Project

General

Profile

Actions

Bug #15825

open

KEA server ignores DHCPREQUEST containing an invalid FQDN

Added by Serge Caron about 1 month ago. Updated about 1 month ago.

Status:
New
Priority:
Normal
Category:
DHCP (IPv4)
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.7.2
Affected Architecture:

Description

The soon to be deprecated ISC DHCP server issues a warning regarding malformed FQDN names in the DHCP request:

Nov 5 17:31:54 dhcpd 5567 DHCPDISCOVER from 00:1c:e8:01:6b:44 via em0.66
Nov 5 17:31:55 dhcpd 5567 DHCPOFFER on 192.168.66.129 to 00:1c:e8:01:6b:44 via em0.66
Nov 5 17:31:55 dhcpd 5567 label length exceeds 63 in fqdn option
Nov 5 17:31:55 dhcpd 5567 DHCPREQUEST for 192.168.66.129 (192.168.66.1) from 00:1c:e8:01:6b:44 via em0.66
Nov 5 17:31:55 dhcpd 5567 DHCPACK on 192.168.66.129 to 00:1c:e8:01:6b:44 via em0.66

The newer KEA DHCP server rejects such DHCP requests and the offending unit keeps looping trying to get a lease:

Nov 5 17:22:14 kea-dhcp4 85441 INFO [kea-dhcp4.leases.0x12ba1fc17400] DHCP4_LEASE_ADVERT [hwtype=1 00:1c:e8:01:6b:44 ], cid=[no info], tid=0x22334458: lease 192.168.66.129 will be advertised
Nov 5 17:23:53 kea-dhcp4 85441 INFO [kea-dhcp4.dhcpsrv.0x12ba1fc17400] EVAL_RESULT Expression pool_opt1_0 evaluated to 1
Nov 5 17:23:53 kea-dhcp4 85441 INFO [kea-dhcp4.leases.0x12ba1fc17400] DHCP4_LEASE_ADVERT [hwtype=1 00:1c:e8:01:6b:44 ], cid=[no info], tid=0x22334458: lease 192.168.66.130 will be advertised
Nov 5 17:26:34 kea-dhcp4 85441 INFO [kea-dhcp4.dhcpsrv.0x12ba1fc17400] EVAL_RESULT Expression pool_opt1_0 evaluated to 1
Nov 5 17:26:34 kea-dhcp4 85441 INFO [kea-dhcp4.leases.0x12ba1fc17400] DHCP4_LEASE_ADVERT [hwtype=1 00:1c:e8:01:6b:44 ], cid=[no info], tid=0x22334458: lease 192.168.66.131 will be advertised
Nov 5 17:29:14 kea-dhcp4 85441 INFO [kea-dhcp4.dhcpsrv.0x12ba1fc17400] EVAL_RESULT Expression pool_opt1_0 evaluated to 1
Nov 5 17:29:14 kea-dhcp4 85441 INFO [kea-dhcp4.leases.0x12ba1fc17400] DHCP4_LEASE_ADVERT [hwtype=1 00:1c:e8:01:6b:44 ], cid=[no info], tid=0x22334458: lease 192.168.66.132 will be advertised

I believe the KEA server error code is DHCP4_CLIENT_HOSTNAME_MALFORMED although I have no way of setting the debug log level at 50 or 55.

In this case, the unit is some firmware contained in a Cummins generator and there is no chance of updating the darn thing ;-(. Attached is a PCAP capture and PDF dump of the four DHCP psackets.

Is there a setting preventing such mundane rejects ?


Files

CumminsGenerator.pcap (1.45 KB) CumminsGenerator.pcap Packet capture of the DHCP transaction Serge Caron, 11/07/2024 03:19 PM
CuminsGenerator.pdf (147 KB) CuminsGenerator.pdf WireShark dump of the DHCP transaction Serge Caron, 11/07/2024 03:19 PM
Unexpected_token.jpg (110 KB) Unexpected_token.jpg Serge Caron, 11/08/2024 06:27 PM
Actions #1

Updated by Christian McDonald about 1 month ago

  • Assignee set to Christian McDonald

The PCAP shows the complete DORA exchange, with a lease being offered to the client. It is possible that the client is expecting the FQDN option to be passed-through unmodified, which presumably is what ISC DHCPD is doing. A PCAP of that exchange would be helpful. If Kea is unable to parse the FDQDN or hostname option in the client request, the option(s) won't be added to the response.

