Trying to grasp RFC 3011, using ISC DHCP and Cisco ASA
Nick Ellson
Nick.Ellson at pgn.com
Thu Dec 11 19:04:06 UTC 2008
I have added your comments to the case notes, and my request to Cisco. Thanks again for all your help! :)
Nick
Nick Ellson
CCIE# 20018
Infrastructure Specialist
PGE, Network Operations Center
7 am - 4 pm, Pacific M-F
Personal: (503) 464-2995
Network Trouble: (503) 464-8754
"Educating Layer 8, one user at a time."
-----Original Message-----
From: dhcp-users-bounces at lists.isc.org [mailto:dhcp-users-bounces at lists.isc.org] On Behalf Of David W. Hankins
Sent: Thursday, December 11, 2008 10:55 AM
To: Users of ISC DHCP
Subject: Re: Trying to grasp RFC 3011, using ISC DHCP and Cisco ASA
On Thu, Dec 11, 2008 at 10:44:10AM -0800, Nick Ellson wrote:
> In a customer environment where, a DHCP Offer message sent from a DHCP Server to the ASA may take a different path than the DHCP Discover message sent by the ASA may run into issues. RFC 3011 ensures that the DHCP Offer message will be sent back to the same ASA interface it came from.
If this is new work, then I'd lean towards RFC 3527, as that is a
relay agent info option, and it is far less "weird" for a relay agent
to insert that option than for it to insert 125.
Having a relay agent use 3011 in this way breaks DHCP authentication,
which although it isn't well deployed today, might be someday. The
options space other than option 82 is signed client<-->server, so a
relay that adjusts the packet contents other than to append option 82
will break the signature.
--
Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil? https://secure.isc.org/store/t-shirt/
--
David W. Hankins "If you don't do it right the first time,
Software Engineer you'll just have to do it again."
Internet Systems Consortium, Inc. -- Jack T. Hankins
More information about the dhcp-users
mailing list