Udp Applications - Learning Module

Loading content...

0/228

DHCP – Dynamic Host Configuration Protocol

Automatic Network Configuration at Scale

Imagine a world where every device connecting to a network required manual IP address configuration. Network administrators would spend their days assigning IP addresses, subnet masks, default gateways, and DNS servers to thousands of devices—laptops, phones, printers, IoT devices, guest devices, and more. The administrative burden would be crushing, and human error would cause constant connectivity issues.

Dynamic Host Configuration Protocol (DHCP) solves this problem elegantly. When you connect your laptop to a WiFi network and instantly receive an IP address, DHCP is working behind the scenes. This protocol runs over UDP, making it one of the most critical UDP-based services in modern networking.

What You Will Learn

By the end of this page, you will understand DHCP's architecture and operation, analyze the DORA process (Discover, Offer, Request, Acknowledge), explain why DHCP must use UDP (hint: the client has no IP yet), understand lease management and renewal, and comprehend DHCP relay agents for multi-subnet environments.

The DHCP Problem Space: Why Automatic Configuration?

Before diving into DHCP's technical details, let's understand the problem it solves and why its design choices are necessary.

The Configuration Challenge:

To communicate on an IP network, a host needs at minimum:

IP Address: Unique identifier on the network
Subnet Mask: Defines network/host portions
Default Gateway: Router for reaching other networks
DNS Servers: For name resolution

Optionally, a host may also need:

Domain name suffix
WINS servers (legacy Windows)
NTP servers (time synchronization)
Boot filename (diskless workstations)
Vendor-specific options

Manual vs. DHCP Configuration
Aspect	Manual Configuration	DHCP
Administrative Effort	High (per-device configuration)	Low (centralized)
Human Error Risk	High (typos, duplicates)	Low (automated)
Scalability	Poor (doesn't scale beyond dozens)	Excellent (millions of clients)
Mobility Support	None (reconfigure on each network)	Full (automatic per-network)
IP Address Efficiency	Low (permanently allocated)	High (dynamic allocation/reuse)
Audit/Tracking	Difficult (spreadsheets)	Built-in (lease database)
Configuration Changes	Visit each device	Central policy change

The Bootstrap Paradox:

Here's the fundamental challenge that makes DHCP interesting from a protocol design perspective:

How can a host request an IP address when it doesn't have an IP address yet?

This is the bootstrap problem. The client needs to communicate with a server, but it has no network identity. This constraint drives DHCP's reliance on UDP broadcasts and its specific design choices.

DHCP's Predecessor: BOOTP

DHCP evolved from BOOTP (Bootstrap Protocol, RFC 951), which provided static address assignment via a lookup table. DHCP (RFC 2131) added dynamic allocation, lease management, and richer options. DHCP is backward-compatible with BOOTP—they share message format and port numbers.

Why DHCP Must Use UDP: The Technical Necessity

DHCP doesn't merely prefer UDP—it requires UDP. Unlike DNS, where UDP is an optimization choice, DHCP physically cannot use TCP. Let's understand why.

The TCP Impossibility:

TCP requires both endpoints to have valid IP addresses before establishing a connection. The three-way handshake (SYN, SYN-ACK, ACK) assumes both parties can address each other. But a DHCP client:

Has no IP address (that's what it's trying to get)
Doesn't know the server's IP address (must use broadcast)
Cannot receive unicast packets (has no address to unicast to)

TCP fundamentally cannot work in this scenario.

UDP Enables DHCP

•Broadcast Support: UDP can be sent to the broadcast address (255.255.255.255) reaching all hosts on the local network.
•No Address Required: UDP datagrams can be sent with source address 0.0.0.0, indicating 'this host' before configuration.
•Connectionless: No handshake required, so no need for both parties to know each other's addresses.
•Layer 2 Reception: Before IP configuration, hosts can receive frames destined to broadcast or their MAC address.
•Simplicity: Failed transactions are simply retried; no complex state machine required.

TCP Cannot Work Here

•No Broadcast: TCP is strictly unicast; it cannot address 'all hosts on this network'.
•Connection State: TCP requires source and destination addresses for connection tracking.
•SYN-ACK Problem: Server's SYN-ACK would need to unicast to client's IP—which doesn't exist yet.
•Routing Issues: Without an IP address, the client has no route to reach a specific server.
•Port Numbers: TCP port binding requires an IP address on the local stack.

DHCP Port Numbers:

Role	Port	Protocol	Reason
Server	67	UDP	Well-known port for DHCP/BOOTP server
Client	68	UDP	Fixed client port enables broadcast reception

Why different ports?

Unlike most protocols where the server has a well-known port and the client uses an ephemeral port, DHCP uses fixed ports for both. This is because:

Broadcast responses: The server's OFFER is broadcast; clients filter by their MAC address and port 68
Relay agents: DHCP relays listen on port 67 and must distinguish client traffic from server traffic
Firewall rules: Fixed ports enable simple, predictable firewall configuration

The 0.0.0.0 Source Address

DHCP clients send initial packets with source IP 0.0.0.0 (meaning 'this host on this network'). This is a special address defined in RFC 1122 that can only appear as a source, never as a destination. It's what enables IP communication before configuration is complete.

