Basic Concepts of DHCP Snooping

After DHCP snooping is configured on a device, its interfaces are classified as trusted or untrusted. DHCP snooping allows only the DHCP request and response packets on trusted interfaces to be sent to the CPU, and uses the packet information learned on trusted interfaces to build and maintain a DHCP snooping binding table. The binding table is then used to check DHCP packets. Option 82, a field in a DHCP packet, specifies the forwarding path of the packet and helps create binding entries with accurate interface information. In addition, you can configure the whitelist function for DHCP snooping to filter, based on a whitelist, the packets that are sent to the CPU from the trusted client or server.

DHCP Snooping Trusted/Untrusted Interface

After DHCP snooping is enabled on a device, a device interface can be configured as trusted or untrusted. Generally, the interfaces connected to legitimate DHCP servers are configured as trusted, and all other interfaces are configured as untrusted. By default, all interfaces are untrusted.

DHCP Snooping Binding Table

A DHCP snooping binding table records hosts' media access control (MAC) addresses, IP addresses, IP address lease time, virtual local area network (VLAN) IDs, and interface information. Binding entries can be dynamic or static. Dynamic entries are generated automatically after DHCP snooping is enabled; static entries are configured manually.

  • Dynamic DHCP snooping binding table

    If hosts obtain IP addresses from a DHCP server, the device dynamically learns the host information by parsing the DHCP reply packets received from trusted interfaces and uses the information to generate a dynamic DHCP snooping binding table.

  • Static DHCP snooping binding table

    If hosts use statically configured IP addresses, you must manually configure the binding entries using the hosts' MAC addresses, IP addresses, VLAN IDs, and interface information.

Dynamic and static DHCP snooping binding entries are deleted in different ways:
  • Dynamic binding entries are deleted after the corresponding IP address lease expires.
  • Static binding entries can only be deleted manually.
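As an added illustration that is not from the NetEngine documentation, the following Python sketch models the binding table behaviour described above: entries carry the listed fields, dynamic entries are learned only from server replies received on trusted interfaces and expire with the lease, and static entries leave the table only by manual deletion. The (MAC, VLAN) key and the interface names used are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    expires_at: float | None   # None marks a static entry (no lease)


class SnoopingBindingTable:
    def __init__(self) -> None:
        # Keyed by (MAC, VLAN); the key choice is an assumption of this example.
        self._entries: dict[tuple[str, int], Binding] = {}

    def learn_from_reply(self, ingress_trusted: bool, mac: str, ip: str,
                         vlan: int, client_if: str, lease: int, now: float) -> bool:
        """Learn a dynamic entry from a DHCP reply seen on a trusted interface."""
        if not ingress_trusted:
            return False            # replies on untrusted interfaces are not used
        current = self._entries.get((mac, vlan))
        if current is not None and current.expires_at is None:
            return False            # a static entry is never overwritten dynamically
        self._entries[(mac, vlan)] = Binding(mac, ip, vlan, client_if, now + lease)
        return True

    def add_static(self, mac: str, ip: str, vlan: int, interface: str) -> None:
        self._entries[(mac, vlan)] = Binding(mac, ip, vlan, interface, None)

    def delete_static(self, mac: str, vlan: int) -> bool:
        # The only way a static entry is removed.
        b = self._entries.get((mac, vlan))
        if b is None or b.expires_at is not None:
            return False
        del self._entries[(mac, vlan)]
        return True

    def expire(self, now: float) -> int:
        """Remove dynamic entries whose lease has run out; static entries stay."""
        dead = [k for k, b in self._entries.items()
                if b.expires_at is not None and b.expires_at <= now]
        for k in dead:
            del self._entries[k]
        return len(dead)

    def check(self, mac: str, ip: str, vlan: int, interface: str, now: float) -> bool:
        """True if the packet's MAC/IP/VLAN/interface match a live binding."""
        self.expire(now)
        b = self._entries.get((mac, vlan))
        return b is not None and b.ip == ip and b.interface == interface
```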

Option 82

Option 82 is a field in a DHCP packet. This field carries specific interface information and therefore specifies the forwarding paths of DHCP packets. A host (DHCP client) generates a DHCP request packet and broadcasts it on the network. If a device receives the DHCP request packet and the device has the option 82 insertion function enabled, the device inserts an option 82 field into the DHCP request packet and sends the packet to a DHCP server. After receiving the packet, the DHCP server echoes the option 82 field in the DHCP reply packet and sends it to the device. The device removes the option 82 field and forwards the packet to the DHCP client interface that sent the DHCP request packet.

  • Option 82 field format

    Option fields in a DHCP packet carry control information and parameters that are not defined in the fixed fields of the DHCP packet. Figure 1 shows the format of a DHCP packet, and Figure 2 shows the format of an option field. The option 82 field has code 82. Devices use the option 82 field to determine the path along which DHCP packets are transmitted.

    Figure 1 DHCP packet format
    Figure 2 Option field format

    An option field consists of type, length, and value. The following table lists their meanings.

    Field    Length                          Description
    Code     1 byte                          Attribute of the message content
    Length   1 byte                          Length of the message content
    Value    Determined by the Length field  Message content

    Figure 3 shows the option 82 field format. The option 82 field consists of one or more suboptions. Figure 4 shows the format of a suboption. At least one suboption must be defined in the option 82 field, and the suboption value can be null. Therefore, the minimum length of the option 82 field is 2.

    The initially assigned suboptions are as follows:
    • 1: agent circuit ID suboption
    • 2: agent remote ID suboption

    A DHCP server uses the agent circuit ID suboption for allocating IP addresses and other parameters.

    In addition to suboption 1, the NetEngine 8000 F supports suboption 9, which carries vendor-specific customization information.

    Suboption 9 has the following functions:
    • If the option 82 field in a DHCP reply packet forwarded by an interface contains suboption 9 with the Huawei Device Identifier field, the device can parse the option 82 field and obtain interface information. The device then removes the Huawei Device Identifier field from suboption 9 and forwards the DHCP reply packet.
    • After receiving a DHCP reply packet with the option 82 field, the device determines whether suboption 9 exists. If suboption 9 exists, the device generates a binding entry based on suboption 9. If suboption 9 does not exist, the device generates a binding entry based on suboption 1.
    Figure 3 Option 82 field format
    The option 82 field consists of a code, a length, and an agent information field. The following table lists their meanings.

    Field                    Description
    Code                     Attribute of the message content
    Length                   Length of the message content
    Agent Information Field  Message content

    Figure 4 Option 82 suboption format
    A suboption consists of subOpt, length, and sub-option value. The following table lists their meanings.

    Field             Description
    SubOpt            Attribute of the message content
    Length            Length of the message content
    Sub-Option Value  Message content

    The option 82 field can be used by Layer 2 devices or Layer 3 devices. On a Layer 2 device, the device determines the interface to which a DHCP packet is sent by parsing the option 82 field, and creates a corresponding entry in the DHCP snooping binding table. On a DHCP server at Layer 3, the server applies its IP address allocation policy based on the option 82 field.

  • Inserting the Option 82 field to packets at Layer 2

    As shown in Figure 5, the DHCP client connects to DeviceA, and DeviceA connects to the DHCP relay agent or the DHCP server through a Layer 2 network.

    DeviceA has DHCP snooping enabled globally. After receiving a DHCP discover or request packet, DeviceA records the option 82 field carried in the packet and reconstructs the option 82 field according to the insertion policy. DeviceA then sends the packet with the modified option 82 field to the DHCP server. After receiving the packet, the DHCP server echoes the option 82 field in the DHCP reply packet and sends it to DeviceA. DeviceA replaces the option 82 field in the DHCP reply packet with the recorded option 82 field (the one carried in the DHCP discover or request packet), determines the interface to which the DHCP reply packet is to be sent, creates a corresponding entry in the DHCP snooping binding table, and then sends the packet to the DHCP client.

    Figure 5 Inserting the option 82 field to packets at Layer 2
  • Inserting the option 82 field to packets at Layer 3

    On a Layer 3 network shown in Figure 6, the device functions as a DHCP relay agent.

    With the option 82 function enabled, the device inserts the option 82 field into the DHCP discover and request packets. The DHCP server then applies IP address assignment policies and other policies based on the option 82 field.

    After receiving the DHCP reply packet from the DHCP server, the device replaces the option 82 field in the DHCP reply packet with the recorded option 82 field (which is carried in the DHCP discover or request packet) and sends the packet to the DHCP client.

    Figure 6 Inserting the option 82 field to packets at Layer 3
  • Option 82 implementation

    With the option 82 function enabled, the device checks whether the DHCP request packet sent by a DHCP client carries the option 82 field.
    • If the option 82 field exists, the device checks the configured option 82 insertion mode, which is either insert or rebuild.

      • In rebuild mode, the device inserts its own option 82 field, replacing the option 82 field carried in the received packet.
      • In insert mode, the device treats the option 82 field carried in the received packet as trusted. If a DHCP packet has no option 82 field, the device inserts one. If the packet has an option 82 field, the device checks whether it contains suboptions: if it does, the suboptions are left unchanged; if it does not and a suboption format is configured, the device inserts suboptions into the option 82 field.
    • If the option 82 field does not exist:

      The device inserts an option 82 field containing suboption 1 into the packet, regardless of the configured insertion mode.
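The following Python snippet is an added example, not code from the NetEngine documentation. It models the option 82 format described under "Option 82 field format" together with the insert/rebuild handling described above: suboption parsing with the one-byte code and one-byte length header (a zero-length value is allowed), the insertion rule for each mode, and the rule that a reply's binding entry is derived from suboption 9 when present and from suboption 1 otherwise. The suboption contents and the `configured` parameter (the suboptions produced by the configured suboption format) are assumptions of this example.

```python
from __future__ import annotations

CIRCUIT_ID, REMOTE_ID, VENDOR = 1, 2, 9   # suboption codes named on the page

def parse_suboptions(value: bytes) -> dict[int, bytes]:
    """Split an option 82 value into {suboption code: suboption value}."""
    subs, i = {}, 0
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated suboption header")
        code, length = value[i], value[i + 1]
        i += 2
        if i + length > len(value):
            raise ValueError("suboption length exceeds the option 82 field")
        subs[code] = value[i:i + length]   # a zero-length value is allowed
        i += length
    return subs

def encode_suboptions(subs: dict[int, bytes]) -> bytes:
    """Serialize suboptions as code (1 byte), length (1 byte), value."""
    return b"".join(bytes([code, len(val)]) + val for code, val in subs.items())

def build_option82(received: bytes | None, mode: str, circuit_id: bytes,
                   configured: dict[int, bytes] | None) -> bytes:
    """Option 82 value the device sends toward the server.

    received   -- option 82 value in the client's packet, None if absent
    circuit_id -- suboption 1 content for the ingress interface (assumed)
    configured -- suboptions the configured format produces, None if none
    """
    if received is None:
        # No option 82 in the packet: insert suboption 1 whatever the mode.
        return encode_suboptions({CIRCUIT_ID: circuit_id})
    if mode == "rebuild":
        # Replace whatever the client sent with the device's own field.
        return encode_suboptions(configured or {CIRCUIT_ID: circuit_id})
    if mode == "insert":
        # The received field is trusted: keep its suboptions unchanged;
        # fill it only when it is empty and a suboption format is configured.
        if parse_suboptions(received) or configured is None:
            return received
        return encode_suboptions(configured)
    raise ValueError(f"unknown option 82 mode: {mode!r}")

def binding_source(option82: bytes) -> tuple[int, bytes]:
    """Suboption a reply's binding entry is derived from: 9 if present, else 1."""
    subs = parse_suboptions(option82)
    code = VENDOR if VENDOR in subs else CIRCUIT_ID
    return code, subs[code]
```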

Whitelist for DHCP Snooping

After a whitelist is configured for DHCP snooping, only DHCP packets listed in the whitelist are sent to the CPU, and the DHCP packets not listed in the whitelist are simply forwarded, without being sent to the CPU. This protects the device against attacks.

Copyright © Huawei Technologies Co., Ltd.