Project

General

Profile

Actions

Bug #10666

closed

DHCP Server sends NAK messages for declined offers

Added by Alfredo Pironti over 4 years ago. Updated over 4 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
DHCP (IPv4)
Target version:
-
Start date:
06/15/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:
All

Description

Test Scenario:

pfSense is configured to host two DHCP servers on the same network segment. Namely, configure two interfaces on the same LAN segment (they can have disjoint addresses in different subnets, just need to be on the same broadcast domain, e.g. same switch, or same VLAN), then on each interface set up a DHCP server, we'll call them DHCP_1 and DHCP_2. Configure DHCP_1 with at least one entry in the MAC Allow field, so that your test client won't receive an offer from DHCP_1.

Let your DHCP client start the DISCOVERY process. DHCP_1 will see the discovery, and not send an offer; DHCP_2 will see the discovery, and will send an offer.

The test client will answer accepting DHCP_2 offer, namely sending a broadcast REQUEST packet, with DHCP_2 server identifier as selected server. According to RFC 2131, Sec 3.1.4, this is implicit decline for any other DHCP server (in fact, DHCP_1 didn't even make an offer).

At this point, the reported bug kicks in: DHCP_1 will parse the client REQUEST packet as if it was addressed to DHCP_1, and will answer with a NAK message, which should have never been sent.

Note that many clients still operate correctly: they will ignore DHCP_1's NAK message (it comes from a server they didn't select), and when DHCP_2's ACK message will arrive, they'll get the IP address configured. However, some clients follows RFC 2131, Sec 3.1.5 strictly: "If the client receives a DHCPNAK message, the client restarts the configuration process." Some clients don't check the source of the NAK message, and hence enter into a DHCP loop.

Proposed fix: in pfSense DHCP server, when a REQUEST message is parsed, it is considered a decline if it is for a different DHCP server identifier, hence no action is taken and no NAK message is sent.

Actions

Also available in: Atom PDF