DHCP Message Format: The Complete Packet Structure

DHCP uses a fixed-format message with variable-length options, derived from the BOOTP format. Understanding this format is essential for debugging DHCP issues.

Message Structure:

0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     op (1)    |   htype (1)   |   hlen (1)    |   hops (1)    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                            xid (4)                            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           secs (2)            |           flags (2)           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          ciaddr (4)                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          yiaddr (4)                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          siaddr (4)                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          giaddr (4)                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          chaddr (16)                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          sname (64)                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          file (128)                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          options (variable)                   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

DHCP Message Fields
Field	Size	Description	Values
op	1 byte	Operation code	1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
htype	1 byte	Hardware address type	1 = Ethernet (most common)
hlen	1 byte	Hardware address length	6 for Ethernet MAC
hops	1 byte	Relay hops count	0 initially; incremented by relays
xid	4 bytes	Transaction ID	Random number chosen by client
secs	2 bytes	Seconds since start	Time elapsed since client began
flags	2 bytes	Flags	Bit 0: Broadcast flag
ciaddr	4 bytes	Client IP address	Filled if client has valid address (renewal)
yiaddr	4 bytes	Your IP address	Server fills with offered/assigned IP
siaddr	4 bytes	Server IP address	IP of next bootstrap server
giaddr	4 bytes	Gateway IP address	Relay agent's IP address
chaddr	16 bytes	Client hardware address	Client's MAC address (padded)
sname	64 bytes	Server hostname	Optional server name
file	128 bytes	Boot filename	Path for network boot
options	variable	DHCP options	Start with magic cookie 99.130.83.99

The DHCP Magic Cookie:

DHCP options begin with a 4-byte magic cookie: 99.130.83.99 (or 0x63825363). This value distinguishes DHCP messages from BOOTP messages and marks the start of the options field.

Option Format:

+-------+-------+-------+-------+-------+
| Code  |  Len  | Data bytes...         |
+-------+-------+-------+-------+-------+
   1       1         Len bytes

Each option is TLV (Type-Length-Value) encoded, allowing extensibility while maintaining backward compatibility.

The 548-Byte Minimum

DHCP messages must be at least 548 bytes (300 bytes for fixed fields + 248 bytes minimum options). This legacy requirement from BOOTP ensures compatibility. Modern DHCP implementations typically pad messages to this minimum size, even when options don't fill the space.

Essential DHCP Options: Configuring the Network Stack

DHCP options carry the actual configuration parameters. Over 200 options are defined, but a small subset handles most use cases.

Critical DHCP Options:

Commonly Used DHCP Options
Code	Name	Description	Typical Value
1	Subnet Mask	Network mask for IP address	255.255.255.0
3	Router	Default gateway address(es)	192.168.1.1
6	DNS Servers	Recursive resolver addresses	8.8.8.8, 8.8.4.4
12	Hostname	Client's requested hostname	laptop-01
15	Domain Name	DNS domain suffix	example.com
51	Lease Time	Address lease duration (seconds)	86400 (24 hours)
53	DHCP Message Type	Identifies message purpose	1=DISCOVER, 2=OFFER, etc.
54	Server Identifier	DHCP server's IP address	192.168.1.1
55	Parameter Request List	Options client wants	1, 3, 6, 15, 51...
58	Renewal Time (T1)	When to start renewal	43200 (12 hours)
59	Rebinding Time (T2)	When to start rebinding	75600 (21 hours)
61	Client Identifier	Unique client ID (often MAC)	01:aa:bb:cc:dd:ee:ff
255	End	Marks end of options	No data

Message Type Option (53) Values:

Value	Type	Description
1	DHCPDISCOVER	Client seeking address
2	DHCPOFFER	Server offering address
3	DHCPREQUEST	Client requesting specific address
4	DHCPDECLINE	Client rejecting offered address
5	DHCPACK	Server confirming address
6	DHCPNAK	Server rejecting request
7	DHCPRELEASE	Client releasing address
8	DHCPINFORM	Client requesting config only (has IP)

Option 55: The Shopping List:

When a client sends a DISCOVER or REQUEST, it includes Option 55—a list of option codes it wants the server to provide. This allows clients to request only the parameters they need, and servers to tailor responses accordingly.

Vendor-Specific Options

Option 43 (Vendor Encapsulated Options) and Option 60 (Vendor Class Identifier) enable vendor-specific configuration. For example, VoIP phones might receive SIP server addresses, or thin clients might get boot server locations. This extensibility makes DHCP versatile for diverse network environments.

The DORA Process: DHCP Transaction Lifecycle

DHCP address allocation follows a four-message exchange known as DORA: Discover, Offer, Request, Acknowledge. This process is designed to handle multiple servers, prevent IP conflicts, and work across broadcast domains.