Actions #2

Updated by Jim Pingle about 1 month ago

Looks like lenient-option-parsing might help this, could make that a global option maybe.

https://kea.readthedocs.io/en/kea-2.6.1/arm/dhcp4-srv.html#lenient-option-parsing

Starting with Kea version 2.5.8, this parsing is extended to silently ignore FQDN (81) options with some invalid domain names.

Actions #3

Updated by Serge Caron about 1 month ago

Christian, the PCAP was provided to show the complete exchange, regardless of the DHCP server.

Look at the FQDN option in the DHCP request: the manufacturer's intent is to name the device "generator" but the option is malformed as indicated in the WireShark dump:
Option: (81) Client Fully Qualified Domain Name
Length: 9
Flags: 0x67, Encoding, Server overrides, Server
0110 .... = Reserved flags: 0x6
.... 0... = Server DDNS: Some server updates
.... .1.. = Encoding: Binary encoding
.... ..1. = Server overrides: Override
.... ...1 = Server: Server
A-RR result: 101
PTR-RR result: 110
[Malformed Packet: DHCP/BOOTP]
[Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
[Malformed Packet (Exception occurred)]
[Severity level: Error]
[Group: Malformed]

The request comes from the device, not KEA.

Actions #4

Updated by Christian McDonald about 1 month ago

Serge Caron wrote in #note-3:

Christian, the PCAP was provided to show the complete exchange, regardless of the DHCP server.

Ah okay, than it might be useful to enable lenient-option-parsing

You can test by executing the following one-liner while Kea is running:

echo '{"command":"config-get"}' | nc -U /var/run/kea4-ctrl-socket | jq 'del(.arguments.hash) | del(.result) | .arguments.Dhcp4 += {"compatibility": {"lenient-option-parsing": true}} | .command = "config-set"' | nc -U /var/run/kea4-ctrl-socket

This will modify the running config without restarting Kea. Try obtaining a lease again. Restarting Kea will revert this change.

You can also run this one-liner to enable DEBUG logging:

echo '{"command":"config-get"}' | nc -U /var/run/kea4-ctrl-socket | jq 'del(.arguments.hash) | del(.result) | .arguments.Dhcp4.loggers[0].debuglevel = 55 | .arguments.Dhcp4.loggers[0].severity = "DEBUG" | .command = "config-set"' | nc -U /var/run/kea4-ctrl-socket

Actions #5

Updated by Serge Caron about 1 month ago

Hello Christian,

I have a second installation with the same Cummins generator. I reassigned the VLAN so that the lease is treated by a pfSense 2.7.2 installation.

I can verify that KEA DHCP is running using ps -awx -l from the SSH console (option 8):
0 43942 1 1 20 0 56680 25048 select S - 0:02.64 /usr/local/sbin/kea-dhcp4 -c /usr/local/etc/kea/kea-dhcp4.

Your one-liner has no effect.

In the console environment, I get "jq: command not found":
[2.7.2-RELEASE][]/root: echo '{"command":"config-get"}' | nc -U /var/run/kea4-ctrl-socket | jq 'del(.arguments.hash) | del(.result) | .arguments.Dhcp4 += {"compatibility": {"lenient-option-parsing": true}} | .command = "config-set"' | nc -U /var/run/kea4-ctrl-socket

[2.7.2-RELEASE][]/root: echo '{"command":"config-get"}' | nc -U /var/run/kea4-ctrl-socket | jq 'del(.arguments.hash) | del(.result) | .arguments.Dhcp4 += {"compatibility": {"lenient-option-parsing": true}} | .command = "config-set"' | nc -U /var/run/kea4-ctrl-socket
jq: Command not found.

In the "PHP shell + pfSense tools" environment (option 12), I get no reaction whatsoever.

Using the GUI "Diagnostics / Command Prompt", I get no result if the one-liner is executed as a command.

Finally, when executed as PHP, I get the error "Parse error: syntax error, unexpected token "var" in /tmp/user_code/co6bcG on line 7".

Hopefully you have a better suggestion ... or I am not subtle enough to understand your one liner ;-)

Actions #6

Updated by Christian McDonald about 1 month ago

doh, you're absolutely correct. textproc/jq is not pre-installed on 2.7.2

pkg install -y jq and try again :)

Actions #7

Updated by Serge Caron about 1 month ago

Still no joy ;-(

See parse error in screen capture "Unexpected_token.jpg".

jq installation is picture perfect. See below.

Obviously, by the time I get the error, file /tmp/user_code/pcMLr7 (or whatever) is gone and I don't have a clue of what is wrong.

-----------------------
[2.7.2-RELEASE][]/root: pkg install -y jq
Updating pfSense-core repository catalogue...
Fetching meta.conf: 0%
Fetching packagesite.pkg: 0%
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
Fetching meta.conf: 0%
Fetching packagesite.pkg: 0%
pfSense repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
jq: 1.7_1 [pfSense]

Number of packages to be installed: 1

The process will require 1 MiB more space.
345 KiB to be downloaded.
[1/1] Fetching jq-1.7_1.pkg: 100% 345 KiB 353.6kB/s 00:01
Checking integrity... done (0 conflicting)
[1/1] Installing jq-1.7_1...
[1/1] Extracting jq-1.7_1: 100%
[2.7.2-RELEASE][]/root:

Actions #8

Updated by Jim Pingle about 1 month ago

The lenient-option-parsing option won't help on CE 2.7.2 since it's on Kea 2.4.0, you'd need to be on the Plus 24.11 beta (or later) which has Kea 2.6.1 since the behavior for this option was only changed in Kea 2.5.8.

Even Plus 24.03 wouldn't work since it only has Kea 2.4.1.

Actions #9

Updated by Christian McDonald about 1 month ago

ah good catch

Actions #10

Updated by Serge Caron about 1 month ago

Looking at the 2.8.0 roadmap, I still have a chance to see a resolution in the next six months ;-)

Kind regards,

Actions #11

Updated by Serge Caron about 1 month ago

One last note on this DHCP server migration.

The packet capture in the 2.7.2 distribution correctly shows options 60 and 255 following the FQDN field (option 81). Using the medium view level, we have:

14:22:39.691577 IP (tos 0x0, ttl 64, id 5, offset 0, flags [none], proto UDP (17), length 357)
0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1c:e8:00:c3:c4, length 329, xid 0x22334456, secs 64, Flags [Broadcast]
Client-Ethernet-Address 00:1c:e8:00:c3:c4
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message (53), length 1: Request
Requested-IP (50), length 4: 192.168.166.139
Subnet-Mask (1), length 4: 255.255.255.0
Default-Gateway (3), length 4: 192.168.166.1
Domain-Name-Server (6), length 4: 192.168.166.1
Lease-Time (51), length 4: 86400
Parameter-Request (55), length 4:
Subnet-Mask (1), Default-Gateway (3), Domain-Name-Server (6), Domain-Name (15)
Server-ID (54), length 4: 192.168.166.1
FQDN (81), length 9: [ERROR: MBZ nibble 0x6 != 0] [SOE] 101/110 "erator"
Vendor-Class (60), length 30: "Cummins Home-Standby Products^J"

WireShark and the likes discard the rest of the packet following the option in error and we don't get to see the rest of the packet data.

In the case of the Cummins firmware, their FQDN field (option 81) is formatted exactly like the host name (option 12).

I do not know the prevalence of such confusions, but I have a factory full of devices manufactured over the last 20 years and I will be looking for lenient-option-parsing before I discard the obsolete ISC server.

Actions

Also available in: Atom PDF