Computer NetworksOther Application Protocols

BOOTP: Bootstrap Protocol

LevelIntermediate

Duration50 mins

TopicOther Application Protocols

1 / 5

Bootstrap Protocol

The Network Configuration Revolution

In the early days of computer networking, configuring a new machine to join a network was a painstaking manual process. System administrators had to physically visit each machine, manually enter IP addresses, subnet masks, gateway addresses, and DNS server information. For networks with hundreds or thousands of machines, this was not just tedious—it was fundamentally unscalable.

The Bootstrap Protocol (BOOTP) emerged in 1985 as a revolutionary solution to this problem. Defined in RFC 951, BOOTP introduced the concept of automated network configuration—the ability for a machine with no pre-configured network settings to discover and obtain all the information it needed to become a functional network participant.

The implications were profound. For the first time, a computer could boot from the network itself, without local storage or pre-configured settings. This capability enabled diskless workstations, centralized system management, and laid the conceptual groundwork for the modern internet's plug-and-play networking.

Learning Objectives

By the end of this page, you will understand what BOOTP is, why it was created, how it fundamentally works, its message format and exchange process, the relay agent mechanism for multi-subnet deployment, and its lasting impact on network configuration paradigms.

The Pre-BOOTP Configuration Crisis

To appreciate BOOTP's significance, we must understand the network configuration landscape before its introduction.

The Manual Configuration Burden

In early TCP/IP networks, every host required manual configuration of at least four critical parameters:

IP Address — A unique 32-bit identifier within the network
Subnet Mask — Defining the boundary between network and host portions
Default Gateway — The router through which to reach non-local destinations
DNS Server(s) — For hostname-to-IP resolution

For a modest corporate network of 500 machines, this meant 2,000 individual configuration entries—each susceptible to typos, duplicates, and documentation lag. Network administrators maintained spreadsheets, walked between buildings with floppy disks, and dreaded the day when subnet reorganization would require touching every machine.

Manual Configuration Challenges
Challenge	Description	Impact
IP Conflicts	Two machines accidentally assigned the same IP	Both machines intermittently lose connectivity
Documentation Drift	Records don't match actual configurations	Troubleshooting becomes guesswork
Mobility Impossible	Laptop moved to new subnet requires reconfiguration	Users lack flexibility to relocate
Onboarding Delay	New machines wait hours or days for admin visit	Productivity loss, bottlenecked IT staff
Scale Ceiling	Network growth limited by configuration capacity	Organizational expansion constrained

The RARP Partial Solution

Before BOOTP, the Reverse Address Resolution Protocol (RARP) offered a primitive automated solution. RARP allowed a machine knowing only its hardware (MAC) address to discover its IP address by broadcasting a query.

However, RARP had severe limitations:

Link-layer dependency — RARP operated at Layer 2, meaning it couldn't cross routers. Each subnet required its own RARP server.
IP address only — RARP provided just the IP address, not the gateway, subnet mask, or DNS servers.
No boot image location — Diskless workstations still needed a separate mechanism to find their operating system images.
Fixed table updates — RARP servers required manual table updates for each new MAC address.

The networking community needed something more capable.

Historical Context

RARP (RFC 903, 1984) predates BOOTP by just one year, illustrating how rapidly the networking community recognized the limitations of pure Layer 2 solutions. BOOTP's innovation was moving the problem to UDP/IP—making it routable and extensible.

BOOTP Architecture and Design Philosophy

BOOTP was designed with specific architectural principles that addressed RARP's shortcomings while enabling future extensibility.

Core Design Principles

Transport Layer Operation — By using UDP over IP, BOOTP messages are routable. A single BOOTP server can serve multiple subnets via relay agents.
Fixed Message Size — BOOTP uses a fixed 300-byte message format, simplifying implementation and ensuring predictable behavior across all implementations.
Stateless Server Design — The BOOTP server maintains no memory of previous transactions. Each request is self-contained, with the MAC address serving as the client identifier.
Static Mapping Model — Unlike later DHCP, BOOTP maps MAC addresses to IP addresses statically. The administrator pre-configures all assignments; BOOTP merely distributes them.
Boot Image Support — BOOTP natively supports providing the filename and location of a boot image, enabling diskless workstations to bootstrap from the network.

