Discussion:
[strongSwan] DHCP plugin + freeradius - strange behavior when no proposals
Kamil Jońca
2018-10-16 08:25:29 UTC
Disclaimer: I do not know if it is a bug or a feature, and what should be
changed: freeradius or the dhcp plugin.

I have configured dhcp plugin:

--8<---------------cut here---------------start------------->8---
dhcp {
force_server_address = yes
identity_lease = yes
interface = eth0
load = yes
server=192.168.200.200
}
--8<---------------cut here---------------end--------------->8---

freeradius acts as the DHCP server.
Addresses are statically assigned.
A strange thing happens when the plugin asks for an unknown MAC: freeradius sends
this message:

Sun Oct 14 19:27:57 2018 : Debug: (35) DHCP-Relay-IP-Address = 192.168.200.200
Sun Oct 14 19:27:57 2018 : Debug: (35) DHCP-Message-Type = DHCP-Offer
Sun Oct 14 19:27:57 2018 : Debug: (35) DHCP-Domain-Name-Server = 192.168.200.200
Sun Oct 14 19:27:57 2018 : Debug: (35) DHCP-Subnet-Mask = 255.255.255.0
Sun Oct 14 19:27:57 2018 : Debug: (35) DHCP-Router-Address = 192.168.200.218
Sun Oct 14 19:27:57 2018 : Debug: (35) DHCP-IP-Address-Lease-Time = 86400
Sun Oct 14 19:27:57 2018 : Debug: (35) DHCP-DHCP-Server-Identifier = 192.168.200.200
Sun Oct 14 19:27:57 2018 : Debug: (35) DHCP-Domain-Name = "kjonca"
Sun Oct 14 19:27:57 2018 : Debug: (35) DHCP-Server-IP-Address = 192.168.200.200
Sun Oct 14 19:27:57 2018 : Debug: (35) DHCP-Time-Server = 192.168.200.200
Sun Oct 14 19:27:57 2018 : Debug: (35) DHCP-Opcode = Server-Message
Sun Oct 14 19:27:57 2018 : Debug: (35) DHCP-Hardware-Type = Ethernet
Sun Oct 14 19:27:57 2018 : Debug: (35) DHCP-Hardware-Address-Length = 6
Sun Oct 14 19:27:57 2018 : Debug: (35) DHCP-Hop-Count = 0
Sun Oct 14 19:27:57 2018 : Debug: (35) DHCP-Transaction-Id = 1809418123
Sun Oct 14 19:27:57 2018 : Debug: (35) DHCP-Flags = 0
Sun Oct 14 19:27:57 2018 : Debug: (35) DHCP-Client-IP-Address = 0.0.0.0
Sun Oct 14 19:27:57 2018 : Debug: (35) DHCP-Gateway-IP-Address = 192.168.200.200
Sun Oct 14 19:27:57 2018 : Debug: (35) DHCP-Client-Hardware-Address = 7a:a7:86:29:f1:72

so the dhcp server offers 0.0.0.0 as the address,
and the dhcp plugin requests this address:
Sun Oct 14 19:27:57 2018 : Debug: (41) DHCP-Opcode = Client-Message
Sun Oct 14 19:27:57 2018 : Debug: (41) DHCP-Hardware-Type = Ethernet
Sun Oct 14 19:27:57 2018 : Debug: (41) DHCP-Hardware-Address-Length = 6
Sun Oct 14 19:27:57 2018 : Debug: (41) DHCP-Hop-Count = 0
Sun Oct 14 19:27:57 2018 : Debug: (41) DHCP-Transaction-Id = 1809418123
Sun Oct 14 19:27:57 2018 : Debug: (41) DHCP-Number-of-Seconds = 0
Sun Oct 14 19:27:57 2018 : Debug: (41) DHCP-Flags = 0
Sun Oct 14 19:27:57 2018 : Debug: (41) DHCP-Client-IP-Address = 0.0.0.0
Sun Oct 14 19:27:57 2018 : Debug: (41) DHCP-Your-IP-Address = 0.0.0.0
Sun Oct 14 19:27:57 2018 : Debug: (41) DHCP-Server-IP-Address = 0.0.0.0
Sun Oct 14 19:27:57 2018 : Debug: (41) DHCP-Gateway-IP-Address = 192.168.200.200
Sun Oct 14 19:27:57 2018 : Debug: (41) DHCP-Client-Hardware-Address = 7a:a7:86:29:f1:72
Sun Oct 14 19:27:57 2018 : Debug: (41) DHCP-Message-Type = DHCP-Request
Sun Oct 14 19:27:57 2018 : Debug: (41) DHCP-Hostname = "sikorka.kjonca"
Sun Oct 14 19:27:57 2018 : Debug: (41) DHCP-Client-Identifier = 0x73696b6f726b612e6b6a6f6e6361
Sun Oct 14 19:27:57 2018 : Debug: (41) DHCP-Requested-IP-Address = 0.0.0.0
Sun Oct 14 19:27:57 2018 : Debug: (41) DHCP-DHCP-Server-Identifier = 192.168.200.200
Sun Oct 14 19:27:57 2018 : Debug: (41) DHCP-Parameter-Request-List = DHCP-Domain-Name-Server
Sun Oct 14 19:27:57 2018 : Debug: (41) DHCP-Parameter-Request-List = DHCP-NETBIOS-Name-Servers

and receives a dhcp-ack.
And ... again sends a dhcp-request, receives a dhcp-ack, and we end up in an
infinite loop.

Now I have (temporarily) configured the dhcp server not to send an offer for an unknown
client, but I am not sure if it is the proper solution.

1. What should the dhcp server do when it receives a dhcp-discover via a gateway
and there are no proposals? Should it send any answer?
2. What should the dhcp plugin do when it receives a dhcp-offer with an address like
0.0.0.0?

KJ
--
http://wolnelektury.pl/wesprzyj/teraz/
Work expands to fill the time available.
-- Cyril Northcote Parkinson, "The Economist", 1955
Tobias Brunner
2018-10-16 08:58:50 UTC
Hi Kamil,
Post by Kamil Jońca
and receives a dhcp-ack.
And ... again sends a dhcp-request, receives a dhcp-ack, and we end up in an
infinite loop.
Do you have the strongSwan log that goes with this? And what strongSwan
and FreeRADIUS versions are you using?
Post by Kamil Jońca
Now I have (temporarily) configured the dhcp server not to send an offer for an unknown
client, but I am not sure if it is the proper solution.
It should probably either offer a valid address or not send an offer at all.
Post by Kamil Jońca
1. What should the dhcp server do when it receives a dhcp-discover via a gateway
and there are no proposals? Should it send any answer?
No, why should it send an offer if it has no addresses to offer?
Post by Kamil Jońca
2. What should the dhcp plugin do when it receives a dhcp-offer with an address like
0.0.0.0?
Probably ignore the offer, so that might be something to look into.

Regards,
Tobias
Kamil Jońca
2018-10-16 09:16:43 UTC
Post by Tobias Brunner
Hi Kamil,
Post by Kamil Jońca
and receives a dhcp-ack.
And ... again sends a dhcp-request, receives a dhcp-ack, and we end up in an
infinite loop.
Do you have the strongSwan log that goes with this? And what strongSwan
and FreeRADIUS versions are you using?
only something like this (I had no debug logging enabled):
2018-10-14T19:27:57.322435+02:00 alfa charon-systemd[6721]: sending DHCP DISCOVER to 192.168.200.200
2018-10-14T19:27:57.322643+02:00 alfa charon-systemd[6721]: received DHCP OFFER %any from 192.168.200.200
2018-10-14T19:27:57.324271+02:00 alfa charon-systemd: 13[IKE] peer requested virtual IP %any
2018-10-14T19:27:57.324465+02:00 alfa charon-systemd: 13[CFG] sending DHCP DISCOVER to 192.168.200.200
2018-10-14T19:27:57.324653+02:00 alfa charon-systemd: 06[CFG] received DHCP OFFER %any from 192.168.200.200
2018-10-14T19:27:57.325632+02:00 alfa charon-systemd[6721]: sending DHCP REQUEST for %any to 192.168.200.200
2018-10-14T19:27:57.325731+02:00 alfa charon-systemd: 13[CFG] sending DHCP REQUEST for %any to 192.168.200.200
2018-10-14T19:27:57.325846+02:00 alfa charon-systemd[6721]: sending DHCP REQUEST for %any to 192.168.200.200
2018-10-14T19:27:57.326035+02:00 alfa charon-systemd: 13[CFG] sending DHCP REQUEST for %any to 192.168.200.200
2018-10-14T19:27:57.332313+02:00 alfa charon-systemd[6721]: received DHCP ACK for %any
2018-10-14T19:27:57.334059+02:00 alfa charon-systemd: 12[CFG] received DHCP ACK for %any

strongswan and freeradius as packaged by Debian:

strongswan:
Version: 5.7.1-1

freeradius:
Version: 3.0.16+dfsg-4.1+b1
Post by Tobias Brunner
Post by Kamil Jońca
Now I have (temporarily) configured the dhcp server not to send an offer for an unknown
client, but I am not sure if it is the proper solution.
It should probably either offer a valid address or not send an offer at all.
Post by Kamil Jońca
1. what should do dhcp server when receives dhcp-discover via gateway,
relay agent ^^^^^^^
Post by Tobias Brunner
Post by Kamil Jońca
and there are no proposals? Should it send any answer?
No, why should it send an offer if it has no addresses to offer?
I was afraid I had overlooked something when reading the DHCP spec. (And there is
a DHCP message that informs the relay that this server cannot serve the request.)

So I can safely keep my freeradius config?

KJ
--
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
Life is a healthy respect for mother nature laced with greed.
Tobias Brunner
2018-10-16 10:16:59 UTC
Post by Kamil Jońca
2018-10-14T19:27:57.322435+02:00 alfa charon-systemd[6721]: sending DHCP DISCOVER to 192.168.200.200
2018-10-14T19:27:57.322643+02:00 alfa charon-systemd[6721]: received DHCP OFFER %any from 192.168.200.200
2018-10-14T19:27:57.324271+02:00 alfa charon-systemd: 13[IKE] peer requested virtual IP %any
2018-10-14T19:27:57.324465+02:00 alfa charon-systemd: 13[CFG] sending DHCP DISCOVER to 192.168.200.200
2018-10-14T19:27:57.324653+02:00 alfa charon-systemd: 06[CFG] received DHCP OFFER %any from 192.168.200.200
2018-10-14T19:27:57.325632+02:00 alfa charon-systemd[6721]: sending DHCP REQUEST for %any to 192.168.200.200
2018-10-14T19:27:57.325731+02:00 alfa charon-systemd: 13[CFG] sending DHCP REQUEST for %any to 192.168.200.200
2018-10-14T19:27:57.325846+02:00 alfa charon-systemd[6721]: sending DHCP REQUEST for %any to 192.168.200.200
2018-10-14T19:27:57.326035+02:00 alfa charon-systemd: 13[CFG] sending DHCP REQUEST for %any to 192.168.200.200
2018-10-14T19:27:57.332313+02:00 alfa charon-systemd[6721]: received DHCP ACK for %any
2018-10-14T19:27:57.334059+02:00 alfa charon-systemd: 12[CFG] received DHCP ACK for %any
Where do you see a loop here? (The duplicate messages are due to your
logging settings, syslog plus journald.) But as said, the offer with
0.0.0.0 should probably just be ignored (I pushed a fix for that to the
dhcp-ignore-anyaddr branch [1], the client will just time out and
retransmit the DHCPDISCOVER).
Post by Kamil Jońca
Post by Tobias Brunner
Post by Kamil Jońca
and there are no proposals? Should it send any answer?
No, why should it send an offer if it has no addresses to offer?
I was afraid I had overlooked something when reading the DHCP spec. (And there is
a DHCP message that informs the relay that this server cannot serve the request.)
RFC 2131 does not explicitly say so in section 4.3.1, but my
understanding is that a server should not send a reply if it doesn't
assign an address to a client (also see section 4.2 where it explicitly
refers to not responding to DHCPDISCOVER, not just not allocating an
address). The table in section 4.3.1 also says 'yiaddr' is set to the
IP address that's offered to the client, which 0.0.0.0 is clearly not.
And the text after the table indicates that a DHCPOFFER should only be
constructed if an address has been determined. I also haven't found any
text that would change the behavior if a relay agent is involved.

But still, since there is no negative DHCPOFFER (unlike DHCPNAK as a
response to DHCPREQUEST) it's not clear if maybe a response with 0.0.0.0
could be considered a negative offer (or if it's just a bug on the
server's part and it really shouldn't reply at all).
Post by Kamil Jońca
So I can safely keep my freeradius config?
What doubts do you have?

Regards,
Tobias

[1]
https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/dhcp-ignore-anyaddr
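The check Tobias describes (treat a DHCPOFFER whose 'yiaddr' is 0.0.0.0 as no offer at all, so the client falls back to its DISCOVER timeout) can be illustrated with a small, stand-alone DHCP message builder and validator. The code below is an added example written for this thread; it is not strongSwan's dhcp plugin code nor FreeRADIUS code. It reconstructs the offer from the FreeRADIUS debug output above (xid 1809418123, chaddr 7a:a7:86:29:f1:72, server and relay 192.168.200.200, yiaddr 0.0.0.0) as a constructed packet, and adds a second constructed offer with an assumed lease address 192.168.200.50 that does not appear in the thread. The function names (`build_dhcp`, `parse_dhcp`, `evaluate_offer`) are the example's own.

```python
"""Validate a DHCPOFFER before requesting the offered address (added example)."""
import socket
import struct
from typing import Dict, List, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 options cookie
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_OFFER = 2


def build_dhcp(op: int, xid: int, ciaddr: str, yiaddr: str, siaddr: str,
               giaddr: str, chaddr: bytes, options: List[Tuple[int, bytes]]) -> bytes:
    """Serialise a minimal DHCP message: fixed header (RFC 2131 section 2) + options."""
    pkt = struct.pack("!BBBBIHH", op, 1, len(chaddr), 0, xid, 0, 0)  # op,htype,hlen,hops,xid,secs,flags
    pkt += b"".join(socket.inet_aton(a) for a in (ciaddr, yiaddr, siaddr, giaddr))
    pkt += chaddr.ljust(16, b"\x00")       # chaddr is a fixed 16-byte field
    pkt += b"\x00" * (64 + 128)            # sname and file, unused here
    pkt += DHCP_MAGIC
    for code, value in options:
        pkt += bytes([code, len(value)]) + value
    return pkt + bytes([OPT_END])


def parse_dhcp(pkt: bytes) -> Dict:
    """Parse the fixed header and the TLV option list into a dict."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    addrs = [socket.inet_ntoa(pkt[i:i + 4]) for i in range(12, 28, 4)]
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "ciaddr": addrs[0], "yiaddr": addrs[1],
            "siaddr": addrs[2], "giaddr": addrs[3],
            "chaddr": pkt[28:28 + hlen], "options": opts}


def evaluate_offer(pkt: bytes, xid: int, chaddr: bytes) -> Tuple[str, str]:
    """Decide whether a received packet is an offer worth a DHCPREQUEST.

    Returns ("accept", yiaddr) or ("ignore", reason). Ignoring means the client
    keeps waiting and retransmits its DHCPDISCOVER on timeout, instead of
    requesting a bogus address and looping on REQUEST/ACK as seen in the thread.
    """
    msg = parse_dhcp(pkt)
    if msg["op"] != BOOTREPLY:
        return "ignore", "not a server reply"
    if msg["xid"] != xid or msg["chaddr"] != chaddr:
        return "ignore", "xid/chaddr do not match our DISCOVER"
    if msg["options"].get(OPT_MSG_TYPE) != bytes([MSG_OFFER]):
        return "ignore", "not a DHCPOFFER"
    if OPT_SERVER_ID not in msg["options"]:
        return "ignore", "no server identifier option"
    if msg["yiaddr"] in ("0.0.0.0", "255.255.255.255"):
        return "ignore", "yiaddr %s is not an assignable address" % msg["yiaddr"]
    return "accept", msg["yiaddr"]


# Values taken from the FreeRADIUS debug output in the thread.
XID = 1809418123
CHADDR = bytes.fromhex("7aa78629f172")
SERVER = "192.168.200.200"                 # DHCP server and relay share this address
COMMON_OPTS = [(OPT_MSG_TYPE, bytes([MSG_OFFER])),
               (OPT_SERVER_ID, socket.inet_aton(SERVER)),
               (1, socket.inet_aton("255.255.255.0")),          # subnet mask
               (3, socket.inet_aton("192.168.200.218")),        # router
               (51, struct.pack("!I", 86400))]                  # lease time

# Constructed packet reproducing the problematic offer: yiaddr is 0.0.0.0.
EMPTY_OFFER = build_dhcp(BOOTREPLY, XID, "0.0.0.0", "0.0.0.0", SERVER, SERVER, CHADDR, COMMON_OPTS)
# Constructed "normal" offer; 192.168.200.50 is an assumed lease, not from the thread.
GOOD_OFFER = build_dhcp(BOOTREPLY, XID, "0.0.0.0", "192.168.200.50", SERVER, SERVER, CHADDR, COMMON_OPTS)

if __name__ == "__main__":
    for name, pkt in (("empty offer", EMPTY_OFFER), ("good offer", GOOD_OFFER)):
        print(name, "->", evaluate_offer(pkt, XID, CHADDR))
```

Run as a script it prints an "ignore" verdict for the 0.0.0.0 offer and "accept" with the lease address for the second one. The xid/chaddr comparison is the piece a relay-side client most wants: with server and relay on the same address and replies landing on port 67 (as noted later in the thread), a client may see its own or a neighbour's traffic, and matching on the transaction it actually started keeps stray packets from driving its state machine.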
Kamil Jońca
2018-10-16 10:41:00 UTC
Post by Tobias Brunner
Post by Kamil Jońca
2018-10-14T19:27:57.322435+02:00 alfa charon-systemd[6721]: sending DHCP DISCOVER to 192.168.200.200
2018-10-14T19:27:57.322643+02:00 alfa charon-systemd[6721]: received DHCP OFFER %any from 192.168.200.200
2018-10-14T19:27:57.324271+02:00 alfa charon-systemd: 13[IKE] peer requested virtual IP %any
2018-10-14T19:27:57.324465+02:00 alfa charon-systemd: 13[CFG] sending DHCP DISCOVER to 192.168.200.200
2018-10-14T19:27:57.324653+02:00 alfa charon-systemd: 06[CFG] received DHCP OFFER %any from 192.168.200.200
2018-10-14T19:27:57.325632+02:00 alfa charon-systemd[6721]: sending DHCP REQUEST for %any to 192.168.200.200
2018-10-14T19:27:57.325731+02:00 alfa charon-systemd: 13[CFG] sending DHCP REQUEST for %any to 192.168.200.200
2018-10-14T19:27:57.325846+02:00 alfa charon-systemd[6721]: sending DHCP REQUEST for %any to 192.168.200.200
2018-10-14T19:27:57.326035+02:00 alfa charon-systemd: 13[CFG] sending DHCP REQUEST for %any to 192.168.200.200
2018-10-14T19:27:57.332313+02:00 alfa charon-systemd[6721]: received DHCP ACK for %any
2018-10-14T19:27:57.334059+02:00 alfa charon-systemd: 12[CFG] received DHCP ACK for %any
Where do you see a loop here? (The duplicate messages are due to your
In the freeradius logs :), there are repeating dhcp-request/dhcp-ack pairs.

This is the situation where the relay agent and the dhcp server use the same
address and the reply from the dhcp server (freeradius) is sent to port 67
instead of 68. So I am not sure whether strongswan repeatedly asks for an
address (but does not log this) or not. It is possible that something makes an
"echo" of the original strongswan request infinitely. As I said: I do not
know where the problem is.

[...]
Post by Tobias Brunner
Post by Kamil Jońca
So I can safely keep my freeradius config?
What doubts do you have?
If it is 'good practice'™ :)

KJ
--
http://wolnelektury.pl/wesprzyj/teraz/
Hmmm ... an arrogant bouquet with a subtle suggestion of POLYVINYL
CHLORIDE ...