Why Four Messages?

The DORA process seems redundant—why not just DISCOVER → ASSIGN? The four-step process solves critical problems:

Multiple Servers: DISCOVER is broadcast; multiple servers may respond with OFFERs
Client Choice: REQUEST lets client select among offers
Conflict Prevention: Server reserves address only after client commits
Confirmation: ACK confirms assignment after potential conflicts are resolved

Converting Mermaid diagram...

Detailed DORA Steps:

Step 1: DISCOVER (Client → Broadcast)

Source IP: 0.0.0.0 (no address yet)
Destination IP: 255.255.255.255 (broadcast)
Source Port: 68 (DHCP client)
Destination Port: 67 (DHCP server)
Contains: Client MAC (chaddr), Transaction ID (xid), Parameter Request List (Option 55)

Step 2: OFFER (Server → Client)

Source IP: Server's IP (192.168.1.1)
Destination IP: 255.255.255.255 (or unicast to yiaddr if supported)
yiaddr: Proposed IP for client (192.168.1.100)
Contains: Lease time, subnet mask, router, DNS servers, server identifier
Server reserves address temporarily pending client response

Step 3: REQUEST (Client → Broadcast)

Still broadcast (client doesn't have IP yet)
Includes Server Identifier option (Option 54) to identify chosen server
Includes Requested IP Address option (Option 50) to confirm desired IP
Non-selected servers see this and release their reserved offers

Step 4: ACK (Server → Client)

Confirms the lease binding
Contains final configuration parameters
After receiving ACK, client configures its network interface
Client should perform duplicate address detection (ARP probe)

The Broadcast Flag

Some clients cannot receive unicast packets before IP configuration. These clients set the Broadcast Flag (flags field bit 0) in DISCOVER, requesting that OFFER and ACK be broadcast rather than unicast to yiaddr. This adds broadcast traffic but ensures compatibility with all network stacks.

Lease Management: Renewal, Rebinding, and Expiration

DHCP addresses are leased, not permanently assigned. This lease model enables efficient IP address utilization—addresses return to the pool when no longer needed. Understanding the lease lifecycle is crucial for troubleshooting connectivity issues.

Lease Timers:

Timer	Default	Purpose
Lease Time (T)	86400s (24h)	Total lease duration
Renewal Time (T1)	T × 0.5	When to start renewal
Rebinding Time (T2)	T × 0.875	When to start rebinding

The Lease State Machine:

                    ┌──────────────────────────────────────┐
                    │           DHCP Lease Timeline        │
                    └──────────────────────────────────────┘

    0%          50%                    87.5%              100%
    │────────────│──────────────────────│───────────────────│
    │            │                      │                   │
  Lease      Renewal               Rebinding           Expiration
  Start      (T1)                  (T2)                    
             ↓                      ↓                       ↓
         Try unicast            Broadcast              Lose IP
         to original            to any                 address
         server                 server

Renewal (at T1):

Client sends REQUEST unicast to original server (ciaddr filled with current IP)
If server responds with ACK, lease is extended
If no response, retry with exponential backoff until T2

Rebinding (at T2):

Original server unreachable; client sends REQUEST broadcast
Any DHCP server can respond and extend the lease
This provides fault tolerance if original server fails

Expiration:

If T2 passes without successful renewal, client must stop using the IP
Client returns to DISCOVER state
Applications see this as network disconnection

Lease Best Practices

•Desktop/Server Networks: Long leases (24-48 hours) reduce DHCP traffic and provide stability.
•Guest/WiFi Networks: Short leases (1-4 hours) recover addresses quickly from transient devices.
•High-Mobility Environments: Very short leases (15-30 minutes) in airports, cafes.
•Address Pool Sizing: Pool should be ≥2× expected concurrent devices to handle renewals.
•Reservation for Servers: Use DHCP reservations (static assignments by MAC) for servers/printers.

DHCPINFORM: Configuration Without Lease

Hosts with static IP addresses can still use DHCP for other parameters (DNS, NTP, etc.) via DHCPINFORM. The server responds with configuration but doesn't assign an address or create a lease. This is useful for servers that need static IPs but should still receive centralized configuration.

DHCP Relay Agents: Spanning Broadcast Boundaries

DHCP broadcasts are limited to the local network segment—routers don't forward broadcasts. This creates a problem: would every subnet need its own DHCP server? DHCP Relay Agents solve this by forwarding DHCP messages across subnets.

The Problem:

Subnet A (10.1.1.0/24)           Subnet B (10.2.2.0/24)
     [Client]                         [DHCP Server]
         ↓                                  ↑
    DISCOVER                             How does
   (broadcast)                          this reach
         ↓                              the server?
    [Router]  ←── broadcasts don't cross ──→

The Solution: Relay Agent

The router can act as a DHCP Relay Agent, configured with the IP address of the DHCP server. When it receives a DHCP broadcast, it:

Converts it to a unicast packet addressed to the server
Fills in the Gateway IP Address (giaddr) field with its own interface IP
Forwards the packet to the server
The server uses giaddr to determine which pool to allocate from
Server responds to the relay agent, which broadcasts to the client

Converting Mermaid diagram...