BOOTP vs RARP Comparison

•Layer — BOOTP uses UDP/IP (Layer 4/3); RARP uses raw Ethernet frames (Layer 2)
•Routability — BOOTP messages cross routers via relay agents; RARP is subnet-confined
•Information Provided — BOOTP delivers IP, gateway, subnet mask, DNS, boot file; RARP delivers only IP
•Extensibility — BOOTP includes a vendor-specific field for future options; RARP has no extension mechanism
•Server Architecture — BOOTP servers can be centralized; RARP requires per-subnet servers

The Client-Server Model

BOOTP employs a straightforward client-server architecture:

BOOTP Client (bootpc) — The machine seeking configuration, typically a device during power-on with no network parameters configured. Listens on UDP port 68.
BOOTP Server (bootps) — The configuration authority maintaining MAC-to-configuration mappings. Listens on UDP port 67.
BOOTP Relay Agent — An optional intermediary (typically a router) that forwards BOOTP messages between subnets, enabling centralized server deployment.

The port numbers (67 and 68) were deliberately chosen below the privileged port threshold (1024), requiring server processes to run with elevated privileges—an early security consideration.

Converting Mermaid diagram...

BOOTP Message Format Deep Dive

The BOOTP message format is a masterpiece of protocol design for its era—balancing simplicity, efficiency, and extensibility within a fixed 300-byte structure. Understanding each field illuminates both BOOTP's capabilities and its constraints.

The 300-Byte Message Structure

BOOTP messages use a fixed 300-byte format, split into well-defined fields. Both requests and replies use identical structures, with different fields populated depending on message direction.

BOOTP Message Format Fields
Field	Bytes	Description
op	1	Operation code: 1 = BOOTREQUEST, 2 = BOOTREPLY
htype	1	Hardware address type (1 for Ethernet)
hlen	1	Hardware address length (6 for Ethernet MAC)
hops	1	Hop count, incremented by relay agents
xid	4	Transaction ID, random number for matching request/reply
secs	2	Seconds elapsed since client boot began
flags	2	Broadcast flag and reserved bits
ciaddr	4	Client IP address (if client already knows it)
yiaddr	4	'Your' IP address (assigned by server)
siaddr	4	Server IP address (for boot image retrieval)
giaddr	4	Gateway IP address (relay agent address)
chaddr	16	Client hardware address (MAC, padded)
sname	64	Optional server hostname
file	128	Boot filename (e.g., 'pxelinux.0')
vend	64	Vendor-specific area (later: DHCP options)

Field-by-Field Analysis

Operation Code (op) — The single byte distinguishing requests from replies. A client always sends op=1; a server always sends op=2. This simplicity means parsers can determine message direction immediately.

Hardware Address Fields (htype, hlen, chaddr) — These fields support various network hardware types. For Ethernet, htype=1 and hlen=6. The chaddr field holds the 6-byte MAC address, padded to 16 bytes for future hardware types with longer addresses.

Transaction ID (xid) — A 32-bit random number generated by the client and echoed by the server. This allows clients to match incoming replies to their outstanding requests, crucial when multiple transactions may be in flight.

Seconds Elapsed (secs) — Indicates how long the client has been trying to boot. Servers may use this field to prioritize long-waiting clients or to trigger backup server activation.

Address Fields (ciaddr, yiaddr, siaddr, giaddr) — These four IP address fields form the configuration payload:

ciaddr — Set by clients that already know their IP (renewal scenarios)
yiaddr — The IP address assigned to the client by the server
siaddr — Points to the server hosting the boot image (may differ from BOOTP server)
giaddr — Set by relay agents to indicate which subnet the client is on

The Boot Filename Field

The 128-byte 'file' field was designed for diskless workstation bootstrapping. The client would use TFTP to retrieve this file from the server indicated by 'siaddr'. This same mechanism powers modern PXE (Preboot Execution Environment) network booting, demonstrating BOOTP's enduring architectural influence.

bootp_message_structure.h
C
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
/* BOOTP Message Structure - RFC 951 */
struct bootp_message {
    uint8_t  op;           /* Operation: 1=REQUEST, 2=REPLY */
    uint8_t  htype;        /* Hardware type: 1=Ethernet */
    uint8_t  hlen;         /* Hardware address length: 6 for Ethernet */
    uint8_t  hops;         /* Hop count for relay agents */
    uint32_t xid;          /* Transaction ID - random, matched in reply */
    uint16_t secs;         /* Seconds since boot process started */
    uint16_t flags;        /* Bit 0: Broadcast flag */
    
    /* IP Address Fields */
    uint32_t ciaddr;       /* Client IP (known, or 0.0.0.0) */
    uint32_t yiaddr;       /* 'Your' assigned IP address */
    uint32_t siaddr;       /* Boot server IP address */
    uint32_t giaddr;       /* Gateway/relay agent IP address */
    
    /* Hardware Address - padded to 16 bytes */
    uint8_t  chaddr[16];   /* Client hardware (MAC) address */
    
    /* String Fields */
    char     sname[64];    /* Optional server hostname */
    char     file[128];    /* Boot filename */
    
    /* Vendor Extensions */
    uint8_t  vend[64];     /* Vendor-specific data */
};
/* Total size: 300 bytes fixed */

The BOOTP Exchange Process

BOOTP employs a simple two-message exchange: the client broadcasts a BOOTREQUEST, and the server sends back a BOOTREPLY. This simplicity reflects BOOTP's stateless design philosophy.

