[Dnsmasq-discuss] Tag requests for a DHCP address from devices using a Locally Administered MAC address

Sun Jul 26 21:23:51 BST 2020

On Sun, Jul 26, 2020 at 12:37:32PM -0700, dev at lutean.com wrote:
> From: Vladislav Grishenko Sent: July 26, 2020 8:04 AM
> > From: Pali Rohar Sent: Sunday, July 26, 2020 7:20 PM
> > On Sunday 26 July 2020 15:35:24 Geert Stappers wrote:
> > > On Sun, Jul 26, 2020 at 06:07:52AM -0700, dev at lutean.com wrote:
> > > > On Sunday 26 July 2020 Geert Stappers wrote:
> > > > > On Sun, Jul 26, 2020, dev at lutean.com wrote:
> > > > > > 
> > > > > > > In my testing these devices use a MAC address with the LAA bit 
> > > > > > > set (2nd least significant bit of the first byte of the MAC). It 
> > > > > > > restricts this to host addresses (least significant bit is set to 0).
> > > > > > 
> > > > > > Speaks about two bits
> > > > > > 
> > > > > > 
> > > > > > > This patch detects MAC addresses with this bit set and tags the 
> > > > > > > request with the tag "laa-address". This would allow other rules 
> > > > > > > to decide what to do with these requests (such as ignoring them).
> > > > > > 
> > > > > > Speaks about one bit
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > Speaking about bits, see https://en.wikipedia.org/wiki/MAC_address#/media/File:MAC-48_Address.svg
> > > > > > for the "exploded view"
> > > > > > 
> > > > > 
> > > > > https://en.wikipedia.org/wiki/MAC_address#Unicast_vs._multicast
> > > > > 
> > > > > The reason two bits are tested is because:
> > > > > - one bit is the UAA / LAA bit
> > > > > - one bit is the unicast / multicast bit
> > > > > 
> > > > > so this patch wouldn't tag LAA multicast MAC addresses should those 
> > > > > happen to be in use somewhere.
> > > > > 
> > > > > So specifically a device with an LAA unicast MAC address would get a 
> > > > > tag. This requires testing two bits.
> > > > > 
> > > > 
> > > > OK, thanks for elaborating
> > > 
> > > I think that big misunderstanding comes from commit message which says
> > > that one bit (LAA) is tested, but in patch itself are tested two bits.
> > > 
> > > I guess that fixing commit message to properly describe that testing
> > > both bits (and which) are needed should be enough.
> > > 
> > > Anyway, I'm not sure if 'laa-address' is correct name if it is not
> > > set for every laa-address, but only for unicast laa-address.
> > > 
> > 
> > LAA stands for locally-administrated address itself, so from my opinion "laa-address" is a bit tautologic.
> > Let's use just "laa", also it ~fits already used one word tags:
> > 	"bootp"
> > 	"cpewan-id"
> > 	"dhcpv6"
> > 	"known"
> > 	"known-othernet"
> > 	<interface>
> > 
> How about this. A device showing up with an LAA gets tagged
> twice. Always with an "laa" tag, but also with one of "laa-unicast"
> or "laa-multicast".
> 
> If someone wanted to block devices, it would be easy with
> 
> # Block all LAA-presenting devices
> dhcp-ignore=tag:laa
> 
> # Block unicast LAA-presenting devices
> dhcp-ignore=tag:laa-unicast
> 
> diff --git a/src/rfc2131.c b/src/rfc2131.c
> index fc54aab..b9da511 100644
> --- a/src/rfc2131.c
> +++ b/src/rfc2131.c
> @@ -93,7 +93,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
>    unsigned char *agent_id = NULL, *uuid = NULL;
>    unsigned char *emac = NULL;
>    int vendor_class_len = 0, emac_len = 0;
> -  struct dhcp_netid known_id, iface_id, cpewan_id;
> +  struct dhcp_netid known_id, iface_id, cpewan_id, laa_id, laa_cast_id;
>    struct dhcp_opt *o;
>    unsigned char pxe_uuid[17];
>    unsigned char *oui = NULL, *serial = NULL;
> @@ -114,6 +114,32 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
>    if (mess->htype == 0 && mess->hlen != 0)
>      return 0;
>  
> +  /* Check if sender has a Locally-Administered ethernet Address and set a tag if so. */
> +  if (mess->htype == ARPHRD_ETHER)
> +  {
> +    /* Locally Administered Addresses (LAA) have the 2nd LSb of the first address byte set */
> +    if ((mess->chaddr[0] & 2) == 2)
> +    {
> +      laa_id.net = "laa";
> +      laa_id.next = netid;
> +      netid = &laa_id;
> +
> +      /* Check if this is a unicast or multicast LAA. Also set a tag
> +         for the type of LAA. So a device with an LAA will have two tags
> +         "laa" and either "laa-multicast" or "laa-unicast" */
> +      if ((mess->chaddr[0] & 1) == 1)
> +      {
> +        laa_cast_id.net = "laa-multicast";
> +      }
> +      else
> +      {
> +        laa_cast_id.net = "laa-unicast";
> +      }
> +      laa_cast_id.next = netid;
> +      netid = &laa_cast_id;
> +    }
> +  }
> +
>    /* check for DHCP rather than BOOTP */
>    if ((opt = option_find(mess, sz, OPTION_MESSAGE_TYPE, 1)))
>      {

That revisited patch  solves the main problem I had with previous
version.

I think the next version should also update the manual page
and have the verbatim text for the commit message.

Groeten
Geert Stappers
-- 
Silence is hard to parse