DHCP Short Cycle Protection
DHCP Short Cycle Protection Against Frequent Brief or Failed Client Sessions
In highly scaled networks, a significant number of DHCP client negotiations fail before the session is established, resulting in high loading on the router and external authentication servers. Some CPE devices automatically retry negotiation on failure, some with very short retry intervals. A malicious client might mount an authentication attack by sending repeated, frequent login requests. These events can result in a significant load on the router and the external authentication server.
Starting in Junos OS Release 18.2R1, DHCP short cycle protection, also called DHCP client lockout, enables the router to reduce these loads by identifying and temporarily locking out clients that continually fail negotiation and have short negotiation cycles as well as clients that frequently complete connections but log out soon after logging in.
Identified clients are prevented from access by temporarily locking them out for an exponentially increasing lockout period. The router drops DHCP discover or solicit messages from these clients while they are locked-out. The router tracks clients by the client identifier for DHCPv4 clients or DHCP unique identifier (DUID) for DHCPv6 clients. Both types of client identifiers can be referred to as client keys. The client key enables the DHCP server to associate a client with its lease and configuration parameters. Using the client key for DHCP short-cycle protection tracking enables the router to prevent one client from negotiating a session while allowing other clients using the same logical interface to successfully negotiate sessions.
The initial lockout period for a client has a short duration. The goal here is to not negatively affect legitimate clients, for example, those that fail just once or that log in periodically to check their email and then log out again. By targeting clients that continually fail negotiation or log in and out frequently at short intervals, short-cycle protection reduces both the connection processing load on the router and the authentication load on external authentication servers. It has the effect of improving throughput by deferring client sessions that do not make progress in favor of sessions that complete.
- Conditions That Can Cause Failed or Short-Lived DHCP Client Sessions
- How DHCP Short-Cycle Protection Works
- Termination of the Lockout Condition
- Benefits of Using DHCP Short Cycle Protection
Conditions That Can Cause Failed or Short-Lived DHCP Client Sessions
Conditions that can cause a failed or short-lived client session include:
Authentication denials from external AAA servers, such as RADIUS or Diameter, due to the absence of a corresponding entry in the RADIUS database or due to improper login attempts.
Router or external authentication server unreachability due to network failure or misconfiguration.
Insufficient memory resources to create a dynamic subscriber interface.
Protocol negotiation failures with the CPE.
Client logout shortly after a successful login; this action creates a fully negotiated and configured client session before the session is torn down.
How DHCP Short-Cycle Protection Works
DHCP short-cycle protection is disabled on the router by default.
When you enable it by including the short-cycle-protection statement at a global, group, or interface level, the router does
the following for DHCP sessions on static and dynamic logical interfaces:
Detects short-lived client sessions, also referred to as short-cycle events, and locks out the client based on the following events:
E0: Time when jdhcpd declares the client session to be active.
E1: Time when jdhcpd declares the client session should be torn down.
E2: Time when jdhcpd deletes the client session entry from the database.
A short-cycle event occurs when the interval between E0 and E1 is less than or equal to 60 seconds. When the interval is greater than 60 seconds, the logout is considered normal. If the router declares the session to be short-lived, it adds the client to the lockout database at time E2.
Temporarily locks out the specified DHCP client by preventing connection to the router.
During lockout, the router drops negotiation packets (DHCP discover and solicit messages) from the client until the lockout period expires. When the lockout period expires, the client can resume normal negotiation of the connection.
You can set a range for the lockout period by specifying a minimum and maximum length with the
short-cycle-protectionstatement. You must specify both a minimum and a maximum value.Tracks the time between a client’s repeated short-cycle events to determine whether to increase the lockout time for a subsequent short-cycle event. The interval between events is compared to the grace time threshold. By default, the grace time threshold is 900 seconds, but it is automatically set to the maximum lockout time if that value is greater than 900 seconds.
If no subsequent negotiation is attempted within the grace time, the client entry is removed from the lockout database.
If a subsequent negotiation is attempted before the grace threshold is reached, it is treated as another short-cycle event and the lockout penalty is increased. The penalty is increased exponentially each time the negotiation is attempted within the grace time.