Phase 1: Client Broadcast (BOOTREQUEST)

When a BOOTP client boots:

Generate Transaction ID — The client creates a random 32-bit xid value to identify this configuration attempt.
Construct BOOTREQUEST — The client populates:
- op = 1 (request)
- htype = 1 (Ethernet)
- hlen = 6 (MAC length)
- xid = generated random value
- chaddr = client's MAC address
- All IP fields = 0.0.0.0 (unknown)
Broadcast Message — The client sends the UDP datagram to:
- Source IP: 0.0.0.0 (client has no IP yet)
- Destination IP: 255.255.255.255 (limited broadcast)
- Source Port: 68 (bootpc)
- Destination Port: 67 (bootps)

The 0.0.0.0 Source Address

Using 0.0.0.0 as a source address is normally illegal in IP networking. BOOTP defines a special exemption: hosts without configured IP addresses MAY use 0.0.0.0 as a source for bootstrap purposes. This exemption carries forward to DHCP and remains critical for network initialization today.

Phase 2: Server Response (BOOTREPLY)

When a BOOTP server receives a BOOTREQUEST:

MAC Address Lookup — The server searches its configuration database for an entry matching the chaddr field.
If Match Found — The server constructs a reply with:
- op = 2 (reply)
- xid = same as request (for matching)
- yiaddr = assigned IP address for this client
- siaddr = boot server address
- file = boot filename (if configured)
- vend = any vendor-specific options
Reply Delivery — Here's where BOOTP faces an interesting challenge. The client doesn't have an IP address yet, so how should the reply be addressed?

Reply Addressing Options:

Unicast to yiaddr — The server sends directly to the IP it's assigning. This requires the server to insert an ARP entry temporarily, or the client to accept packets before its IP is configured.
Broadcast — If the client set the broadcast flag, or the server cannot unicast, the reply goes to 255.255.255.255. All clients must examine the xid to determine ownership.
Hardware Unicast — Some implementations send to the client's MAC address directly at Layer 2, regardless of IP destination.

Converting Mermaid diagram...

Relay Agents: Crossing Subnet Boundaries

One of BOOTP's most important architectural innovations is the relay agent mechanism, which allows a single centralized BOOTP server to serve clients across multiple subnets. This was a direct solution to RARP's fundamental limitation of being non-routable.

The Problem: Broadcasts Don't Cross Routers

When a client broadcasts a BOOTREQUEST to 255.255.255.255, that broadcast is confined to the local subnet by design. Routers do not forward limited broadcasts. Without relay agents, every subnet would require its own BOOTP server—negating much of the protocol's administrative benefit.

The Solution: The BOOTP Relay Agent

A BOOTP relay agent (also called a BOOTP forwarder or helper) is a network device—typically a router—that:

Listens for BOOTP broadcasts on local interfaces
Forwards requests as unicast to configured BOOTP server(s)
Stamps the giaddr field with the relay agent's IP address on the client's subnet
Receives unicast replies from the server
Forwards replies to the client (broadcast or unicast, depending on flags)

Why giaddr Matters

•Subnet Identification — The giaddr tells the server which subnet the client is on, enabling proper IP pool selection
•Return Path — The server knows to send the reply to the relay agent's address, which then delivers it locally
•Multiple Pools — A single server can manage different address ranges for different subnets based on incoming giaddr values
•Hop Limiting — The hops field prevents infinite forwarding loops; relay agents increment it, and servers may reject high hop counts

Converting Mermaid diagram...

Relay Agent Configuration (Cisco Example)

On Cisco routers, BOOTP/DHCP relay is configured using the ip helper-address command on each client-facing interface:

router_relay_config.txt

Cisco IOS

! Configure interface facing client subnet
interface GigabitEthernet0/1
 description Client LAN - Subnet 192.168.1.0/24
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 10.0.0.10   ! BOOTP/DHCP server address
 
! For redundancy, specify backup server
interface GigabitEthernet0/1  
 ip helper-address 10.0.0.11   ! Secondary server
 
! Note: ip helper-address forwards multiple protocols by default:
! - BOOTP/DHCP (UDP ports 67, 68)
! - TFTP (UDP port 69)
! - DNS (UDP port 53)
! - Time (UDP port 37)
! - NetBIOS (UDP ports 137, 138)
! - TACACS (UDP port 49)

The Vendor Extensions Field

The 64-byte vendor-specific (vend) field was BOOTP's forward-looking provision for extensibility. This field became the seed from which DHCP's rich options framework grew.

