dhcpinform or dhcprequest
Shawn Holland
sholland at sandara.ca
Wed Sep 2 23:33:53 UTC 2009
On Wed, 2009-09-02 at 15:46 -0700, David W. Hankins wrote:
> On Wed, Sep 02, 2009 at 05:22:54PM +0200, Tom Schmitt wrote:
> > Sadly I have not much hope that the vendor will change anything: The Client is a HP workstation with Windows XP and Microsoft is not well known for changing their software based on a request from a single person.
>
> the windows XP client is not known to behave as you describe, sending
> a DHCPINFORM in lieu of a DHCPREQUEST...
>
> quite the opposite, it is well known to renew at the correct time.
>
> the DHCPINFORM packets a client sends aren't based on lease time
> expiration, but rather are a random delayed window after bootup, when
> the Microsoft Industry Updater ("automatic updates") tries to check
> for patches. the MIU wants the unofficial "WPAD" option to try local
> http proxies first.
>
> you can suppress the DHCPINFORM packets at DHCPREQUEST time by sending
> a 'poison pill' wpad option contents. windows caches this poison pill
> and will not send a DHCPINFORM when the MIU starts up. this also
> stops the client from trying to locate proxies by DNS or other methods,
> and so it is in general a good idea if you aren't actually using WPAD.
>
> although it's not impossible for an attacker to insert a WPAD option
> at DHCP time, succeeding in giving a poison pill means it is impossible
> for an attacker to succeed via any other WPAD transport mechanism...a
> net gain.
>
> i've considered including it in our example dhcpd.conf, except that
> this raises questions about how we would document the option. the
> only reference that describes the option is an expired I-D.
>
>
> anyway.
>
> the only time i've ever heard of a similar situation was with
> failover servers in early 3.0.x, where the client was processed by both
> servers, so ddns updates were performed (identically) by both servers.
>
> the bug comes when the servers record inconsistent lease times, and
> the client binds to the longer lease time of the two. the early lease
> time comes, and in expiring the lease the server tears down ddns
> state. but we fixed this long ago, such that expiration events are
> only processed when both servers agree the lease has expired.
>
> so you are probably a victim to some unusual order of operations that
> causes the servers to agree that the client has been given a shorter
> lease time than it has bound to...
>
You can confirm what the client is being offered by looking at the offer
packet in tcpdump.
eg.
tcpdump -nes0 -i eth0 ether host 00:24:36:37:6c:d0 -vv
Discover packet:
20:22:53.506604 00:24:36:37:6c:d0 > ff:ff:ff:ff:ff:ff, ethertype IPv4
(0x0800), length 342: (tos 0x0, ttl 255, id 27835, offset 0, flags
[none], proto UDP (17), length 328) 0.0.0.0.68 > 255.255.255.255.67:
[udp sum ok] BOOTP/DHCP, Request from 00:24:36:37:6c:d0, length 300, xid
0xa8d69d36, Flags [none] (0x0000)
Client-Ethernet-Address 00:24:36:37:6c:d0
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Parameter-Request Option 55, length 6:
Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
Option 119, Option 252
MSZ Option 57, length 2: 1500
Client-ID Option 61, length 7: ether 00:24:36:37:6c:d0
Lease-Time Option 51, length 4: 7776000
Offer Packet:
20:22:54.004086 00:02:b3:e7:61:86 > 00:24:36:37:6c:d0, ethertype IPv4
(0x0800), length 342: (tos 0x10, ttl 16, id 0, offset 0, flags [none],
proto UDP (17), length 328) 10.2.0.1.67 > 10.2.255.254.68: [udp sum ok]
BOOTP/DHCP, Reply, length 300, xid 0xa8d69d36, Flags [none] (0x0000)
Your-IP 10.2.255.254
Client-Ethernet-Address 00:24:36:37:6c:d0
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Offer
Server-ID Option 54, length 4: 10.2.0.1
Lease-Time Option 51, length 4: 5
Subnet-Mask Option 1, length 4: 255.255.0.0
Default-Gateway Option 3, length 4: 10.2.0.1
Domain-Name-Server Option 6, length 4: 10.2.0.1
Domain-Name Option 15, length 10: "sandara.ca"
You should see the lease time (Option 51) in seconds. In my example 5
seconds.
If you look at the dhcpd.leases file it will confirm the lease time
offered
lease 10.2.255.254 {
starts 3 2009/09/02 23:24:08;
ends 3 2009/09/02 23:24:13;
tstp 3 2009/09/02 23:24:13;
binding state free;
hardware ethernet 00:24:36:37:6c:d0;
uid "\001\000$67l\320";
}
Now you should know exactly what was offered and be able to guess when
the client will request next.
--
Regards,
Shawn Holland
Sandara Technologies Ltd.
More information about the dhcp-users
mailing list