is the list of routers to be given to the client; it is in no way linked to the relay agent.
The only reason they are usually the same is simply that a convenient place to put a relay agent is in the router serving the network. It does not have to be, and a relay agent can be put in any device with an interface on the physical network (technically, "broadcast domain").

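Chuck's point above about why replies to on-link clients need a raw socket, and Simon's point that giaddr and "option routers" are separate fields, as an added example that is not code from this thread or from ISC dhcpd. Everything in it is constructed for illustration: the function names, the 10.0.2.0/24 and 10.0.3.1 addresses and the MACs are mine. It builds a DHCPOFFER laid out as in RFC 2131, decides the delivery path from giaddr, ciaddr and the broadcast flag (RFC 2131 section 4.1), and wraps the on-link case in a hand-built Ethernet/IP/UDP frame of the kind only an AF_PACKET socket can send. send_raw is the one function that touches a real interface and needs root; the demo never calls it.

```python
"""Added example (not ISC dhcpd code): how a DHCP server's reply path depends on
giaddr/ciaddr/flags (RFC 2131 section 4.1), why the on-link case needs a
hand-built Ethernet/IP/UDP frame on a raw (AF_PACKET) socket, and that giaddr
is a fixed header field while 'option routers' is option 3 in the options area.
All names, addresses and MACs below are constructed for illustration."""
import socket
import struct

BOOTREPLY, DHCPOFFER = 2, 2
DHCP_MAGIC = b"\x63\x82\x53\x63"
BROADCAST_FLAG = 0x8000
ZERO4 = b"\x00" * 4


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; yields 0 over a header whose checksum is already filled in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_offer(xid, client_mac, yiaddr, server_ip, routers, giaddr="0.0.0.0", flags=0):
    """DHCPOFFER: 236-byte BOOTP header, then magic cookie and options.
    giaddr goes in the header; the routers list goes in option 3."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREPLY, 1, 6, 0, xid, 0, flags,
        ZERO4,                              # ciaddr: client has no address yet
        socket.inet_aton(yiaddr),           # yiaddr: address being offered
        socket.inet_aton(server_ip),        # siaddr
        socket.inet_aton(giaddr),           # giaddr: relay agent, copied from the request
        client_mac + b"\x00" * 10,          # chaddr, padded to 16 bytes
        b"\x00" * 64, b"\x00" * 128)        # sname, file
    options = DHCP_MAGIC
    options += bytes([53, 1, DHCPOFFER])
    options += bytes([54, 4]) + socket.inet_aton(server_ip)
    options += bytes([3, 4 * len(routers)]) + b"".join(socket.inet_aton(r) for r in routers)
    return header + options + b"\xff"


def parse_options(msg):
    """Return {code: value} from the options area (offset 240 onwards)."""
    opts, i = {}, 240
    while i < len(msg) and msg[i] != 0xFF:
        if msg[i] == 0:            # pad option
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def reply_destination(msg):
    """(transport, ip, port) the server must use, per RFC 2131 section 4.1."""
    fields = struct.unpack("!BBBBIHH4s4s4s4s16s", msg[:44])
    flags, ciaddr, yiaddr, giaddr = fields[6], fields[7], fields[8], fields[10]
    if giaddr != ZERO4:
        return ("udp", socket.inet_ntoa(giaddr), 67)      # relayed: ordinary datagram through the IP stack
    if ciaddr != ZERO4:
        return ("udp", socket.inet_ntoa(ciaddr), 68)      # renewing client is already reachable by IP
    if flags & BROADCAST_FLAG:
        return ("raw", "255.255.255.255", 68)             # client asked for a broadcast reply
    return ("raw", socket.inet_ntoa(yiaddr), 68)          # unicast to a host that cannot answer ARP for yiaddr yet


def raw_frame(src_mac, dst_mac, src_ip, dst_ip, payload):
    """Ethernet + IPv4 + UDP(67->68) around a DHCP message. The server chooses the
    destination MAC itself; a normal UDP socket cannot, because the kernel would
    ARP for yiaddr and nobody answers for it yet."""
    udp = struct.pack("!HHHH", 67, 68, 8 + len(payload), 0) + payload   # UDP checksum 0 = omitted (IPv4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + udp


def ip_header_valid(frame):
    return ip_checksum(frame[14:34]) == 0


def send_raw(frame, ifname):
    """Put the frame on one VLAN interface (needs root; not run by the demo).
    Binding to ifname is what ties a raw socket to a single VLAN."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0800))
    s.bind((ifname, 0))
    try:
        return s.send(frame)
    finally:
        s.close()


if __name__ == "__main__":
    mac = bytes.fromhex("0011223344aa")
    for giaddr, flags in (("0.0.0.0", 0), ("0.0.0.0", BROADCAST_FLAG), ("10.0.3.1", 0)):
        offer = build_offer(0x1234, mac, "10.0.2.50", "10.0.2.1", ["10.0.2.254"], giaddr, flags)
        print("giaddr=%s flags=%#x ->" % (giaddr, flags), reply_destination(offer),
              "routers option:", socket.inet_ntoa(parse_options(offer)[3]))
```

The third iteration of the demo is the relayed case: giaddr is 10.0.3.1 but option 3 still says 10.0.2.254, which is Simon's point in one packet. The first two are the cases Chuck describes, where the answer has to be a raw frame on a specific interface.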

RE: Multiple chrooted dhcp servers for vlans on Linux?

stevel_isc
In reply to this post by Alex Bligh
Ok, another idea.  What about each of the servers using a different port and
using iptables for redirecting?

For example:
  dhcp server for eth0.2 listening on 672
  dhcp server for eth0.3 listening on 673
  dhcp server for eth0.4 listening on 674
  dhcp server for eth0.5 listening on 675

Then, iptables rules for mapping requests:
  (to:67 via eth0.2) -> (to:672)
  (to:67 via eth0.3) -> (to:673)
  (to:67 via eth0.4) -> (to:674)
  (to:67 via eth0.5) -> (to:675)

And replies:
  (from:672) -> (via eth0.2 from:67)
  (from:673) -> (via eth0.3 from:67)
  (from:674) -> (via eth0.4 from:67)
  (from:675) -> (via eth0.5 from:67)

I'm not an expert on iptables but I *think* it can do this.  Is there
something about dhcpd's low level access that would prevent it?


Re: Multiple chrooted dhcp servers for vlans on Linux?

Anderson, Charles R
Won't work.  Raw sockets aren't subject to iptables rules.  But maybe
if there IS a filtering mechanism that works with raw sockets, it
could work.  I don't know if there is (ebtables?).

On Fri, Feb 26, 2016 at 01:55:11PM -0800, [hidden email] wrote:

> Ok, another idea.  What about each of the servers using a different port and
> using iptables for redirecting?

RE: Multiple chrooted dhcp servers for vlans on Linux?

stevel_isc
Bummer.  

I had high hopes since firehol has a helper for dhcp and does appear to be
setting an accept rule for "udp spt:bootpc dpt:bootps".  

I've never actually checked to see if dropping the rule would still let dhcp
function though.

At least I'm getting a good education on dhcp and iptables, thank you!


Re: Multiple chrooted dhcp servers for vlans on Linux?

Simon Hobson
[hidden email] wrote:

> I had high hopes since firehol has a helper for dhcp and does appear to be
> setting an accept rule for "udp spt:bootpc dpt:bootps".  
>
> I've never actually checked to see if dropping the rule would still let dhcp
> function though.

dhcpd uses two routes to/from the network.
For some packets it needs to bypass the network stack, because it must handle packets to/from unconfigured clients, which are done by local broadcast.
But it also deals with "ordinary" IP packets: renewals with already configured clients, relayed requests from other networks. These definitely go through the network stack outbound and, I think, inbound (but I'm not certain of that).

> At least I'm getting a good education on dhcp and iptables, thank you!

:-)


RE: Multiple chrooted dhcp servers for vlans on Linux?

stevel_isc
In reply to this post by Anderson, Charles R
The managed switches finally arrived today and, surprisingly, multiple
chrooted servers at least *appear* to be doing their own thing on their
own vlans.

Proper addresses are being handed out on each vlan, I see no weird packets
or delays indicated by wireshark, no unexpected responses on a no-dhcp
vlan, no obvious errors being logged.

While waiting for the switches I tried looking at the code (mostly lpf.c)
to understand it.  I have a long way to go.  There *are* recent vlan
related code changes.

There's going to be a lot more prodding and poking at this setup to see
if I'm missing anything bad, but it's working better than expected.

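A check for the original question (netstat shows every dhcpd on 0.0.0.0:67) and for Chuck's remark that raw sockets are not subject to iptables, as an added example that is not code from this thread or from ISC. What netstat lists is the fallback UDP socket; the socket each dhcpd serves on-link clients through is an AF_PACKET socket, and /proc/net/packet lists those with the ifindex each one is bound to (0 means not tied to any one interface, so it sees every VLAN's frames). Frames delivered to such a socket do not traverse iptables. The sample table, interface map and owner map are constructed; the *_from_proc helpers are the live version and the function names are mine. Reading other processes' fd links needs root, so run it as root on the dhcp host to see the real picture.

```python
"""Added example (not from the thread or from ISC): map AF_PACKET sockets to the
process and interface that own them. netstat/ss -u only show dhcpd's fallback
UDP socket on 0.0.0.0:67; the socket that actually serves on-link clients is a
raw packet socket, listed in /proc/net/packet with the ifindex it is bound to
(0 = not bound to one interface). Sample table, interface map and socket owners
below are constructed; the *_from_proc helpers read the live system (owner
lookup needs root to read other processes' fd links)."""
import glob
import os
import re

SAMPLE_PACKET_TABLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a8e40c2d000 3      3    0800   3     1 0      0      24101
ffff9a8e40c2d800 3      3    0800   4     1 0      0      24187
ffff9a8e40c2e000 3      3    0003   0     1 0      0      30002
"""
SAMPLE_IFINDEX = {"lo": 1, "eth0": 2, "eth0.2": 3, "eth0.3": 4}          # constructed
SAMPLE_OWNERS = {24101: (1201, "dhcpd"), 24187: (1202, "dhcpd"),        # constructed
                 30002: (1340, "tcpdump")}


def parse_packet_table(text):
    """Rows of /proc/net/packet: Type (socket type, 3 = SOCK_RAW), Proto (hex
    ethertype), Iface (ifindex the socket is bound to), Inode."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        f = line.split()
        if len(f) < 9:
            continue
        rows.append({"type": int(f[2]), "proto": int(f[3], 16),
                     "ifindex": int(f[4]), "inode": int(f[8])})
    return rows


def ifindex_map_from_sys():
    """name -> ifindex from /sys/class/net/<name>/ifindex (live system)."""
    result = {}
    for path in glob.glob("/sys/class/net/*/ifindex"):
        with open(path) as fh:
            result[path.split("/")[4]] = int(fh.read())
    return result


def socket_owners_from_proc():
    """socket inode -> (pid, comm) by scanning /proc/<pid>/fd/* symlinks (live system)."""
    owners = {}
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            target = os.readlink(fd)
        except OSError:
            continue
        m = re.match(r"socket:\[(\d+)\]$", target)
        if not m:
            continue
        pid = int(fd.split("/")[2])
        try:
            with open("/proc/%d/comm" % pid) as fh:
                comm = fh.read().strip()
        except OSError:
            comm = "?"
        owners[int(m.group(1))] = (pid, comm)
    return owners


def report(rows, ifindex_map, owners):
    """Join the three views: one record per packet socket with owner and interface name."""
    names = {idx: name for name, idx in ifindex_map.items()}
    out = []
    for r in rows:
        pid, comm = owners.get(r["inode"], (None, "?"))
        iface = "any" if r["ifindex"] == 0 else names.get(r["ifindex"], "ifindex %d" % r["ifindex"])
        out.append({"pid": pid, "comm": comm, "type": r["type"],
                    "proto": "0x%04x" % r["proto"], "iface": iface})
    return out


def unbound_sockets(rep, comm="dhcpd"):
    """Sockets of `comm` not tied to a single interface: these receive every VLAN's frames."""
    return [x for x in rep if x["comm"] == comm and x["iface"] == "any"]


if __name__ == "__main__":
    try:
        with open("/proc/net/packet") as fh:
            rows = parse_packet_table(fh.read())
        rep = report(rows, ifindex_map_from_sys(), socket_owners_from_proc())
    except OSError:
        rep = report(parse_packet_table(SAMPLE_PACKET_TABLE), SAMPLE_IFINDEX, SAMPLE_OWNERS)
    for x in rep:
        print("%-8s pid=%-6s type=%d proto=%s iface=%s"
              % (x["comm"], x["pid"], x["type"], x["proto"], x["iface"]))
    print("dhcpd sockets not bound to one interface:", unbound_sockets(rep))
```

In the constructed sample the two dhcpd sockets are bound to eth0.2 and eth0.3 respectively, which is the per-VLAN separation the original poster could not see in netstat, while the tcpdump socket with ifindex 0 is the kind of socket that would see all of them. An empty result from unbound_sockets for dhcpd is the condition to check for on the real host.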