Hazard's stuff

ISC dhcpd doesn't work for unicast renewals without ARP

— Posted by hazard @ 2018-07-14 13:29
While implementing a network isolation policy I encountered an interesting quirk of how ISC dhcpd works: for unicast renewals, it uses a Linux IP-based syscall to send the DHCPACK towards an IP address, not a MAC address. As a result, an ARP entry has to exist, and therefore ARP towards the client host must work. For broadcast DHCP requests, dhcpd replies directly to a MAC address and ARP is not needed. I had expected that the DHCP server wouldn't need anything apart from ports 67/68 and had isolated everything else. So I was seeing that some devices could get DHCP while others couldn't, which led to a quite fun troubleshooting session, especially since dhcpd was logging a successful DHCPACK response while tcpdump was showing that no response was actually sent over the wire.
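An added example, not from this post: a small Python correlator that flags DHCPACKs dhcpd logged without a matching reply on the wire, then looks up the kernel neighbour state for those clients. The dhcpd syslog, tcpdump and `ip neigh` lines are constructed samples in the formats those tools emit; addresses and interface names are assumptions.

```python
import re

# Constructed samples (not from the post), in the formats the real tools emit.
DHCPD_LOG = """\
Jul 14 13:29:01 dhcp dhcpd[812]: DHCPREQUEST for 192.0.2.10 from aa:bb:cc:dd:ee:01 via eth0
Jul 14 13:29:01 dhcp dhcpd[812]: DHCPACK on 192.0.2.10 to aa:bb:cc:dd:ee:01 via eth0
Jul 14 13:29:05 dhcp dhcpd[812]: DHCPREQUEST for 192.0.2.11 from aa:bb:cc:dd:ee:02 via eth0
Jul 14 13:29:05 dhcp dhcpd[812]: DHCPACK on 192.0.2.11 to aa:bb:cc:dd:ee:02 via eth0
"""
# tcpdump -n -i eth0 'udp port 67': the second client's ACK never left the host
TCPDUMP = """\
13:29:01.100 IP 192.0.2.10.68 > 192.0.2.1.67: BOOTP/DHCP, Request from aa:bb:cc:dd:ee:01, length 300
13:29:01.101 IP 192.0.2.1.67 > 192.0.2.10.68: BOOTP/DHCP, Reply, length 300
13:29:05.100 IP 192.0.2.11.68 > 192.0.2.1.67: BOOTP/DHCP, Request from aa:bb:cc:dd:ee:02, length 300
"""
# ip neigh show dev eth0 on the DHCP server: ARP towards the second client is blocked
IP_NEIGH = """\
192.0.2.10 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.0.2.11 dev eth0 FAILED
"""

ACK_RE = re.compile(r"DHCPACK on (\S+) to (\S+) via \S+")
REPLY_RE = re.compile(r"IP \S+\.67 > (\S+)\.68: BOOTP/DHCP, Reply")
NEIGH_RE = re.compile(r"^(\S+) dev \S+(?: lladdr \S+)? (\S+)$", re.MULTILINE)

def logged_acks(log):
    """(client_ip, client_mac) for every DHCPACK dhcpd claims to have sent."""
    return ACK_RE.findall(log)

def replies_on_wire(dump):
    """Client IPs that actually received a server reply according to tcpdump."""
    return set(REPLY_RE.findall(dump))

def neigh_states(neigh):
    """Map client IP -> kernel neighbour state (REACHABLE, STALE, FAILED, ...)."""
    return dict(NEIGH_RE.findall(neigh))

def diagnose(log, dump, neigh):
    """ACKs logged but never seen on the wire, paired with the ARP state that explains
    them: a unicast renewal reply goes via the IP stack, so a FAILED entry means a drop."""
    seen = replies_on_wire(dump)
    states = neigh_states(neigh)
    return [(ip, mac, states.get(ip, "NO ENTRY"))
            for ip, mac in logged_acks(log) if ip not in seen]

if __name__ == "__main__":
    for ip, mac, state in diagnose(DHCPD_LOG, TCPDUMP, IP_NEIGH):
        print(f"DHCPACK to {ip} ({mac}) logged but not on the wire; ARP state: {state}")
```

Replies addressed to 255.255.255.255 are not matched by client IP, so the check targets exactly the unicast-renewal case described above.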