ISC DHCP incorrect UDP checksum generation
Closed, ResolvedPublicBUG
Actions

Assigned To

Authored By

	rps
	Jan 2 2018, 12:50 PM

Description

Debian Bug 353161 (reported fixed in isc-dhcp 4.3.2-1) May 2015

Current package vyatta-dhcp3-relay 4.1.8+vyos1+helium2 (DHCPd also affected)

Produces the following log messages (level info):

Jan 2 12:28:45 10.10.64.3 dhcrelay: 4 bad udp checksums in 6 packets
Jan 2 12:28:51 10.10.64.3 dhcrelay: 4 bad udp checksums in 5 packets
Jan 2 12:28:53 10.10.64.3 dhcrelay: 4 bad udp checksums in 5 packets
Jan 2 12:28:55 10.10.64.3 dhcrelay: 4 bad udp checksums in 6 packets
Jan 2 12:28:56 10.10.64.3 dhcrelay: 4 bad udp checksums in 5 packets
Jan 2 12:28:58 10.10.64.3 dhcrelay: 4 bad udp checksums in 5 packets
Jan 2 12:29:03 10.10.64.3 dhcrelay: 4 bad udp checksums in 6 packets
Jan 2 12:29:03 10.10.64.3 dhcrelay: 4 bad udp checksums in 5 packets
Jan 2 12:29:10 10.10.64.3 dhcrelay: 4 bad udp checksums in 5 packets
Jan 2 12:29:21 10.10.64.3 dhcrelay: 4 bad udp checksums in 6 packets

Not sure how difficult building a post- 4.3.2-1 package will be on Squeeze.

Details

Difficulty level: Hard (possibly days)
Version: 1.1.8
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

rps created this task.Jan 2 2018, 12:50 PM

syncer triaged this task as Normal priority.Jan 6 2018, 11:13 PM

syncer edited projects, added VyOS 1.1.x (1.1.9), VyOS 1.2 Crux (VyOS 1.2.0-rc1); removed VyOS 1.1.x (1.1.8).

syncer added a project: vyatta-dhcp3.Jan 6 2018, 11:16 PM

Is it reproducible in latest 1.2.0?

1.2 rolling has ISC dhcrelay 4.3.1 from the Debian isc-dhcp-relay 4.3.1-6+deb8u3 package.

The upstream fixes for handling DHCP on 802.1q interfaces and correct UDP checksum generation were only introduced in ISC 4.3.2-1, and looking at Debian maintainer patches that are part of this package I see no reference to a checksum fix so my guess is that it's still an issue.

I will try to do a test ...

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc2); removed VyOS 1.2 Crux (VyOS 1.2.0-rc1).Oct 9 2018, 6:42 AM

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc3); removed VyOS 1.2 Crux (VyOS 1.2.0-rc2), VyOS 1.1.x (1.1.9).Oct 13 2018, 9:22 AM

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc4); removed VyOS 1.2 Crux (VyOS 1.2.0-rc3).Oct 15 2018, 10:15 PM

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc5); removed VyOS 1.2 Crux (VyOS 1.2.0-rc4).Oct 24 2018, 4:39 PM

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc6); removed VyOS 1.2 Crux (VyOS 1.2.0-rc5).Oct 29 2018, 6:16 PM

pasik added a subscriber: pasik.Nov 4 2018, 11:24 AM

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc7); removed VyOS 1.2 Crux (VyOS 1.2.0-rc6).Nov 6 2018, 12:57 AM

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc8); removed VyOS 1.2 Crux (VyOS 1.2.0-rc7).Nov 13 2018, 3:48 AM

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc9); removed VyOS 1.2 Crux (VyOS 1.2.0-rc8).Nov 20 2018, 12:44 PM

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc10); removed VyOS 1.2 Crux (VyOS 1.2.0-rc9).Nov 27 2018, 12:03 AM

syncer edited projects, added VyOS 1.2 Crux ( VyOS 1.2.0-rc11); removed VyOS 1.2 Crux (VyOS 1.2.0-rc10).Dec 5 2018, 11:58 PM

syncer edited projects, added VyOS 1.2 Crux ( VyOS 1.2.0-EPA); removed VyOS 1.2 Crux ( VyOS 1.2.0-rc11).Dec 21 2018, 10:07 AM

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-EPA2); removed VyOS 1.2 Crux ( VyOS 1.2.0-EPA).Jan 1 2019, 6:10 PM

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-EPA3); removed VyOS 1.2 Crux (VyOS 1.2.0-EPA2).Jan 3 2019, 1:54 PM

syncer changed the task status from Open to Needs testing.Feb 7 2019, 11:58 PM

syncer assigned this task to rps.

syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux (VyOS 1.2.0-EPA3).

I can confirm this is still a problem in current rolling versions.

I'm currently researching a workaround - It does look like using iptables to recalculate the checksum for incoming DHCP packets may be the way to resolve this until 1.3 comes out.

