OS-5186: DHCP Client Identifiers should be permitted in VMs using DHCP

Details

Issue Type: Improvement
Priority: 4 - Normal
Status: Resolved
Created at: 2016-02-24T22:28:47.000Z
Updated at: 2018-06-20T17:21:49.962Z

People

Created by: Former user
Reported by: Former user
Assigned to: Former user

Resolution

Fixed: A fix for this issue is checked into the tree and tested.
(Resolution Date: 2018-06-13T15:53:01.527Z)

Fix Versions

2018-06-21 Underwater Reactor (Release Date: 2018-06-21)

Description

In smartos-live#567, NetBSD couldn't get an IP address via DHCP while installing, because it was sending the DISCOVER message with a DHCP Client Identifier. Since Client Identifiers cannot be predicted by the kernel ahead of time, and could be used to hijack other systems' transactions, DHCP spoofing protection disallows sending these packets. Most of the time allowing client identifiers should be fine though. If someone uses "dhcp" on a NIC, then we should allow through packets with Client Identifiers.

Comments

Comment by Former user
Created at 2017-12-11T22:56:16.909Z

I tested this by creating a NetBSD KVM instance, which uses Client Identifiers. With these changes, and without setting "allowed_dhcp_cids", the instance was able to get an IP address. When I set "allowed_dhcp_cids" to "0xff3e930301000100011e67a7f462483e930301" (its CID), it also worked. When I set the array to "0x20", though, it was unable to get an address and instead assigned itself an IPv4 link-local address of 169.254.43.112.
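
The filtering behaviour that the description and the test comment above report, as an added C sketch (not the smartos-live code): find DHCP option 61 in a packet's options field and check it against an allowlist. The function and struct names, and the choice to pass packets without option 61 and drop malformed options, are assumptions of this sketch; the sample options field is constructed around the CID quoted in the comment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct cid { const uint8_t *data; size_t len; };
/* CID quoted in the test comment on this page (19 bytes). */
static const uint8_t PAGE_CID[] = { 0xff,0x3e,0x93,0x03,0x01,0x00,0x01,0x00,0x01,
    0x1e,0x67,0xa7,0xf4,0x62,0x48,0x3e,0x93,0x03,0x01 };
static const uint8_t OTHER_CID[] = { 0x20 };
/* Constructed options field: option 53 (DISCOVER), option 61 = PAGE_CID, end. */
static const uint8_t SAMPLE_OPTS[] = { 53,1,1, 61,19, 0xff,0x3e,0x93,0x03,0x01,
    0x00,0x01,0x00,0x01,0x1e,0x67,0xa7,0xf4,0x62,0x48,0x3e,0x93,0x03,0x01, 255 };
static const struct cid ALLOW_PAGE = { PAGE_CID, sizeof PAGE_CID };
static const struct cid ALLOW_OTHER = { OTHER_CID, sizeof OTHER_CID };

/* Walk the options that follow the DHCP magic cookie, looking for option 61.
 * Returns 1 and fills *out if found, 0 if absent, -1 if the options are malformed. */
static int find_client_id(const uint8_t *opts, size_t len, struct cid *out) {
    size_t i = 0;
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == 0) continue;              /* pad option has no length byte */
        if (code == 255) break;               /* end option */
        if (i >= len) return -1;              /* length byte missing */
        uint8_t olen = opts[i++];
        if (olen > len - i) return -1;        /* value would overrun the buffer */
        if (code == 61) { out->data = opts + i; out->len = olen; return 1; }
        i += olen;
    }
    return 0;
}

/* Policy as observed in the test comment: with no allowlist any CID passes;
 * with an allowlist the CID must equal one entry byte for byte.
 * Assumption of this sketch: malformed options are dropped, no CID passes. */
int cid_permitted(const uint8_t *opts, size_t len, const struct cid *allowed, size_t n) {
    struct cid found;
    int rc = find_client_id(opts, len, &found);
    if (rc < 0) return 0;
    if (rc == 0 || n == 0) return 1;
    for (size_t k = 0; k < n; k++)
        if (allowed[k].len == found.len &&
            memcmp(allowed[k].data, found.data, found.len) == 0)
            return 1;
    return 0;
}

int main(void) {
    printf("unset=%d match=%d other=%d\n",
        cid_permitted(SAMPLE_OPTS, sizeof SAMPLE_OPTS, NULL, 0),
        cid_permitted(SAMPLE_OPTS, sizeof SAMPLE_OPTS, &ALLOW_PAGE, 1),
        cid_permitted(SAMPLE_OPTS, sizeof SAMPLE_OPTS, &ALLOW_OTHER, 1));
    return 0;
}
```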


Comment by Former user
Created at 2018-06-12T22:49:38.215Z

I reran the vmadm(1M) test suite after making some updates to ensure that users can't create allowed_dhcp_cids arrays that would be too long for zonecfg(1M).


Comment by Jira Bot
Created at 2018-06-13T15:50:58.130Z

smartos-live commit 56aefb80e76f738a147644de8ad9b1c290325156 (branch master, by Cody Peter Mello)

OS-5186 DHCP Client Identifiers should be permitted in VMs using DHCP