Every device that wants to communicate on a network requires an IP address, subnet mask, default gateway and DNS server details. There are two methods to configure an IP address information on a Host:
- Statically (manually), this is typically reserved for mission critical servers and network devices (routers and switches).
- Dynamically, this is typically used for hosts that do not care if their IP changes periodically.
Dynamic Host Configuration Protocol (DHCP) is a client/server network protocol that will automatically lease a Host on the network with the required IP address information, such as IP address, subnet mask, DNS servers and default gateway, so that it can communicate on the network.
DHCP is an improvement on the older Bootstrap Protocol (Bootp) defined in RFC 951. DHCP has many similarities to Bootp and uses many of the same message formats and options. DHCP was first defined as an Internet standards track protocol in RFC 1531 in October 1993, but is now defined in RFC 2131 which was ratified in March 1997.
DHCP Packet structure
The image bellow describes the DHCP packet structure as defined in RFC 2131:
The following table describes each of the fields in the DHCP packet:
| FIELD | OCTETS | DESCRIPTION |
|---|---|---|
| op | 1 | Message op code / message type. 1 = BOOTREQUEST, 2 = BOOTREPLY |
| htype | 1 | Hardware address type. |
| hlen | 1 | Hardware address length (e.g. '6' for 10mb ethernet). |
| hops | 1 | Client sets to zero, optionally used by relay agents when booting via a relay agent. |
| xid | 4 | Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server. |
| secs | 2 | Filled in by client, seconds elapsed since client began address acquisition or renewal process. |
| flags | 2 | Flags |
| ciaddr | 4 | Client IP address; only filled in if client is in BOUND, RENEW or REBINDING state and can respond to ARP requests. |
| yiaddr | 4 | 'your' (client) IP address. |
| siaddr | 4 | IP address of next server to use in bootstrap; returned in DHCPOFFER, DHCPACK by server. |
| giaddr | 4 | Relay agent IP address, used in booting via a relay agent. |
| chaddr | 16 | Client hardware address. |
| sname | 64 | Optional server host name, null terminated string. |
| file | 128 | Boot file name, null terminated string; "generic" name or null in DHCPDISCOVER, fully qualified directory-path name in DHCPOFFER. |
| options | var | Optional parameters field. |
DHCP Options Field
The DHCP options field is described in RFC 2132 “DHCP Options and BOOTP Vendor Extensions”. The diagram bellow details the structure of the DHCP options field:
The magic cookie defines the beginning of the DHCP options section of the DHCP Packet. The magic cookie for DHCP was standardised to be 99.130.83.99, in Dotted Decimal Notation (or 63.82.53.63 in hex), in RFC 1048. Multiple options can be included in a single DHCP message.
All options begin with a Option Code Tag, this uniquely identifies the option. The next octet is the Option Length which defines how many octets of data are to follow. The value of the Option Length octet does not include the two octets that define the tag and the length.
The table bellow lists the most common DHCP option codes that you will see in use today:
| Option Code | Name | Data Length | Notes |
|---|---|---|---|
| 1 | Subnet Mask | 4 Bytes | Subnet mask value. |
| 3 | Router | N X 4 Bytes | Available routers, should be listed in order of preference |
| 6 | Domain Name Server | N X 4 Bytes | Available DNS servers, should be listed in order of preference |
| 12 | Hostname | Var | Hostname string. |
| 50 | Requested IP address | 4 Bytes | Requested IP Address |
| 51 | IP address Lease Time | 4 Bytes | IP Address Lease Time |
| 53 | DHCP Message Type | 1 Byte | Identifies the type of the DHCP message. |
| 55 | Parameter List | N | List of parameters the client is requesting. |
There are too many option codes to list in this post, but if you are interested IANA have listed all the option codes here
How does DHCP work?
As mentioned above, DHCP operates as a client/server model. This means that the host (the client) requiring IP address information must contact a server on the network requesting to lease the required IP address information.
The process that a client requests this information is typically referred to as D.O.R.A, based on the four types of packets that DHCP uses to request an IP address lease. The four packets are as follows:
- DHCP Discovery packet
- DHCP Offer packet
- DHCP Request packet
- DHCP Acknowledgement packet
Once the client Receives the DHCP Ack message from the server, it will begin using the parameters offered by the server. The client is now bound to the DHCP server, with the server keeping a record of the client and the IP address assigned to it from the pool.
