BOOTP packets blocked while DHCP packets are accepted












1















We have an IP system that makes use of BOOTP for updating our embedded devices over IP. The main app uses DHCP for its IP configuration.



Our devices are usually on the network of the customer, the customer manages the network infrastructure. We provide a server machine that hosts a DHCP and BOOTP server, thus our ownership.
Till recently we never had any issues. There's one customer where BOOTP communication doesn't work while DHPC is working perfectly between same endpoints. I wiresharked the interface of our server machine: BOOTP- packet isn't received. This while DHCP- is coming in OK.
Both packets have ethernet-destination broadcast. Bot UDP on destination port 67. No firewall on our server machine. In fact DHCP is an extension of BOOTP.



If I tell this to the customer that I think their equipment is probably blocking this, I get a negative response. In my opinion there must be something - I believe a managed switch - that blocks this BOOTP packet. Does someone has any tips:




  1. Is it a common practice to block BOOTP on a managed enterprise network?

  2. How defend/elaborate this towards the customer in order to make him take (more) actions. Can I push him in the right direction, what to verify?

  3. Any other remarks suggestions, experiences...






networking dhcp tcpip infrastructure







share|improve this question

























  • network boot does offer the ability to bypass some enterprise security controls, by booting from an potentially unknown or unblessed image, so yes, many orgs that don't use network boot functionality might do well to disable it.

    – Frank Thomas
    Jan 14 '14 at 12:47











  • If your server isn't on the same IP network as your customers, then your server is only receiving DHCP because they had to specifically configure a 'helper ip address' on a router or host's network interface that is a member of the broadcast domain, such that when an unconfigured system sends a BOOTP/DHCP DISCOVER to the broadcast, the router(usually) can proxy that packet to the remote DHCP server, and broker the DISCOVER/OFFER/REQUEST/ACK transaction: The booting host won't have an IP address to be able to communicate with a remote server until the transaction's completed. ...cont...

    – Nevin Williams
    Mar 12 '14 at 1:30











  • If your customer is in charge of the network, then the onus is on them to have the helper IP proxy service configured properly. As I understand, you're able to process DHCP from the same physical network that you're not getting bootp DISCOVERs. The UDP transaction for DHCP is the same as for bootp, except DHCP packets have extra fields, and thus, are larger. Only a device that's processing packet contents could tell what's BOOTP or DHCP, which implies the router doing the helper-ip proxy for DHCP needs to be told to also do so for BOOTP, or there's a firewall with a DENY Bootp rule.

    – Nevin Williams
    Mar 12 '14 at 1:50
















1















We have an IP system that makes use of BOOTP for updating our embedded devices over IP. The main app uses DHCP for its IP configuration.



Our devices are usually on the network of the customer, the customer manages the network infrastructure. We provide a server machine that hosts a DHCP and BOOTP server, thus our ownership.
Till recently we never had any issues. There's one customer where BOOTP communication doesn't work while DHPC is working perfectly between same endpoints. I wiresharked the interface of our server machine: BOOTP- packet isn't received. This while DHCP- is coming in OK.
Both packets have ethernet-destination broadcast. Bot UDP on destination port 67. No firewall on our server machine. In fact DHCP is an extension of BOOTP.



If I tell this to the customer that I think their equipment is probably blocking this, I get a negative response. In my opinion there must be something - I believe a managed switch - that blocks this BOOTP packet. Does someone has any tips:




  1. Is it a common practice to block BOOTP on a managed enterprise network?

  2. How defend/elaborate this towards the customer in order to make him take (more) actions. Can I push him in the right direction, what to verify?

  3. Any other remarks suggestions, experiences...






networking dhcp tcpip infrastructure







share|improve this question

























  • network boot does offer the ability to bypass some enterprise security controls, by booting from an potentially unknown or unblessed image, so yes, many orgs that don't use network boot functionality might do well to disable it.

    – Frank Thomas
    Jan 14 '14 at 12:47











  • If your server isn't on the same IP network as your customers, then your server is only receiving DHCP because they had to specifically configure a 'helper ip address' on a router or host's network interface that is a member of the broadcast domain, such that when an unconfigured system sends a BOOTP/DHCP DISCOVER to the broadcast, the router(usually) can proxy that packet to the remote DHCP server, and broker the DISCOVER/OFFER/REQUEST/ACK transaction: The booting host won't have an IP address to be able to communicate with a remote server until the transaction's completed. ...cont...