Original Vendor Extensions (RFC 1048)

RFC 1048 defined the first structured format for the vend field, introducing the concept of BOOTP Vendor Extensions. The field begins with a 4-byte "magic cookie" (99.130.83.99 or 0x63825363) indicating that structured options follow.

Option Format:

[Tag: 1 byte][Length: 1 byte][Data: Length bytes]

This Tag-Length-Value (TLV) encoding remains the foundation for DHCP options today.

Original BOOTP Vendor Extensions (RFC 1048)
Tag	Name	Length	Description
0	Pad	0	Used for alignment, no data
1	Subnet Mask	4	Client's subnet mask
2	Time Offset	4	Offset from UTC in seconds
3	Gateways	4+	List of gateway IP addresses
4	Time Servers	4+	RFC 868 time servers
5	IEN-116 Name Servers	4+	Name servers (obsolete)
6	DNS Servers	4+	Domain Name System servers
7	Log Servers	4+	MIT-LCS UDP log servers
8	Cookie Servers	4+	Quote of the Day servers
9	LPR Servers	4+	Line Printer servers
255	End	0	Marks end of valid options

The Magic Cookie

The magic cookie (99.130.83.99) was chosen to be unlikely to appear by accident in unformatted vendor data. If the first four bytes of the vend field don't match this cookie, the field should be treated as vendor-proprietary data. This backward compatibility mechanism allowed gradual adoption of the extension format.

The 64-Byte Limitation

The 64-byte vend field size proved constraining as needs grew. Consider that just specifying three gateway addresses consumes 14 bytes (tag + length + 12 address bytes). Add a subnet mask (6 bytes), DNS servers (10 bytes for two), and you've exhausted most of the space.

Solutions to Space Constraints:

Option Overloading — RFC 1533 defined options 52 (overload) allowing the 'sname' and 'file' fields to carry additional options if not needed for their primary purpose.
Long Message Extension — Some implementations allowed messages longer than 300 bytes, though this risked interoperability issues.
DHCP — The eventual solution was DHCP, which expanded options to 312 bytes minimum and defined mechanisms for larger options.

The vendor extensions mechanism demonstrated both BOOTP's architectural foresight and its practical limitations, directly motivating DHCP's development.

BOOTP Server Implementation

Implementing a BOOTP server requires careful consideration of database design, message processing, and error handling. While modern networks use DHCP, understanding BOOTP server operation illuminates the configuration management problem space.

The bootpd Configuration File

The traditional Unix BOOTP daemon (bootpd) uses a simple text configuration file mapping MAC addresses to configuration sets:

/etc/bootptab

Configuration

# BOOTP Configuration File - /etc/bootptab
# Format: hostname:tag=value:tag=value:...
 
# Global defaults - inherited by all hosts
.default:\
    :sm=255.255.255.0:\       # Subnet mask
    :gw=192.168.1.1:\         # Default gateway
    :ds=8.8.8.8 8.8.4.4:\     # DNS servers
    :ht=1:\                   # Hardware type (Ethernet)
    :ha=0:\                   # Hardware address (override per-host)
    :bf=pxelinux.0:\          # Boot file
    :sa=192.168.1.10:\        # Server address for boot file
    :to=auto:                 # Time offset
 
# Individual host entries
workstation1:tc=.default:\
    :hn:\                     # Force hostname lookup
    :ha=001122334455:\        # MAC address (no colons)
    :ip=192.168.1.100:        # Assigned IP address
 
workstation2:tc=.default:\
    :ha=0011223344AA:\
    :ip=192.168.1.101:
 
# Diskless workstation with custom boot file
diskless-node:tc=.default:\
    :ha=DEADBEEF0001:\
    :ip=192.168.1.150:\
    :bf=/tftpboot/diskless/vmlinuz:\
    :rp=/nfs/diskless/root:   # NFS root path

Server Processing Logic

A BOOTP server follows this processing sequence for each incoming request:

Validate Message — Check op=1 (request), verify message length and format.
Extract Client Identifier — Pull the chaddr (MAC address) as the lookup key.
Check giaddr — If non-zero, the request came via relay agent. Use giaddr to select the correct IP pool.
Database Lookup — Search for a configuration entry matching the client's MAC address.
If No Match — Either ignore silently or log the unknown MAC. BOOTP has no NAK mechanism.
Build Reply — Populate yiaddr, siaddr, file, and vendor options from the configuration.
Determine Reply Address — Check if broadcast flag is set or if unicast is feasible.
Send Reply — Transmit the BOOTREPLY.

