>Number:         10319
>Category:       kern
>Synopsis:       NFS_BOOTDHCP fails if DHCP relay honors IP TTL
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jun 07 22:16:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Scott Reynolds
>Release:        NetBSD-current 2000-05-28
>Organization:
>Environment:
	DNARD, NetBSD/arm32
System: NetBSD shark 1.4Z NetBSD 1.4Z (SHARK) #21: Sun May 28 20:03:12 CDT 2000 root@shark:/amd/toaster.eew.tgi.plexus.com/netbsd/src/sys/arch/arm32/compile/SHARK



>Description:
	The IP TTL in a DHCPDISCOVER broadcast is set to 1 when getting boot
	parameters for a diskless client. If a DHCP relay honors the TTL,
	the broadcast will never reach the server. This behavior has been
	observed with a Cisco IOS 12.0-based layer 3 switch.

	Code inspection reveals the problem fairly quickly.  From
	src/sys/nfs/nfs_bootdhcp.c, line 482:

		/*
		 * Skip the route table when sending on this socket.
		 * If this is not done, ip_output finds the loopback
		 * interface (why?) and then fails because broadcast
		 * is not supported on that interface...
		 */
	
	Setting SO_DONTROUTE on the socket results in the obvious behavior.

>How-To-Repeat:
	1. Set up a diskless system that uses DHCP to get boot parameters on
	   a network using a Cisco IOS switch/router. Make sure the DHCP
	   server is on a different IP network.
	2. Use "ip helper-address" to configure DHCP relay from the
	   diskless client to the DHCP server.
	3. Try to boot, watch it fail, and note from tcpdump output that
	   the IP TTL is set to 1 for the first set of DHCPDISCOVER
	   broadcasts after the kernel is loaded.

>Fix:
	None provided. Use dhcrelay(8) on another system to work around
	the problem.
>Release-Note:
>Audit-Trail:
>Unformatted: