Validation of server response packets
A valid Option 82 server response to a client request packet includes a copy of the Option 82 fields the server received with the request. With validation disabled, most variations of Option 82 information are allowed, and the corresponding server response packets are forwarded.
Server response validation is an option you can specify when configuring Option 82 DHCP for
append
,
replace
, or
drop
operation. Enabling validation on the routing switch can enhance protection against DHCP server responses that are either from untrusted sources or are carrying invalid Option 82 information.
With validation enabled, the relay agent applies stricter rules to variations in the Option 82 fields of incoming server responses to determine whether to forward the response to a downstream device or to drop the response due to invalid (or missing) Option 82 information. The following table describes relay agent management of DHCP server responses with optional validation enabled and disabled.
Response packet content |
Option 82 configuration |
Validation enabled on the relay agent |
Validation disabled (the default) |
---|---|---|---|
Valid DHCP server response packet without an Option 82 field. |
append ,
|
Drop the server response packet. |
Forward server response packet to a downstream device. |
keep2 |
Forward server response packet to a downstream device. |
Forward server response packet to a downstream device. |
|
The server response packet carries data indicating a given routing switch is the primary relay agent for the original client request, but the associated Option 82 field in the response contains a remote ID and circuit ID combination that did not originate with the given relay agent. |
append |
Drop the server response packet. |
Forward server response packet to a downstream device. |
replace or
|
Drop the server response packet. |
Drop the server response packet. |
|
keep2 |
Forward server response packet to a downstream device. |
Forward server response packet to a downstream device. |
|
The server response packet carries data indicating a given routing switch is the primary relay agent for the original client request, but the associated Option 82 field in the response contains a Remote ID that did not originate with the relay agent. |
append |
Drop the server response packet. |
Forward server response packet to a downstream device. |
replace or
|
Drop the server response packet. |
Drop the server response packet. |
|
keep2 |
Forward server response packet to a downstream device. |
Forward server response packet to a downstream device. |
|
All other server response packets 3 |
append ,
|
Forward server response packet to a downstream device. |
Forward server response packet to a downstream device. |
1Drop
is the recommended choice because it protects against an unauthorized client inserting its own Option 82 field for an incoming request.
2
A routing switch with DHCP Option 82 enabled with the
keep
option forwards all DHCP server response packets except those that are not valid for either Option 82 DHCP operation (compliant with RFC 3046) or DHCP operation without Option 82 support (compliant with RFC 2131.)
3
A routing switch with DHCP Option 82 enabled drops an inbound server response packet if the packet does not have any device identified as the primary relay agent (giaddr=null; see RFC 2131.)