dhcpd responding to unicast?

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

dhcpd responding to unicast?

Martin Garbe
Hello everybody,

we are operating a mesh network and want to enable DHCPv6 in it. We have
not hierarchical network structure. DHCPv6 should not be flooded in the
network. I see two ways for doing so:

1) Implement DHCPv6 Relay Agents on all nodes. Here a node sends the
DHCPv6 solicit to a neighbor node and this node relays the traffic to
DHCP server via unicast. But here we need a relay service on all nodes.

2) Sending the DHCPv6 solicit message via unicast to DHCP server. Do not
use multicast.

My favorit is way 2). After some tests it looks like ISC dhcpd 4.2.2 is
not supporting this operation mode. I get the log messages in dhcpd:
----------
Solicit message from fe80::5054:ff:fe27:b6ae port 546, transaction ID
0x89332000
Discarding Solicit from fe80::5054:ff:fe27:b6ae; packet sent unicast
(CLIENTID 00:01:00:01:1d:d3:87:19:52:54:00:27:b6:ae)
-----------

Or am I missing something here?
I am asking because in RFC3315 there is stated in section 1.1.
-----
Once the client has determined the address of a server, it may under
   some circumstances send messages directly to the server using
   unicast.
------
Our scenario here is one of these "some circumstances".

Does anybody has information whether unicast-only mode is supported by
ISC dhcpd?

Thanks,
Martin
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
Reply | Threaded
Open this post in threaded view
|

Re: dhcpd responding to unicast?

Simon Hobson
Martin Garbe <[hidden email]> wrote:

> Once the client has determined the address of a server

How does an unconfigured client know this ?


> , it may under
>   some circumstances send messages directly to the server using
>   unicast.
> ------
> Our scenario here is one of these "some circumstances".

Actually, I don't think your situation is one of those circumstances envisaged.

In the IPv4 world, once a client is configured (which requires broadcast packets), then it may unicast packets (eg to renew a lease) to the server - it knows the server address because it's part of the information supplied to it. I'm not familiar enough with IPv6 to say if this is (effectively) the same.



_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
Reply | Threaded
Open this post in threaded view
|

Re: dhcpd responding to unicast?

Martin Garbe
On 11/10/2015 11:07 AM, Simon Hobson wrote:
> Martin Garbe <[hidden email]> wrote:
>
>> Once the client has determined the address of a server
>
> How does an unconfigured client know this ?

With IPv6 devices can have many IP addresses. When clients have
predefined private IPs (ULA) they can communicate with each other. But
these IPs are not routable in the Internet. We want to use DHCPv6 to
assign dynamic public IPs.

>
>
>> , it may under
>>   some circumstances send messages directly to the server using
>>   unicast.
>> ------
>> Our scenario here is one of these "some circumstances".
>
> Actually, I don't think your situation is one of those circumstances envisaged.
>
> In the IPv4 world, once a client is configured (which requires broadcast packets), then it may unicast packets (eg to renew a lease) to the server - it knows the server address because it's part of the information supplied to it. I'm not familiar enough with IPv6 to say if this is (effectively) the same.

For IPv6 it is similar. Only broadcast is substituted by multicast.
It seems that the cited words from RFC can be interpreted in very
different ways. The usual syntax-semantic problem :)

I am/was assuming that implementing unicast-only support should be easy.
For what reason does the dhcpd not accept unicast traffic for initial
requests? In which situations is this a problem?

Kind regards,
Martin
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
Reply | Threaded
Open this post in threaded view
|

Re: dhcpd responding to unicast?

Simon Hobson
Martin Garbe <[hidden email]> wrote:

>>> Once the client has determined the address of a server
>>
>> How does an unconfigured client know this ?
>
> With IPv6 devices can have many IP addresses. When clients have
> predefined private IPs (ULA) they can communicate with each other. But
> these IPs are not routable in the Internet. We want to use DHCPv6 to
> assign dynamic public IPs.

You missed the question. How does the unconfigured client know the address of the server ?

> I am/was assuming that implementing unicast-only support should be easy.
> For what reason does the dhcpd not accept unicast traffic for initial
> requests? In which situations is this a problem?

I don't know that it doesn't, and I'd guess that it might actually accept unicast traffic. But still, you have the problem that to send unicast to the server you need to know it's address - and if you know its address then you are half way to not needing DHCP anyway.


For sniffing traffic, my preferred tool is wireshark (or it's command line twin, tshark)

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
Reply | Threaded
Open this post in threaded view
|

Re: dhcpd responding to unicast?

sthaug
> > With IPv6 devices can have many IP addresses. When clients have
> > predefined private IPs (ULA) they can communicate with each other. But
> > these IPs are not routable in the Internet. We want to use DHCPv6 to
> > assign dynamic public IPs.
>
> You missed the question. How does the unconfigured client know the address of the server ?

The DHCPv6 specification (RFC 3315) is very clear that a regular
4-message exchange (when the client doesn't know the server) starts with
the client sending to a specific multicast address - see

https://tools.ietf.org/html/rfc3315#section-1.3

"To request the assignment of one or more IPv6 addresses, a client first
locates a DHCP server and then requests the assignment of addresses and
other configuration information from the server.  The client sends a
Solicit message to the All_DHCP_Relay_Agents_and_Servers address to find
available DHCP servers."

As far as I can see this is the *only* way to obtain an address using
DHCPv6 (the 2-message exchange, RFC 3315 section 1.2, is meant for
situations "When a DHCP client does not need to have a DHCP server
assign it IP addresses...").

> > I am/was assuming that implementing unicast-only support should be easy.
> > For what reason does the dhcpd not accept unicast traffic for initial
> > requests? In which situations is this a problem?