No Negative Acknowledgment

BOOTP has no mechanism for the server to explicitly reject a client. If a client's MAC is unknown, the server simply doesn't reply. The client will timeout and retry, potentially forever. This limitation is addressed in DHCP with the DHCPNAK message type.

Server Implementation Considerations

Concurrency — Multiple clients may request simultaneously. The server must be thread-safe or use non-blocking I/O.
Logging — Every transaction should be logged with timestamp, MAC, and assigned IP for troubleshooting.
Failover — With static mappings, multiple servers can run with identical configurations for redundancy.
Cache Insertion — Before unicasting to yiaddr, the server may need to insert a temporary ARP entry so the client can receive the reply.
Security — Anyone who can broadcast on the network can request configuration. BOOTP has no authentication mechanism.

Summary: The Bootstrap Protocol Foundation

BOOTP represents a pivotal advancement in network configuration management. Its concepts and mechanisms remain foundational to modern networking infrastructure.

Key Takeaways

•BOOTP solved the manual configuration crisis — Enabling automated IP address and boot parameter distribution, eliminating the need to visit each machine.
•Transport layer operation enables routing — By using UDP/IP instead of raw Ethernet frames, BOOTP messages can cross routers via relay agents.
•Fixed 300-byte message format — Provides simplicity and predictability, with fields for IP addressing, boot file location, and vendor extensions.
•Two-message exchange — The simple BOOTREQUEST/BOOTREPLY pattern reflects the stateless server design philosophy.
•Relay agents enable centralization — A single BOOTP server can serve multiple subnets through router-based forwarding.
•Vendor extensions enabled growth — The 64-byte vend field, while limited, established the TLV option encoding that DHCP would expand.
•Static mapping model — All MAC-to-IP assignments must be pre-configured, providing control but limiting automation.
•Diskless workstation support — The file and siaddr fields enable network booting without local storage.

Looking Ahead

While BOOTP solved immediate configuration challenges, its static nature created new limitations as networks grew and became more dynamic. Mobile users, temporary devices, and address conservation requirements demanded something more flexible.

In the next page, we'll compare BOOTP with its evolutionary successor, DHCP, examining how dynamic allocation and lease management extended BOOTP's foundation to meet modern networking demands.

Page Complete

You now understand the Bootstrap Protocol's architecture, message format, exchange process, and relay agent mechanism. These concepts form the essential foundation for understanding DHCP and modern network configuration management.

1 / 5

Loading learning content...

Computer NetworksOther Application Protocols

BOOTP: Bootstrap Protocol

LevelIntermediate

Duration50 mins

TopicOther Application Protocols

1 / 5

Bootstrap Protocol

The Network Configuration Revolution

Learning Objectives

The Pre-BOOTP Configuration Crisis

To appreciate BOOTP's significance, we must understand the network configuration landscape before its introduction.

The Manual Configuration Burden

In early TCP/IP networks, every host required manual configuration of at least four critical parameters:

IP Address — A unique 32-bit identifier within the network
Subnet Mask — Defining the boundary between network and host portions
Default Gateway — The router through which to reach non-local destinations
DNS Server(s) — For hostname-to-IP resolution

Manual Configuration Challenges
Challenge	Description	Impact
IP Conflicts	Two machines accidentally assigned the same IP	Both machines intermittently lose connectivity
Documentation Drift	Records don't match actual configurations	Troubleshooting becomes guesswork
Mobility Impossible	Laptop moved to new subnet requires reconfiguration	Users lack flexibility to relocate
Onboarding Delay	New machines wait hours or days for admin visit	Productivity loss, bottlenecked IT staff
Scale Ceiling	Network growth limited by configuration capacity	Organizational expansion constrained

The RARP Partial Solution

However, RARP had severe limitations:

Link-layer dependency — RARP operated at Layer 2, meaning it couldn't cross routers. Each subnet required its own RARP server.
IP address only — RARP provided just the IP address, not the gateway, subnet mask, or DNS servers.
No boot image location — Diskless workstations still needed a separate mechanism to find their operating system images.
Fixed table updates — RARP servers required manual table updates for each new MAC address.

The networking community needed something more capable.

Historical Context

BOOTP Architecture and Design Philosophy

BOOTP was designed with specific architectural principles that addressed RARP's shortcomings while enabling future extensibility.

Core Design Principles

Transport Layer Operation — By using UDP over IP, BOOTP messages are routable. A single BOOTP server can serve multiple subnets via relay agents.
Fixed Message Size — BOOTP uses a fixed 300-byte message format, simplifying implementation and ensuring predictable behavior across all implementations.
Stateless Server Design — The BOOTP server maintains no memory of previous transactions. Each request is self-contained, with the MAC address serving as the client identifier.
Static Mapping Model — Unlike later DHCP, BOOTP maps MAC addresses to IP addresses statically. The administrator pre-configures all assignments; BOOTP merely distributes them.
Boot Image Support — BOOTP natively supports providing the filename and location of a boot image, enabling diskless workstations to bootstrap from the network.