Key giaddr Behaviors:

Scenario	giaddr Value	Server Action
Direct client (same subnet)	0.0.0.0	Use listening interface's subnet
Relayed from 10.1.1.1	10.1.1.1	Allocate from 10.1.1.0/24 pool
Relayed from 10.3.3.1	10.3.3.1	Allocate from 10.3.3.0/24 pool

Relay Agent Information Option (Option 82):

RFC 3046 introduced Option 82, allowing relays to insert additional information:

Circuit ID: Identifies the circuit (VLAN, port) the request came from
Remote ID: Identifies the remote access device (switch ID)

This enables per-port/per-VLAN policies and helps with security auditing.

Multiple DHCP Servers

For redundancy, relay agents can be configured with multiple DHCP server addresses. The relay forwards each request to all configured servers. The fastest responding server's offer is typically selected by the client, providing natural load balancing and failover.

DHCP Security: Threats and Protections

DHCP's broadcast-based, unauthenticated nature makes it vulnerable to several attacks. Understanding these threats is essential for securing enterprise networks.

Core Vulnerabilities:

DHCP has no built-in authentication mechanism. Any device can:

Send DHCP requests (legitimate or malicious)
Send DHCP responses (rogue servers)
Observe all DHCP traffic (broadcasts are visible to all)

DHCP Security Threats
Threat	Attack Vector	Impact	Mitigation
Rogue DHCP Server	Attacker runs unauthorized DHCP server	Clients receive malicious configuration (wrong gateway/DNS)	DHCP Snooping on switches
DHCP Starvation	Attacker sends many DISCOVERs with spoofed MACs	Server pool exhausted, DoS for legitimate clients	Port security, rate limiting
DHCP Spoofing	Attacker races to respond before legitimate server	MITM via attacker-controlled default gateway	DHCP Snooping, 802.1X
Information Disclosure	Attacker captures DHCP traffic	Learns network topology, addressing scheme	Network segmentation, encryption
Client Impersonation	Attacker uses stolen MAC address	Obtains IP reserved for another device	802.1X, MAC authentication

DHCP Snooping: The Primary Defense

DHCP Snooping is a switch feature that:

Classifies ports as TRUSTED or UNTRUSTED
- Trusted: Ports connected to legitimate DHCP servers or uplinks
- Untrusted: Ports connected to clients
Blocks DHCP server messages on untrusted ports
- OFFER, ACK, NAK from untrusted ports are dropped
- Only trusted ports can send server messages
Builds a binding table
- Records MAC ↔ IP mappings from observed DHCP transactions
- Can be used by Dynamic ARP Inspection (DAI) and IP Source Guard

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10,20
Switch(config)# interface gi0/1
Switch(config-if)# ip dhcp snooping trust   (uplink to server)
Switch(config)# interface range gi0/2-48
Switch(config-if)# ip dhcp snooping limit rate 10  (client ports)

Defense in Depth

DHCP Snooping alone isn't sufficient. Combine it with 802.1X authentication (verifies device identity before network access), Dynamic ARP Inspection (prevents ARP spoofing using DHCP Snooping bindings), and IP Source Guard (prevents IP spoofing). These form a comprehensive Layer 2 security stack.

Practical DHCP Analysis and Troubleshooting

Understanding DHCP at a practical level requires hands-on experience with client commands and packet analysis.

Client Commands:

DHCP Client Commands
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# View current DHCP lease information
ipconfig /all
 
# Release current DHCP lease
ipconfig /release
 
# Request new DHCP lease
ipconfig /renew
 
# Release and renew specific adapter
ipconfig /release "Wi-Fi"
ipconfig /renew "Wi-Fi"
 
# Clear DNS cache (often needed after DHCP changes)
ipconfig /flushdns
 
# View DHCP lease details in PowerShell
Get-NetIPConfiguration | Where-Object {$_.NetAdapter.Status -eq "Up"}
Get-DhcpServerv4Lease -ScopeId 192.168.1.0 # Server-side

Common DHCP Problems and Solutions:

Symptom	Possible Cause	Diagnostic	Solution
169.254.x.x address	No DHCP response	Check server reachability, relay config	Verify server is running, check firewalls
Slow lease acquisition	Rogue DHCP server responding	Wireshark capture of OFFER sources	Enable DHCP Snooping
Duplicate IP conflict	Pool overlap, static conflict	Check server pools, ARP tables	Audit address assignments
Lease not renewing	Server unreachable at T1	Ping server from client subnet	Check routing, firewall rules
Wrong DNS/gateway	Server misconfiguration	Check Option 3, 6 in lease	Correct server-side options

Wireshark DHCP Analysis

Filter DHCP traffic with 'bootp' or 'dhcp' in Wireshark. Look at the complete DORA sequence, examining xid to track transactions. Check giaddr for relay scenarios, and inspect Option 53 to identify message types. The Info column shows message type for quick analysis.

