DHCP Option 82 Message Format, Analysis. DHCP Snooping Option 82 Injection & Removal Method, Trusted – Untrusted Switch Ports
This article provides in-depth analysis of DHCP Option 82 (DHCP Relay Agent) which is one of the +180 DHCP Options available to the DHCP protocol and used by the Bootstrap Protocol (BOOTP) used for allowing diskless client machines to discover and obtain their IP address. We’ll show you how DHCP Option 82 is used when implementing DHCP Snooping, the structure and content of DHCP Option 82, how and where it’s injected and removed from DHCP messages plus much more. You’ll can also download our DHCP/BOOTP Options Excel file and Wireshark packet captures of DHCP packets with Option 82 used in this article to help further understand all topics covered.
Key Topics:
- The DHCP Options field within a DHCP Packet
- DHCP Option 82 (Agent Relay) Message Format, Structure & Fields
- Detailed Analysis of DHCP Option 82 – SubOption 1 & SubOption2
- Purpose & Usage Examples of DHCP Option 82 (Agent Relay)
- DHCP Snooping & Option 82 (Agent Relay) Considerations. Switches & Trusted – Untrusted Ports
- Summary
It’s highly recommend to read through our DHCP Snooping – DHCP Attack Mitigation article which is a foundation article.
The ‘DHCP Options’ Field within a DHCP Packet
The DHCP Options field is included inside every DHCP packet and is critical for the correct operation of the DHCP/BOOTP protocol. You’d be surprised to know that there are almost 200 different DHCP Options available and there are more added as new features are introduced in the protocol.
The material used in this article such as wireshark DHCP Options 82 packet captures, are freely available to download from our Article Attachments section.
The diagram below shows the structure of a DHCP packet and highlights the position of the DHCP Options field.
It is important to understand that the above DHCP packet is the data payload within an Ethernet frame using UDP as the transport protocol.
The below screenshot was taken from a packet analyzer and shows an Ethernet frame with the DHCP data payload expanded:
We’ve highlighted sections of the DHCP protocol using the same colours as our previous diagram to help the correlation process. Every field shown in our diagram maps directly to the fields of the captured DHCP packet.
The area marked in green is the section where the DHCP Options field is located. In our captured packet there are a total of 8 DHCP Options used, among them is also Option 82 (Agent Information Option).
DHCP Option 82 (Agent Relay) Message Format, Structure & Fields
The DHCP Option 82, aka Agent Relay Information Option or Agent Information Option, was originally created by RFC 3046 to allow the DHCP relay agent (e.g switch, router, firewall or server) to identify itself and the DHCP client that sent the original DHCP message.
The DHCP Option 82 is inserted and removed by the DHCP Agent Relay (e.g switch) as shown in the diagram below:
While some DHCP servers might not support the Option 82 they are still required to copy the Option 82 value received from the DHCP client and include it in all replies back to the client. We’ll discuss the Option 82 insertion and removal process in the next section.
As we saw earlier, the DHCP Options field is positioned at the end of the DHCP packet and always contains multiple DHCP options. This of course means the DHCP Option field varies in length according to the number of options used:
Let’s now take a closer look into the DHCP Options field at the end of the packet. This can contain multiple options as shown below in our packet analyzer screenshot:
Each option expands to include its own parameters however we will focus on Option 82 shown below:
Due to space restrictions we are only depicting the first (Message Type), second last (Option 82) and last (End) option.
Remember there are over 200 different DHCP options (Code options) available and multiple used in just a single DHCP packet so it can get very challenging analyzing only one DHCP packet!
Looking at the above diagram we can appreciate that the structure of each DHCP Option varies depending on its purpose and information contained however there is a common set of fields used by all except the last (Option 255 – End):
- Code (light green box). Identifies the DHCP Option type. Examples are Code=82 (DHCP Agent Information), Code=53 (DHCP Message Type: Discover, Offer, Request or Ack), etc.
- Length (green box). This is the DHCP option type length in bytes. For DHCP Option 82, this includes the combined the length of SubOption1 + SubOption2.
- Value (blue box). This contains value or data related to the DHCP Option type. DHCP Option 82 contains two SubOptions, each with its own unique value as shown above.
It’s probably worth mentioning at this point that RFC 3046 states that DHCP Option 82 should always be the last DHCP Option before the END option (Code 255).
The material used in this article such as wireshark DHCP Options 82 packet captures, are freely available to download from our Article Attachments section.
Detailed Analysis of DHCP Option 82 – SubOption 1 & SubOption 2
Before we begin analyzing the two SubOptions we need to understand that DHCP Option 82 is inserted by the Agent Relay (switch) as the client’s DHCP packets traverse it.
In this scenario the switch has DHCP Snooping enabled and the SubOption parameters configured accordingly. In the example below, switch DC-SW1 has DHCP Snooping plus DHCP Options 82 enabled and configured:
As the client’s DHCP Discover packet enters switch DC-SW1 via port Gi0/5 the switch will automatically add the DHCP Option 82 and continue forwarding the packet to the DHCP server.