RFC 3315 explicitly prohibits it:

https://tools.ietf.org/html/rfc3315#section-15

"A server MUST discard any Solicit, Confirm, Rebind or
Information-request messages it receives with a unicast destination
address."

A client can only send unicast messages to the server if it has
received a Server Unicast option from the server:

https://tools.ietf.org/html/rfc3315#section-16

"When a client sends a DHCP message directly to a server using unicast
(after receiving the Server Unicast option from that server), the source
address in the header of the IP datagram ..."

and https://tools.ietf.org/html/rfc3315#section-18.1

"If the client has a source address of sufficient scope that can be used
by the server as a return address, and the client has received a Server
Unicast option (section 22.12) from the server, the client SHOULD
unicast any Request, Renew, Release and Decline messages to the server."

Furthermore, in sections 18.2.1 - 18.2.7 there is very explicit language
of the form "When the server receives a XXX message via unicast from a
client to which the server has not sent a unicast option, the server
discards the XXX message and responds with a Reply message containing a
Status Code option with the value UseMulticast ..."

So - my reading of RFC 3315 is that DHCPv6 is only meant to use unicast
in very limited circumstances.

The RELNOTES documentation for ISC DHCP 4.3.3 says

"The server will now reject unicast Request, Renew, Decline, and Release
messages from a client unless the server would have sent that client the
dhcp6.unicast option.  This behavior is in compliance with paragraph 1
in each of the sections 18.2,1, 18.2.3, 18.2.6, and 18.2.7 of RFC
3315. Prior to this, the server would simply accept the messages.  Now,
in order for the server to accept such a message, the server
configuration must include the dhcp6.unicast option either globally or
within the shared network to which the requested lease belongs."

So that's how you can get ISC DHCP to support DHCPv6 unicast messages.

Steinar Haug, Nethelp consulting, [hidden email]
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
Reply | Threaded
Open this post in threaded view
|

Re: dhcpd responding to unicast?

Martin Garbe
Hello Steinar,

thanks for this very detailed explanation. That makes the situation
perfectly clear.

Thanks you very much,
Martin

On 11/11/2015 09:36 AM, [hidden email] wrote:

>>> With IPv6 devices can have many IP addresses. When clients have
>>> predefined private IPs (ULA) they can communicate with each other. But
>>> these IPs are not routable in the Internet. We want to use DHCPv6 to
>>> assign dynamic public IPs.
>>
>> You missed the question. How does the unconfigured client know the address of the server ?
>
> The DHCPv6 specification (RFC 3315) is very clear that a regular
> 4-message exchange (when the client doesn't know the server) starts with
> the client sending to a specific multicast address - see
>
> https://tools.ietf.org/html/rfc3315#section-1.3
>
> "To request the assignment of one or more IPv6 addresses, a client first
> locates a DHCP server and then requests the assignment of addresses and
> other configuration information from the server.  The client sends a
> Solicit message to the All_DHCP_Relay_Agents_and_Servers address to find
> available DHCP servers."
>
> As far as I can see this is the *only* way to obtain an address using
> DHCPv6 (the 2-message exchange, RFC 3315 section 1.2, is meant for
> situations "When a DHCP client does not need to have a DHCP server
> assign it IP addresses...").
>
>>> I am/was assuming that implementing unicast-only support should be easy.
>>> For what reason does the dhcpd not accept unicast traffic for initial
>>> requests? In which situations is this a problem?
>
> RFC 3315 explicitly prohibits it:
>
> https://tools.ietf.org/html/rfc3315#section-15
>
> "A server MUST discard any Solicit, Confirm, Rebind or
> Information-request messages it receives with a unicast destination
> address."
>
> A client can only send unicast messages to the server if it has
> received a Server Unicast option from the server:
>
> https://tools.ietf.org/html/rfc3315#section-16
>
> "When a client sends a DHCP message directly to a server using unicast
> (after receiving the Server Unicast option from that server), the source
> address in the header of the IP datagram ..."
>
> and https://tools.ietf.org/html/rfc3315#section-18.1
>
> "If the client has a source address of sufficient scope that can be used
> by the server as a return address, and the client has received a Server
> Unicast option (section 22.12) from the server, the client SHOULD
> unicast any Request, Renew, Release and Decline messages to the server."
>
> Furthermore, in sections 18.2.1 - 18.2.7 there is very explicit language
> of the form "When the server receives a XXX message via unicast from a
> client to which the server has not sent a unicast option, the server
> discards the XXX message and responds with a Reply message containing a
> Status Code option with the value UseMulticast ..."
>
> So - my reading of RFC 3315 is that DHCPv6 is only meant to use unicast
> in very limited circumstances.
>
> The RELNOTES documentation for ISC DHCP 4.3.3 says
>
> "The server will now reject unicast Request, Renew, Decline, and Release
> messages from a client unless the server would have sent that client the
> dhcp6.unicast option.  This behavior is in compliance with paragraph 1
> in each of the sections 18.2,1, 18.2.3, 18.2.6, and 18.2.7 of RFC
> 3315. Prior to this, the server would simply accept the messages.  Now,
> in order for the server to accept such a message, the server
> configuration must include the dhcp6.unicast option either globally or
> within the shared network to which the requested lease belongs."
>
> So that's how you can get ISC DHCP to support DHCPv6 unicast messages.
>
> Steinar Haug, Nethelp consulting, [hidden email]
> _______________________________________________
> dhcp-users mailing list
> [hidden email]
> https://lists.isc.org/mailman/listinfo/dhcp-users
>

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users