It should be noted that the IP address is leased to the client, and once the lease expires the IP address is returned back to the pool, and the server is free to assign the IP to another client. The client will attempt to renew the lease once the lease time reaches half of the defined lease time value.
D.O.R.A explained
The D.O.R.A process works as follow:
Step 1: DHCP Discover
The client boots and as per it OS configuration it looks for a DHCP server to get an IP address from.It does this by sending a broadcast UDP DHCP Discovery packet onto the network.
Data Link Layer addressing:The 802.3 header will have a src MAC address of the client machine. In this case the client has a MAC address of c0:01:1b:69:00:00. The destination MAC address will be a broadcast address of FF:FF:FF:FF:FF:FF.
Network Layer Addressing:The source IP address will be 0.0.0.0 as no IP has been assigned yet. The destination IP address will be a broadcast IP of 255.255.255.255.
Transport Layer: The transport layer protocol will be UDP, and the source port number will be 68 while the destination port number will be 67.
DHCPDISCOVER message: Bellow is an example of a packet capture of a DHCPDISCOVER message:
The following table lists the DHCP packet fields and their equivalent values as seen in the packet capture above:
| DHCP Packet Field | Packet Capture Description | Value |
|---|---|---|
| op | Message Type | 1 Boot Request |
| htype | Hardware Type | 0x01 Ethernet |
| hlen | Hardware Address Length | 6 |
| hops | Hops | 0 |
| xid | Transaction ID | 0x00001aed |
| secs | Seconds elapsed | 0 |
| flags | Bootp flags | 0x8000 (Broadcast) |
| ciaddr | Client IP address | 0.0.0.0 (0.0.0.0) |
| yiaddr | Your (client) IP address | 0.0.0.0 (0.0.0.0) |
| siaddr | Next server IP address | 0.0.0.0 (0.0.0.0) |
| giaddr | Relay agent IP address | 0.0.0.0 (0.0.0.0) |
| chaddr | Client MAC address | c0:01:1b:69:00:00 |
| sname | Server host name | not given |
| file | Boot file name | not given |
DHCP OPTIONS: The image bellow shows a break down of the DHCP Options used in the DHCP Discover packet:
As you can see the DHCP Options are listed after the magic cookie with a value of 99.130.83.99 (DHCP). The options in the DHCP discover message are listed in the table bellow:
| Option Code | Name | Data Length (Bytes) | Description | Value |
|---|---|---|---|---|
| 53 | DHCP Message Type | 1 | Defines the DHCP message type. | 2 DHCP DIscover |
| 57 | DHCP Max Message Size | 2 | Defines the Maximum size of the DHCP message. | 1152 |
| 61 | Client ID | 27 | Client Identifier | N/A |
| 12 | Hostname | 2 | Clients hostname. | R1 |
| 55 | Parameter Request List | 8 Bytes | List of all parameters the client is requesting from the DHCP server. | Various Option Codes |
| 255 | End | 0 Bytes | Indicates the end of the DHCP Options. | N/A |
Step 2: DHCP Offer
The server receives the broadcast on UDP port 68 and processes it because it is configured as a DHCP server. The server then sends a UDP DHCP Offer packet back to the client.
Data Link Layer addressing:The 802.3 header will have a SRC MAC address of the Server. In this case the Server has a MAC address of 08:00:27:9b:11:3d. The destination MAC address will be a broadcast address of FF:FF:FF:FF:FF:FF.
Network Layer Addressing:The source IP address will be the IP address of the server that is responding to the DHCP discover message, in this case it is 192.168.56.100. The destination IP address will be a broadcast IP of 255.255.255.255.
Transport Layer: The transport layer protocol will be UDP, and the source port number will be 67 while the destination port number will be 68.
