DHCP w/ FHRP and duplicate requests
Alan DeKok
aland at deployingradius.com
Wed Mar 12 15:02:19 CET 2014
Phil Mayers wrote:
> I'm wondering if the radius "duplicate packet detection" code could be
> re-used here?

Not really. You'd need DHCP-specific duplicate detection. In
addition, you want *two* responses sent, whereas for RADIUS, you
suppress one of the responses.

Arran and I have talked about some re-designs of the server core which
would help this. It's one more step to gradually pulling RADIUS out of
the core, and making the server protocol-agnostic.

> It seems like rlm_cache would probably run "too late"?

Maybe. But it would also mean you'd be subject to race conditions,
which is bad.

> Note that you do have to respond to both packets; if you don't, the one
> you do respond to might fail uRPF check because it might be routed by
> router A, but directed to router B, and will thus arrive at router B
> with an invalid source for the ingress interface.

That's protocol-specific.

> ISC sort-of does the right thing here unless you've got ping-check
> enabled and it's an initial lease allocation *or* you've got delayed-ack
> enabled for fsync performance. In that case it drops the 2nd duplicate
> and you run into uRPF problems.

The design Arran and I came up with means you should be able to do
this kind of thing without too much code.

But it will be a while before it's done.

Alan DeKok.
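
The behaviour discussed in this message (detect the duplicate, make the lease decision once, still answer both copies) as an added sketch; it is not part of the original message, not FreeRADIUS code, and not the design Alan and Arran refer to. The class name, the `allocate` callback, the 5-second window and all addresses are assumptions made for illustration.

```python
import threading
import time

DUP_WINDOW = 5.0  # seconds; constructed value, not taken from the thread


class DhcpDupCache:
    """One allocation decision per client transaction, one reply per copy."""

    def __init__(self, allocate, now=time.monotonic):
        self._allocate = allocate      # hypothetical lease-allocation callback
        self._now = now
        self._lock = threading.Lock()  # lookup-or-allocate must be atomic
        self._entries = {}             # key -> (lease_ip, created_at)

    def handle(self, xid, chaddr, msg_type, giaddr):
        """Return (lease_ip, reply_to, is_duplicate) for every copy received."""
        key = (xid, chaddr, msg_type)  # giaddr is deliberately NOT in the key
        with self._lock:
            t = self._now()
            entry = self._entries.get(key)
            duplicate = entry is not None and t - entry[1] <= DUP_WINDOW
            if not duplicate:
                # First copy of this transaction: run allocation exactly once.
                entry = (self._allocate(chaddr), t)
                self._entries[key] = entry
        # Unlike RADIUS duplicate suppression, the duplicate is answered too,
        # addressed to the relay (giaddr) that forwarded that copy.
        return entry[0], giaddr, duplicate


def demo():
    """Constructed input: one DISCOVER forwarded by both routers of an FHRP pair."""
    allocations = []

    def allocate(chaddr):
        allocations.append(chaddr)
        return "192.0.2.%d" % (10 + len(allocations))

    cache = DhcpDupCache(allocate)
    discover = dict(xid=0x3903F326, chaddr="00:11:22:33:44:55", msg_type=1)
    replies = [cache.handle(giaddr=g, **discover)
               for g in ("10.0.0.2", "10.0.0.3")]   # relay A, relay B
    return replies, len(allocations)


if __name__ == "__main__":
    print(demo())
```

Holding the lock across lookup and allocation is what keeps two copies arriving on different worker threads from both allocating, the race mentioned above for a cache that runs later in processing.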