Below is the breakdown of DHCP Option 82 added inside the DHCP Options field:
The DHCP Option 82 in this example has the following configured:
- SubOption 1 (Agent Circuit ID) = Gi0/5. Used to identify the individual switchport.
- SubOption 2 (Agent Remote ID) = DC-SW1. The Hostname or description of the DHCP Relay Agent
Here is what a DHCP Option 82 packet capture looks like in network protocol analyzer:
The top section highlights the two SubOptions along with their parameters and values which are all in HEX while the lower right section shows these values in ASCII – making them easy to decipher.
Before we complete this section let’s take a closer look at the fields each SubOption consists of:
- SubOption Number. This identifies the first (Agent Circuit ID) or second (Agent Remote ID) SubOption.
- Length. The length of the specific SubOption in bytes.
- Value. The specific SubOption value.
This completed the protocol analysis of DHCP Option 82. Next up, we’ll take a look at examples where DHCP Option 82 plays a significant role in the operation of the network infrastructure.
Purpose & Usage Examples of DHCP Option 82 (Agent Relay)
Most modern DHCP Servers, e.g Windows Server 2012 & Windows Server 2016, support DHCP Option 82 therefore allowing organizations to create DHCP policies according to the information contained inside the DHCP Option 82 field. For example DHCP Pools or IP address ranges can be reserved and assigned to DHCP clients connecting to specific switches within the network or specific ports on those switches.
Large metropolitan networks, for example ISPs or university campuses make extensive use of the DHCP Option 82 as it provides them with the capability of managing and maintaining DHCP network services from a centralized location without the need of dispersed DHCP servers at each site or campus.
DHCP client requests are directed to the main datacenter with the help of local DHCP relay agents (switches, routers, etc) configured to inject the DHCP Option 82 inside the client’s original DHCP packet. This packet is then forwarded to the DHCP Servers with all the necessary information that will allow them to identify the site, network switch and port to which the client is connected to. DHCP server policies then come into effect and ensure each site is served from the correct DHCP pool and clients are assigned the correct IP address.
The diagram above shows how a client’s DHCP Discover packet is modified by the local DHCP Relay Agent (DC-SW1) to include the DHCP Option 82 message allowing the DHCP server at the Core Network identify the campus, switch and port to which the client sending the request is connected to.
As previously noted, the DHCP server is required to maintain the DHCP Option 82 information when replying to the client. This is also shown in the diagram below:
The DHCP Relay Agent (DC-SW1) will receive the DHCP server’s reply and remove the Option 82 information before forwarding it out to the DHCP client.
Many sources on the internet incorrectly mention that the DHCP Relay Agent Option (Option 82) is automatically inserted by a DHCP Snooping enabled switch. RFC 3046 (Section 2.1 – Agent Operation) specifically notes that this function should be disabled by default.
DHCP Snooping & Option 82 (Relay Agent) Considerations. Switches & Trusted - Untrusted Ports
We already know that with DHCP Snooping enabled and Option 82 configured a Cisco Catalyst or Nexus switch, it will insert the Option 82 field into the client’s DHCP message as shown in the below diagram:
As shown in the example above, the DHCP client’s DHCP Discover packet is received by the switch on interface Gi0/5 which is by default an untrusted port. The switch, which acts as a DHCP relay agent, immediately inserts the DHCP Option 82 in the original DHCP Discover packet, updates the frame as needed (MAC addresses, destination IP, CRC) then sends it out Gi0/1, a trusted port, to the DHCP Server.
As a general rule of thumb, any switch interface expected to receive DHCP packets containing DHCP Option 82 must be configured as a Trusted interface otherwise the DHCP packet will be discarded by the switch:
In the case where there are multiple switches with involved in the path to reach the DHCP server the same rule applies to ensure DHCP packets with Option 82 can traverse each hop:
Interfaces Gi0/1 from SW1 and Gi0/4, Gi0/2 from SW2 will always receive DHCP packets with Option 82 therefore these ports must be configured as trusted ports.
Related Articles
- Complete Guide to DHCP Snooping, Snooping Database & mitigating DHCP Attacks
- Basic & Advanced Catalyst Layer 3 Switch Configuration
- Understanding & Designing VLAN Networks
- Ethernet II Frame Formats
- MAC Address
Summary
This article provided in-depth analysis of the DHCP Options field and more specifically the DHCP Option 82. We examined the DHCP Option 82 message format, structure and fields while also taking a close look at SubOptions 1 & 2 and explaining their usage. Finally we talked about the purpose and real-usage examples of DHCP Option 82 and showed how switchports should be configured on DHCP Snooping enabled switches with DHCP Option 82 configured.
Your IP address:
3.142.201.175
Wi-Fi Key Generator
Follow Firewall.cx
Cisco Password Crack
Decrypt Cisco Type-7 Passwords on the fly!