DHCPOFFER message: Bellow is an example of a packet capture of a DHCPOFFER message:
The following table lists the DHCP packet fields and their equivalent values as seen in the packet capture above:
| DHCP Packet Field | Packet Capture Description | Value |
|---|---|---|
| op | Message Type | 2 Boot Reply |
| htype | Hardware Type | 0x01 Ethernet |
| hlen | Hardware Address Length | 6 |
| hops | Hops | 0 |
| xid | Transaction ID | 0x00001aed |
| secs | Seconds elapsed | 0 |
| flags | Bootp flags | 0x8000 (Broadcast) |
| ciaddr | Client IP address | 0.0.0.0 |
| yiaddr | Your (client) IP address | 192.168.56.104 |
| siaddr | Next server IP address | 192.168.56.100 |
| giaddr | Relay agent IP address | 0.0.0.0 |
| chaddr | Client MAC address | c0:01:1b:69:00:00 |
| sname | Server host name | not given |
| file | Boot file name | not given |
Note that the Message type has changed from a type 1 Boot Request to a type 2 Boot reply message. The yiaddr now shows 192.168.56.104, this is the the IP that the server is offering to the client for use on the network. Also the siaddr value now identifies the IP of the DHCP server 192.168.56.100.
DHCP OPTIONS: The image bellow shows a break down of the DHCP Options used in the DHCP Offer packet:
The table bellow describes the content of the DHCP options of the DHCP Offer message:
| Option Code | Name | Data Length (Bytes) | Description | Value |
|---|---|---|---|---|
| 53 | DHCP Message Type | 1 | Defines the DHCP message type. | 2 DHCP Offer |
| 54 | DHCP Server Id | 4 | DHCP Server Identification | 192.168.56.100 |
| 51 | Address Time | 4 | Lease time for the offered address | 600 seconds |
| 1 | Subnet Mask | 4 | Subnet mask of IP being offered. | 255.255.255.0 |
| 6 | DNS Server | 4 | DNS server being offered | 8.4.4.4 |
| 15 | Domain Name | 18 | Domain being offered. | routingloops.co.uk |
| 3 | Router | 4 | Default routers IP. | 192.168.56.1 |
| 255 | End | 0 | End of DHCP options | N/A |
Step 3: DHCP Request
The client receives the DHCP offer and responds by sending a DHCP Request packet.
Data Link Layer addressing:The 802.3 header will have a SRC MAC address of the Client. In this case the Client has a MAC address of c0:01:1b:69:00:00. The destination MAC address will be a broadcast address of FF:FF:FF:FF:FF:FF.
Network Layer Addressing:The source IP address will still be 0.0.0.0 and the destination IP address will be a broadcast IP of 255.255.255.255, a broadcast address is used as there may have been multiple DHCP servers that sent DHCP Offer messages to the client.
Transport Layer: The transport layer protocol will be UDP, and the source port number will be 68 while the destination port number will be 67.
DHCPREQUEST message: Bellow is an example of a packet capture of a DHCPREQUEST message:
The table bellow lists the values in the DHCP Request message:
| DHCP Packet Field | Packet Capture Description | Value |
|---|---|---|
| op | Message Type | 1 Boot Request |
| htype | Hardware Type | 0x01 Ethernet |
| hlen | Hardware Address Length | 6 |
| hops | Hops | 0 |
| xid | Transaction ID | 0x00001aed |
| secs | Seconds elapsed | 0 |
| flags | Bootp flags | 0x8000 (Broadcast) |
| ciaddr | Client IP address | 0.0.0.0 (0.0.0.0) |
| yiaddr | Your (client) IP address | 0.0.0.0 (0.0.0.0) |
| siaddr | Next server IP address | 0.0.0.0 (0.0.0.0) |
| giaddr | Relay agent IP address | 0.0.0.0 (0.0.0.0) |
| chaddr | Client MAC address | c0:01:1b:69:00:00 |
| sname | Server host name | not given |
| file | Boot file name | not given |
As you can see the values are pretty similar to the value in the DCHP Discover message. The main differences come in the DHCP Options fields.