BOOTP vs RARP Comparison

•Layer — BOOTP uses UDP/IP (Layer 4/3); RARP uses raw Ethernet frames (Layer 2)
•Routability — BOOTP messages cross routers via relay agents; RARP is subnet-confined
•Information Provided — BOOTP delivers IP, gateway, subnet mask, DNS, boot file; RARP delivers only IP
•Extensibility — BOOTP includes a vendor-specific field for future options; RARP has no extension mechanism
•Server Architecture — BOOTP servers can be centralized; RARP requires per-subnet servers

The Client-Server Model

BOOTP employs a straightforward client-server architecture:

BOOTP Client (bootpc) — The machine seeking configuration, typically a device during power-on with no network parameters configured. Listens on UDP port 68.
BOOTP Server (bootps) — The configuration authority maintaining MAC-to-configuration mappings. Listens on UDP port 67.
BOOTP Relay Agent — An optional intermediary (typically a router) that forwards BOOTP messages between subnets, enabling centralized server deployment.

The port numbers (67 and 68) were deliberately chosen below the privileged port threshold (1024), requiring server processes to run with elevated privileges—an early security consideration.

Converting Mermaid diagram...

BOOTP Message Format Deep Dive

The 300-Byte Message Structure

BOOTP messages use a fixed 300-byte format, split into well-defined fields. Both requests and replies use identical structures, with different fields populated depending on message direction.

BOOTP Message Format Fields
Field	Bytes	Description
op	1	Operation code: 1 = BOOTREQUEST, 2 = BOOTREPLY
htype	1	Hardware address type (1 for Ethernet)
hlen	1	Hardware address length (6 for Ethernet MAC)
hops	1	Hop count, incremented by relay agents
xid	4	Transaction ID, random number for matching request/reply
secs	2	Seconds elapsed since client boot began
flags	2	Broadcast flag and reserved bits
ciaddr	4	Client IP address (if client already knows it)
yiaddr	4	'Your' IP address (assigned by server)
siaddr	4	Server IP address (for boot image retrieval)
giaddr	4	Gateway IP address (relay agent address)
chaddr	16	Client hardware address (MAC, padded)
sname	64	Optional server hostname
file	128	Boot filename (e.g., 'pxelinux.0')
vend	64	Vendor-specific area (later: DHCP options)

Field-by-Field Analysis

Seconds Elapsed (secs) — Indicates how long the client has been trying to boot. Servers may use this field to prioritize long-waiting clients or to trigger backup server activation.

Address Fields (ciaddr, yiaddr, siaddr, giaddr) — These four IP address fields form the configuration payload:

ciaddr — Set by clients that already know their IP (renewal scenarios)
yiaddr — The IP address assigned to the client by the server
siaddr — Points to the server hosting the boot image (may differ from BOOTP server)
giaddr — Set by relay agents to indicate which subnet the client is on

The Boot Filename Field

bootp_message_structure.h
C
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
/* BOOTP Message Structure - RFC 951 */
struct bootp_message {
    uint8_t  op;           /* Operation: 1=REQUEST, 2=REPLY */
    uint8_t  htype;        /* Hardware type: 1=Ethernet */
    uint8_t  hlen;         /* Hardware address length: 6 for Ethernet */
    uint8_t  hops;         /* Hop count for relay agents */
    uint32_t xid;          /* Transaction ID - random, matched in reply */
    uint16_t secs;         /* Seconds since boot process started */
    uint16_t flags;        /* Bit 0: Broadcast flag */
    
    /* IP Address Fields */
    uint32_t ciaddr;       /* Client IP (known, or 0.0.0.0) */
    uint32_t yiaddr;       /* 'Your' assigned IP address */
    uint32_t siaddr;       /* Boot server IP address */
    uint32_t giaddr;       /* Gateway/relay agent IP address */
    
    /* Hardware Address - padded to 16 bytes */
    uint8_t  chaddr[16];   /* Client hardware (MAC) address */
    
    /* String Fields */
    char     sname[64];    /* Optional server hostname */
    char     file[128];    /* Boot filename */
    
    /* Vendor Extensions */
    uint8_t  vend[64];     /* Vendor-specific data */
};
/* Total size: 300 bytes fixed */

The BOOTP Exchange Process

BOOTP employs a simple two-message exchange: the client broadcasts a BOOTREQUEST, and the server sends back a BOOTREPLY. This simplicity reflects BOOTP's stateless design philosophy.

