multiple interfaces dhcp relay with domain separation


multiple interfaces dhcp relay with domain separation

IMMO WETZEL

Hi,

We have the requirement to start the daemon twice or more to host different relays on the same machine.

The source net on eth1 should be served from Server A and eth2 from Server B. But currently only one daemon is able to run, and it would always send the relayed DISCOVER to all servers.

Usually not a problem in a controlled environment, but it isn't one. And even with 32 of these different servers/networks it's going to be worse. Also, security is an issue then.

Why not run the daemon twice with defined iu/id/server settings? It's possible with Docker-based separation, but why?

Furthermore, I would suggest having an exclude list or a mode where only the interfaces defined per id and iu are shown in the "not daemon mode", also called debug mode.

Mit freundlichen Grüßen / With kind regards

Immo Wetzel

Phone: +49 3834 5352 823 | Mobile: +49 151 147 29 225 | Skype: immo_wetzel_adtran
PGP-Fingerprint: 7313 7E88 4E19 AACF 45E9 E74D EFF7 0480 F4CF 6426


_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Re: multiple interfaces dhcp relay with domain separation

Simon Hobson
IMMO WETZEL <[hidden email]> wrote:

> The source net on eth1 should be served from Server A and eth2 from Server B. But currently only one daemon is able to run, and it would always send the relayed DISCOVER to all servers.
> Usually not a problem in a controlled environment, but it isn't one. And even with 32 of these different servers/networks it's going to be worse. Also, security is an issue then.
>
> Why not run the daemon twice with defined iu/id/server settings?

I suspect the issue is down to assumptions made many years ago when networking was "simpler".

The relay agent MUST use raw sockets on the client side interface, and AIUI it also uses raw sockets on the server side, partly because "that's the way the networking was done", and partly because it allows the same interface to be easily used for both clients and server. Even without raw sockets, you would still only be able to use one instance, as the ports used are fixed. Back when the current software was designed, these choices were logical - as I say, networking was "simpler".

To run multiple instances in the manner you want, you would need to have the agent a) use the host's packet interface on the server side, and b) bind to a different address to resolve the fixed port problem.

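The fixed-port problem Simon describes in point b) can be reproduced with plain UDP sockets. The following is an added example written for this page, not code from the thread or from ISC dhcrelay: a first "relay instance" takes a port, a second instance on the same address fails with EADDRINUSE, and a second instance bound to a different address on the same port succeeds. The kernel-chosen unprivileged port stands in for the fixed DHCP port 67, and 127.0.0.2 is assumed to be a usable loopback address (true on Linux, where all of 127/8 is on lo; other platforms may report EADDRNOTAVAIL).

```python
import errno
import socket


def try_bind(addr, port):
    """Try to bind a UDP socket to (addr, port).

    Returns (sock, None) on success, or (None, errno_name) when the kernel
    refuses, which is what a second relay instance sees for a taken port.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((addr, port))
        return sock, None
    except OSError as exc:
        sock.close()
        return None, errno.errorcode.get(exc.errno, str(exc.errno))


def demonstrate_fixed_port():
    """Model two relay instances competing for one fixed UDP port.

    Port 0 makes the kernel pick a free, unprivileged port for the first
    instance; that port then stands in for the fixed DHCP port (67) so the
    run needs no root and does not touch real DHCP traffic.
    """
    first, err = try_bind("127.0.0.1", 0)
    if err is not None:
        raise RuntimeError(f"first instance could not bind: {err}")
    port = first.getsockname()[1]

    # Second instance on the same address and the same (now fixed) port:
    # the situation in the thread, where only one daemon can run.
    second, same_address = try_bind("127.0.0.1", port)

    # Second instance on a different address but the same port: the
    # resolution Simon describes. 127.0.0.2 is an assumed free loopback
    # address; Linux routes all of 127/8 to lo, other platforms may not.
    third, other_address = try_bind("127.0.0.2", port)

    for sock in (first, second, third):
        if sock is not None:
            sock.close()

    return {
        "port": port,
        "same_address": same_address or "OK",
        "other_address": other_address or "OK",
    }


if __name__ == "__main__":
    for key, value in demonstrate_fixed_port().items():
        print(f"{key}: {value}")
```

Running it on Linux reports `same_address: EADDRINUSE` and `other_address: OK`, which is exactly why one relay per machine is the limit today and why a per-instance bind address would lift it.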