DHCP OPTIONS: The image bellow shows a break down of the DHCP Options used in the DHCP Offer packet:
The table describes the DHCP Options in the DHCP Request message:
| Option Code | Name | Data Length (Bytes) | Description | Value |
|---|---|---|---|---|
| 53 | DHCP Message Type | 1 | Defines the DHCP message type. | 3 DHCP Request |
| 57 | DHCP Max Message Size | 2 | Defines the Maximum size of the DHCP message. | 1152 |
| 61 | Client ID | 27 | Client Identifier | N/A |
| 54 | DHCP Server ID | 4 | DHCP Server Identifier | 192.168.56.100 |
| 50 | Requested IP | 4 | The IP address that was offered in the DHCP Offer message. | 192.168.56.104 |
| 51 | Address Time | 4 | DHCP Lease time | 600 seconds |
| 12 | Hostname | 2 | Hostname of the client. | R1 |
| 55 | Parameter Request List | 8 | List of the parameters that the client is requesting. | Various DHCP option codes. |
| End | End | 0 | End of the DHCP Options. | N/A |
Take note of the Server ID and Requested IP fields. The Server ID shows as 192.168.56.100, which is the IP of our test server. In an implementation where there are multiple DHCP servers on the network, the Server ID indicates the server that the client is choosing to accept the DHCP offer from. All messages from the other servers on the network are implicitly declined. Also note that the Requested IP is the same IP (192.168.56.104) that 192.168.56.100 provided in the DHCP Offer message. The client also repeats the Parameter List that it is requesting from the server.
Step 4: DHCP Ack
The final stage of the process is when the server receives the DHCP request from the client. The server responds by sending a DHCP Acknowledgement packet back to the client.
Data Link Layer addressing: The 802.3 header will have a SRC MAC address of the Server. In this case the Server has a MAC address of 08:00:27:9b:11:3d. The DST MAC address will be a broadcast address of FF:FF:FF:FF:FF:FF.
Network Layer Addressing: The source IP address will be the IP address of the server that is responding to the DHCP offer message, in this case it is 192.168.56.100. The destination IP address will be a broadcast IP of 255.255.255.255.
Transport Layer: The transport layer protocol will be UDP, and the source port number will be 67 while the destination port number will be 68.
DHCPACK message: Bellow is an example of a packet capture of a DHCPACK message:
| DHCP Packet Field | Packet Capture Description | Value |
|---|---|---|
| op | Message Type | 2 Boot Reply |
| htype | Hardware Type | 0x01 Ethernet |
| hlen | Hardware Address Length | 6 |
| hops | Hops | 0 |
| xid | Transaction ID | 0x00001aed |
| secs | Seconds elapsed | 0 |
| flags | Bootp flags | 0x8000 (Broadcast) |
| ciaddr | Client IP address | 0.0.0.0 |
| yiaddr | Your (client) IP address | 192.168.56.104 |
| siaddr | Next server IP address | 192.168.56.100 |
| giaddr | Relay agent IP address | 0.0.0.0 |
| chaddr | Client MAC address | c0:01:1b:69:00:00 |
| sname | Server host name | not given |
| file | Boot file name | not given |
The values in the DHCP Ack messages are similar to the values in the DHCP Offer message. The difference comes in the DHCP Options.
DHCP OPTIONS: The image bellow shows a break down of the DHCP Options used in the DHCP Ack packet:
The table bellow describes the DHCP Option values in the DHCP Ack message:
| Option Code | Name | Data Length (Bytes) | Description | Value |
|---|---|---|---|---|
| 53 | DHCP Message Type | 1 | Defines the DHCP message type. | 5 DHCP Ack |
| 54 | DHCP Server Id | 4 | DHCP Server Identification | 192.168.56.100 |
| 51 | Address Time | 4 | Lease time for the offered address | 600 seconds |
| 1 | Subnet Mask | 4 | Subnet mask of IP being offered. | 255.255.255.0 |
| 6 | DNS Server | 4 | DNS server being offered | 8.4.4.4 |
| 15 | Domain Name | 18 | Domain being offered. | routingloops.co.uk |
| 3 | Router | 4 | Default routers IP. | 192.168.56.1 |
| 255 | End | 0 | End of DHCP options | N/A |
Once the client receives the DHCP Acknowledgement packet becomes bound to the DHCP serer and can start using the parameters offered by the server.