The initial lockout period is based on the configured minimum value. Additional penalties are calculated as follows, where n is the number of consecutive short-cycle events that occur within the grace time:
Lockout time = (Lockout minimum time) x [2(n-1)]
For example, with a minimum duration of 1 second and a maximum duration of 300 seconds, the initial lockout period is 1 second; subsequent penalties increase to 2 seconds, then 4 seconds, 8 seconds, 16 seconds, 32 seconds, 64 seconds, 128 seconds, 256 seconds and finally 300 seconds. The final lockout period is 300 seconds instead of 512 seconds because no penalty can exceed the maximum value of the lockout range.
If the lockout time reaches the maximum, then it stays at that value for each subsequent lockout period until the time between short-cycle events is greater than the grace threshold.
Termination of the Lockout Condition
When a DHCP client is locked out, the lockout condition persists until all lockout timers have expired, except when any of the following occurs:
You administratively clear the lockout condition by issuing one of the following operational commands:
clear dhcp relay lockout-entriesclear dhcp server lockout-entriesclear dhcpv6 relay lockout-entriesclear dhcpv6 server lockout-entries
You reset the FPC on which the client session undergoing lockout is configured.
You reset the Routing Engine.
When any of these events occurs, jdhcpd terminates lockout and clears the lockout history for all affected client sessions. The released clients are allowed to negotiate again. Because there is no retained history, the lockout period starts with the minimum value if a subsequent short-cycle event occurs for one of these clients.
When a dynamic VLAN or demux VLAN logical interface is removed
from an underlying physical interface that is configured with remove-when-no-subscribers, the lockout of affected clients
persists until all the timers have expired. If the logical interface
is recreated before all timers expire, then the lockout state is applied
to the re-created logical interfaces.
Benefits of Using DHCP Short Cycle Protection
Reduces excessive control plane loading on the router and authentication, authorization, and provisioning loading on the external authority server.
Reduces the resources required to process DHCP control packets and to negotiate and terminate short-lived connections.
Temporarily defers subsequent attempts for clients with failed or short-lived client sessions in favor of sessions can complete successfully and last for more than a short duration.
Reduces the resources required to authenticate and terminate these connections on external authentication servers, such as RADIUS and Diameter.
Enables lockout of a single failed or short-lived DHCP session without disrupting other DHCP sessions on the same interface.
Because DHCP short-cycle protection identifies each client session by its unique client ID, the router can lock out only the offending DHCP client while enabling other DHCP clients on the same interface to successfully negotiate the connection.
Configuring DHCP Short-Cycle Protection
In highly scaled networks, a significant number of DHCP client negotiations fail before the session is established, resulting in high loading on the router and external authentication servers. You can enable DHCP short cycle protection on the router to identify DHCP clients that either login frequently and briefly or continually fail to connect, then lock the clients out from access and drop subsequent requests from these clients until a lockout timer expires. For clients that repeatedly log in frequently and briefly, the initial lockout time is short enough to have no noticeable impact. As these brief logins continue, the lockout period is exponentially increased. By targeting clients that continually fail negotiation or log in and out frequently at short intervals, short-cycle protection reduces the connection processing load on the router and the authentication, authorization, and provisioning load on external authentication servers.
You can configure the range for the lockout period for DHCPv4 relay, DHCPv6 relay, DHCPv4 local server, and DHCPv6 local server. You can configure the period globally for all relay agent or local server interfaces, for a group of interfaces, or for specific interfaces within a group. For DHCPv4 relay and local server, you can also configure the lockout for a dual-stack group.
When you enable short-cycle protection, you must specify both the minimum and the maximum duration of the lockout period.
To configure the lockout range for DHCPv4 relay agent:
Specify the minimum and maximum lockout times.
For all DHCPv4 relay agents:
[edit forwarding-options dhcp-relay] user@host# set short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
For a specific group of DHCPv4 relay interfaces:
[edit forwarding-options dhcp-relay] user@host# set group group-name short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
For a specific interface within a specified group of DHCPv4 relay interfaces:
[edit forwarding-options dhcp-relay] user@host# set group group-name interface interface-name short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
For a DHCPv4 relay dual-stack group:
[edit forwarding-options dhcp-relay] user@host# set dual-stack-group dual-stack-group-name short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds
To configure the lockout range for DHCPv6 relay agent:
Specify the minimum and maximum lockout times.
