Fundamentals: DHCP

Every device that wants to communicate on a network requires an IP address, subnet mask, default gateway and DNS server details. There are two methods of configuring IP address information on a host:

  1. Statically (manually), this is typically reserved for mission critical servers and network devices (routers and switches).
  2. Dynamically, this is typically used for hosts that do not care if their IP changes periodically.

Dynamic Host Configuration Protocol (DHCP) is a client/server network protocol that automatically leases a host on the network the IP address information it requires, such as IP address, subnet mask, DNS servers and default gateway, so that it can communicate on the network.

DHCP is an improvement on the older Bootstrap Protocol (Bootp) defined in RFC 951. DHCP has many similarities to Bootp and uses many of the same message formats and options. DHCP was first defined as an Internet standards track protocol in RFC 1531 in October 1993, but is now defined in RFC 2131 which was ratified in March 1997.

DHCP Packet structure

The image below describes the DHCP packet structure as defined in RFC 2131:

[Image: dhcp_packet]

The following table describes each of the fields in the DHCP packet:

| FIELD | OCTETS | DESCRIPTION |
|---|---|---|
| op | 1 | Message op code / message type. 1 = BOOTREQUEST, 2 = BOOTREPLY |
| htype | 1 | Hardware address type. |
| hlen | 1 | Hardware address length (e.g. '6' for 10mb ethernet). |
| hops | 1 | Client sets to zero, optionally used by relay agents when booting via a relay agent. |
| xid | 4 | Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server. |
| secs | 2 | Filled in by client, seconds elapsed since client began address acquisition or renewal process. |
| flags | 2 | Flags |
| ciaddr | 4 | Client IP address; only filled in if client is in BOUND, RENEW or REBINDING state and can respond to ARP requests. |
| yiaddr | 4 | 'your' (client) IP address. |
| siaddr | 4 | IP address of next server to use in bootstrap; returned in DHCPOFFER, DHCPACK by server. |
| giaddr | 4 | Relay agent IP address, used in booting via a relay agent. |
| chaddr | 16 | Client hardware address. |
| sname | 64 | Optional server host name, null terminated string. |
| file | 128 | Boot file name, null terminated string; "generic" name or null in DHCPDISCOVER, fully qualified directory-path name in DHCPOFFER. |
| options | var | Optional parameters field. |

DHCP Options Field

The DHCP options field is described in RFC 2132 “DHCP Options and BOOTP Vendor Extensions”. The diagram below details the structure of the DHCP options field:

The magic cookie defines the beginning of the DHCP options section of the DHCP packet. The magic cookie for DHCP was standardised to be 99.130.83.99 in dotted decimal notation (or 63.82.53.63 in hex) in RFC 1048. Multiple options can be included in a single DHCP message.

[Image: dhcp options]

All options begin with an Option Code Tag, which uniquely identifies the option. The next octet is the Option Length, which defines how many octets of data are to follow. The value of the Option Length octet does not include the two octets that define the tag and the length.

The table below lists the most common DHCP option codes that you will see in use today:

| Option Code | Name | Data Length | Notes |
|---|---|---|---|
| 1 | Subnet Mask | 4 Bytes | Subnet mask value. |
| 3 | Router | N x 4 Bytes | Available routers, should be listed in order of preference |
| 6 | Domain Name Server | N x 4 Bytes | Available DNS servers, should be listed in order of preference |
| 12 | Hostname | Var | Hostname string. |
| 50 | Requested IP address | 4 Bytes | Requested IP Address |
| 51 | IP address Lease Time | 4 Bytes | IP Address Lease Time |
| 53 | DHCP Message Type | 1 Byte | Identifies the type of the DHCP message. |
| 55 | Parameter List | N | List of parameters the client is requesting. |

There are too many option codes to list in this post, but if you are interested, IANA maintains a list of all the option codes (see the References at the end of this post).
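The fixed header and the tag/length/value options described above can be decoded with a short parser that refuses option lengths running past the end of the packet. This is an added Python example, not code from the original post; the function names are assumptions, and the sample is constructed from the header values of the Discover capture shown later on this page, with option 53 set to 1 (DHCPDISCOVER in RFC 2132).

```python
import ipaddress
import struct

MAGIC_COOKIE = bytes([99, 130, 83, 99])      # 99.130.83.99 = 0x63825363
FIXED_LEN = 236                              # op through file, per the field table
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def parse_options(data: bytes) -> dict:
    """Walk the tag/length/value list that follows the magic cookie."""
    opts, i = {}, 0
    while i < len(data):
        tag = data[i]
        if tag == 255:                       # End option: stop here
            return opts
        if tag == 0:                         # Pad option: one octet, no length
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"option {tag}: length octet missing")
        length = data[i + 1]                 # counts data octets only
        value = data[i + 2:i + 2 + length]
        if len(value) != length:             # a length that runs past the packet
            raise ValueError(f"option {tag}: length {length} overruns packet")
        opts[tag] = value
        i += 2 + length
    raise ValueError("options not terminated by End (255)")

def parse_dhcp(payload: bytes) -> dict:
    """Decode the UDP payload of a DHCP message into header fields and options."""
    if len(payload) < FIXED_LEN + len(MAGIC_COOKIE):
        raise ValueError("shorter than fixed header plus magic cookie")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack_from("!BBBBIHH", payload)
    if hlen > 16:
        raise ValueError("hlen larger than the 16-octet chaddr field")
    if payload[FIXED_LEN:FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("magic cookie 99.130.83.99 not found")
    addrs = {name: str(ipaddress.IPv4Address(payload[off:off + 4]))
             for name, off in (("ciaddr", 12), ("yiaddr", 16), ("siaddr", 20), ("giaddr", 24))}
    return {"op": op, "htype": htype, "hops": hops, "xid": xid, "secs": secs,
            "flags": flags, **addrs, "chaddr": payload[28:28 + hlen].hex(":"),
            "options": parse_options(payload[FIXED_LEN + 4:])}

def message_type(msg: dict) -> str:
    value = msg["options"].get(53)           # option 53: DHCP Message Type
    return MSG_TYPES.get(value[0], "UNKNOWN") if value else "UNKNOWN"

def sample_discover() -> bytes:
    """Constructed sample built from the header values in this page's Discover capture."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x00001AED, 0, 0x8000) + bytes(16)
    hdr += bytes.fromhex("c0011b690000").ljust(16, b"\0") + bytes(64 + 128)
    opts = bytes([53, 1, 1, 57, 2]) + struct.pack("!H", 1152) + bytes([12, 2]) + b"R1"
    return hdr + MAGIC_COOKIE + opts + bytes([255])
```

Calling `parse_dhcp(sample_discover())` returns the header fields as a dict, with the raw option values keyed by option code.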

How does DHCP work?

As mentioned above, DHCP operates as a client/server model. This means that the host (the client) requiring IP address information must contact a server on the network requesting to lease the required IP address information.

The process by which a client requests this information is typically referred to as D.O.R.A, after the four types of packets that DHCP uses to request an IP address lease. The four packets are as follows:

  1. DHCP Discovery packet
  2. DHCP Offer packet
  3. DHCP Request packet
  4. DHCP Acknowledgement packet

Once the client receives the DHCP Ack message from the server, it will begin using the parameters offered by the server. The client is now bound to the DHCP server, with the server keeping a record of the client and the IP address assigned to it from the pool.

It should be noted that the IP address is leased to the client, and once the lease expires the IP address is returned back to the pool, and the server is free to assign the IP to another client. The client will attempt to renew the lease once the lease time reaches half of the defined lease time value.

D.O.R.A explained

The D.O.R.A process works as follows:

Step 1: DHCP Discover

The client boots and, as per its OS configuration, looks for a DHCP server to get an IP address from. It does this by sending a broadcast UDP DHCP Discovery packet onto the network.

Data Link Layer addressing: The 802.3 header will have a src MAC address of the client machine. In this case the client has a MAC address of c0:01:1b:69:00:00. The destination MAC address will be a broadcast address of FF:FF:FF:FF:FF:FF.

Network Layer Addressing: The source IP address will be 0.0.0.0 as no IP has been assigned yet. The destination IP address will be a broadcast IP of 255.255.255.255.

Transport Layer: The transport layer protocol will be UDP, and the source port number will be 68 while the destination port number will be 67.

DHCPDISCOVER message: Below is an example of a packet capture of a DHCPDISCOVER message:

The following table lists the DHCP packet fields and their equivalent values as seen in the packet capture above:

| DHCP Packet Field | Packet Capture Description | Value |
|---|---|---|
| op | Message Type | 1 Boot Request |
| htype | Hardware Type | 0x01 Ethernet |
| hlen | Hardware Address Length | 6 |
| hops | Hops | 0 |
| xid | Transaction ID | 0x00001aed |
| secs | Seconds elapsed | 0 |
| flags | Bootp flags | 0x8000 (Broadcast) |
| ciaddr | Client IP address | 0.0.0.0 (0.0.0.0) |
| yiaddr | Your (client) IP address | 0.0.0.0 (0.0.0.0) |
| siaddr | Next server IP address | 0.0.0.0 (0.0.0.0) |
| giaddr | Relay agent IP address | 0.0.0.0 (0.0.0.0) |
| chaddr | Client MAC address | c0:01:1b:69:00:00 |
| sname | Server host name | not given |
| file | Boot file name | not given |

DHCP OPTIONS: The image below shows a break down of the DHCP Options used in the DHCP Discover packet:

As you can see, the DHCP Options are listed after the magic cookie with a value of 99.130.83.99 (DHCP). The options in the DHCP Discover message are listed in the table below:

| Option Code | Name | Data Length (Bytes) | Description | Value |
|---|---|---|---|---|
| 53 | DHCP Message Type | 1 | Defines the DHCP message type. | 2 DHCP Discover |
| 57 | DHCP Max Message Size | 2 | Defines the maximum size of the DHCP message. | 1152 |
| 61 | Client ID | 27 | Client Identifier | N/A |
| 12 | Hostname | 2 | Client's hostname. | R1 |
| 55 | Parameter Request List | 8 | List of all parameters the client is requesting from the DHCP server. | Various Option Codes |
| 255 | End | 0 | Indicates the end of the DHCP Options. | N/A |

Step 2: DHCP Offer

The server receives the broadcast on UDP port 68 and processes it because it is configured as a DHCP server. The server then sends a UDP DHCP Offer packet back to the client.

Data Link Layer addressing: The 802.3 header will have a SRC MAC address of the Server. In this case the Server has a MAC address of 08:00:27:9b:11:3d. The destination MAC address will be a broadcast address of FF:FF:FF:FF:FF:FF.

Network Layer Addressing: The source IP address will be the IP address of the server that is responding to the DHCP discover message, in this case it is 192.168.56.100. The destination IP address will be a broadcast IP of 255.255.255.255.

Transport Layer: The transport layer protocol will be UDP, and the source port number will be 67 while the destination port number will be 68.

DHCPOFFER message: Below is an example of a packet capture of a DHCPOFFER message:

The following table lists the DHCP packet fields and their equivalent values as seen in the packet capture above:

| DHCP Packet Field | Packet Capture Description | Value |
|---|---|---|
| op | Message Type | 2 Boot Reply |
| htype | Hardware Type | 0x01 Ethernet |
| hlen | Hardware Address Length | 6 |
| hops | Hops | 0 |
| xid | Transaction ID | 0x00001aed |
| secs | Seconds elapsed | 0 |
| flags | Bootp flags | 0x8000 (Broadcast) |
| ciaddr | Client IP address | 0.0.0.0 |
| yiaddr | Your (client) IP address | 192.168.56.104 |
| siaddr | Next server IP address | 192.168.56.100 |
| giaddr | Relay agent IP address | 0.0.0.0 |
| chaddr | Client MAC address | c0:01:1b:69:00:00 |
| sname | Server host name | not given |
| file | Boot file name | not given |

Note that the Message type has changed from a type 1 Boot Request to a type 2 Boot Reply message. The yiaddr now shows 192.168.56.104; this is the IP that the server is offering to the client for use on the network. Also, the siaddr value now identifies the IP of the DHCP server, 192.168.56.100.

DHCP OPTIONS: The image below shows a break down of the DHCP Options used in the DHCP Offer packet:

The table below describes the content of the DHCP options of the DHCP Offer message:

| Option Code | Name | Data Length (Bytes) | Description | Value |
|---|---|---|---|---|
| 53 | DHCP Message Type | 1 | Defines the DHCP message type. | 2 DHCP Offer |
| 54 | DHCP Server Id | 4 | DHCP Server Identification | 192.168.56.100 |
| 51 | Address Time | 4 | Lease time for the offered address | 600 seconds |
| 1 | Subnet Mask | 4 | Subnet mask of IP being offered. | 255.255.255.0 |
| 6 | DNS Server | 4 | DNS server being offered | 8.4.4.4 |
| 15 | Domain Name | 18 | Domain being offered. | routingloops.co.uk |
| 3 | Router | 4 | Default router's IP. | 192.168.56.1 |
| 255 | End | 0 | End of DHCP options | N/A |

Step 3: DHCP Request

The client receives the DHCP offer and responds by sending a DHCP Request packet.

Data Link Layer addressing: The 802.3 header will have a SRC MAC address of the Client. In this case the Client has a MAC address of c0:01:1b:69:00:00. The destination MAC address will be a broadcast address of FF:FF:FF:FF:FF:FF.

Network Layer Addressing: The source IP address will still be 0.0.0.0 and the destination IP address will be a broadcast IP of 255.255.255.255. A broadcast address is used as there may have been multiple DHCP servers that sent DHCP Offer messages to the client.

Transport Layer: The transport layer protocol will be UDP, and the source port number will be 68 while the destination port number will be 67.

DHCPREQUEST message: Below is an example of a packet capture of a DHCPREQUEST message:

The table below lists the values in the DHCP Request message:

| DHCP Packet Field | Packet Capture Description | Value |
|---|---|---|
| op | Message Type | 1 Boot Request |
| htype | Hardware Type | 0x01 Ethernet |
| hlen | Hardware Address Length | 6 |
| hops | Hops | 0 |
| xid | Transaction ID | 0x00001aed |
| secs | Seconds elapsed | 0 |
| flags | Bootp flags | 0x8000 (Broadcast) |
| ciaddr | Client IP address | 0.0.0.0 (0.0.0.0) |
| yiaddr | Your (client) IP address | 0.0.0.0 (0.0.0.0) |
| siaddr | Next server IP address | 0.0.0.0 (0.0.0.0) |
| giaddr | Relay agent IP address | 0.0.0.0 (0.0.0.0) |
| chaddr | Client MAC address | c0:01:1b:69:00:00 |
| sname | Server host name | not given |
| file | Boot file name | not given |

As you can see, the values are pretty similar to the values in the DHCP Discover message. The main differences come in the DHCP Options fields.

DHCP OPTIONS: The image below shows a break down of the DHCP Options used in the DHCP Request packet:

The table describes the DHCP Options in the DHCP Request message:

| Option Code | Name | Data Length (Bytes) | Description | Value |
|---|---|---|---|---|
| 53 | DHCP Message Type | 1 | Defines the DHCP message type. | 3 DHCP Request |
| 57 | DHCP Max Message Size | 2 | Defines the maximum size of the DHCP message. | 1152 |
| 61 | Client ID | 27 | Client Identifier | N/A |
| 54 | DHCP Server ID | 4 | DHCP Server Identifier | 192.168.56.100 |
| 50 | Requested IP | 4 | The IP address that was offered in the DHCP Offer message. | 192.168.56.104 |
| 51 | Address Time | 4 | DHCP Lease time | 600 seconds |
| 12 | Hostname | 2 | Hostname of the client. | R1 |
| 55 | Parameter Request List | 8 | List of the parameters that the client is requesting. | Various DHCP option codes. |
| End | End | 0 | End of the DHCP Options. | N/A |

Take note of the Server ID and Requested IP fields. The Server ID shows as 192.168.56.100, which is the IP of our test server. In an implementation where there are multiple DHCP servers on the network, the Server ID indicates the server that the client is choosing to accept the DHCP offer from. All messages from the other servers on the network are implicitly declined. Also note that the Requested IP is the same IP (192.168.56.104) that 192.168.56.100 provided in the DHCP Offer message. The client also repeats the Parameter List that it is requesting from the server.
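One way to check the relationships just described (the same transaction ID throughout, the Server ID and Requested IP in the Request matching one Offer, and the Ack of Step 4 agreeing with the Request), as an added Python example that is not part of the original post. The function names, the set of expected servers and the second server at 192.168.56.200 are assumptions made for illustration; the messages are already-decoded dicts rather than raw packets.

```python
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5       # option 53 values (RFC 2132)

def check_dora(msgs, expected_servers):
    """Return findings for one client's exchange. Each message is a dict with
    type, xid, chaddr, yiaddr and opts ({option code: decoded value})."""
    findings = []
    first = msgs[0]
    for m in msgs[1:]:
        if (m["xid"], m["chaddr"]) != (first["xid"], first["chaddr"]):
            findings.append(f"message type {m['type']}: xid or chaddr changed")
    offers = {m["opts"].get(54): m for m in msgs if m["type"] == OFFER}
    for server in offers:
        if server not in expected_servers:
            findings.append(f"offer from unexpected server {server}")
    req = next((m for m in msgs if m["type"] == REQUEST), None)
    ack = next((m for m in msgs if m["type"] == ACK), None)
    if req is None:
        return findings
    chosen, wanted = req["opts"].get(54), req["opts"].get(50)
    if chosen not in offers:
        findings.append(f"request names server {chosen}, which sent no offer")
    elif wanted != offers[chosen]["yiaddr"]:
        findings.append("requested IP is not the address the chosen server offered")
    if chosen not in expected_servers:
        findings.append(f"client accepted unexpected server {chosen}")
    if ack and ack["opts"].get(54) != chosen:
        findings.append("ack came from a server the client did not choose")
    if ack and ack["yiaddr"] != wanted:
        findings.append("acked address differs from the requested IP")
    return findings

def make_msg(mtype, yiaddr, opts, xid=0x00001AED):
    """Build one already-decoded message for the constructed samples below."""
    return {"type": mtype, "xid": xid, "chaddr": "c0:01:1b:69:00:00",
            "yiaddr": yiaddr, "opts": opts}

SRV, LEASED = "192.168.56.100", "192.168.56.104"          # values from the page
OTHER, OTHER_IP = "192.168.56.200", "192.168.56.50"       # constructed second server

PAGE_EXCHANGE = [                       # the capture walked through on this page
    make_msg(DISCOVER, "0.0.0.0", {}),
    make_msg(OFFER, LEASED, {54: SRV}),
    make_msg(REQUEST, "0.0.0.0", {54: SRV, 50: LEASED}),
    make_msg(ACK, LEASED, {54: SRV}),
]
TWO_SERVER_EXCHANGE = [                 # constructed: a second server also answers
    make_msg(DISCOVER, "0.0.0.0", {}),
    make_msg(OFFER, LEASED, {54: SRV}),
    make_msg(OFFER, OTHER_IP, {54: OTHER}),
    make_msg(REQUEST, "0.0.0.0", {54: OTHER, 50: OTHER_IP}),
    make_msg(ACK, OTHER_IP, {54: OTHER}),
]
```

`check_dora(PAGE_EXCHANGE, {SRV})` returns an empty list, while the two-server sample yields one finding for the extra Offer and one for the client accepting it.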

Step 4: DHCP Ack

The final stage of the process is when the server receives the DHCP request from the client. The server responds by sending a DHCP Acknowledgement packet back to the client.

Data Link Layer addressing: The 802.3 header will have a SRC MAC address of the Server. In this case the Server has a MAC address of 08:00:27:9b:11:3d. The DST MAC address will be a broadcast address of FF:FF:FF:FF:FF:FF.

Network Layer Addressing: The source IP address will be the IP address of the server that is responding to the DHCP offer message, in this case it is 192.168.56.100. The destination IP address will be a broadcast IP of 255.255.255.255.

Transport Layer: The transport layer protocol will be UDP, and the source port number will be 67 while the destination port number will be 68.

DHCPACK message: Below is an example of a packet capture of a DHCPACK message:

| DHCP Packet Field | Packet Capture Description | Value |
|---|---|---|
| op | Message Type | 2 Boot Reply |
| htype | Hardware Type | 0x01 Ethernet |
| hlen | Hardware Address Length | 6 |
| hops | Hops | 0 |
| xid | Transaction ID | 0x00001aed |
| secs | Seconds elapsed | 0 |
| flags | Bootp flags | 0x8000 (Broadcast) |
| ciaddr | Client IP address | 0.0.0.0 |
| yiaddr | Your (client) IP address | 192.168.56.104 |
| siaddr | Next server IP address | 192.168.56.100 |
| giaddr | Relay agent IP address | 0.0.0.0 |
| chaddr | Client MAC address | c0:01:1b:69:00:00 |
| sname | Server host name | not given |
| file | Boot file name | not given |

The values in the DHCP Ack messages are similar to the values in the DHCP Offer message. The difference comes in the DHCP Options.

DHCP OPTIONS: The image below shows a break down of the DHCP Options used in the DHCP Ack packet:

The table below describes the DHCP Option values in the DHCP Ack message:

| Option Code | Name | Data Length (Bytes) | Description | Value |
|---|---|---|---|---|
| 53 | DHCP Message Type | 1 | Defines the DHCP message type. | 5 DHCP Ack |
| 54 | DHCP Server Id | 4 | DHCP Server Identification | 192.168.56.100 |
| 51 | Address Time | 4 | Lease time for the offered address | 600 seconds |
| 1 | Subnet Mask | 4 | Subnet mask of IP being offered. | 255.255.255.0 |
| 6 | DNS Server | 4 | DNS server being offered | 8.4.4.4 |
| 15 | Domain Name | 18 | Domain being offered. | routingloops.co.uk |
| 3 | Router | 4 | Default router's IP. | 192.168.56.1 |
| 255 | End | 0 | End of DHCP options | N/A |

Once the client receives the DHCP Acknowledgement packet, it becomes bound to the DHCP server and can start using the parameters offered by the server.

In the example above I used a Cisco router, so we can check the running config of the router to confirm the parameters have been correctly learned via DHCP:

First, let's see what IP address has been learned on the FastEthernet interface of the router:

Now let's confirm the default gateway has been learned:

Next, let's confirm the domain name and DNS servers:

Lease Renewal

As mentioned earlier, the client will attempt to renew the lease once half of the lease time has expired. This is accomplished by using DHCPREQUEST and DHCPACK messages.

The process works as follows:

Step 1: As you can see from the output on the router, the lease is set to 300 seconds while the renewal is 150 seconds:

When half of the lease has elapsed, the client will send a directed unicast DHCP Request message to the DHCP server that the client obtained the lease from.

Below is an example of a DHCP Request packet sent by the client to renew its lease:

As you can see from the above, the DHCP Request message is now being sent using the SRC IP of the Client and the DST IP of the server.

The image below is a break down of the DHCP Request message for renewal of the lease:

The DHCP Request message for lease renewal is exactly the same as that sent during the D.O.R.A process. The difference is that at layers 2 and 3 the client now uses unicast addresses rather than broadcast addresses.

Step 2:  The server will renew the lease for the client and send back a directed unicast DHCP Ack message:

Again the packet is the same as the DHCP Ack message sent during the D.O.R.A process, the difference being that unicast addresses are used instead of broadcast addresses.

DHCP Release Message

The DHCP Release message is used by the client to inform the server that it is no longer going to be using the IP address assigned. This happens when a PC is shut down, or in the case of our example when the router is either shut down or the interface is shut down.

The DHCP Release message is sent by the client as a directed unicast packet to the server. Upon receipt of the DHCP Release message the server will return the IP address back to the pool of available IPs. The image below gives a break down of the DHCP Release message and its associated DHCP Options:

References:
https://www.ietf.org/rfc/rfc2131.txt
https://www.ietf.org/rfc/rfc2132.txt
http://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml
http://www.thegeekstuff.com/2013/03/dhcp-basics/