Phase 1: Client Broadcast (BOOTREQUEST)

When a BOOTP client boots:

Generate Transaction ID — The client creates a random 32-bit xid value to identify this configuration attempt.
Construct BOOTREQUEST — The client populates:
- op = 1 (request)
- htype = 1 (Ethernet)
- hlen = 6 (MAC length)
- xid = generated random value
- chaddr = client's MAC address
- All IP fields = 0.0.0.0 (unknown)
Broadcast Message — The client sends the UDP datagram to:
- Source IP: 0.0.0.0 (client has no IP yet)
- Destination IP: 255.255.255.255 (limited broadcast)
- Source Port: 68 (bootpc)
- Destination Port: 67 (bootps)

The 0.0.0.0 Source Address

Phase 2: Server Response (BOOTREPLY)

When a BOOTP server receives a BOOTREQUEST:

MAC Address Lookup — The server searches its configuration database for an entry matching the chaddr field.
If Match Found — The server constructs a reply with:
- op = 2 (reply)
- xid = same as request (for matching)
- yiaddr = assigned IP address for this client
- siaddr = boot server address
- file = boot filename (if configured)
- vend = any vendor-specific options
Reply Delivery — Here's where BOOTP faces an interesting challenge. The client doesn't have an IP address yet, so how should the reply be addressed?

Reply Addressing Options:

Unicast to yiaddr — The server sends directly to the IP it's assigning. This requires the server to insert an ARP entry temporarily, or the client to accept packets before its IP is configured.
Broadcast — If the client set the broadcast flag, or the server cannot unicast, the reply goes to 255.255.255.255. All clients must examine the xid to determine ownership.
Hardware Unicast — Some implementations send to the client's MAC address directly at Layer 2, regardless of IP destination.

Converting Mermaid diagram...

Relay Agents: Crossing Subnet Boundaries

The Problem: Broadcasts Don't Cross Routers

The Solution: The BOOTP Relay Agent

A BOOTP relay agent (also called a BOOTP forwarder or helper) is a network device—typically a router—that:

Listens for BOOTP broadcasts on local interfaces
Forwards requests as unicast to configured BOOTP server(s)
Stamps the giaddr field with the relay agent's IP address on the client's subnet
Receives unicast replies from the server
Forwards replies to the client (broadcast or unicast, depending on flags)

Why giaddr Matters

•Subnet Identification — The giaddr tells the server which subnet the client is on, enabling proper IP pool selection
•Return Path — The server knows to send the reply to the relay agent's address, which then delivers it locally
•Multiple Pools — A single server can manage different address ranges for different subnets based on incoming giaddr values
•Hop Limiting — The hops field prevents infinite forwarding loops; relay agents increment it, and servers may reject high hop counts

Converting Mermaid diagram...

Relay Agent Configuration (Cisco Example)

On Cisco routers, BOOTP/DHCP relay is configured using the ip helper-address command on each client-facing interface:

router_relay_config.txt

Cisco IOS

! Configure interface facing client subnet
interface GigabitEthernet0/1
 description Client LAN - Subnet 192.168.1.0/24
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 10.0.0.10   ! BOOTP/DHCP server address
 
! For redundancy, specify backup server
interface GigabitEthernet0/1  
 ip helper-address 10.0.0.11   ! Secondary server
 
! Note: ip helper-address forwards multiple protocols by default:
! - BOOTP/DHCP (UDP ports 67, 68)
! - TFTP (UDP port 69)
! - DNS (UDP port 53)
! - Time (UDP port 37)
! - NetBIOS (UDP ports 137, 138)
! - TACACS (UDP port 49)

The Vendor Extensions Field

The 64-byte vendor-specific (vend) field was BOOTP's forward-looking provision for extensibility. This field became the seed from which DHCP's rich options framework grew.

Original Vendor Extensions (RFC 1048)

Option Format:

[Tag: 1 byte][Length: 1 byte][Data: Length bytes]

This Tag-Length-Value (TLV) encoding remains the foundation for DHCP options today.

Original BOOTP Vendor Extensions (RFC 1048)
Tag	Name	Length	Description
0	Pad	0	Used for alignment, no data
1	Subnet Mask	4	Client's subnet mask
2	Time Offset	4	Offset from UTC in seconds
3	Gateways	4+	List of gateway IP addresses
4	Time Servers	4+	RFC 868 time servers
5	IEN-116 Name Servers	4+	Name servers (obsolete)
6	DNS Servers	4+	Domain Name System servers
7	Log Servers	4+	MIT-LCS UDP log servers
8	Cookie Servers	4+	Quote of the Day servers
9	LPR Servers	4+	Line Printer servers
255	End	0	Marks end of valid options

The Magic Cookie

The 64-Byte Limitation

Solutions to Space Constraints:

Option Overloading — RFC 1533 defined options 52 (overload) allowing the 'sname' and 'file' fields to carry additional options if not needed for their primary purpose.
Long Message Extension — Some implementations allowed messages longer than 300 bytes, though this risked interoperability issues.
DHCP — The eventual solution was DHCP, which expanded options to 312 bytes minimum and defined mechanisms for larger options.

