Validation of server response packets

A valid Option 82 server response to a client request packet includes a copy of the Option 82 fields the server received with the request. With validation disabled, most variations of Option 82 information are allowed, and the corresponding server response packets are forwarded.

Server response validation is an option you can specify when configuring Option 82 DHCP for append, replace, or drop operation. See Forwarding policies. Enabling validation on the routing switch can enhance protection against DHCP server responses that are either from untrusted sources or are carrying invalid Option 82 information.

With validation enabled, the relay agent applies stricter rules to variations in the Option 82 fields of incoming server responses to determine whether to forward the response to a downstream device or to drop the response due to invalid (or missing) Option 82 information. The following table describes relay agent management of DHCP server responses with optional validation enabled and disabled

Table 32: Relay agent management of DHCP server response packets.

Response packet content

Option 82 configuration

Validation enabled on the relay agent

Validation disabled (the default)

Valid DHCP server response packet without an Option 82 field.

append

, replace, or drop1

Drop the server response packet.

Forward server response packet to a downstream device.

keep2

Forward server response packet to a downstream device.

Forward server response packet to a downstream device.

The server response packet carries data indicating a given routing switch is the primary relay agent for the original client request, but the associated Option 82 field in the response contains a remote ID and circuit ID combination that did not originate with the given relay agent.

append

Drop the server response packet.

Forward server response packet to a downstream device.

replace

or drop1

Drop the server response packet.

Drop the server response packet.

keep2

Forward server response packet to a downstream device.

Forward server response packet to a downstream device.

The server response packet carries data indicating a given routing switch is the primary relay agent for the original client request, but the associated Option 82 field in the response contains a Remote ID that did not originate with the relay agent.

append

Drop the server response packet.

Forward server response packet to a downstream device.

replace

or drop1

Drop the server response packet.

Drop the server response packet.

keep2

Forward server response packet to a downstream device.

Forward server response packet to a downstream device.

All other server response packets 3

append

, keep2, replace, or drop1

Forward server response packet to a downstream device.

Forward server response packet to a downstream device.

1Drop is the recommended choice because it protects against an unauthorized client inserting its own Option 82 field for an incoming request.

2A routing switch with DHCP Option 82 enabled with the keep option forwards all DHCP server response packets except those that are not valid for either Option 82 DHCP operation (compliant with RFC 3046) or DHCP operation without Option 82 support (compliant with RFC 2131.)

3 A routing switch with DHCP Option 82 enabled drops an inbound server response packet if the packet does not have any device identified as the primary relay agent (giaddr=null; see RFC 2131.)