How to Configure Security Policies to Allow DHCP
A DHCP network has three roles: DHCP client, DHCP server, and DHCP relay. When a DHCP client and a DHCP server are located on different network segments, a DHCP relay must be deployed. The DHCP packet exchange process varies according to the networking scenario.
Scenario Without a DHCP Relay
Figure 8-1 shows the DHCP packet exchange process when no DHCP relay is deployed.
DHCP packets are encapsulated in UDP. When the DHCP client accesses the network for the first time, the IP address allocation process is as follows:
- DHCP Discover: The DHCP client broadcasts a DHCPDISCOVER message, in which the source and destination IP addresses are 0.0.0.0 and 255.255.255.255, respectively, and the source and destination ports are 67 and 68, respectively. When accessing the network for the first time, the DHCP client has never obtained an IP address and does not know the IP address of the DHCP server. Therefore, the DHCPDISCOVER message is broadcast. The DHCPDISCOVER message contains the Flags field, which indicates whether the server sends a response packet in unicast or broadcast mode. Generally, the unicast mode is used (Broadcast Flag = 0).
- DHCP Offer: After receiving the DHCPDISCOVER message, the DHCP server selects an available IP address and sends a unicast DHCPOFFER message carrying this IP address. The destination IP address encapsulated in the message is the IP address allocated by the DHCP server to the DHCP client.
- DHCP Request: The DHCP client broadcasts a DHCPREQUEST message to request an IP address from the selected DHCP server. The message carries the identifier of the selected DHCP server. When multiple DHCP servers exist on the network, the DHCPREQUEST message is broadcast so that all DHCP servers are notified; the servers that were not selected can then update the status of the IP addresses they had offered.
- DHCP Ack: The DHCP server sends a DHCPACK message to the DHCP client in unicast mode to acknowledge IP address allocation.
If the DHCP client is not accessing the network for the first time, it can request the IP address that it previously used. In this case, the IP address allocation process consists of only two phases: DHCP Request and DHCP Ack. The source IP address in the DHCPREQUEST message is the DHCP client's current IP address.
When the lease renewal timer expires (50% of the lease, that is, 1800s), the DHCP client sends a unicast packet to the DHCP server to apply for lease renewal. If the DHCP client no longer needs the current IP address, it sends a DHCPRELEASE message in unicast mode to release the IP address.
In this scenario, both the DHCP server and client may proactively send unicast packets. Table 8-2 shows the security policy configuration example when the firewall functions as a DHCP server.
| No. | Name | Source Security Zone | Destination Security Zone | Source Address/Region | Destination Address/Region | Service | Action |
|---|---|---|---|---|---|---|---|
| 101 | Allow DHCP Client to Firewall | Trust | Local | 10.1.1.0/24 | 10.1.1.1/24 | bootps (UDP: 67) | permit |
| 102 | Allow Firewall to DHCP Client | Local | Trust | 10.1.1.1/24 | 10.1.1.0/24 | bootpc (UDP: 68) | permit |
Scenario with a DHCP Relay
The broadcast packets of the DHCP client cannot traverse different network segments. When a network consists of multiple network segments, a DHCP relay is deployed. Figure 8-2 describes the packet exchange process.
During IP address allocation, the DHCP client broadcasts DHCPDISCOVER and DHCPREQUEST messages. After receiving the messages, the DHCP relay changes the source and destination addresses of the messages to the IP addresses of its outbound interface and of the DHCP server, respectively, adds the relay IP address to the messages, and then forwards the messages to the DHCP server in unicast mode. The DHCP server sends DHCPOFFER and DHCPACK messages in unicast mode to the DHCP relay. The DHCP relay uses port 67 as both the source and destination port when communicating with the DHCP server.
The DHCP client has obtained the IP address of the DHCP server in the address allocation phase. In the subsequent lease renewal and address release processes, the DHCP client directly sends unicast packets to the DHCP server to initiate a connection without the help of the DHCP relay.
| No. | Name | Source Security Zone | Destination Security Zone | Source Address/Region | Destination Address/Region | Service | Action |
|---|---|---|---|---|---|---|---|
| 101 | Allow Firewall to DHCP Server | Local | Untrust | 100.1.1.10/24 | 100.1.1.1/24 | bootps (UDP: 67) | permit |
| 102 | Allow DHCP Client to DHCP Server | Trust | Untrust | 10.1.1.0/24 | 100.1.1.1/24 | bootps (UDP: 67) | permit |
| 103 | Allow Firewall to DHCP Client | Local | Trust | 10.1.1.1/24 | 10.1.1.0/24 | bootpc (UDP: 68) | permit |
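To check that the relay-scenario table above covers the unicast flows the text describes, here is an added Python policy evaluator (example code, not the vendor's): it models each rule as zone pair, address/mask pair and UDP service, evaluates constructed flows against the rules in order, and reports the implicit deny for anything unmatched. The zone names and rule fields are taken from the table; the client address 10.1.1.20 and the flow names are assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed model of the relay-scenario policy table above (not vendor code); a
# "Service" entry such as "bootps (UDP: 67)" or "bootpc (UDP: 68)" is the UDP destination port.
BOOTPS, BOOTPC = 67, 68
Rule = namedtuple("Rule", "no name src_zone dst_zone src_addr dst_addr dst_port")
Flow = namedtuple("Flow", "src_zone dst_zone src_ip dst_ip src_port dst_port")

def in_range(ip: str, addr_mask: str) -> bool:
    # strict=False: a table entry such as 100.1.1.10/24 denotes the host's /24 network.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(addr_mask, strict=False)

def first_match(rules, flow):
    """Number of the first rule that permits the flow, or None (implicit deny)."""
    for r in rules:
        if ((r.src_zone, r.dst_zone) == (flow.src_zone, flow.dst_zone)
                and in_range(flow.src_ip, r.src_addr)
                and in_range(flow.dst_ip, r.dst_addr)
                and flow.dst_port == r.dst_port):
            return r.no
    return None

def coverage(rules, flows: dict) -> dict:
    """Map each named flow to the rule number that permits it (None = dropped)."""
    return {name: first_match(rules, f) for name, f in flows.items()}

RELAY_RULES = [
    Rule(101, "Allow Firewall to DHCP Server", "Local", "Untrust", "100.1.1.10/24", "100.1.1.1/24", BOOTPS),
    Rule(102, "Allow DHCP Client to DHCP Server", "Trust", "Untrust", "10.1.1.0/24", "100.1.1.1/24", BOOTPS),
    Rule(103, "Allow Firewall to DHCP Client", "Local", "Trust", "10.1.1.1/24", "10.1.1.0/24", BOOTPC),
]

# Constructed unicast flows from the exchange described in the text; the client
# address 10.1.1.20 is assumed. The relay uses port 67 on both sides towards the server.
RELAY_FLOWS = {
    "relay_forwards_discover": Flow("Local", "Untrust", "100.1.1.10", "100.1.1.1", BOOTPS, BOOTPS),
    "client_renews_lease":     Flow("Trust", "Untrust", "10.1.1.20", "100.1.1.1", BOOTPC, BOOTPS),
    "relay_delivers_ack":      Flow("Local", "Trust", "10.1.1.1", "10.1.1.20", BOOTPS, BOOTPC),
    # The server's reply to the relay matches no rule: on a stateful firewall it is admitted
    # by the session that rule 101 created, so the table lists only initiating directions.
    "server_replies_to_relay": Flow("Untrust", "Local", "100.1.1.1", "100.1.1.10", BOOTPS, BOOTPS),
    # A host outside 10.1.1.0/24 reaching for the server on bootps hits the implicit deny.
    "host_outside_client_subnet": Flow("Trust", "Untrust", "10.1.2.5", "100.1.1.1", BOOTPC, BOOTPS),
}

if __name__ == "__main__":
    for name, rule_no in coverage(RELAY_RULES, RELAY_FLOWS).items():
        print(f"{name:27s} -> {rule_no or 'no rule (implicit deny)'}")
```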
DHCPv6
DHCPv6 messages are encapsulated using UDP. Table 8-4 lists the message sending modes. The DHCPv6 client uses UDP port 546, and the DHCPv6 server and relay use UDP port 547.
| Packet Type | DHCPv6 Message | Sender | Sending Mode | Receiver | Description |
|---|---|---|---|---|---|
| 1 | Solicit | DHCPv6 client | Multicast | All DHCPv6 servers and relays (FF02::1:2) | The DHCPv6 client sends Solicit messages to all DHCPv6 servers and relays to determine the location of the DHCPv6 servers. |
| 2 | Advertise | DHCPv6 server / DHCPv6 relay | Unicast | DHCPv6 client | A DHCPv6 server sends an Advertise message in response to a Solicit message to declare that it can provide DHCPv6 services. In the DHCPv6 relay scenario, after receiving a Relay-reply message from a DHCPv6 server, a DHCPv6 relay also sends an Advertise message to the DHCPv6 client. |
| 3 | Request | DHCPv6 client | Multicast | All DHCPv6 servers and relays (FF02::1:2) | A DHCPv6 client sends a Request message to request an IPv6 address and other configuration parameters from a DHCPv6 server. |
| 3 | Request | DHCPv6 client | Unicast | Specified DHCPv6 server | Unicast packets can be sent only when the DHCPv6 server is configured with the Server Unicast option. |
| 4 | Confirm | DHCPv6 client | Multicast | All DHCPv6 servers and relays (FF02::1:2) | A DHCPv6 client sends a Confirm message to all DHCPv6 servers to check whether the obtained IPv6 address is still valid on the link to which the client is connected. |
| 5 | Renew | DHCPv6 client | Multicast | Specified DHCPv6 server | A DHCPv6 client sends a Renew message to the DHCPv6 server that provided the IPv6 address and other configuration parameters, to extend the lifetime of the address and to update configuration parameters. |
| 5 | Renew | DHCPv6 client | Unicast | Specified DHCPv6 server | Unicast packets can be sent only when the DHCPv6 server is configured with the Server Unicast option. |
| 6 | Rebind | DHCPv6 client | Multicast | All DHCPv6 servers and relays (FF02::1:2) | A DHCPv6 client sends a Rebind message to all DHCPv6 servers to extend the lifetime of the allocated IPv6 address and to update configuration parameters when it receives no response to its Renew message. |
| 7 | Reply | DHCPv6 server / DHCPv6 relay | Unicast | DHCPv6 client | A DHCPv6 server sends a Reply in response to unicast or multicast messages received from the DHCPv6 client, such as Solicit, Confirm, Request, Rebind, Information-request, Renew, Release and Decline. In the DHCPv6 relay scenario, after receiving a Relay-reply message from a DHCPv6 server, a DHCPv6 relay also sends a Reply message to the DHCPv6 client. |
| 8 | Release | DHCPv6 client | Multicast | Specified DHCPv6 server | A DHCPv6 client sends a Release message to the DHCPv6 server that allocated its IPv6 addresses, indicating that the client will no longer use the obtained addresses. |
| 8 | Release | DHCPv6 client | Unicast | Specified DHCPv6 server | Unicast packets can be sent only when the DHCPv6 server is configured with the Server Unicast option. |
| 9 | Decline | DHCPv6 client | Multicast | Specified DHCPv6 server | A DHCPv6 client sends a Decline message to a DHCPv6 server, indicating that the IPv6 addresses allocated by the server are already in use on the link to which the client is connected. |
| 9 | Decline | DHCPv6 client | Unicast | Specified DHCPv6 server | Unicast packets can be sent only when the DHCPv6 server is configured with the Server Unicast option. |
| 10 | Reconfigure | DHCPv6 server | Unicast | DHCPv6 client | A DHCPv6 server sends a Reconfigure message to a DHCPv6 client, informing the client that new addresses or updated configuration parameters are available on the server. |
| 11 | Information-Request | DHCPv6 client | Multicast | All DHCPv6 servers and relays (FF02::1:2) | A DHCPv6 client sends an Information-request message to all DHCPv6 servers to request configuration parameters other than IPv6 addresses. |
| 11 | Information-Request | DHCPv6 client | Unicast | Specified DHCPv6 server | Unicast packets can be sent only when the DHCPv6 server is configured with the Server Unicast option. |
| 12 | Relay-Forward | DHCPv6 relay | Unicast | Specified DHCPv6 server | A DHCPv6 relay sends a Relay-forward message to relay client messages to DHCPv6 servers. |
| 12 | Relay-Forward | DHCPv6 relay | Multicast | All DHCPv6 servers (FF05::1:3) | The DHCPv6 relay sends multicast packets only when no DHCPv6 server is specified on the relay. |
| 13 | Relay-Reply | DHCPv6 server | Unicast | DHCPv6 relay | A DHCPv6 server sends a Relay-reply message to a DHCPv6 relay. The Relay-reply message carries the packet to be relayed to the DHCPv6 client. |
Generally, a DHCPv6 client sends multicast packets and a DHCPv6 server responds with unicast packets, so you only need to configure a security policy that permits the traffic from the DHCPv6 server to the DHCPv6 client. However, when the DHCPv6 server is configured with the Server Unicast option, the DHCPv6 client can send Request, Renew, Information-request, Release, and Decline messages in unicast mode. In this case, you also need to configure a security policy for the traffic direction from the DHCPv6 client to the DHCPv6 server.
In the DHCPv6 relay scenario, one or more DHCPv6 server addresses are configured on a DHCPv6 relay. The DHCPv6 relay sends unicast packets to a DHCPv6 server, and the DHCPv6 server always responds with unicast packets. You need to configure security policies to permit the traffic from the DHCPv6 relay to the DHCPv6 client and to the DHCPv6 server.