Summary: DHCP as a Critical UDP Service

DHCP demonstrates another essential use case for UDP—one where UDP isn't just preferred but required. Let's consolidate the key insights:

Key Takeaways

•DHCP solves the bootstrap problem: Clients need network configuration but can't communicate without it. UDP's broadcast capability and connectionless nature make configuration possible before IP assignment.
•DHCP must use UDP: TCP requires both endpoints to have IP addresses for the three-way handshake. Since DHCP clients have no IP, TCP is impossible—UDP with broadcasts is the only option.
•The DORA process handles multiple servers: DISCOVER (broadcast request), OFFER (server proposal), REQUEST (client acceptance), ACK (server confirmation) enables client choice among competing servers.
•Leases enable efficient address utilization: Addresses are temporarily assigned with renewal (T1), rebinding (T2), and expiration timers ensuring addresses return to the pool when devices leave.
•Relay agents span broadcast boundaries: Routers configured as DHCP relays convert broadcasts to unicasts, enabling centralized DHCP servers to serve multiple subnets via the giaddr field.
•Security requires infrastructure support: DHCP's lack of authentication necessitates switch-level protections like DHCP Snooping, rate limiting, and 802.1X to prevent rogue servers and starvation attacks.

DHCP vs. DNS: Two UDP Protocol Patterns:

Aspect	DNS	DHCP
UDP Choice	Optimization (TCP possible)	Necessity (TCP impossible)
Communication	Unicast preferred	Broadcast required
Message Pattern	Simple query/response	Four-message transaction
State	Stateless (caching aside)	Stateful (lease database)
Scale	Global, hierarchical	Local, flat

Next up: We'll examine SNMP (Simple Network Management Protocol), which uses UDP for network monitoring and management—another domain where UDP's efficiency shines.

Page Complete

You now understand DHCP as a UDP-based protocol that couldn't function any other way. You can explain the DORA process, analyze DHCP messages, understand lease management, and identify security concerns. This knowledge is essential for network administration and troubleshooting connectivity issues.

DHCP – Dynamic Host Configuration Protocol

Automatic Network Configuration at Scale

What You Will Learn

The DHCP Problem Space: Why Automatic Configuration?

Before diving into DHCP's technical details, let's understand the problem it solves and why its design choices are necessary.

The Configuration Challenge:

To communicate on an IP network, a host needs at minimum:

IP Address: Unique identifier on the network
Subnet Mask: Defines network/host portions
Default Gateway: Router for reaching other networks
DNS Servers: For name resolution

Optionally, a host may also need:

Domain name suffix
WINS servers (legacy Windows)
NTP servers (time synchronization)
Boot filename (diskless workstations)
Vendor-specific options

Manual vs. DHCP Configuration
Aspect	Manual Configuration	DHCP
Administrative Effort	High (per-device configuration)	Low (centralized)
Human Error Risk	High (typos, duplicates)	Low (automated)
Scalability	Poor (doesn't scale beyond dozens)	Excellent (millions of clients)
Mobility Support	None (reconfigure on each network)	Full (automatic per-network)
IP Address Efficiency	Low (permanently allocated)	High (dynamic allocation/reuse)
Audit/Tracking	Difficult (spreadsheets)	Built-in (lease database)
Configuration Changes	Visit each device	Central policy change

The Bootstrap Paradox:

Here's the fundamental challenge that makes DHCP interesting from a protocol design perspective:

How can a host request an IP address when it doesn't have an IP address yet?

DHCP's Predecessor: BOOTP

Why DHCP Must Use UDP: The Technical Necessity

DHCP doesn't merely prefer UDP—it requires UDP. Unlike DNS, where UDP is an optimization choice, DHCP physically cannot use TCP. Let's understand why.

The TCP Impossibility:

TCP requires both endpoints to have valid IP addresses before establishing a connection. The three-way handshake (SYN, SYN-ACK, ACK) assumes both parties can address each other. But a DHCP client:

Has no IP address (that's what it's trying to get)
Doesn't know the server's IP address (must use broadcast)
Cannot receive unicast packets (has no address to unicast to)

TCP fundamentally cannot work in this scenario.

UDP Enables DHCP

•Broadcast Support: UDP can be sent to the broadcast address (255.255.255.255) reaching all hosts on the local network.
•No Address Required: UDP datagrams can be sent with source address 0.0.0.0, indicating 'this host' before configuration.
•Connectionless: No handshake required, so no need for both parties to know each other's addresses.
•Layer 2 Reception: Before IP configuration, hosts can receive frames destined to broadcast or their MAC address.
•Simplicity: Failed transactions are simply retried; no complex state machine required.