For all DHCPv6 relay agents:
[edit forwarding-options dhcp-relay dhcpv6] user@host# set short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
For a specific group of DHCPv6 relay interfaces:
[edit forwarding-options dhcp-relay dhcpv6] user@host# set group group-name short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
For a specific interface within a specified group of DHCPv6 relay interfaces:
[edit forwarding-options dhcp-relay dhcpv6] user@host# set group group-name interface interface-name short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
To configure the lockout range for DHCPv4 local server:
Specify the minimum and maximum lockout times.
For all DHCPv4 local servers:
[edit system services dhcp-local-server] user@host# set short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
For a specific group of DHCPv4 local server interfaces:
[edit system services dhcp-local-server] user@host# set group group-name short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
For a specific interface within a specified group of DHCPv4 local server interfaces:
[edit system services dhcp-local-server] user@host# set group group-name interface interface-name short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
For a DHCPv4 local server dual-stack group:
[edit system services dhcp-local-server] user@host# set dual-stack-group dual-stack-group-name short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
To configure the lockout range for DHCPv6 local server:
Specify the minimum and maximum lockout times.
For all DHCPv6 local servers:
[edit system services dhcp-local-server dhcpv6] user@host# set short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
For a specific group of DHCPv6 local server interfaces:
[edit system services dhcp-local-server dhcpv6] user@host# set group group-name short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
For a specific interface within a specified group of DHCPv6 local server interfaces:
[edit system services dhcp-local-server dhcpv6] user@host# set group group-name interface interface-name short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
Verifying and Managing DHCP Short-Cycle Protection
Purpose
View or clear information about DHCP short-cycle protection operations.
Use the supported show and clear commands to manage and display information about the short-cycle protection operations for the DHCP relay agent and the DHCP local server. You can display information about all locked-out entries or about only individual entries identified by their database index number.
Action
To display short-cycle protection information for DHCPv4 or DHCPv6 relay agent:
user@host> show dhcp relay lockout-entries (all | index index) user@host> show dhcpv6 relay lockout-entries (all | index index)
To clear short-cycle protection information for DHCPv4 or DHCPv6 relay agent:
user@host> clear dhcp relay lockout-entries (all | index index) user@host> clear dhcpv6 relay lockout-entries (all | index index)
To display short-cycle protection information for DHCPv4 or DHCPv6 local server:
user@host> show dhcp server lockout-entries (all | index index) user@host> show dhcpv6 server lockout-entries (all | index index)
To clear short-cycle protection information for DHCPv4 or DHCPv6 local server:
user@host> clear dhcp server lockout-entries (all | index index) user@host> clear dhcpv6 server lockout-entries (all | index index)
Meaning
When you include the all option with these show commands, information is provided for each client entry in the lockout database, such as the index number that corresponds to the entry in the database, the client identification key, the state of the lockout, how many seconds until the current state is over, how long the current state has been in effect, and how many consecutive times the client has been locked out.
When you want to remove information from the lockout database for a particular client, you must first issue the corresponding show command with the all option to determine the index for the client entry. Then you can specify that index with the clear command.
In the following example, you display all locked-out client entries for DHCPv4 relay agent to find the index number for a particular client, then you clear only that entry and verify that it is deleted:
user@host> show dhcp relay lockout-entries all Index Key State Expires(s) Elapsed(s) Count 1 00:00:5E:00:53:00 LT 30 5200 2 2 00:00:5E:00:53:11 GT 120 780 2 3 00:00:5E:00:53:22 LT 180 2300 1 user@host> clear dhcp relay lockout-entries index 2 user@host> show dhcp relay lockout-entries all Index Key State Expires(s) Elapsed(s) Count 1 00:00:5E:00:53:00 LT 30 5200 2 3 00:00:5E:00:53:22 LT 180 2300 1
In the following example, you display all locked-out client entries for DHCPv6 local server, then you clear all entries and verify that they are deleted:
user@host> show dhcp relay lockout-entries all Index Key State Expires(s) Elapsed(s) Count 1 00:00:5E:00:53:00 LT 30 5200 2 2 00:00:5E:00:53:11 GT 120 780 2 3 00:00:5E:00:53:22 LT 180 2300 1 user@host> clear dhcp relay lockout-entries all user@host> show dhcp relay lockout-entries all