New Member
Posts: 18
Registered: 10-19-2017
Kudos: 4

Re: DHCP Option 82

[ Edited ]

Bingo! NVX is correct about my question. After messing around with it a bit, though, where I did actually have some fully-AC sectors deployed, I was able to answer my own question.

 

For anyone reading this thread and wanting to know how the feature operates, here's what I've found:

 

The Option 82 feature causes the radio running it to intercept DHCP requests and send them as DHCP relay requests, with Option 82 being filled in as the ASCII-encoded MAC address of the device performing the relay.

 

So in other words, if you want to control DHCP based on individual subscribers' radios, then you should use Option 82 functionality on the stations. If you want to make decisions based on the wireless sector, then you should use it on the AP.

 

Another note for those reading along - if the option is active on both the AP and the station, then the station's Option-82 data is simply passed along by the AP - i.e. the MAC in the Agent-Circuit-ID field will be the station's, not the AP's.

 

One final note is that when it was active on both APs and Stations throughout the sector, I found that there was a bit of "ping pong" chain reaction going on, because the stations started trying to snoop against the relayed DHCP discover requests from each other. When I disabled it on the AP (and with client isolation enabled) I do not see this behavior. I also have layer 2 isolation between the APs as well, so it's possible that a flat, normal broadcast domain may get some strange ping-pong behavior if it's just turned on everywhere.

 

My testbed is actually a production sector, so I can't fiddle with it too much, but I do have some test radios on order to do more intensive scrutiny in a controlled lab environment.

 

Thoughts for Ubiquiti, as this feature is "Beta" status:

 

One thought for Ubiquiti: If these DHCP requests do bounce around repeatedly between the radios under certain circumstances, perhaps it would be beneficial to have a DHCP snooping option to block / ignore / pass through un-modified certain interfaces. In other words, it would be nice if a client's radio would ignore DHCP discover messages on the wireless interface, while the AP could be configured to ignore them on the ethernet interface.

 

Another thought - I don't know how difficult it would be to extend this feature to include the ability to administratively set a limit as to how many IP addresses the DHCP relay will allow. So if the customers behind the stations are required to use DHCP to get a dynamic IP address on their routers, it would be good to limit each one to some number of addresses, even just one - so that customers couldn't plug their LAN directly into the radio (intentionally or by mistake) and receive lots of IP addresses.

Veteran Member
Posts: 5,443
Registered: 03-12-2011
Kudos: 2738
Solutions: 129

Re: DHCP Option 82


@ZeroByte wrote:

 

So in other words, if you want to control DHCP based on individual subscribers' radios, then you should use Option 82 functionality on the stations. If you want to make decisions based on the wireless sector, then you should use it on the AP.


So this is disappointing from a security perspective since it's putting the trust on CPE devices rather than at the AP.

 


@ZeroByte wrote:

 

Another note for those reading along - if the option is active on both the AP and the station, then the station's Option-82 data is simply passed along by the AP - i.e. the MAC in the Agent-Circuit-ID field will be the station's, not the AP's.


This is even more concerning; my takeaway from this is that if you had it enabled on the STA and a malicious user sent a DHCP packet that already had Option 82 set, the STA would let that pass as well.

 

From a quick play it also seems like it applies to whatever network is set as management, which seems kinda backwards. Being able to specify which bridge interface(s) it should apply to would be ideal (e.g., move the option from management into bridge settings next to STP/etc).

New Member
Posts: 18
Registered: 10-19-2017
Kudos: 4

Re: DHCP Option 82


NVX wrote:

So this is disappointing from a security perspective since it's putting the trust on CPE devices rather than at the AP.

 ...

 

This is even more concerning; my takeaway from this is that if you had it enabled on the STA and a malicious user sent a DHCP packet that already had Option 82 set, the STA would let that pass as well.

 

From a quick play it also seems like it applies to whatever network is set as management, which seems kinda backwards. Being able to specify which bridge interface(s) it should apply to would be ideal (e.g., move the option from management into bridge settings next to STP/etc).


1- I've never deployed any option82-aware infrastructure, so this is all new to me, but my initial thought was that the AP made the most sense as the DHCP snooping point as well - I'd somewhat expected it to insert the STA's MAC as the circuit ID. Glad to see I wasn't alone in this regard. Plus it makes deployment of CPE have one less critical variable to configure - thus fewer mistakes by techs / jr NOC provisioners.

 

2- I hadn't thought of that contingency. Unfortunately I'll have to wait for my lab to arrive before I can test this, but given that the same hardware and OS is either the AP or the STA, I'm 99.99% certain that this behavior will be the case.

 

3- I'll add VLANs to my lab environment just to see whether it applies to any one in particular, or to all of them. I'd assume all of them, which is fine since if I decide to use DHCP for STA's mgt addressing, I don't actually have to use Option82 information. Although it could be nice to have a centralized DHCP server and apply certain IP pools to certain APs based on it...

Veteran Member
Posts: 5,443
Registered: 03-12-2011
Kudos: 2738
Solutions: 129

Re: DHCP Option 82

Worth noting there are actually multiple components of Option 82.

 

The Circuit ID, which is intended to be the interface/VLAN - in this instance having the SSID and/or AP MAC address makes the most sense, I think.

 

The Remote ID is meant to be the user name/caller ID/modem ID - this would make most sense being the STA MAC address (and/or username when WPA-EAP is in use).

 

I've not had a chance to play with it yet, but having the AP make use of both fields and filling them appropriately would be the best outcome.
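The Option 82 mechanics discussed in this thread, as an added example that is not Ubiquiti's code and does not reproduce the airMAX implementation: ZeroByte's account of the relay filling in an ASCII-encoded MAC, NVX's split of the option into Agent Circuit ID (sub-option 1, the AP side) and Agent Remote ID (sub-option 2, the station side), and the concern about a customer device sending a DHCP packet that already carries Option 82. The option and sub-option codes and the "drop if an untrusted circuit already supplied Option 82" rule come from RFC 3046; the MAC addresses and the DHCPDISCOVER options field are constructed sample data, and all function names are this example's own.

```python
"""DHCP Option 82 (Relay Agent Information, RFC 3046): encode, decode, police.

Added example for this thread, not Ubiquiti's code. It models sub-option 1
(Agent Circuit ID) carrying the AP MAC and sub-option 2 (Agent Remote ID)
carrying the station MAC, plus two defender-side checks:
  * relay side: a client-originated packet from an untrusted circuit that
    already carries Option 82 is dropped, not forwarded (RFC 3046 s2.1);
  * server side: Option 82 is honoured only when its Circuit ID names a
    known AP, so trust rests on the AP rather than on the CPE.
"""

OPTION_RELAY_AGENT_INFO = 82
OPTION_END = 255
OPTION_PAD = 0
SUBOPT_CIRCUIT_ID = 1   # RFC 3046: Agent Circuit ID
SUBOPT_REMOTE_ID = 2    # RFC 3046: Agent Remote ID


def mac_to_bytes(mac: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return raw


def bytes_to_mac(raw: bytes) -> str:
    """6 raw bytes -> '00:11:22:33:44:55'."""
    return ":".join(f"{b:02x}" for b in raw)


def agent_id(mac: str, ascii_form: bool) -> bytes:
    """Encode a MAC as a sub-option value: the ASCII text the thread reports
    seeing, or the compact 6-byte form."""
    return mac.encode("ascii") if ascii_form else mac_to_bytes(mac)


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Full option TLV: code 82, one-octet length, then the sub-option TLVs."""
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    if len(body) > 255:
        raise ValueError("Option 82 body does not fit a one-octet length")
    return bytes([OPTION_RELAY_AGENT_INFO, len(body)]) + body


def parse_options(options: bytes) -> dict:
    """Parse a DHCP options field (bytes after the magic cookie) into
    {code: value}. Pad is skipped, End stops parsing, truncation is an error."""
    out, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        out[code] = value
        i += 2 + length
    return out


def parse_option82(value: bytes) -> dict:
    """Split the Option 82 payload into {sub-option code: value}."""
    subs, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option header")
        sub, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"truncated sub-option {sub}")
        subs[sub] = data
        i += 2 + length
    return subs


def decode_agent_id(data: bytes) -> str:
    """Render a sub-option value as a MAC string. Heuristic: exactly 6 bytes
    is a raw MAC, anything else is taken as ASCII text."""
    if len(data) == 6:
        return bytes_to_mac(data)
    return data.decode("ascii", errors="replace").lower()


def relay_decision(options: bytes, from_trusted_circuit: bool) -> str:
    """Relay policy for a client-originated packet (RFC 3046 s2.1): 'drop' if
    an untrusted circuit already supplied Option 82, 'pass-through' if a
    trusted downstream relay supplied it, otherwise 'insert' our own."""
    has_82 = OPTION_RELAY_AGENT_INFO in parse_options(options)
    if has_82 and not from_trusted_circuit:
        return "drop"
    return "pass-through" if has_82 else "insert"


def server_accepts(subs: dict, known_ap_macs: set) -> bool:
    """Server policy: honour Option 82 only if the Circuit ID is one of our
    own APs, so a CPE cannot claim a sector it is not attached to."""
    circuit = subs.get(SUBOPT_CIRCUIT_ID)
    return circuit is not None and decode_agent_id(circuit) in known_ap_macs


# Constructed sample: DHCPDISCOVER options field (message type 53 = 1) as
# relayed by AP 00:11:22:33:44:55 for station aa:bb:cc:dd:ee:ff.
AP_MAC, STA_MAC = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
SAMPLE_DISCOVER = (bytes([53, 1, 1])
                   + build_option82(agent_id(AP_MAC, True), agent_id(STA_MAC, False))
                   + bytes([OPTION_END]))

if __name__ == "__main__":
    subs = parse_option82(parse_options(SAMPLE_DISCOVER)[OPTION_RELAY_AGENT_INFO])
    print("circuit id:", decode_agent_id(subs[SUBOPT_CIRCUIT_ID]))
    print("remote id: ", decode_agent_id(subs[SUBOPT_REMOTE_ID]))
    print("pre-set Option 82 from customer side:", relay_decision(SAMPLE_DISCOVER, False))
    print("server accepts:", server_accepts(subs, {AP_MAC}))
```

In this model, the AP behaviour ZeroByte observed (passing a station's Option 82 along unchanged) corresponds to treating the wireless side as a trusted circuit, while the hole NVX raises is a station treating its customer-facing Ethernet port the same way; `relay_decision` returns `"drop"` for that case, which is the RFC 3046 default for an untrusted circuit. `server_accepts` is the complementary check at the DHCP server: a Circuit ID that is not one of your own APs is not used for pool selection.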

Emerging Member
Posts: 43
Registered: 10-23-2013
Kudos: 18

Re: DHCP Option 82

[ Edited ]

I agree completely. @NVX

 

This is how other vendors have implemented Option 82 in the wireless world, it works well. 

Regular Member
Posts: 481
Registered: 07-08-2013
Kudos: 95
Solutions: 3

Re: DHCP Option 82

Still no option 82 for M series radios?

Regular Member
Posts: 481
Registered: 09-16-2013
Kudos: 154
Solutions: 14

Re: DHCP Option 82

Agree with @NVX as well. This really should be implemented in the AC series AP, which kills multiple birds with one stone (including the M-series Option82 issue).

Ubiquiti Employee
Posts: 11,334
Registered: 04-14-2017
Kudos: 2100
Solutions: 324

Re: DHCP Option 82

There have been discussions internally on how to improve our option 82 implementation which I will give an update on when we are ready.

Emerging Member
Posts: 43
Registered: 10-23-2013
Kudos: 18

Re: DHCP Option 82

'soon.....'

 

Maybe time for another webpage

Ubiquiti Employee
Posts: 11,334
Registered: 04-14-2017
Kudos: 2100
Solutions: 324

Re: DHCP Option 82

What I can say at this point is option 82 improvements are scheduled for release v8.5.9, and we are fleshing them out currently.

Regular Member
Posts: 481
Registered: 09-16-2013
Kudos: 154
Solutions: 14

Re: DHCP Option 82

Hi @UBNT-SNK ! I see 8.5.11 RC just came out, with no mention of Option 82 improvements.

 

Since 8.5.9 was skipped, can we please have an update? Thanks!

Ubiquiti Employee
Posts: 11,334
Registered: 04-14-2017
Kudos: 2100
Solutions: 324

Re: DHCP Option 82

@UBNT-Dalia can you post the release these Option 82 updates are scheduled for please?

Regular Member
Posts: 481
Registered: 09-16-2013
Kudos: 154
Solutions: 14

Re: DHCP Option 82

@UBNT-Dalia Is there a planned release for any of these option 82 improvements? 

 

As a refresher, I'm hoping for a solution that has the AP adding CPE info to DHCP requests from clients' routers that are on one VLAN, while the CPEs and AP are on another management VLAN.

Regular Member
Posts: 481
Registered: 09-16-2013
Kudos: 154
Solutions: 14

Re: DHCP Option 82

@UBNT-SNK Can you please let me know if there are still plans for improvements to the Option 82 feature?

 

Specifically I am curious if the AP will ever do the inserting of the Option 82 information, so that the DHCP request includes the Circuit ID (AP's MAC) and the Remote ID (CPE's MAC).

Emerging Member
Posts: 43
Registered: 10-23-2013
Kudos: 18

Re: DHCP Option 82

[ Edited ]

I've all but given up. There are better ways, and better things out there. Thanks for 'listening', @UBNT.

 

Ubiquiti Employee
Posts: 11,334
Registered: 04-14-2017
Kudos: 2100
Solutions: 324

Re: DHCP Option 82

Yes, these are still planned, but I cannot commit to a specific release at this time.

Regular Member
Posts: 481
Registered: 07-08-2013
Kudos: 95
Solutions: 3

Re: DHCP Option 82

I am happy to report that this works on Cambium.