Chapter 5. DHCP services

Table of Contents

DHCP
Bootstrap Protocol
Various DHCP options
Architecture
Flows and feeds
Administration
Monitoring
Operations
Users
Security
ISC DHCP
Installation and configuration
Logging
Resources

DHCP

DHCP stands for Dynamic Host Configuration Protocol and is the de-facto standard for dynamic IP allocation. The basic premise is that a client, who does not know what IP address it has (or should have), asks it to the DHCP server. The flow used is shown in the next figure.

Figure 5.1. Standard DHCP flow

Standard DHCP flow

Initially, the client does not know where the server is, so it broadcasts the DHCP discover request on the entire subnet. Network administrators will configure the routers on each subnet to forward the DHCP related messages to the proper server (actually enable a DHCP relay function in the router - forwarding alone is not sufficient), or can deploy DHCP Relay services in the subnet separate from the router.

DHCP has a few advanced usages as well though.

Bootstrap Protocol

The Bootstrap Protocol (BOOTP) allows for a client to obtain not only IP address information, but also images that the client should download and boot. Unlike DHCP itself, which is usually triggered when the operating system on the client has already booted, BOOTP is meant to be executed before an operating system is loaded. Historically, BOOTP was created for diskless systems, but this feature is still used often.

One of the situations where BOOTP can come in handy is to create bare metal backups of desktops. By default, the DHCP/BOOTP server does not pass any information back, and all desktops or workstations get no reply to the BOOTP requests and thus boot further into their operating system. But when a bare metal backup (or restore) needs to be executed, the administrator toggles the BOOTP server. When the workstation reboots, it now receives the necessary information from the BOOTP server, downloads an autonomous operating system image (such as a Linux OS with imaging software on it, such as PartImage) and performs the backup (or restore) operation that the administrator has configured.

After backing up the file, the workstation is rebooted and the BOOTP server becomes silent again, allowing the workstation to continue to boot regularly.

Various DHCP options

DHCP servers can pass on additional options to the clients, which are used to configure other services on the client. These options have unique integer as identifiers.

Most of these options are to point the client to other centralized services, such as the syslog server to use (28), NTP Server (47-49), mail server (69) and more. If both server and clients are fully controlled by the organization, additional custom options can be used to configure systems further.

Architecture

The basic setup shown further uses a high-available architecture where the DHCP services keep track of the leases granted to the systems, as well as balance free IP addresses between the two DHCP servers. This allows, if a network split occurs, that each DHCP service can act independently as it has its own pool of free IP addresses, and has knowledge of the lease state of all currently assigned addresses.

Figure 5.2. Standard HA architecture for DHCP

Standard HA architecture for DHCP

Important

Make sure that the two DHCP servers have their time synchronized, so the use of an NTP service for both systems is seriously recommended.

Flows and feeds

No flows or feeds are identified as of yet.

Administration

To administer DHCPd, a configuration management tool (puppet) is used to update configurations. Regular operations on the DHCP daemon (stopping/starting) is done through the standard Unix services.

Figure 5.3. Administering DHCPd

Administering DHCPd

Monitoring

To monitor DHCP operations, log events need to be captured. This allows the monitoring infrastructure to follow up on the IP pool balance.

On regular times, the following log entries will be shown with the current balancing information:

Oct 24 09:33:21 src <at> intranet dhcpd: pool 8124898 total 759 free 238 backup 266 lts -14
Oct 24 09:33:32 src <at> intranet dhcpd: pool 8124898 total 759 free 237 backup 266 lts -14

In the above example, from a pool with currently 759 IP addresses, 237 are not assigned and "owned" by the server while the backup server has 266 IP addresses free. The lts parameter (which stands for "leases to send") tells that the system is to receive 14 leases (negative number) in order to balance the available IP addresses.

Other monitoring is of course

Operations

In standard operation mode, the DHCP daemon receives requests and updates from DHCP relay services (or directly from servers in the same subnet). Any activity is logged through the system logger, who forwards the events to the log server for further processing.

