Juniper JUNOSE SOFTWARE 11.0.X - BROADBAND ACCESS CONFIGURATION GUIDE 4-1-2010 Configuration Manual page 532

For e series broadband services routers - broadband access configuration

detect spoofed giaddrs. Also, DHCP relay does not detect spoofed relay agent option
values.

Spoofed giaddrs are a concern when the DHCP relay is used if the giaddr value in
received DHCP packets is different from the local IP address on which the DHCP
relay is accessed. In this situation, DHCP relay always honors the giaddr. To configure
DHCP relay to override all giaddrs (including valid giaddrs) that are received from
downstream network elements, use the set dhcp relay override command with the
giaddr keyword. DHCP relay then takes control of the client, adding its own giaddr
to the packets before forwarding the packets to the DHCP server.

Spoofed relay agent options are a concern if the giaddr is not null, or if it is null and
the DHCP relay is operating in the trust-all method. In these two situations, DHCP
relay always honors the relay agent option value in received DHCP packets.

To protect against spoofed giaddrs and relay agent option values:

host1(config)#set dhcp relay override agent-option

DHCP relay then overrides all relay agent option values that are received from
downstream network elements, performing one of the following actions:

- If the DHCP relay is configured to add relay agent option 82 to the packets,
  it clears the existing option 82 values and inserts the new values.
- If the DHCP relay is not configured to add relay agent option 82, it clears
  the existing option values but does not add any new values.

Using the Broadcast Flag Setting to Control Transmission of DHCP Reply Packets

Each DHCP request packet includes a broadcast flag that, if set, specifies how to
transmit DHCP Offer reply packets and DHCP ACK and NAK reply packets to DHCP
clients during the discovery process. To configure DHCP relay and DHCP relay proxy
to use the setting of the broadcast flag to control the transmission of DHCP Offer,
DHCP ACK, and DHCP NAK reply packets, use the set dhcp relay
broadcast-flag-replies command from Global Configuration mode.

When you issue the set dhcp relay broadcast-flag-replies command, the method
that DHCP relay and DHCP relay proxy use to transmit DHCP Offer reply packets
and ACK and NAK reply packets depends on whether the broadcast flag in the DHCP
request packet is set or not set, as follows:

- If the broadcast flag is set in the DHCP request packet, using the set dhcp relay
  broadcast-flag-replies command causes DHCP relay and DHCP relay proxy to
  broadcast DHCP reply packets to clients.
- If the broadcast flag is not set in the DHCP request packet, using the set dhcp
  relay broadcast-flag-replies command causes DHCP relay and DHCP relay proxy
  to use the layer 2 unicast transmission method to send DHCP reply packets using
  the client's layer 2 (MAC) address and layer 3 (IP) unicast address.

There are exceptions to this behavior for DHCP relay proxy when the DHCP client
is already bound to an IP address or is renewing the lease on its IP address. For
information, see "Behavior for Bound Clients and Address Renewals" on page 514.
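
The following Python sketch is an added example, not code from the JunosE documentation or software. It parses a raw DHCP message and applies the rules stated above to report which downstream-supplied values DHCP relay would honor under a given override configuration, and which reply transmission method applies when broadcast-flag-replies is configured. The function names, the relay address used when calling it and the sample messages are constructed for illustration; the DHCP relay proxy exceptions for bound clients are not modeled.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"  # magic cookie that precedes the DHCP options

def parse(pkt):
    """Return (broadcast flag, giaddr, option 82 bytes or None) from a raw message."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    flags, = struct.unpack_from("!H", pkt, 10)       # bit 15 = broadcast flag
    giaddr = ipaddress.IPv4Address(pkt[24:28])       # giaddr sits at offset 24
    opt82, i = None, 240
    while i < len(pkt) and pkt[i] != 255:            # 255 = end option
        if pkt[i] == 0:                              # 0 = pad, has no length byte
            i += 1
            continue
        if i + 2 > len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        if pkt[i] == 82:                             # relay agent information
            opt82 = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    return bool(flags & 0x8000), giaddr, opt82

def downstream_trusted(pkt, local_ip, override_giaddr=False,
                       override_agent_option=False, trust_all=False):
    """Hypothetical audit helper: fields the relay would honor as received."""
    _, giaddr, opt82 = parse(pkt)
    null = int(giaddr) == 0
    trusted = []
    if not null and giaddr != ipaddress.IPv4Address(local_ip) and not override_giaddr:
        trusted.append("giaddr")                     # differs from local IP, honored
    if opt82 is not None and not override_agent_option and (not null or trust_all):
        trusted.append("option82")                   # honored in both stated cases
    return trusted

def reply_method(pkt):
    """Reply transmission when broadcast-flag-replies is configured."""
    return "broadcast" if parse(pkt)[0] else "l2-unicast"

def sample(giaddr, broadcast, opt82=b""):
    """Constructed test message: zeroed BOOTP header plus a few options."""
    hdr = bytearray(236)
    hdr[0] = 1                                       # op = BOOTREQUEST
    struct.pack_into("!H", hdr, 10, 0x8000 if broadcast else 0)
    hdr[24:28] = ipaddress.IPv4Address(giaddr).packed
    opts = b"\x35\x01\x01"                           # option 53: DHCPDISCOVER
    if opt82:
        opts += bytes([82, len(opt82)]) + opt82
    return bytes(hdr) + MAGIC + opts + b"\xff"
```

An empty result from downstream_trusted means that, under the rules on this page, no giaddr or option 82 value supplied by a downstream element reaches the DHCP server unchanged.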