TCP Cannot Work Here

•No Broadcast: TCP is strictly unicast; it cannot address 'all hosts on this network'.
•Connection State: TCP requires source and destination addresses for connection tracking.
•SYN-ACK Problem: Server's SYN-ACK would need to unicast to client's IP—which doesn't exist yet.
•Routing Issues: Without an IP address, the client has no route to reach a specific server.
•Port Numbers: TCP port binding requires an IP address on the local stack.

DHCP Port Numbers:

Role	Port	Protocol	Reason
Server	67	UDP	Well-known port for DHCP/BOOTP server
Client	68	UDP	Fixed client port enables broadcast reception

Why different ports?

Unlike most protocols where the server has a well-known port and the client uses an ephemeral port, DHCP uses fixed ports for both. This is because:

Broadcast responses: The server's OFFER is broadcast; clients filter by their MAC address and port 68
Relay agents: DHCP relays listen on port 67 and must distinguish client traffic from server traffic
Firewall rules: Fixed ports enable simple, predictable firewall configuration

The 0.0.0.0 Source Address

DHCP Message Format: The Complete Packet Structure

DHCP uses a fixed-format message with variable-length options, derived from the BOOTP format. Understanding this format is essential for debugging DHCP issues.

Message Structure:

0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     op (1)    |   htype (1)   |   hlen (1)    |   hops (1)    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                            xid (4)                            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           secs (2)            |           flags (2)           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          ciaddr (4)                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          yiaddr (4)                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          siaddr (4)                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          giaddr (4)                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          chaddr (16)                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          sname (64)                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          file (128)                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          options (variable)                   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

DHCP Message Fields
Field	Size	Description	Values
op	1 byte	Operation code	1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
htype	1 byte	Hardware address type	1 = Ethernet (most common)
hlen	1 byte	Hardware address length	6 for Ethernet MAC
hops	1 byte	Relay hops count	0 initially; incremented by relays
xid	4 bytes	Transaction ID	Random number chosen by client
secs	2 bytes	Seconds since start	Time elapsed since client began
flags	2 bytes	Flags	Bit 0: Broadcast flag
ciaddr	4 bytes	Client IP address	Filled if client has valid address (renewal)
yiaddr	4 bytes	Your IP address	Server fills with offered/assigned IP
siaddr	4 bytes	Server IP address	IP of next bootstrap server
giaddr	4 bytes	Gateway IP address	Relay agent's IP address
chaddr	16 bytes	Client hardware address	Client's MAC address (padded)
sname	64 bytes	Server hostname	Optional server name
file	128 bytes	Boot filename	Path for network boot
options	variable	DHCP options	Start with magic cookie 99.130.83.99

The DHCP Magic Cookie:

DHCP options begin with a 4-byte magic cookie: 99.130.83.99 (or 0x63825363). This value distinguishes DHCP messages from BOOTP messages and marks the start of the options field.

Option Format:

+-------+-------+-------+-------+-------+
| Code  |  Len  | Data bytes...         |
+-------+-------+-------+-------+-------+
   1       1         Len bytes

Each option is TLV (Type-Length-Value) encoded, allowing extensibility while maintaining backward compatibility.

The 548-Byte Minimum

Essential DHCP Options: Configuring the Network Stack

DHCP options carry the actual configuration parameters. Over 200 options are defined, but a small subset handles most use cases.

Critical DHCP Options:

Commonly Used DHCP Options
Code	Name	Description	Typical Value
1	Subnet Mask	Network mask for IP address	255.255.255.0
3	Router	Default gateway address(es)	192.168.1.1
6	DNS Servers	Recursive resolver addresses	8.8.8.8, 8.8.4.4
12	Hostname	Client's requested hostname	laptop-01
15	Domain Name	DNS domain suffix	example.com
51	Lease Time	Address lease duration (seconds)	86400 (24 hours)
53	DHCP Message Type	Identifies message purpose	1=DISCOVER, 2=OFFER, etc.
54	Server Identifier	DHCP server's IP address	192.168.1.1
55	Parameter Request List	Options client wants	1, 3, 6, 15, 51...
58	Renewal Time (T1)	When to start renewal	43200 (12 hours)
59	Rebinding Time (T2)	When to start rebinding	75600 (21 hours)
61	Client Identifier	Unique client ID (often MAC)	01:aa:bb:cc:dd:ee:ff
255	End	Marks end of options	No data

Message Type Option (53) Values:

Value	Type	Description
1	DHCPDISCOVER	Client seeking address
2	DHCPOFFER	Server offering address
3	DHCPREQUEST	Client requesting specific address
4	DHCPDECLINE	Client rejecting offered address
5	DHCPACK	Server confirming address
6	DHCPNAK	Server rejecting request
7	DHCPRELEASE	Client releasing address
8	DHCPINFORM	Client requesting config only (has IP)

Option 55: The Shopping List:

Vendor-Specific Options

The DORA Process: DHCP Transaction Lifecycle

Why Four Messages?

The DORA process seems redundant—why not just DISCOVER → ASSIGN? The four-step process solves critical problems:

Multiple Servers: DISCOVER is broadcast; multiple servers may respond with OFFERs
Client Choice: REQUEST lets client select among offers
Conflict Prevention: Server reserves address only after client commits
Confirmation: ACK confirms assignment after potential conflicts are resolved

Converting Mermaid diagram...

