DHCPv4 Relay Agent Option 82
DHCP option 82 is a security feature that enables the relay agent to prevent DHCP client requests from untrusted sources. You can configure the relay agent to add option 82 information to DHCP requests from clients before forwarding the requests to the DHCP server.
Option 82 overview
Option 82 allows the DHCP server to select a sub-range in the DHCP server address pool. The DHCP server echoes option 82 in the DHCP reply packet. The DHCP relay agent validates and removes the option 82 information, and then sends the response to the DHCP client.
Adding option 82 to DHCP client requests helps address the following security issues:
- Allows the relay agent to identify the circuit to which to forward replies.
- Prevents DHCP IP address exhaustion attacks. IP address exhaustion occurs when an attacker requests all available IP addresses from a DHCP server by sending requests with fake client MAC addresses.
- Prevents permanently assigning an IP address to a particular user or modem.
- Prevents spoofing of client identifier fields used to assign IP addresses.
- Prevents denial of service (DoS) attacks.
Relay agent operation with Option 82 enabled
When Option 82 is enabled, the relay agent performs the following actions:
- If the relay agent receives a DHCP packet with the GIADDR field set to zero but with Option 82 already present, it discards the packet and increments the error count.
- If the relay agent receives a DHCP packet with the GIADDR field set to an address implemented by the local agent, it discards the packet.
- Adds the IP address of the relay agent (in the GIADDR field).
- Inserts the Option 82 information as the last option in a request packet. Option 82 information contains the remote ID sub-option and the circuit ID sub-option.
- Relays the packet to the DHCP server.
- Removes Option 82 from packets received from the DHCP server, after validating it.
- Forwards the packet to the client.
Configuration considerations
Consider the following when you configure option 82:
- If the relay agent is configured over a Ve interface, the remote-id will be the ifindex of the Ve interface, and the broadcast replies from the server are flooded to all the tagged interfaces configured in the Ve.
- The relay agent does not monitor the client requests during the renewal phase. Also, the device forwards request packets with a non-zero GIADDR from a different relay agent.
- You cannot configure each sub-option separately. Enabling Option 82 enables the insertion of the circuit ID and remote ID sub-options.
- DHCP relay Option 82 can be enabled or disabled globally. You cannot enable or disable this option at the interface level.
Option 82 sub-options
The DHCP Relay Agent Information Option is a container option for specific agent-supplied sub-options. The relay agent information option has the following format.
Code | Len | Agent Information Field
82   | N   | i1 i2 i3 i4 ... iN
Note
The length N represents the total number of octets in the Agent Information Field. The Agent Information field consists of a sequence of SubOpt/Length/Value tuples for each sub-option.
Table 1. Agent remote ID sub-option
Sub-option type (1 byte) | Length (1 byte) | VLAN ID (2 bytes) | MAC address (6 bytes)
2                        | 8               |                   |
Table 2. Relay agent circuit ID sub-option
Sub-option type (1 byte) | Length (1 byte) | VLAN ID <string> (4 bytes) | IF-description string (4 bytes)
2                        | 68              |                            |
Note
The circuit ID is a combination of the VLAN-ID and the interface description string. If the interface description is not configured, the default string "Extremenetworks" is used in the circuit ID.
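The following Python model, added here and not part of the vendor documentation, ties the sub-option layouts above (Tables 1 and 2) to the relay agent rules listed under "Relay agent operation": it builds the Option 82 container, applies the GIADDR/Option 82 discard checks and the append-as-last-option rule on a client request, and validates and strips the echoed option on the server reply. Assumptions: sub-option codes 1 (circuit ID) and 2 (remote ID) are taken from RFC 3046, the 4-byte VLAN ID string is zero-padded decimal, and the DHCP options are given as the raw TLV bytes that follow the magic cookie.

```python
import struct

OPT_RELAY_AGENT_INFO, OPT_END = 82, 255
# Sub-option codes per RFC 3046 (assumption); value layouts follow Tables 1 and 2.
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


def build_option82(vlan_id, mac, if_description="Extremenetworks"):
    """Option 82 container: code 82, total length N, then sub-option TLVs.
    Remote ID = VLAN ID (2 bytes) + MAC (6 bytes), length 8. Circuit ID =
    4-char VLAN ID string (assumed zero-padded decimal) + interface description,
    which defaults to "Extremenetworks" when none is configured."""
    remote_id = struct.pack("!H", vlan_id) + bytes.fromhex(mac.replace(":", ""))
    circuit_id = f"{vlan_id:04d}{if_description}".encode()
    field = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
             + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    return bytes([OPT_RELAY_AGENT_INFO, len(field)]) + field


def parse_tlvs(blob):
    """Parse a DHCP option list (or an Agent Information Field) into {code: value}."""
    out, i = {}, 0
    while i < len(blob) and blob[i] != OPT_END:
        code, length = blob[i], blob[i + 1]
        out[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return out


def relay_to_server(giaddr, options, agent_ip, vlan_id, mac, if_description="Extremenetworks"):
    """Relay agent rules for a client request. Returns (action, giaddr, options)."""
    if giaddr == "0.0.0.0" and OPT_RELAY_AGENT_INFO in parse_tlvs(options):
        return "discard", giaddr, options   # client-supplied Option 82: drop, count error
    if giaddr == agent_ip:
        return "discard", giaddr, options   # GIADDR already names this agent
    body = options.rstrip(bytes([OPT_END]))
    # Set GIADDR to the agent address and insert Option 82 as the last option before END.
    opt82 = build_option82(vlan_id, mac, if_description)
    return "relay", agent_ip, body + opt82 + bytes([OPT_END])


def relay_to_client(reply_options, vlan_id, mac, if_description="Extremenetworks"):
    """Validate the Option 82 echoed by the server against what this agent
    inserted, then strip it. Returns the cleaned options, or None on mismatch."""
    opts = parse_tlvs(reply_options)
    expected = build_option82(vlan_id, mac, if_description)[2:]
    if opts.get(OPT_RELAY_AGENT_INFO) != expected:
        return None
    cleaned = b"".join(bytes([c, len(v)]) + v for c, v in opts.items()
                       if c != OPT_RELAY_AGENT_INFO)
    return cleaned + bytes([OPT_END])
```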