



Bug #14604


Bugs in dhclient implementation according to RFC 2131

Added by Nazar Mokrynskyi 11 months ago. Updated 11 months ago.



I had issues with one of the ISPs on pfSense and after talking to their tech support and observing what is happening I believe there are bugs in dhclient used by pfSense.
It is likely an upstream issue, but I don't use FreeBSD, so I report it here.
This is what triggers (which I believe is a buggy gateway groups implementation in pfSense and is a distinct issue, this one is just one way to trigger it, but maybe not the only one).

Dump of communication between pfSense and DHCP server of ISP is also attached.
The issue happened on 2.6.x and still happens on 2.7.0 that I'm currently running.

Below is basically an English translation of the response from the ISP support representative.

The first thing that is believed to be handling DHCPDISCOVER. According to RFC 2131:
The client begins in INIT state and forms a DHCPDISCOVER message.
The client SHOULD wait a random time between one and ten seconds to
desynchronize the use of DHCP at startup.

So client must wait for DHCPOFFER up to 10 seconds. During this time client can receive answers from multiple DHCP servers and pick settings it prefers.

The other issue is that according to RFC 2131 Unicast request Request Renew must be done between T1 and T2. Time approximately equal to the lease time
(with slight random offset) - T1 timer. pfSense's dhclient only uses T2 (0.85*lease time), this is not quite correct, request according to T2 timer is usually
done in case first request to extend lease failed (depends on implementation and DHCP client settings). According to RFC after T2 time client must switch to
REBINDING and make broadcast request, which is what happened. If client doesn't send request/doesn't receive response within lease time then settings must be
cleared and procedure of obtaining IP address start over.
Current lease time is 10 minutes (600 seconds).
Separately, sometimes dhclient doesn't send DHCPREQUEST within lease time, for instance records #34 and #37, between them there was more than 600 seconds and
procedure to get IP address started over, which is when Internet access was temporarily lost.


packetcapture-vtnet1-20230705002009.pcap (69.9 KB) Packet capture of dhclient communicating with DHCP server of ISP Nazar Mokrynskyi, 07/23/2023 02:08 PM
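
An added example, not part of the original report or of pfSense/dhclient code: one way to check a DHCP message timeline against the RFC 2131 lease timers when reviewing a capture like the one attached. The `Event` and `audit` names are hypothetical, the T1/T2 factors are the RFC 2131 section 4.4.5 defaults, and the sample timeline is constructed rather than taken from the attached pcap.

```python
from dataclasses import dataclass

T1_FACTOR = 0.5    # RFC 2131 section 4.4.5 default renewal time (T1)
T2_FACTOR = 0.875  # RFC 2131 section 4.4.5 default rebinding time (T2)

@dataclass
class Event:         # hypothetical record, one per DHCP message in a capture
    t: int           # seconds since capture start
    msg: str         # DISCOVER, OFFER, REQUEST or ACK
    broadcast: bool  # True if sent to 255.255.255.255

def lease_state(age, lease):
    """Map the age of the current lease to the client state RFC 2131 expects."""
    if age < lease * T1_FACTOR:
        return "BOUND"
    if age < lease * T2_FACTOR:
        return "RENEWING"
    if age < lease:
        return "REBINDING"
    return "EXPIRED"

def audit(events, lease):
    """Return (time, msg, state, addressing_ok) for every client message."""
    findings, last_ack = [], None
    for ev in events:
        if ev.msg == "ACK":
            last_ack = ev.t          # lease (re)starts at each DHCPACK
            continue
        if ev.msg == "OFFER":
            continue                 # server message, nothing to audit
        if last_ack is None:
            state = "INIT" if ev.msg == "DISCOVER" else "SELECTING"
        else:
            state = lease_state(ev.t - last_ack, lease)
        # Only a renewal REQUEST is unicast; every other client message is broadcast.
        want_broadcast = not (ev.msg == "REQUEST" and state in ("BOUND", "RENEWING"))
        findings.append((ev.t, ev.msg, state, ev.broadcast == want_broadcast))
        if ev.msg == "DISCOVER":
            last_ack = None          # client dropped the lease and started over
    return findings

# Constructed timeline (not from the attached capture), lease time 600 s.
SAMPLE = [
    Event(0, "DISCOVER", True), Event(1, "OFFER", True),
    Event(1, "REQUEST", True), Event(2, "ACK", True),
    Event(310, "REQUEST", False), Event(310, "ACK", False),
    Event(840, "REQUEST", True), Event(840, "ACK", True),
    Event(1450, "DISCOVER", True),   # 610 s after the last ACK: lease expired
]
```

A DISCOVER reported in state `EXPIRED` marks the point where the client let the lease lapse and restarted address acquisition.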