Detailed DORA Steps:

Step 1: DISCOVER (Client → Broadcast)

Source IP: 0.0.0.0 (no address yet)
Destination IP: 255.255.255.255 (broadcast)
Source Port: 68 (DHCP client)
Destination Port: 67 (DHCP server)
Contains: Client MAC (chaddr), Transaction ID (xid), Parameter Request List (Option 55)

Step 2: OFFER (Server → Client)

Source IP: Server's IP (192.168.1.1)
Destination IP: 255.255.255.255 (or unicast to yiaddr if supported)
yiaddr: Proposed IP for client (192.168.1.100)
Contains: Lease time, subnet mask, router, DNS servers, server identifier
Server reserves address temporarily pending client response

Step 3: REQUEST (Client → Broadcast)

Still broadcast (client doesn't have IP yet)
Includes Server Identifier option (Option 54) to identify chosen server
Includes Requested IP Address option (Option 50) to confirm desired IP
Non-selected servers see this and release their reserved offers

Step 4: ACK (Server → Client)

Confirms the lease binding
Contains final configuration parameters
After receiving ACK, client configures its network interface
Client should perform duplicate address detection (ARP probe)

The Broadcast Flag

Lease Management: Renewal, Rebinding, and Expiration

Lease Timers:

Timer	Default	Purpose
Lease Time (T)	86400s (24h)	Total lease duration
Renewal Time (T1)	T × 0.5	When to start renewal
Rebinding Time (T2)	T × 0.875	When to start rebinding

The Lease State Machine:

                    ┌──────────────────────────────────────┐
                    │           DHCP Lease Timeline        │
                    └──────────────────────────────────────┘

    0%          50%                    87.5%              100%
    │────────────│──────────────────────│───────────────────│
    │            │                      │                   │
  Lease      Renewal               Rebinding           Expiration
  Start      (T1)                  (T2)                    
             ↓                      ↓                       ↓
         Try unicast            Broadcast              Lose IP
         to original            to any                 address
         server                 server

Renewal (at T1):

Client sends REQUEST unicast to original server (ciaddr filled with current IP)
If server responds with ACK, lease is extended
If no response, retry with exponential backoff until T2

Rebinding (at T2):

Original server unreachable; client sends REQUEST broadcast
Any DHCP server can respond and extend the lease
This provides fault tolerance if original server fails

Expiration:

If T2 passes without successful renewal, client must stop using the IP
Client returns to DISCOVER state
Applications see this as network disconnection

Lease Best Practices

•Desktop/Server Networks: Long leases (24-48 hours) reduce DHCP traffic and provide stability.
•Guest/WiFi Networks: Short leases (1-4 hours) recover addresses quickly from transient devices.
•High-Mobility Environments: Very short leases (15-30 minutes) in airports, cafes.
•Address Pool Sizing: Pool should be ≥2× expected concurrent devices to handle renewals.
•Reservation for Servers: Use DHCP reservations (static assignments by MAC) for servers/printers.

DHCPINFORM: Configuration Without Lease

DHCP Relay Agents: Spanning Broadcast Boundaries

The Problem:

Subnet A (10.1.1.0/24)           Subnet B (10.2.2.0/24)
     [Client]                         [DHCP Server]
         ↓                                  ↑
    DISCOVER                             How does
   (broadcast)                          this reach
         ↓                              the server?
    [Router]  ←── broadcasts don't cross ──→

The Solution: Relay Agent

The router can act as a DHCP Relay Agent, configured with the IP address of the DHCP server. When it receives a DHCP broadcast, it:

Converts it to a unicast packet addressed to the server
Fills in the Gateway IP Address (giaddr) field with its own interface IP
Forwards the packet to the server
The server uses giaddr to determine which pool to allocate from
Server responds to the relay agent, which broadcasts to the client

Converting Mermaid diagram...

Key giaddr Behaviors:

Scenario	giaddr Value	Server Action
Direct client (same subnet)	0.0.0.0	Use listening interface's subnet
Relayed from 10.1.1.1	10.1.1.1	Allocate from 10.1.1.0/24 pool
Relayed from 10.3.3.1	10.3.3.1	Allocate from 10.3.3.0/24 pool

Relay Agent Information Option (Option 82):

RFC 3046 introduced Option 82, allowing relays to insert additional information:

Circuit ID: Identifies the circuit (VLAN, port) the request came from
Remote ID: Identifies the remote access device (switch ID)

This enables per-port/per-VLAN policies and helps with security auditing.

Multiple DHCP Servers

DHCP Security: Threats and Protections

DHCP's broadcast-based, unauthenticated nature makes it vulnerable to several attacks. Understanding these threats is essential for securing enterprise networks.

Core Vulnerabilities:

DHCP has no built-in authentication mechanism. Any device can:

Send DHCP requests (legitimate or malicious)
Send DHCP responses (rogue servers)
Observe all DHCP traffic (broadcasts are visible to all)

DHCP Security Threats
Threat	Attack Vector	Impact	Mitigation
Rogue DHCP Server	Attacker runs unauthorized DHCP server	Clients receive malicious configuration (wrong gateway/DNS)	DHCP Snooping on switches
DHCP Starvation	Attacker sends many DISCOVERs with spoofed MACs	Server pool exhausted, DoS for legitimate clients	Port security, rate limiting
DHCP Spoofing	Attacker races to respond before legitimate server	MITM via attacker-controlled default gateway	DHCP Snooping, 802.1X
Information Disclosure	Attacker captures DHCP traffic	Learns network topology, addressing scheme	Network segmentation, encryption
Client Impersonation	Attacker uses stolen MAC address	Obtains IP reserved for another device	802.1X, MAC authentication

DHCP Snooping: The Primary Defense

DHCP Snooping is a switch feature that:

Classifies ports as TRUSTED or UNTRUSTED
- Trusted: Ports connected to legitimate DHCP servers or uplinks
- Untrusted: Ports connected to clients
Blocks DHCP server messages on untrusted ports
- OFFER, ACK, NAK from untrusted ports are dropped
- Only trusted ports can send server messages
Builds a binding table
- Records MAC ↔ IP mappings from observed DHCP transactions
- Can be used by Dynamic ARP Inspection (DAI) and IP Source Guard

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10,20
Switch(config)# interface gi0/1
Switch(config-if)# ip dhcp snooping trust   (uplink to server)
Switch(config)# interface range gi0/2-48
Switch(config-if)# ip dhcp snooping limit rate 10  (client ports)

Defense in Depth

Practical DHCP Analysis and Troubleshooting

Understanding DHCP at a practical level requires hands-on experience with client commands and packet analysis.

Client Commands:

DHCP Client Commands
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# View current DHCP lease information
ipconfig /all
 
# Release current DHCP lease
ipconfig /release
 
# Request new DHCP lease
ipconfig /renew
 
# Release and renew specific adapter
ipconfig /release "Wi-Fi"
ipconfig /renew "Wi-Fi"
 
# Clear DNS cache (often needed after DHCP changes)
ipconfig /flushdns
 
# View DHCP lease details in PowerShell
Get-NetIPConfiguration | Where-Object {$_.NetAdapter.Status -eq "Up"}
Get-DhcpServerv4Lease -ScopeId 192.168.1.0 # Server-side

Common DHCP Problems and Solutions:

Symptom	Possible Cause	Diagnostic	Solution
169.254.x.x address	No DHCP response	Check server reachability, relay config	Verify server is running, check firewalls
Slow lease acquisition	Rogue DHCP server responding	Wireshark capture of OFFER sources	Enable DHCP Snooping
Duplicate IP conflict	Pool overlap, static conflict	Check server pools, ARP tables	Audit address assignments
Lease not renewing	Server unreachable at T1	Ping server from client subnet	Check routing, firewall rules
Wrong DNS/gateway	Server misconfiguration	Check Option 3, 6 in lease	Correct server-side options

Wireshark DHCP Analysis

Summary: DHCP as a Critical UDP Service

DHCP demonstrates another essential use case for UDP—one where UDP isn't just preferred but required. Let's consolidate the key insights:

Key Takeaways

•DHCP solves the bootstrap problem: Clients need network configuration but can't communicate without it. UDP's broadcast capability and connectionless nature make configuration possible before IP assignment.
•DHCP must use UDP: TCP requires both endpoints to have IP addresses for the three-way handshake. Since DHCP clients have no IP, TCP is impossible—UDP with broadcasts is the only option.
•The DORA process handles multiple servers: DISCOVER (broadcast request), OFFER (server proposal), REQUEST (client acceptance), ACK (server confirmation) enables client choice among competing servers.
•Leases enable efficient address utilization: Addresses are temporarily assigned with renewal (T1), rebinding (T2), and expiration timers ensuring addresses return to the pool when devices leave.
•Relay agents span broadcast boundaries: Routers configured as DHCP relays convert broadcasts to unicasts, enabling centralized DHCP servers to serve multiple subnets via the giaddr field.
•Security requires infrastructure support: DHCP's lack of authentication necessitates switch-level protections like DHCP Snooping, rate limiting, and 802.1X to prevent rogue servers and starvation attacks.

DHCP vs. DNS: Two UDP Protocol Patterns:

Aspect	DNS	DHCP
UDP Choice	Optimization (TCP possible)	Necessity (TCP impossible)
Communication	Unicast preferred	Broadcast required
Message Pattern	Simple query/response	Four-message transaction
State	Stateless (caching aside)	Stateful (lease database)
Scale	Global, hierarchical	Local, flat

Next up: We'll examine SNMP (Simple Network Management Protocol), which uses UDP for network monitoring and management—another domain where UDP's efficiency shines.

Page Complete