The vendor extensions mechanism demonstrated both BOOTP's architectural foresight and its practical limitations, directly motivating DHCP's development.

BOOTP Server Implementation

The bootpd Configuration File

The traditional Unix BOOTP daemon (bootpd) uses a simple text configuration file mapping MAC addresses to configuration sets:

/etc/bootptab

Configuration

# BOOTP Configuration File - /etc/bootptab
# Format: hostname:tag=value:tag=value:...
 
# Global defaults - inherited by all hosts
.default:\
    :sm=255.255.255.0:\       # Subnet mask
    :gw=192.168.1.1:\         # Default gateway
    :ds=8.8.8.8 8.8.4.4:\     # DNS servers
    :ht=1:\                   # Hardware type (Ethernet)
    :ha=0:\                   # Hardware address (override per-host)
    :bf=pxelinux.0:\          # Boot file
    :sa=192.168.1.10:\        # Server address for boot file
    :to=auto:                 # Time offset
 
# Individual host entries
workstation1:tc=.default:\
    :hn:\                     # Force hostname lookup
    :ha=001122334455:\        # MAC address (no colons)
    :ip=192.168.1.100:        # Assigned IP address
 
workstation2:tc=.default:\
    :ha=0011223344AA:\
    :ip=192.168.1.101:
 
# Diskless workstation with custom boot file
diskless-node:tc=.default:\
    :ha=DEADBEEF0001:\
    :ip=192.168.1.150:\
    :bf=/tftpboot/diskless/vmlinuz:\
    :rp=/nfs/diskless/root:   # NFS root path

Server Processing Logic

A BOOTP server follows this processing sequence for each incoming request:

Validate Message — Check op=1 (request), verify message length and format.
Extract Client Identifier — Pull the chaddr (MAC address) as the lookup key.
Check giaddr — If non-zero, the request came via relay agent. Use giaddr to select the correct IP pool.
Database Lookup — Search for a configuration entry matching the client's MAC address.
If No Match — Either ignore silently or log the unknown MAC. BOOTP has no NAK mechanism.
Build Reply — Populate yiaddr, siaddr, file, and vendor options from the configuration.
Determine Reply Address — Check if broadcast flag is set or if unicast is feasible.
Send Reply — Transmit the BOOTREPLY.

No Negative Acknowledgment

Server Implementation Considerations

Concurrency — Multiple clients may request simultaneously. The server must be thread-safe or use non-blocking I/O.
Logging — Every transaction should be logged with timestamp, MAC, and assigned IP for troubleshooting.
Failover — With static mappings, multiple servers can run with identical configurations for redundancy.
Cache Insertion — Before unicasting to yiaddr, the server may need to insert a temporary ARP entry so the client can receive the reply.
Security — Anyone who can broadcast on the network can request configuration. BOOTP has no authentication mechanism.

Summary: The Bootstrap Protocol Foundation

BOOTP represents a pivotal advancement in network configuration management. Its concepts and mechanisms remain foundational to modern networking infrastructure.

Key Takeaways

•BOOTP solved the manual configuration crisis — Enabling automated IP address and boot parameter distribution, eliminating the need to visit each machine.
•Transport layer operation enables routing — By using UDP/IP instead of raw Ethernet frames, BOOTP messages can cross routers via relay agents.
•Fixed 300-byte message format — Provides simplicity and predictability, with fields for IP addressing, boot file location, and vendor extensions.
•Two-message exchange — The simple BOOTREQUEST/BOOTREPLY pattern reflects the stateless server design philosophy.
•Relay agents enable centralization — A single BOOTP server can serve multiple subnets through router-based forwarding.
•Vendor extensions enabled growth — The 64-byte vend field, while limited, established the TLV option encoding that DHCP would expand.
•Static mapping model — All MAC-to-IP assignments must be pre-configured, providing control but limiting automation.
•Diskless workstation support — The file and siaddr fields enable network booting without local storage.

Looking Ahead

In the next page, we'll compare BOOTP with its evolutionary successor, DHCP, examining how dynamic allocation and lease management extended BOOTP's foundation to meet modern networking demands.

Page Complete

1 / 5