I'm seeing this in Vyos 1.2.5 just released:

Apr 15 14:00:46 ferrari dhcpd[6148]: 59 bad udp checksums in 117 packets
Apr 15 14:01:44 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:03:14 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:04:06 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:04:56 ferrari dhcpd[6148]: 4 bad udp checksums in 5 packets
Apr 15 14:06:25 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:07:34 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:08:53 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:09:51 ferrari dhcpd[6148]: 4 bad udp checksums in 5 packets
Apr 15 14:11:15 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:12:34 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:13:20 ferrari dhcpd[6148]: 4 bad udp checksums in 5 packets
Apr 15 14:14:33 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:15:46 ferrari dhcpd[6148]: 4 bad udp checksums in 5 packets
Apr 15 14:17:07 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:18:15 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:19:37 ferrari dhcpd[6148]: 5 bad udp checksums in 6 packets
Apr 15 14:20:35 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:21:51 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:23:02 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:24:07 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:25:05 ferrari dhcpd[6148]: 4 bad udp checksums in 5 packets
Apr 15 14:26:25 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:27:38 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:28:48 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:29:48 ferrari dhcpd[6148]: 5 bad udp checksums in 6 packets

@jdevincentis Are you able to provide more details about the iptables fix you mention?

My first thought would be something wrong with offloading on the NIC -
there was a change recently that turns all the offloading settings on by
default, you can disable some in the ethernet config. My suggestion to
leave the default disabled and enable it on demand wasn't taken into
account.

Apr 15, 2020 4:32:28 AM tjh (Tim Harman) <[email protected]>:

tjh added a comment.

I'm seeing this in Vyos 1.2.5 just released:

Apr 15 14:00:46 ferrari dhcpd[6148]: 59 bad udp checksums in 117

packets

Apr 15 14:01:44 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:03:14 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:04:06 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:04:56 ferrari dhcpd[6148]: 4 bad udp checksums in 5 packets
Apr 15 14:06:25 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:07:34 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:08:53 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:09:51 ferrari dhcpd[6148]: 4 bad udp checksums in 5 packets
Apr 15 14:11:15 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:12:34 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:13:20 ferrari dhcpd[6148]: 4 bad udp checksums in 5 packets
Apr 15 14:14:33 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:15:46 ferrari dhcpd[6148]: 4 bad udp checksums in 5 packets
Apr 15 14:17:07 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:18:15 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:19:37 ferrari dhcpd[6148]: 5 bad udp checksums in 6 packets
Apr 15 14:20:35 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:21:51 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:23:02 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:24:07 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:25:05 ferrari dhcpd[6148]: 4 bad udp checksums in 5 packets
Apr 15 14:26:25 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:27:38 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:28:48 ferrari dhcpd[6148]: 5 bad udp checksums in 5 packets
Apr 15 14:29:48 ferrari dhcpd[6148]: 5 bad udp checksums in 6 packets

@jdevincentis Are you able to provide more details about the iptables

fix you mention?

TASK DETAIL
https://phabricator.vyos.net/T508

EMAIL PREFERENCES
https://phabricator.vyos.net/settings/panel/emailpreferences/

To: rps, tjh
Cc: tjh, jdevincentis, pasik, dmbaturin, Active contributors,

Maintainers, rps, teadur, jack9603301, hard, pa4ka, jestabro, Alfa80,
dongjunbo, hexes

As noted earlier in the ticket, this is a problem with the version of ISC DHCPD that VyOS 1.2.x is shipping. It's a very old version.

In T508#20039, @rps wrote:

1.2 rolling has ISC dhcrelay 4.3.1 from the Debian isc-dhcp-relay 4.3.1-6+deb8u3 package.

The upstream fixes for handling DHCP on 802.1q interfaces and correct UDP checksum generation were only introduced in ISC 4.3.2-1, and looking at Debian maintainer patches that are part of this package I see no reference to a checksum fix so my guess is that it's still an issue.

I will try to do a test ...

Ah, I missed that it's for 1.2, 1.3 has a newer isc-dhcp.

dmbaturin added a project: test.Jul 29 2021, 1:00 PM

dmbaturin set Is it a breaking change? to Unspecified (possibly destroys the router).

Not more actual for 1.3, as it used isc-dhcp-client/isc-dhcp-relay/isc-dhcp-server 4.4.1-2
I can't find in logs something like bad udp checksums

I close it.
Re-open if necessary.

dmbaturin set Issue type to Bug (incorrect behavior).Sep 3 2021, 7:31 AM

dmbaturin edited projects, added VyOS 1.3 Equuleus (1.3.0-epa1); removed test, VyOS 1.3 Equuleus.Sep 10 2021, 6:06 AM

ISC DHCP incorrect UDP checksum generationClosed, ResolvedPublicBUGActions

Description

Details

Event Timeline

ISC DHCP incorrect UDP checksum generation
Closed, ResolvedPublicBUG
Actions