DHCP Relay-Agent 007

The secrets of a humble network service

Carsten Strotmann

Created: 2025-11-25 Tue 20:21

Agenda

  • DHCP Relay-Agent operation
  • DHCP Proxies
  • "snooping" DHCP-Agent
  • DHCP Option 54 - Server-Identifier
  • Open Source DHCP-Relay-Agents
  • References

DHCP Relay-Agent operation

  • Because a client machine without an IP address can only communicate on the local link, the base DHCPv4 protocol is "link-local" only
  • DHCPv4 relay-agents can be used to forward DHCPv4 requests to a centralised DHCPv4 server
    • DHCP relay-agents are often found in network equipment (e.g. routers)
    • Dedicated "software based" relay-agents are available

DHCP Clients, Relays and Server

DHCP-Relay01.png

DHCP Renew

RFC 2131

DHCPREQUEST generated during RENEWING state:

[…] This message will be unicast, so no relay agents will be involved in its transmission. […]

DHCP Renew

DHCP-Relay12.png

DHCP Renew challenges

  • There might be no direct communication between the DHCP client and the DHCP server
    • no IP forwarding
    • firewall
    • client in private IP address space, DHCP server in public address space

DHCP Renew issue

DHCP-Relay14.png

DHCP Rebinding

RFC 2131

DHCPREQUEST generated during REBINDING state: […] This message MUST be broadcast to the 0xffffffff IP broadcast address. The DHCP server SHOULD check 'ciaddr' for correctness before replying to the DHCPREQUEST.

The DHCPREQUEST from a REBINDING client is intended to accommodate sites that have multiple DHCP servers and a mechanism for maintaining consistency among leases managed by multiple servers. A DHCP server MAY extend a client's lease only if it has local administrative authority to do so.

DHCP Rebinding

DHCP-Relay15.png

Solution 1 - RFC 5107

RFC 5107 - DHCP Server Identifier Override Suboption

This memo defines a new suboption of the DHCP relay information option that allows the DHCP relay to specify a new value for the Server Identifier option, which is inserted by the DHCP Server. This allows the DHCP relay to act as the actual DHCP server such that RENEW DHCPREQUESTs will come to the relay instead of going to the server directly. This gives the relay the opportunity to include the Relay Agent option with appropriate suboptions even on DHCP RENEW messages.

DHCP RFC 5107

DHCP-Relay18.png

"DHCP Proxy"

  • Some hardware network devices include a "DHCP Proxy"
    • Cisco, Juniper, …
    • Similar to RFC 5107, but documentation often does not mention RFC 5107

Solution 2 - "Snooping DHCP Agent"

"Snooping DHCP Agent"

  • Some DHCP-Relays snoop on DHCP traffic passing "through" (not broadcast and not addressed to the relay agent)
  • The relay-agent creates its own DHCP-Request, as if the client had sent a broadcast DHCP-Request

"Snooping DHCP Agent"

DHCP-Relay24.png

Solution 3 - Explicit Server-Identifier Option

Explicit Server-Identifier Option

  • The 'Server-Identifier' Option (Code 54) is usually set by the DHCP-server to the IPv4 address of the DHCP server
  • The value is used by the client to send the unicast renew DHCP-request
  • This option is a regular DHCP option
    • it can be set manually for a subnet or a reservation to any IPv4 address
    • including the IPv4 address of the subnet's relay agent!

Explicit Server-Identifier

DHCP-Relay28.png
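
An added example (not from the talk, and not code from any of the relay-agent projects listed further down): a Python check of a server-to-relay DHCPACK that reports whether the client's unicast RENEW will reach the relay. It covers both the RFC 5107 override (suboption 11 of option 82) and a manually set option 54. It assumes giaddr is the relay address the client can reach; `tlvs`, `ip`, `renew_target` and `sample_reply` are hypothetical names, and the sample packets are constructed.

```python
# Added example: names are hypothetical, sample packets are constructed.
import ipaddress

MAGIC = bytes([99, 130, 83, 99])          # DHCP magic cookie (RFC 2131)
OPT_SERVER_ID, OPT_RELAY_INFO = 54, 82    # option 82: relay agent information
SUB_SERVER_ID_OVERRIDE = 11               # suboption defined by RFC 5107

def tlvs(data, is_suboption=False):
    """Yield (code, value) from a DHCP option area or an option 82 payload."""
    i = 0
    while i < len(data):
        code = data[i]
        if not is_suboption and code in (0, 255):   # pad / end carry no length
            if code == 255:
                return
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        yield code, data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]

def ip(value):
    return ipaddress.IPv4Address(value) if value is not None and len(value) == 4 else None

def renew_target(reply):
    """Return (server_id, override, via_relay) for a server-to-relay reply."""
    if len(reply) < 240 or reply[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    giaddr = ipaddress.IPv4Address(reply[24:28])
    opts = dict(tlvs(reply[240:]))
    subs = dict(tlvs(opts.get(OPT_RELAY_INFO, b""), is_suboption=True))
    server_id = ip(opts.get(OPT_SERVER_ID))
    override = ip(subs.get(SUB_SERVER_ID_OVERRIDE))
    # A RENEW is unicast to option 54; the relay sees it only if that is its own address.
    via_relay = server_id is not None and server_id in (override, giaddr)
    return server_id, override, via_relay

def sample_reply(giaddr, server_id, override=None):
    """Constructed DHCPACK as the server sends it to the relay (test data)."""
    pkt = bytearray(236)
    pkt[0] = 2                                           # op = BOOTREPLY
    pkt[24:28] = ipaddress.IPv4Address(giaddr).packed
    opts = bytes([53, 1, 5])                             # message type: ACK
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    if override:
        sub = bytes([SUB_SERVER_ID_OVERRIDE, 4]) + ipaddress.IPv4Address(override).packed
        opts += bytes([OPT_RELAY_INFO, len(sub)]) + sub
    return bytes(pkt) + MAGIC + opts + b"\xff"
```

A reply that carries suboption 11 but whose option 54 still holds the server's own address indicates a server that ignored the override, so RENEW traffic will bypass the relay.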

Open Source DHCP-Relay-Agent Software

ISC dhcp-relay

DHCP-Helper

dhcp-relay

  • DHCP snooping: YES
  • DHCP Server Identifier Override Suboption: ??
  • Note: supports resolving the DHCP server via DNS for each request
  • Note: opinionated Golang implementation
  • URL: https://github.com/Mirantis/dhcp-relay

dhcp-fwd (DHCP-Forwarder)

dnsmasq

References

Internet Standards

Commercial Implementations

Misc