
DHCP: disallow/do-not-request certain options when requesting IP address from server
Closed, Resolved | Public | FEATURE REQUEST

Description

Please make it possible to disregard some received DHCP options (See T2997#78071 for screenshot of suggestion), for example:

set interfaces ethernet eth0 address dhcp alter-dhcp-default-gateway discard

Adding this capability also improves visibility about operational gateways (e.g. in a "show configuration commands" output).

Note: since we already have similar syntax for dns received from DHCP:

set system name-servers-dhcp eth0

an alternative syntax could be (with default off)

set system routes-dhcp eth0

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

Alfa80 created this task. Oct 19 2020, 12:16 PM
Alfa80 updated the task description. Oct 19 2020, 12:19 PM
Alfa80 updated the task description. Oct 19 2020, 12:23 PM
Alfa80 updated the task description. Oct 19 2020, 12:26 PM
Alfa80 updated the task description. Oct 19 2020, 12:28 PM
c-po added a subscriber: c-po. Oct 19 2020, 2:42 PM

Do other vendors support hijacking/altering of DHCP options? I feel this kills the whole concept of DHCP.

I'm in for adding a CLI option to not request a default route for sure but the other stuff I do not comply. Please show e.g. Cisco / Juniper / Arista configs which support this hijacking.

This is an example scenario in which this comes in handy:
You have three ethernet interfaces
Two are connected to different LANs
The third is connected to WAN (another router)
All networks offer DHCP and def gw
The LANs offer it for internet access
The WAN offers it for branch access
We want to keep def gw received for WAN and ignore internet access offered by those LANs

Only these three (gw, dns, ntp) benefit most from being hijackable. So I appreciate this point you mentioned and simplify the request to def-gw only if you agree.

Here below are attached images of GUI and text representation of a router which I use and supports this (it is Mikrotik. I currently do not have access to other brands to verify).


I can see a case where people deliberately do NOT want to use ISP provided DNS servers (to avoid DNS NX hijacking) (and/or lock to a major internet DNS server like Google 8.8.8.8 or Quad9 9.9.9.9 or Cloudflare 1.1.1.1 for example).

pasik added a subscriber: pasik. Oct 20 2020, 6:24 AM
Alfa80 updated the task description. Oct 21 2020, 7:59 AM
Alfa80 updated the task description. Oct 21 2020, 8:56 AM
c-po moved this task from Need Triage to Backlog on the VyOS 1.3 Equuleus board. Oct 25 2020, 6:44 PM
c-po renamed this task from Allow ignoring received DHCP options to DHCP: disallow/do-not-request certain options when requesting IP address from server. Sat, Nov 7, 7:46 PM
c-po changed the task status from Open to In progress.
c-po claimed this task.
c-po added a comment. Sat, Nov 7, 8:32 PM

set interfaces ethernet eth2 dhcp-options no-default-route

Implemented for gateway address

c-po added a comment. Fri, Nov 20, 1:16 PM

DNS domain name servers are always requested from the server but must be explicitly "allowed" by set systems name-servers-dhcp

c-po closed this task as Resolved. Fri, Nov 20, 1:16 PM
c-po moved this task from Backlog to Finished on the VyOS 1.3 Equuleus board. Mon, Nov 23, 4:03 PM
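
An added example (not part of the thread and not VyOS project code): a Python check over "show configuration commands" output for the three-interface scenario described above, reporting DHCP-client interfaces outside a trusted uplink set that would still accept a default route or DNS servers from their DHCP server. The sample configuration, the function name `audit_dhcp_trust`, and the restriction to plain ethernet interfaces are assumptions.

```python
import re

# Constructed sample of "show configuration commands" output for the thread's
# scenario: eth0 and eth1 face LANs, eth2 faces the WAN router.
SAMPLE_CONFIG = """\
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 dhcp-options no-default-route
set interfaces ethernet eth1 address 'dhcp'
set interfaces ethernet eth2 address 'dhcp'
set system name-servers-dhcp 'eth1'
set system name-servers-dhcp 'eth2'
"""

# Only the three commands quoted in the thread are matched; values may be quoted.
PATTERNS = {
    "dhcp_client": re.compile(r"^set interfaces ethernet (\S+) address '?dhcp'?$"),
    "no_route": re.compile(r"^set interfaces ethernet (\S+) dhcp-options no-default-route$"),
    "dns_allowed": re.compile(r"^set system name-servers-dhcp '?([^\s']+)'?$"),
}


def audit_dhcp_trust(config_text, trusted_uplinks):
    """Map each untrusted DHCP-client interface to what it still accepts."""
    seen = {name: set() for name in PATTERNS}
    for line in config_text.splitlines():
        for name, pattern in PATTERNS.items():
            match = pattern.match(line.strip())
            if match:
                seen[name].add(match.group(1))

    findings = {}
    for iface in sorted(seen["dhcp_client"] - set(trusted_uplinks)):
        accepted = []
        if iface not in seen["no_route"]:
            accepted.append("default-route")  # server-supplied gateway is installed
        if iface in seen["dns_allowed"]:
            accepted.append("name-servers")   # server-supplied DNS is used
        if accepted:
            findings[iface] = accepted
    return findings


if __name__ == "__main__":
    for iface, accepted in audit_dhcp_trust(SAMPLE_CONFIG, {"eth2"}).items():
        print(f"{iface}: accepts {', '.join(accepted)} from an untrusted DHCP server")
```
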