    – Nevin Williams
    Mar 12 '14 at 1:30











  • If your customer is in charge of the network, then the onus is on them to have the helper IP proxy service configured properly. As I understand, you're able to process DHCP from the same physical network that you're not getting bootp DISCOVERs. The UDP transaction for DHCP is the same as for bootp, except DHCP packets have extra fields, and thus, are larger. Only a device that's processing packet contents could tell what's BOOTP or DHCP, which implies the router doing the helper-ip proxy for DHCP needs to be told to also do so for BOOTP, or there's a firewall with a DENY Bootp rule.

    – Nevin Williams
    Mar 12 '14 at 1:50














1












1








1








We have an IP system that makes use of BOOTP for updating our embedded devices over IP. The main app uses DHCP for its IP configuration.



Our devices are usually on the network of the customer, the customer manages the network infrastructure. We provide a server machine that hosts a DHCP and BOOTP server, thus our ownership.
Till recently we never had any issues. There's one customer where BOOTP communication doesn't work while DHPC is working perfectly between same endpoints. I wiresharked the interface of our server machine: BOOTP- packet isn't received. This while DHCP- is coming in OK.
Both packets have ethernet-destination broadcast. Bot UDP on destination port 67. No firewall on our server machine. In fact DHCP is an extension of BOOTP.



If I tell this to the customer that I think their equipment is probably blocking this, I get a negative response. In my opinion there must be something - I believe a managed switch - that blocks this BOOTP packet. Does someone has any tips:




  1. Is it a common practice to block BOOTP on a managed enterprise network?

  2. How defend/elaborate this towards the customer in order to make him take (more) actions. Can I push him in the right direction, what to verify?

  3. Any other remarks suggestions, experiences...






networking dhcp tcpip infrastructure







share|improve this question
















We have an IP system that makes use of BOOTP for updating our embedded devices over IP. The main app uses DHCP for its IP configuration.



Our devices are usually on the network of the customer, the customer manages the network infrastructure. We provide a server machine that hosts a DHCP and BOOTP server, thus our ownership.
Till recently we never had any issues. There's one customer where BOOTP communication doesn't work while DHPC is working perfectly between same endpoints. I wiresharked the interface of our server machine: BOOTP- packet isn't received. This while DHCP- is coming in OK.
Both packets have ethernet-destination broadcast. Bot UDP on destination port 67. No firewall on our server machine. In fact DHCP is an extension of BOOTP.



If I tell this to the customer that I think their equipment is probably blocking this, I get a negative response. In my opinion there must be something - I believe a managed switch - that blocks this BOOTP packet. Does someone has any tips:




  1. Is it a common practice to block BOOTP on a managed enterprise network?

  2. How defend/elaborate this towards the customer in order to make him take (more) actions. Can I push him in the right direction, what to verify?

  3. Any other remarks suggestions, experiences...






networking dhcp tcpip infrastructure




networking dhcp tcpip infrastructure






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jan 30 at 22:44









Flux

1145




1145










asked Jan 14 '14 at 11:16









Nick VNick V

1084




1084













  • network boot does offer the ability to bypass some enterprise security controls, by booting from an potentially unknown or unblessed image, so yes, many orgs that don't use network boot functionality might do well to disable it.

    – Frank Thomas
    Jan 14 '14 at 12:47











  • If your server isn't on the same IP network as your customers, then your server is only receiving DHCP because they had to specifically configure a 'helper ip address' on a router or host's network interface that is a member of the broadcast domain, such that when an unconfigured system sends a BOOTP/DHCP DISCOVER to the broadcast, the router(usually) can proxy that packet to the remote DHCP server, and broker the DISCOVER/OFFER/REQUEST/ACK transaction: The booting host won't have an IP address to be able to communicate with a remote server until the transaction's completed. ...cont...

