
I'm observing the following in a packet capture.

Client -> Broadcast : DHCP Request
Relay  -> Client    : DHCP Ack (Option 54 == Server)

... After T1 expires ...

Client -> Server Identifier : DHCP Request
Relay  -> Client            : DHCP Ack
Client -> Relay             : ICMP Port unreachable

Is it legal for a Relay to respond instead of the server to unicast RENEWAL requests to the server?

RFC 2131 'DHCPREQUEST generated during RENEWING state' says

but should return a DHCPACK message regardless

but does not specify if this message can come through a relay.

Seems like the client rejects the DHCP Ack because it's expecting it from the server and not the relay.

user80551
  • Originally asked on NE https://networkengineering.stackexchange.com/questions/79634/is-it-legal-for-a-dhcp-relay-agent-to-relay-renewal-requests-that-were-directly – user80551 Aug 11 '22 at 18:12

1 Answer

I see the rejection with RedHat 8 family clients; they have an established UDP connection with the DHCP server (DHCPREQUEST sent every 60 seconds):

DHCP Server: 172.16.1.14
DHCP Client IP (to be renewed): 172.16.255.39/24

# ss -tun
Netid    State     Recv-Q    Send-Q    Local Address:Port          Peer Address:Port
udp      ESTAB     0         0         172.16.255.39%ens224:68     172.16.1.14:67

With other OSes, like Ubuntu, the DHCPACK from the relay address is accepted.

# ss -ltun
Netid    State     Recv-Q    Send-Q    Local Address:Port          Peer Address:Port
udp      UNCONN    0         0         172.16.255.35%ens192:68     0.0.0.0:*

Do you know which kind of relay agent you are using?

According to RFC 2131 [page 31], the unicast DHCPREQUEST packet should not be modified by the relay agent. I guess the DHCPACK should also be sent directly back to the client:

   o DHCPREQUEST generated during RENEWING state:

      'server identifier' MUST NOT be filled in, 'requested IP address'
      option MUST NOT be filled in, 'ciaddr' MUST be filled in with
      client's IP address. In this situation, the client is completely
      configured, and is trying to extend its lease. This message will
      be unicast, so no relay agents will be involved in its
      transmission.  Because 'giaddr' is therefore not filled in, the
      DHCP server will trust the value in 'ciaddr', and use it when
      replying to the client.
caes73
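An added example, not part of either post: the kernel behaviour behind the ESTAB and UNCONN rows in the ss output above, reproduced on loopback. Ephemeral ports on 127.0.0.1 stand in for ports 67/68 and for the distinct server and relay addresses (assumptions); a connected UDP socket filters on the peer's address and port alike, so a datagram from any other source never reaches it.

```python
import socket

LOOPBACK = "127.0.0.1"  # assumption: stand-in for the client, server and relay hosts


def _udp():
    """UDP socket on an ephemeral loopback port (instead of 67/68, so no root needed)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((LOOPBACK, 0))
    s.settimeout(0.5)
    return s


def received_from(client, sender, payload):
    """Send payload from sender to client; True if the client's socket receives it."""
    sender.sendto(payload, client.getsockname())
    try:
        data, _ = client.recvfrom(2048)
        return data == payload
    except (socket.timeout, ConnectionError):
        return False  # nothing delivered: the kernel did not match it to this socket


def renew_ack_delivery(connect_to_server):
    """Model a renewing client; returns (ack_from_server_ok, ack_from_relay_ok)."""
    client, server, relay = _udp(), _udp(), _udp()
    try:
        if connect_to_server:
            # Same effect as the ESTAB row: only the server's address:port matches.
            client.connect(server.getsockname())
        return (received_from(client, server, b"ACK via server"),
                received_from(client, relay, b"ACK via relay"))
    finally:
        for s in (client, server, relay):
            s.close()


if __name__ == "__main__":
    print("connected client  :", renew_ack_delivery(True))
    print("unconnected client:", renew_ack_delivery(False))
```

With the connected socket, the relay's datagram matches no socket on the client's port, which is the condition under which a host answers with ICMP port unreachable.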