SRX Services Gateway
Super Contributor
Posts: 498
Registered: ‎03-29-2008

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client


WL wrote:
Hi folks,

Sorry, my mistake, the issue also exists from 11.2R1 onwards. The short-term workaround is that if you have DHCP client configured, IP spoofing should not be configured on the zone that the interface resides in. This is due to a change we had in behaviour which is checked in from 11.1R2, 11.3R1, 11.2R1.

The rationale behind this is that during the detection of IP spoofing, a route lookup has to be done for the source address. After the route lookup has been done, it will compare the input interface with the result of the route lookup. In the case of DHCP clients, it picks up the default route as discard and drops the packet as a spoofed packet. In previous releases, if the default route was matched, we allowed the traffic to pass without matching the input interface. So the spoofing check was incorrect in older releases.

We are still in discussion on this issue at the moment, as we understand that an exception has to be made for DHCP; will update more when more info is available.

WL, does this bug also affect the DHCP server part of the SRX (e.g. SRX serving IP addresses to clients) or only the DHCP client part?

 

We currently have an issue with two SRX DHCP servers (11.1) not working, so I am wondering if this might be related.

 

Thanks

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Trusted Expert
Posts: 791
Registered: ‎07-26-2008

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

It may affect the DHCP server portion as well, depending on what routes are configured on the SRX. The best way to confirm is actually to log the alerts from the screens:

 

set system syslog file screen any any

set system syslog file screen match SCREEN

 

Or you can also check if the screens have been triggered via:

show security screen statistics zone | match spoof

 

and check if counters increment when dhcp clients request IP address.

****pls click the button " Accept as Solution" if my post helped to solve your problem****
Super Contributor
Posts: 498
Registered: ‎03-29-2008

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

Just checked the screen statistics. IP spoofing has zero hits.
Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Trusted Expert
Posts: 791
Registered: ‎07-26-2008

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

Yea, then you have a different problem. Did you try to turn on the DHCP traceoptions to take a look?

set system services dhcp traceoptions flag all

set system services dhcp traceoptions file
****pls click the button " Accept as Solution" if my post helped to solve your problem****
Super Contributor
Posts: 498
Registered: ‎03-29-2008

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client


WL wrote:
Yea, then you have a different problem. Did you try to turn on the DHCP traceoptions to take a look?

set system services dhcp traceoptions flag all

set system services dhcp traceoptions file

yeah, we tried that already. In fact, we have a JTAC case open and they asked us to disable IP spoofing after I pointed them to this thread here :-)

 

Anyways, since this seems to be a different issue, I will take it elsewhere. Don't want to hijack this thread.

 

Cheers

Sascha

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Contributor
Posts: 40
Registered: ‎01-14-2009

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

I actually already tried a stateless firewall filter based on UDP port 67 or 68 (can't remember)... in any case it did not work. I assume because the spoofing screen inspects stateful and stateless traffic, which would make sense.

Super Contributor
Posts: 498
Registered: ‎03-29-2008

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client


cryptochrome wrote:

WL wrote:
Yea, then you have a different problem. Did you try to turn on the DHCP traceoptions to take a look?

set system services dhcp traceoptions flag all

set system services dhcp traceoptions file

yeah, we tried that already. In fact, we have a JTAC case open and they asked us to disable IP spoofing after I pointed them to this thread here :-)

 

Anyways, since this seems to be a different issue, I will take it elsewhere. Don't want to hijack this thread.

 

Cheers

Sascha


I might add: We just disabled IP spoofing and now the DHCP server is working. So even though there were no hits on the IP spoofing counter, it broke DHCP server.

 

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Super Contributor
Posts: 498
Registered: ‎03-29-2008

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

So when and in which version will we see a fix?
Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Contributor
Posts: 47
Registered: ‎09-27-2009

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client


It's disappointing to hear that for every 11.x release this year the problem has existed and that the only workaround is to disable the spoof protection or custom-configure a stateless filter. Would it be possible to create a separate spoofing filter that allowed broadcasts?

Trusted Expert
Posts: 791
Registered: ‎07-26-2008

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

Actually I am not quite sure if my previous post explained it clearly.

 

The reason why DHCP worked earlier is because ip spoofing was not working correctly! In the past ip spoofing was actually not comparing the input and output interfaces when addresses matched the default route!

 

So we fixed this behaviour and, as a result, it's affecting the DHCP traffic now.

 

IMHO, I don't think we need the spoofing check for DHCP packets on interfaces that require DHCP, since DHCP is required for the interface.

 

That's why I thought my previous post, to use the firewall filter with packet-based processing specifically for DHCP packets, is a better solution than deactivating spoofing altogether. Has anyone tried it?

 

Only thing I want to add to it is that you may want to explicitly define the dest ports and protocol to be sure that the filter is only matching dhcp packet.

 

****pls click the button " Accept as Solution" if my post helped to solve your problem****
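To make the behaviour change concrete, here is an added Python model of the spoofing check as described in this thread (illustration only, not Juniper code). The route table, the packets and the dhcp_exception knob are constructed for the example; the knob models the DHCP carve-out the thread asks for, not a documented Junos option.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed route table: (prefix, egress interface). None stands for a
# default route that discards, i.e. there is no upstream next hop.
ROUTES = [
    ("192.168.1.0/24", "fe-0/0/5.0"),
    ("10.0.0.0/8", "ge-0/0/0.0"),
    ("0.0.0.0/0", None),
]

@dataclass
class Packet:
    src: str
    dst: str
    proto: int      # IP protocol number; 17 = UDP
    sport: int
    dport: int
    in_ifl: str     # logical interface the packet arrived on

def route_lookup(src: str) -> Tuple[ipaddress.IPv4Network, Optional[str]]:
    """Longest-prefix match on the *source* address, as the screen does."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifl in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifl)
    return best

def is_dhcp(pkt: Packet) -> bool:
    """DHCP/BOOTP: UDP between the server (67) and client (68) ports."""
    return pkt.proto == 17 and {pkt.sport, pkt.dport} <= {67, 68}

def spoof_check(pkt: Packet, old_behaviour: bool = False,
                dhcp_exception: bool = False) -> str:
    """Return 'pass' or 'drop' for the IP-spoofing screen.
    old_behaviour=True reproduces the pre-11.1R2 logic from the thread: a
    default-route match passed without comparing the input interface.
    dhcp_exception=True is the hypothetical DHCP carve-out."""
    if dhcp_exception and is_dhcp(pkt):
        return "pass"
    net, ifl = route_lookup(pkt.src)
    if net.prefixlen == 0 and old_behaviour:
        return "pass"
    if ifl is None:     # default route discards: the source is reachable via
        return "drop"   # no interface, so the packet is treated as spoofed
    return "pass" if ifl == pkt.in_ifl else "drop"
```

A DHCPDISCOVER (0.0.0.0 to 255.255.255.255) passes only under the old behaviour or with the exception, while a packet arriving on the wrong interface for its source is dropped in every mode.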
Super Contributor
Posts: 498
Registered: ‎03-29-2008

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

Here is the official info on the bug:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB21713

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Contributor
Posts: 40
Registered: ‎01-14-2009

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

Thanks, good to see the KB article posted. 

 

I'm going to try the firewall filter to bypass flow mode and process in packet mode, but honestly I'm surprised that works, as I would expect IP spoofing to work in packet mode, as it's not restricted to stateful packet processing. It should be a per-packet analysis.

Super Contributor
Posts: 353
Registered: ‎04-30-2010

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client


@techniq: I got puzzled, too. Trusty JunOS flow diagram to the rescue! (attached)

 

As you can see, packet filters take effect before Screens. Screens are still part of the Flow Module.

 

That diagram, btw, is so useful in so many ways. It completely explains just why NAT and policy-based VPN just cannot work together, for example.

 

Contributor
Posts: 40
Registered: ‎01-14-2009

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

Yes, I'm familiar with the packet-processing diagram.  I guess I was really questioning the logic of the IP Spoofing screen only being in flow-mode.  However, I rationalized it with a scenario of a legitimate need to allow asymmetric traffic (for example).

 

I still have to test it again, b/c as I stated previously I setup a stateless firewall filter for this but only using the ports 67/68/udp and it did not work.  I'll play around with various 'from' parameters.

Trusted Expert
Posts: 791
Registered: ‎07-26-2008

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client


@cryptochrome

 

btw, I tested the ip spoofing with the SRX working as DHCP server as well and it also affects the receiving of DHCP broadcast packets.

 

We will get the KB updated to reflect this as well. In my setup, I can clearly see the spoof messages and counters incrementing, though not sure why counters are not working for you.

 

E.g.: Aug 30 15:12:17 RT_IDS: RT_SCREEN_IP: IP spoofing! source: 0.0.0.0, destination: 255.255.255.255, protocol-id: 17, zone name: trust, interface name: fe-0/0/5.0, action: drop

****pls click the button " Accept as Solution" if my post helped to solve your problem****
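As an added illustration (not from the thread or from Juniper), a small Python parser for the RT_SCREEN_IP syslog format quoted above that separates DHCP-broadcast drops from other spoofing hits per interface, which the per-zone counters alone cannot do. The log lines are constructed samples in that format.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample of a screen syslog file; the first line mirrors the
# message quoted in the thread, the rest are made up for contrast.
SAMPLE_LOG = """\
Aug 30 15:12:17 RT_IDS: RT_SCREEN_IP: IP spoofing! source: 0.0.0.0, destination: 255.255.255.255, protocol-id: 17, zone name: trust, interface name: fe-0/0/5.0, action: drop
Aug 30 15:12:19 RT_IDS: RT_SCREEN_IP: IP spoofing! source: 0.0.0.0, destination: 255.255.255.255, protocol-id: 17, zone name: trust, interface name: fe-0/0/5.0, action: drop
Aug 30 15:13:02 RT_IDS: RT_SCREEN_IP: IP spoofing! source: 192.168.1.44, destination: 10.0.0.7, protocol-id: 6, zone name: untrust, interface name: ge-0/0/0.0, action: drop
Aug 30 15:13:05 sshd[4321]: Accepted publickey for admin from 192.168.1.10 port 50122
"""

SPOOF_RE = re.compile(
    r"RT_SCREEN_IP: IP spoofing! source: (?P<src>\S+), "
    r"destination: (?P<dst>\S+), protocol-id: (?P<proto>\d+), "
    r"zone name: (?P<zone>\S+), interface name: (?P<ifl>\S+), "
    r"action: (?P<action>\w+)"
)

def parse_spoof_events(text: str) -> List[Dict[str, str]]:
    """Extract the fields of every IP-spoofing screen hit in a syslog dump."""
    matches = (SPOOF_RE.search(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def classify(ev: Dict[str, str]) -> str:
    """Tag hits shaped like a DHCP client broadcast (the collateral damage
    this thread is about) so they can be told apart from other hits."""
    if ev["src"] == "0.0.0.0" and ev["dst"] == "255.255.255.255" and ev["proto"] == "17":
        return "dhcp-broadcast"
    return "other"

def summarize(text: str) -> Counter:
    """Count hits per (interface, kind)."""
    return Counter((ev["ifl"], classify(ev)) for ev in parse_spoof_events(text))

if __name__ == "__main__":
    for (ifl, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ifl:12} {kind:15} {n}")
```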
Super Contributor
Posts: 498
Registered: ‎03-29-2008

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client


WL wrote:

@cryptochrome

 

btw, I tested the ip spoofing with the SRX working as DHCP server as well and it also affects the receiving of DHCP broadcast packets.

 

We will get the KB updated to reflect this as well. In my setup, I can clearly see the spoof messages and counters incrementing, though not sure why counters are not working for you.

 

E.g.: Aug 30 15:12:17 RT_IDS: RT_SCREEN_IP: IP spoofing! source: 0.0.0.0, destination: 255.255.255.255, protocol-id: 17, zone name: trust, interface name: fe-0/0/5.0, action: drop


Hi WL,

 

confirmed. JTAC said the same thing. As for the counters, they were increasing last time I checked. Not sure why I didn't see them the first time. My guess is the customer that owns the machine must have reset the counters without me knowing :-)

 

JTAC still has no ETA for a bug fix release, which is kind of disappointing.

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Trusted Expert
Posts: 791
Registered: ‎07-26-2008

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client


IMHO, I don't really think it's actually a bug, as I said in my previous post, as I don't see the need to apply IP spoofing for DHCP packets on interfaces which actually require DHCP.

 

Also, I don't think they can actually roll back the behaviour to what it used to be, since the old behaviour is actually incorrect wrt IP spoofing at least.

 

I think at best what'll happen is that there'll be a CLI knob to ignore DHCP packets or something like that.

****pls click the button " Accept as Solution" if my post helped to solve your problem****
Super Contributor
Posts: 498
Registered: ‎03-29-2008

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client


WL wrote:

IMHO, I don't really think it's actually a bug, as I said in my previous post, as I don't see the need to apply IP spoofing for DHCP packets on interfaces which actually require DHCP.

 

Also, I don't think they can actually roll back the behaviour to what it used to be, since the old behaviour is actually incorrect wrt IP spoofing at least.

 

I think at best what'll happen is that there'll be a CLI knob to ignore DHCP packets or something like that.


We could argue about that. In my book, if IP spoofing prevents DHCP, that's clearly a bug :-)

 

But still, you are right of course. 

 

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Trusted Expert
Posts: 791
Registered: ‎07-26-2008

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

Haha, yes, true, you are right too, but I guess that's all moot until the dev folks figure out what they are going to do.
****pls click the button " Accept as Solution" if my post helped to solve your problem****
Trusted Contributor
Posts: 89
Registered: ‎03-18-2010

Re: SOLUTION: 11.1R2.3 breaks dhcp server and client

This also breaks DHCP/bootp relay if spoofing detection is enabled on the interface, which isn't mentioned in the KB article.