Understanding DHCP Option 82
You can use DHCP option 82, also known as the DHCP relay agent information option, to help protect supported Juniper devices against attacks including spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation.
In a common scenario, various hosts are connected to the network via untrusted access interfaces on the switch, and these hosts request and are assigned IP addresses from the DHCP server. However, bad actors can spoof DHCP requests using forged network addresses to gain an improper connection to the network.
To protect against this vulnerability, RFC 3046, DHCP Relay Agent Information Option, http://tools.ietf.org/html/rfc3046 describes a standard known as option 82, which defines how the DHCP server can use the location of a DHCP client when assigning IP addresses or other parameters to the client.
DHCP Option 82 Overview
If DHCP option 82 is enabled on a VLAN or bridge domain, then when a network device—a DHCP client—that is connected to the VLAN or bridge domain on an untrusted interface sends a DHCP request, the switching device inserts information about the client's network location into the packet header of that request. The switching device then sends the request to the DHCP server. The DHCP server reads the option 82 information in the packet header and uses it to assign an IP address or other parameters to the client. See Suboption Components of Option 82 for more information about option 82.
On EX4300 switches, DHCP option 82 information is added to DHCP packets received on trusted interfaces as well as untrusted interfaces.
If option 82 is enabled on a VLAN or bridge domain, the following sequence of events occurs when a DHCP client sends a DHCP request:
- The switching device receives the request and inserts the option 82 information in the packet header.
- The switching device forwards (or relays) the request to the DHCP server.
- The server uses the DHCP option 82 information to formulate its reply and sends a response to the switching device. It does not alter the option 82 information.
- The switching device strips the option 82 information from the response packet.
- The switching device forwards the response packet to the client.
To use the DHCP option 82 feature, you must ensure that the DHCP server is configured to accept option 82. If the DHCP server is not configured to accept option 82, then when it receives requests containing option 82 information, it does not use the information for setting parameters and it does not echo the information in its response message.
If your switching device is an EX Series switch and uses Junos OS with Enhanced Layer 2 Software (ELS) configuration style, you can enable DHCP option 82 only for a specific VLAN. See Setting Up DHCP Option 82 on the Switch with No Relay (ELS).
If your switching device is an EX Series switch and does not use Junos OS with Enhanced Layer 2 Software (ELS) configuration style, you can enable DHCP option 82 either for a specific VLAN or for all VLANs. See Setting Up DHCP Option 82 on the Switch with No Relay (non-ELS).
Suboption Components of Option 82
Option 82 as implemented on a switching device comprises the suboptions circuit ID, remote ID, and vendor ID. These suboptions are fields in the packet header:
circuit ID—Identifies the circuit (interface or VLAN) on the switching device on which the request was received. The circuit ID contains the interface name and VLAN name, with the two elements separated by a colon—for example, ge-0/0/10:vlan1, where ge-0/0/10 is the interface name and vlan1 is the VLAN name. If the request packet is received on a Layer 3 interface, the circuit ID is just the interface name—for example, ge-0/0/10.
Use the prefix option to add an optional prefix to the circuit ID. If you enable the prefix option, the hostname for the switching device is used as the prefix; for example, device1:ge-0/0/10:vlan1, where device1 is the hostname.
You can also specify that the interface description be used rather than the interface name or that the VLAN ID be used rather than the VLAN name.
remote ID—Identifies the remote host. See remote-id for details.
vendor ID—Identifies the vendor of the host. If you specify the vendor-id option but do not enter a value, the default value Juniper is used. To specify a value, you type a character string.
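The following Python is an added example, not Juniper code, showing the pieces described above: the circuit ID string in the switch's format (interface:vlan, interface alone for a Layer 3 interface, hostname prefix when enabled), the RFC 3046 TLV encoding of option 82 with the circuit ID and remote ID suboptions (codes 1 and 2), the server-side parse in step 3, and the strip in step 4 before the reply is forwarded to the client. The vendor ID suboption is omitted because its suboption code is not given on this page; all packet bytes are constructed.

```python
from typing import Dict, List, Optional, Tuple

OPT_RELAY_AGENT_INFO = 82  # DHCP relay agent information option (RFC 3046)
SUB_CIRCUIT_ID = 1         # Agent Circuit ID suboption (RFC 3046)
SUB_REMOTE_ID = 2          # Agent Remote ID suboption (RFC 3046)
OPT_PAD, OPT_END = 0, 255  # single-byte DHCP options with no length field

def circuit_id(interface: str, vlan: Optional[str] = None, prefix: Optional[str] = None) -> str:
    """Circuit ID in the switch's format: interface:vlan on a Layer 2 interface,
    the interface name alone on a Layer 3 interface, hostname prefix if enabled."""
    parts = [interface] if vlan is None else [interface, vlan]
    return ":".join(([prefix] if prefix else []) + parts)

def _tlv(code: int, value: bytes) -> bytes:
    """One code/length/value element; DHCP lengths are a single byte."""
    if len(value) > 255:
        raise ValueError("value does not fit a one-byte length field")
    return bytes([code, len(value)]) + value

def encode_option82(circuit: str, remote: str) -> bytes:
    """Option 82 as the switching device inserts it (step 1 of the sequence)."""
    body = _tlv(SUB_CIRCUIT_ID, circuit.encode()) + _tlv(SUB_REMOTE_ID, remote.encode())
    return _tlv(OPT_RELAY_AGENT_INFO, body)

def _walk(data: bytes, top_level: bool) -> List[Tuple[int, bytes]]:
    """TLV walk; pad (0) and end (255) only have meaning in the top-level options area."""
    out, i = [], 0
    while i < len(data):
        code = data[i]
        if top_level and code == OPT_PAD:
            i += 1
            continue
        if top_level and code == OPT_END:
            break
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option at offset %d" % i)  # never trust the length byte
        out.append((code, data[i + 2:i + 2 + data[i + 1]]))
        i += 2 + data[i + 1]
    return out

def parse_option82(options: bytes) -> Dict[int, bytes]:
    """Server side (step 3): suboptions keyed by code, or {} when option 82 is absent."""
    for code, value in _walk(options, True):
        if code == OPT_RELAY_AGENT_INFO:
            return dict(_walk(value, False))
    return {}

def strip_option82(options: bytes) -> bytes:
    """Step 4: the switching device removes option 82 from the reply before forwarding it."""
    kept = b"".join(_tlv(c, v) for c, v in _walk(options, True) if c != OPT_RELAY_AGENT_INFO)
    return kept + bytes([OPT_END])
```

A server that is not configured for option 82 simply ignores the parsed suboptions, which is the behaviour the text describes; the parser still rejects a length byte that runs past the end of the options area.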
Switching Device Configurations That Support Option 82
Switching device configurations that support option 82 are:
Switching Device, DHCP Clients, and the DHCP Server Are on the Same VLAN or Bridge Domain
If the switching device, the DHCP clients, and the DHCP server are all on the same VLAN or bridge domain, the switching device forwards the requests from the clients on untrusted access interfaces to the server on a trusted interface. See Figure 1.
Switching Device Acts as a Relay Agent
The switching device functions as a relay agent (extended relay server) when the DHCP clients or the DHCP server is connected to the switching device through a Layer 3 interface. On the switching device, these interfaces are configured as routed VLAN interfaces (RVIs). Figure 2 illustrates a scenario for the switching device acting as an extended relay server; in this instance, the switching device relays requests to the server. This figure shows the relay agent and server on the same network, but they can also be on different networks; that is, the relay agent can be external.
DHCPv6 provides several options that can be used to insert information into the DHCPv6 request packets that are relayed to a server from a client. These options are equivalent to the suboptions of DHCP option 82.
Option 37—Identifies the remote host. Option 37 is equivalent to the remote-id suboption of DHCP option 82.
Option 18—Identifies the interface on which the DHCP request packet was received from the client. Option 18 is equivalent to the circuit-id suboption of DHCP option 82.
Option 16—Identifies the vendor of the hardware on which the client is hosted. Option 16 is equivalent to the vendor-id suboption of DHCP option 82.
DHCPv6 options are not enabled automatically when DHCPv6 snooping is enabled on a VLAN. They must be configured using the dhcpv6-options statement.