Subject: Re: DHCP vs. IPsec
To: Charles M. Hannum <>
From: Michael Richardson <>
List: tech-net
Date: 09/17/2003 17:39:06

>>>>> "Charles" == Charles M Hannum <> writes:
    Charles> So, I use IPsec over my wireless network.  I also use DHCP.

  Excellent. Have you seen

    Charles> I observed that renewals were not working right from my laptop
    Charles> -- the 
    Charles> server did not seem to see the DHCP REQUESTs, nor did it send any
    Charles> replies.  Eventually the renewal timed out and it did a new DHCP
    Charles> DISCOVER sequence and managed to get a new lease, so the network
    Charles> appeared to function normally.

  Yes, that is correct.
  The DHCP client sends the renewal using a plain UDP packet; it gets 
encrypted with IPsec, and the server actually will receive it. 

  The DHCP server answers the request in the IPsec, but the client is
listening only on the wire. It discards packets on port 67. The result is
that it thinks the renewal didn't happen.
  The problem is that getting two answers would be bad. I think that we
should be able to cope with that and enable reading on the UDP socket.

    Charles> An iBook running OSX experienced more chaotic behavior, eventually
    Charles> self-configuring a bogus IP address and not working at all.

  Yes, that's Rendezvous "working" for you.

    Charles> Yes, it is possible to tweak the IPsec configuration so that the
    Charles> outbound packets are not encrypted in this case.  However, that's
    Charles> irritating, and it does not fix the problem that the path isn't
    Charles> symmetric.  Furthermore, OSX does not encrypt outgoing DHCP

  This was the only solution that we came up with for wavesec.
  Same thing under Linux, btw.

    Charles> So, I've made the following change to my tree to prevent IPsec
    Charles> encapsulation of DHCP packets.  With this change, renewals work
    Charles> correctly from a NetBSD laptop -- and I believe will work
    Charles> correctly 
    Charles> from OSX, but I won't be able to test that for a few days.

  Nice changes. Alas, they don't solve the whole problem.
  A renewal through IPsec should be equally valid.

  Send it to ISC anyway.

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [
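The "tweak the IPsec configuration so that the outbound packets are not encrypted" workaround discussed in this thread, written out as an added example (not from the original mail or from either author) in KAME setkey(8) policy syntax, which is what NetBSD's IPsec stack uses. It assumes transport-mode ESP on the wireless link with a catch-all policy; the address ranges and the ordering of SPD entries are assumptions to be checked against the running kernel with `setkey -DP`.

```conf
# Added example: exempt DHCP (client port 68 <-> server port 67) from IPsec
# so that a unicast renewal and its reply both travel in the clear and
# the client's on-the-wire (BPF) listener sees the answer.
# Bypass entries are listed first; verify the match order with `setkey -DP`
# on your kernel, since this ordering assumption is not taken from the thread.

spdflush;

# DHCP from client to server: not encrypted
spdadd 0.0.0.0/0[68] 0.0.0.0/0[67] udp -P out none;
# DHCP from server to client: not decrypted/expected via IPsec
spdadd 0.0.0.0/0[67] 0.0.0.0/0[68] udp -P in  none;

# Everything else on the link still requires ESP in transport mode
spdadd 0.0.0.0/0 0.0.0.0/0 any -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 any -P in  ipsec esp/transport//require;
```

As the reply above points out, this only makes the path symmetric by taking DHCP out of IPsec on both ends; a renewal that does arrive through IPsec is still discarded by a client that listens only on the wire, so the client-side fix (reading on the UDP socket as well, while coping with a possible duplicate answer) is the one that closes the problem rather than routing around it.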