    – Nevin Williams
    Mar 12 '14 at 1:30











  • If your customer is in charge of the network, then the onus is on them to have the helper IP proxy service configured properly. As I understand, you're able to process DHCP from the same physical network that you're not getting bootp DISCOVERs. The UDP transaction for DHCP is the same as for bootp, except DHCP packets have extra fields, and thus, are larger. Only a device that's processing packet contents could tell what's BOOTP or DHCP, which implies the router doing the helper-ip proxy for DHCP needs to be told to also do so for BOOTP, or there's a firewall with a DENY Bootp rule.

    – Nevin Williams
    Mar 12 '14 at 1:50



















  • network boot does offer the ability to bypass some enterprise security controls, by booting from an potentially unknown or unblessed image, so yes, many orgs that don't use network boot functionality might do well to disable it.

    – Frank Thomas
    Jan 14 '14 at 12:47











  • If your server isn't on the same IP network as your customers, then your server is only receiving DHCP because they had to specifically configure a 'helper ip address' on a router or host's network interface that is a member of the broadcast domain, such that when an unconfigured system sends a BOOTP/DHCP DISCOVER to the broadcast, the router(usually) can proxy that packet to the remote DHCP server, and broker the DISCOVER/OFFER/REQUEST/ACK transaction: The booting host won't have an IP address to be able to communicate with a remote server until the transaction's completed. ...cont...

    – Nevin Williams
    Mar 12 '14 at 1:30











  • If your customer is in charge of the network, then the onus is on them to have the helper IP proxy service configured properly. As I understand, you're able to process DHCP from the same physical network that you're not getting bootp DISCOVERs. The UDP transaction for DHCP is the same as for bootp, except DHCP packets have extra fields, and thus, are larger. Only a device that's processing packet contents could tell what's BOOTP or DHCP, which implies the router doing the helper-ip proxy for DHCP needs to be told to also do so for BOOTP, or there's a firewall with a DENY Bootp rule.

    – Nevin Williams
    Mar 12 '14 at 1:50

















network boot does offer the ability to bypass some enterprise security controls, by booting from an potentially unknown or unblessed image, so yes, many orgs that don't use network boot functionality might do well to disable it.

– Frank Thomas
Jan 14 '14 at 12:47





network boot does offer the ability to bypass some enterprise security controls, by booting from an potentially unknown or unblessed image, so yes, many orgs that don't use network boot functionality might do well to disable it.

– Frank Thomas
Jan 14 '14 at 12:47













If your server isn't on the same IP network as your customers, then your server is only receiving DHCP because they had to specifically configure a 'helper ip address' on a router or host's network interface that is a member of the broadcast domain, such that when an unconfigured system sends a BOOTP/DHCP DISCOVER to the broadcast, the router(usually) can proxy that packet to the remote DHCP server, and broker the DISCOVER/OFFER/REQUEST/ACK transaction: The booting host won't have an IP address to be able to communicate with a remote server until the transaction's completed. ...cont...

– Nevin Williams
Mar 12 '14 at 1:30





If your server isn't on the same IP network as your customers, then your server is only receiving DHCP because they had to specifically configure a 'helper ip address' on a router or host's network interface that is a member of the broadcast domain, such that when an unconfigured system sends a BOOTP/DHCP DISCOVER to the broadcast, the router(usually) can proxy that packet to the remote DHCP server, and broker the DISCOVER/OFFER/REQUEST/ACK transaction: The booting host won't have an IP address to be able to communicate with a remote server until the transaction's completed. ...cont...

– Nevin Williams
Mar 12 '14 at 1:30













If your customer is in charge of the network, then the onus is on them to have the helper IP proxy service configured properly. As I understand, you're able to process DHCP from the same physical network that you're not getting bootp DISCOVERs. The UDP transaction for DHCP is the same as for bootp, except DHCP packets have extra fields, and thus, are larger. Only a device that's processing packet contents could tell what's BOOTP or DHCP, which implies the router doing the helper-ip proxy for DHCP needs to be told to also do so for BOOTP, or there's a firewall with a DENY Bootp rule.