An NTP service is explicitly mentioned on the drawing as time synchronisation is very important for the fail-over setup of the DHCP service.

Figure 5.4. Operational flows and activities on DHCP service

Operational flows and activities on DHCP service

Users

The DHCP daemon is an anonymous service; no users are defined beyond the administrators (on operating system level).

Security

ISC DHCP is a popular components, so exploits are not that hard to find against older versions.

Make sure that the DHCP service is running on the latest patch level, and is properly hardened.

ISC DHCP

When you have systems that require dynamically allocated IP addresses, you will need a DHCP service.

Installation and configuration

The installation and configuration of DHCP is fairly simple and, similar to BIND, uses flat files for its configuration.

Installation

First install the DHCP server.

# emerge dhcp

Do the same on the relay servers.

Next, edit /etc/conf.d/dhcpd to configure the DHCP daemon to use IPv6.

# cat /etc/conf.d/dhcpd
DHCPD_OPTS="-6"

Master DHCP server

On the master DHCP server, configure the /etc/dhcp/dhcpd.conf file similar to the following:

# cat /etc/dhcp/dhcpd.conf
ddns-update-style interim;

authorative;

default-lease-time 600;
max-lease-time 7200;

server-identifier adhcpp.internal.genfic.com;
failover peer "dhcp-ha" {
  primary;
  split 128;
  mclt 3600;
  address 2001:db8:81:e2::fe12; # This server
  port 519;
  peer address 2001:db8:81:e4::822f; # Secondary server
  peer port 519;
  max-response-delay 60;
  max-unacked-updates 10;
  load balance max seconds 3;
};

# Shared part

subnet6 2001:db8:81:e2::/64 {
  range6 2001:db8:81:e2::f00 2001:db8:81:e2::fff;
  option dhcp6.name-servers 2001:db8:81:21::ac:98ad:5fe1, \
    2001:db8:81:22::ae:6b01:e3d8;
  option dhcp6.domain-search "workstation.internal.genfic.com";
}

subnet6 2001:db8:81:21::/64 {
  # Empty but must be declared so DHCPd starts
}

It is also possible to have the DHCP server provide a fixed IP address to a system based on its MAC address. This is handled through the host parameter:

group {
  use-host-decl-names on;

  host la00010 {
    hardware ethernet "e8:0c:11:31:9f:0b";
    fixed-address la00010.workstation.internal.genfic.com;
    option host-name "la00010";
  }
}

Finally, start the service and register it to automatically start during boot.

# rc-update add dhcpd default
# rc-service dhcpd start

On the secondary server, the failover part of the configuration would look like so:

server-identifier adhcps.internal.genfic.com;
failover peer "dhcp-ha" {
  secondary;
  address 2001:db8:81:e4::822f; # This server
  port 519;
  peer address 2001:db8:81:e2::fe12; # Primary server
  peer port 519;
  max-response-delay 60;
  max-unacked-updates 10;
  load balance max seconds 3;
};

The remainder of the configuration file is the same as on the master.

Relay services

To configure a relay service, edit /etc/conf.d/dhcrelay and set the DHCRELAY_OPTS accordingly.

# cat /etc/conf.d/dhcrelay
DHCRELAY_OPTS="-6 -l eth0 -u 2001:db8:81:21::f4:3303:40f4%eth0 -u \
  2001:db8:81:22::5f:3853:fe78%eth0"

Also edit /etc/init.d/dhcrelay as it forces two options that are only valid for IPv4:

# vim /etc/init.d/dhcrelay
(... 1. look for $(printf " -i %s" ${IFACE}) and delete it ...)
(... 2. look for DHCRELAY_SERVERS and remove it ...)
(... End result should be something like:)
start-stop-daemon --start --exec /usr/sbin/dhcrelay \
  -- -q ${DHCRELAY_OPTS}

Then start up the relay service and make sure it starts at boot time as well.

# rc-update add dhcrelay default
# rc-service dhcrelay start

Logging

For the DHCP service, log entries are sent to the system logger.

Resources

On ISC DHCP: