[Dnsmasq-discuss] dnsmasq ignoring some clients
Simon Kelley
simon at thekelleys.org.uk
Thu Oct 2 20:31:36 BST 2008
Chris Marget wrote:
> On Thu, 2 Oct 2008, Simon Kelley wrote:
>
>>Chris Marget wrote:
>>
>>
>>> Option: (t=50,l=4) Requested IP Address = 255.255.255.255
>>> Option: (50) Requested IP Address
>>> Length: 4
>>> Value: FFFFFFFF
>>
>> ^^^^^^^^
>>The client is asking for IP address 255.255.255.255, that doesn't look
>>right at all. A server identifier of 1.2.3.4 looks suspicious too, is
>>that the IP address of you DHCP server?
>
>
> Hi Simon. Thank you for your attention.
>
> Here's the scoop. the client is a disk image of a pre-installed linux
> system. I got it here: http://jailtime.org/download:centos:v5.2
>
> It's a pre-built "drop into your xvm engine" kind of thing, and comes
> with the baggage of the environment of the guy who built it.
>
> So, yes, the client is very confused about his environment.
>
> I agree that asking for 255.255.255.255 is somewhat strange, but
> shouldn't dnsmasq NAK this request just like any other transplanted
> client?
>
> My other DHCP server (ISC - running on a different box) serves this
> client just fine. The authoritative statement is required, of course.
> Here's the transaction according to the ISC server's debug output:
>
> DHCPREQUEST for 255.255.255.255 (1.2.3.4) from 00:16:3e:11:11:11 via nge0: wrong network.
> DHCPNAK on 255.255.255.255 to 00:16:3e:11:11:11 via nge0
> DHCPDISCOVER from 00:16:3e:11:11:11 via nge0
> DHCPOFFER on 192.168.1.81 to 00:16:3e:11:11:11 via nge0
> DHCPREQUEST for 192.168.1.81 (192.168.1.8) from 00:16:3e:11:11:11 via nge0
> DHCPACK on 192.168.1.81 to 00:16:3e:11:11:11 via nge0
>
>
Hand-running the first request packet through the dnsmasq code reveals
that it's being ignored because the server-identifier (1.2.3.4) doesn't
match. RFC-2131 compliant behaviour is to silently ignore any DHCP
packets which don't have a correct server-id so in the simple case
that's correct.
Life is made more complicated because the --dhcp-authoritative flag is
set, which says, essentially "violate the RFC in a way which provides
more useful behaviour on a network with only one DHCP server." For
dnsmasq that means accept DHCPREQUEST for clients in INIT-REBOOT
RENEWING or REBINDING state, even if they don't have an existing lease.
It doesn't have any effect when a client is in SELECTING state, which
yours, bizarrely, seems to be. It looks like ISC have done things
differently, and NAK SELECTING clients with mismatched server-ids when
in authoritative mode.
Since all of this behaviour violates the RFC by design, there's no
standard to say who is right. Clearly the ISC behaviour is better in
this case, but it's fairly dangerous since it's NAKing a broadcast
packet. If there really was another server out there which could respond
to the broadcast, then not staying silent will mess things up.
It's not clear to me if a behaviour change for dnsmasq makes sense. Any
contributions from the list would be welcome. Maybe I'll take this to
the mailing list where the IETF DHCP gods hang out.
Cheers,
Simon.
More information about the Dnsmasq-discuss
mailing list