In the example above I used a cisco router so we can check the running config of the router to confirm the parameters have been correctly learned via DHCP:
First lets see what IP address has been learned on the Fastethernet interface of the router:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
R1#sh dhcp lease Temp IP addr: 192.168.56.104 for peer on Interface: FastEthernet0/0 Temp sub net mask: 255.255.255.0 DHCP Lease server: 192.168.56.100, state: 3 Bound DHCP transaction id: 1AED Lease: 600 secs, Renewal: 300 secs, Rebind: 525 secs Temp default-gateway addr: 192.168.56.1 Next timer fires after: 00:01:13 Retry count: 0 Client-ID: cisco-c001.1b69.0000-Fa0/0 Client-ID hex dump: 636973636F2D633030312E316236392E 303030302D4661302F30 Hostname: R1 R1#sh ip interface fast 0/0 FastEthernet0/0 is up, line protocol is up Internet address is 192.168.56.104/24 Broadcast address is 255.255.255.255 Address determined by DHCP MTU is 1500 bytes <snip> |
Now lets confirm the default gateway has been learned:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
R1#sh ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route Gateway of last resort is 192.168.56.1 to network 0.0.0.0 C 192.168.56.0/24 is directly connected, FastEthernet0/0 S* 0.0.0.0/0 [254/0] via 192.168.56.1 R1#sh run | in route R1# |
Next lets confirm the domain name and DNS servers:
|
1 2 3 4 5 6 7 8 9 |
R1#sh dhcp server DHCP server: ANY (255.255.255.255) Leases: 134 Offers: 1 Requests: 218 Acks : 134 Naks: 0 Declines: 0 Releases: 0 Query: 0 Bad: 0 DNS0: 8.4.4.4, DNS1: 0.0.0.0 Subnet: 255.255.255.0 DNS Domain: routingloops.co.uk R1# |
Lease Renewal
As mentioned earlier, the client will attempt to renew the lease once half of the lease time has expired. This is accomplished by using DHCPREQUEST and DHCPACK messages.
The process works as follows:
Step 1: As you can see from the output on the router, the lease is set to 300 seconds while the renewal is 150 seconds:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
R1#sh dhcp lease Temp IP addr: 192.168.56.104 for peer on Interface: FastEthernet0/0 Temp sub net mask: 255.255.255.0 DHCP Lease server: 192.168.56.100, state: 3 Bound DHCP transaction id: 16C3 Lease: 300 secs, Renewal: 150 secs, Rebind: 262 secs Temp default-gateway addr: 192.168.56.1 Next timer fires after: 00:01:34 Retry count: 0 Client-ID: cisco-c001.1b69.0000-Fa0/0 Client-ID hex dump: 636973636F2D633030312E316236392E 303030302D4661302F30 Hostname: R1 R1# |
When half of the lease has elapsed, the client will send a directed unicast DHCP Request message to the DHCP server that the client obtained the lease from.
Bellow is an example of a DHCP Request packet sent by the client to renew its lease:
As you can see from the above, the DHCP Request message is now being sent using the SRC IP of the Client and the DST IP of the server.
The image bellow is a break down of the DHCP Request message for renewal of the lease:
The DHCP Request message for lease renewal is exactly yhe same as that sent during the D.O.R.A process. The diffrence is that on a layer 2 and 3 level the client now uses unicast addresses rather than broadcast addresses.
Step 2: The server will renew the lease for the client and send back a directed unicast DHCP Ack message:
Again the packet is the same as the DHCP Ack message sent during the D.O.R.A process, the difference being that unicast addresses are used instead of broadcast addresses.
DHCP Release Message
The DHCP release message is used by the client to inform the server that its no longer going to be using the IP address assigned. This happens when a PC is shut down, or in the case of our example when the router is either shut down or the interface is shut down.
The DHCP Release message is sent by the client as a directed unicast packet to the server. Upon receipt of the DHCP Release message the server will return the IP address back to the pool of available IP’s. The image bellow gives a break down of the DHCP Release message and its ossociated DHCP Options:
References:
https://www.ietf.org/rfc/rfc2131.txt
https://www.ietf.org/rfc/rfc2132.txt
http://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml
http://www.thegeekstuff.com/2013/03/dhcp-basics/
Great article Jonathan. Very helpful! Will check more of your articles.
Great read. Thank you for writing that up.