DHCP w/ FHRP and duplicate requests

Alan DeKok aland at deployingradius.com
Wed Mar 12 15:02:19 CET 2014

Phil Mayers wrote:
> I'm wondering if the radius "duplicate packet detection" code could be
> re-used here?

  Not really.  You'd need DHCP-specific duplicate detection.  In
addition, you want *two* responses sent, whereas for RADIUS, you
suppress one of the responses.

  Arran and I have talked about some re-designs of the server core which
would help this.  It's one more step to gradually pulling RADIUS out of
the core, and making the server protocol-agnostic.

> It seems like rlm_cache would probably run "too late"?

  Maybe.  But it would also mean you'd be subject to race conditions,
which is bad.

> Note that you do have to respond to both packets; if you don't, the one
> you do respond to might fail uRPF check because it might be routed by
> router A, but directed to router B, and will thus arrive at router B
> with an invalid source for the ingress interface.

  That's protocol-specific.

> ISC sort-of does the right thing here unless you've got ping-check
> enabled and it's an initial lease allocation *or* you've got delayed-ack
> enabled for fsync performance. In that case it drops the 2nd duplicate
> and you run into uRPF problems.

  The design Arran and I came up with means you should be able to do
this kind of thing without too much code.

  But it will be a while before it's done.

  Alan DeKok.

More information about the Freeradius-Devel mailing list