– Nevin Williams
Mar 12 '14 at 1:50





If your customer is in charge of the network, then the onus is on them to have the helper IP proxy service configured properly. As I understand, you're able to process DHCP from the same physical network that you're not getting bootp DISCOVERs. The UDP transaction for DHCP is the same as for bootp, except DHCP packets have extra fields, and thus, are larger. Only a device that's processing packet contents could tell what's BOOTP or DHCP, which implies the router doing the helper-ip proxy for DHCP needs to be told to also do so for BOOTP, or there's a firewall with a DENY Bootp rule.

– Nevin Williams
Mar 12 '14 at 1:50










0






active

oldest

votes












Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f701461%2fbootp-packets-blocked-while-dhcp-packets-are-accepted%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes
















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f701461%2fbootp-packets-blocked-while-dhcp-packets-are-accepted%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Plaza Victoria

Image
Plaza Victoria Plaza Victoria en 2017 Otros nombres Plaza de La Victoria Localización El Almendral, Valparaíso, Chile Vías adyacentes Chacabuco, Molina, Plaza Victoria y Edwards Creación 1841 Metro Bellavista Ubicación 33°02′46″S 71°37′11″O  /  -33.04624167, -71.61980833 Coordenadas: 33°02′46″S 71°37′11″O  /  -33.04624167, -71.61980833 [editar datos en Wikidata] La Plaza Victoria , también llamada Plaza de la Victoria , [ 1 ] ​ es una plaza ubicada en el sector El Almendral del plan de la ciudad de Valparaíso, Chile, de importancia patrimonial, que incluye valiosas estatuas y especies vegetales. [ 2 ] ​ La plaza se creó como tal en la primera mitad del siglo XIX, tomando previamente los nombres de Plaza Nueva y Plaza de Orrego . Si bien desde sus inicios tuvo relevancia histórica, no fue sino a partir de fines de los años 1860 cuando comenzó a cobrar mayor importancia y se convirtió en uno de los principales centros sociales de l...
Read more

Brian Clough

Image
Brian Clough Datos personales Nombre completo Brian Howard Clough Apodo(s) Old Big 'Ead, Cloughie [ 1 ] ​ Nacimiento Middlesbrough, Inglaterra, Reino Unido 21 de marzo de 1935 Nacionalidad(es) Fallecimiento Derby, Reino Unido 20 de septiembre de 2004 (69 años) Altura 1,78 [ 1 ] ​ metros Carrera Deporte Fútbol Debut deportivo 1955 (Como jugador) 1965 (Como entrenador) (Middlesbrough F. C. (Como jugador) Hartlepool United F. C. (Como entrenador) ) Posición Delantero Goles en clubes 269 [ 2 ] ​ Retirada deportiva 1964 (Como jugador) 1993 (Como entrenador) (Sunderland A. F. C. (Como jugador) Nottingham Forest (Como entrenador) ) Carrera internacional Part. 2 [editar datos en Wikidata] Brian Howard Clough , OBE [ 3 ] ​ (Middlesbrough, Inglaterra, Reino Unido, 21 de marzo de 1935 – Derby, Inglaterra, Reino Unido, 20 de septiembre de 2004) fue un jugador y entrenador británico de fútbol. Es conocido por...
Read more

Cáceres

Image
Para otros usos de este término, véase Cáceres (desambiguación). Cáceres Municipio y ciudad Bandera Escudo Collage de Cáceres Cáceres Ubicación de Cáceres en España. Cáceres Ubicación de Cáceres en la provincia de Cáceres. País  España • Com. autónoma  Extremadura • Provincia  Cáceres • Partido judicial Cáceres Ubicación 39°28′23″N 6°22′16″O  /  39.473055555556, -6.3711111111111 Coordenadas: 39°28′23″N 6°22′16″O  /  39.473055555556, -6.3711111111111 • Altitud 457 [ 1 ] ​ msnm (mín.:211 [ 2 ] ​, máx.:708 [ 2 ] ​) Superficie 1750,33 km² Núcleos de población Cáceres Estación Arroyo-Malpartida Rincón de Ballesteros Valdesalor Fundación 34 a. C. Población 96 068 hab. (2018) • Densidad 54,8 hab./km² Gentilicio Cacereño/a [ 3 ] ​ Código postal 10001-10005, 10195 Alcaldesa (2015) María Elena Nevado del Campo [ 4 ] ​ Presupuesto 69.045.004€ [ 5 ] ​  (año ...
Read more