The Dynamic Host Configuration Protocol (DHCP) is a protocol used in the TCP/IP networking model for automatically and dynamically configuring hosts attached to a network with parameters they’ll need to be able to use the network. The protocol is defined in RFC 2131 (reference ), which updated and clarified the original specification in RFC 1541 (reference ); it uses and extends some facilities defined in the BOOTP (Boot Protocol) specification in RFC 951 (reference ). The service provided by DHCP frees a network administrator from having to manually configure each host connected to his network (though the protocol does not prevent this, and can provide partial information for hosts which have been partially configured). One of the widest uses of DHCP is for the automatic assignment of network (IP) addresses to hosts. A system administrator configures the DHCP client module with a pool of addresses which it may allocate. The protocol allows reuse of addresses that have been relinquished by hosts that have disconnected from the network; this is especially valuable when the pool of available addresses is limited and shared among all hosts, as in the case of an internet service provider with many dial-in clients. The protocol uses a client-server approach, with the DHCP client requesting network parameters from a DHCP server designated by the network administrator. One of the interesting features of this protocol involves the issue of the addressing of the DHCP messages exchanged by the client and server during the address allocation sequence. Since the purpose of this exchange is to assign a network address to the client, the protocol must specify a mechanism for the server to convey its responses to the client before the client has a valid network address. In addition, the client need not know an address for a DHCP server to initiate its requests for configuration information.
DHCP is really an application-layer protocol in the TCP/IP model, residing above and using services provided by the Transport layer. The messages exchanged by DHCP use the unreliable UDP (User Datagram Protocol) packet delivery service provided by the Transport layer. DHCP provides its services to the operating system. The operating system can ask the DHCP client module to request certain specific network parameters (usually including an IP address) from a DHCP server whenever the host detects that it has been connected to a network. The parameters are passed from the DHCP layer to the operating system, which then configures the IP layer of the protocol stack with these settings. Thus DHCP is a particularly interesting protocol in that it in a sense provides services for a layer below it in the protocol stack, though of course indirectly, through the operating system (which resides with it in the application layer).
The client and server peers communicate by exchanging messages in UDP packets, using UDP ports 67 for the server and 68 for the client. Eight types of messages are exchanged: DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPDECLINE, DHCPNAK, DHCPINFORM, and DHCPRELEASE. The message type is contained in the field “DHCP message type” (required, but oddly included in the “options” section of the message); the sequence of exchange of these messages during particular transactions is illustrated in the following section. The basic function of the message types is as follows.
Sent by a DHCP client when it first wishes to receive configuration information including a network address, containing a list of parameters for which it would like information. Since the client does not in general know the IP address of a DHCP server, this message is sent to the IP broadcast address 0xffffffff. As such, more than one DHCP server may receive and respond to such a message. This can improve reliability by providing redundancy.
Sent by a DHCP server in response to the receipt of a DHCPDISCOVER message, containing values for the configuration parameters requested. Since the client does not at this point have a valid IP address, the server must either address the message using the client’s hardware (data link) address (supplied in the DHCPDISCOVER message), or broadcast the response, or use some other forwarding mechanism; this is discussed in more detail in the section “Relaying messages and addressing”. In addition, the server is not required at this stage to commit these parameters to this client, or reserve them exclusively for this client for any specified period of time; these are merely proposed values, which must be confirmed through subsequent messages. This improves efficiency in the case in which more than one server responds to a client’s inquiry; since the client will choose parameters from only one of the servers, the others shouldn’t be forced to reserve resources that will not be used.
Sent by a client upon receipt of one or more DHCPOFFER responses. The client selects the parameters offered in one of the DHCPOFFER messages, and sends a DHCPREQUEST containing these same parameter values back to the specific server which provided them. This is necessary since the server isn’t required to reserve those parameter values (including the suggested IP address) for the client when it makes an offer; thus the client must re-confirm that they are still available.
Sent by a server on receipt of a DHCPREQUEST message if the requested parameters (e.g., IP address) are still available. At this point, the server reserves these parameters for this client; only on receipt of this message can a client consider those parameters to be its own (it becomes “bound”). Since the client may not have a network address until this message has been received, the server may have to address it in some alternate fashion, as in the case of DHCPOFFER messages.
Sent by a server in response to a DHCPREQUEST message which requests parameters that are no longer available. If a client receives this message, it must send another DHCPREQUEST message requesting other parameters (or send a new DHCPDISCOVER message if it has no other outstanding offers).
Sent by a client to a specific server in response to a DHCPACK message, which contain parameters which the client has determined are not in fact valid. For example, the client might test an IP address it has received by sending an ARP (Address Resolution Protocol) message on its shared LAN to see if any other host has been assigned this address; if it discovers that another host is in fact using this address, it must send a DHCPDECLINE message to the server which supplied the address. This both allows the server to release the resources it has allocated to this client, and inform a system administrator of the problem. (Such a problem might arise in a situation in which a host has been manually configured by an administrator with an IP address, but the DHCP server hasn’t been informed that this address is no longer available in its pool. Though it is suggested that a server test an address before allocating it to a client [1, section 3.1, point 2], for example by “pinging” the address to see if another host is using it, it may be that the test or the response to it is lost, incorrectly suggesting to the server that the address is available.)
This is sent by a client when it needs only certain configuration information, but already has a network address. The server sends a DHCPACK in response with the requested parameters.
Sent by a client to inform the server that it no longer requires the allocated parameters. This allows the server to return these parameters (such as IP address) to its pool for reallocation. This message is not required; the allocated parameters are generally configured with a finite lifetime (called a “lease”), and are deallocated automatically when the lease expires. This is discussed further in the next section, Leases and Renewals.
Leases and renewals
When a server has allocated a network address to a client, the address is generally provided as a “lease” for a limited period of time. The length of the lease assigned is configurable by the network administrator, and may be very long or even infinite, providing for permanent assignment of IP addresses to specific clients. (The lease time is specified as an unsigned 32-bit value interpreted in seconds, giving finite lease times from 1 second to approximately 100 years [1, section 3.3]; the value 0xffffffff is reserved to represent an infinite lease time.) The lease record for a client is maintained by the server, containing the assigned configuration information, and is identified by either the combination of the client’s hardware (data link) and assigned network address, or by a unique “client identifier” supplied by the client. For finite leases, the client must periodically renew the lease with the server before it expires if it wants to continue using the assigned network address. Clients generally try to renew their leases well before they expire, as they must stop using the assigned address if they are not successful in renewing the lease. The message exchange for the renewal process is illustrated below.
In the case of infinite or very long-term leases, clients will likely be rebooted many times before the lease has expired. In such cases, the client and servers need not go through the entire process of creating a new lease. The client, remembering the IP address it was previously assigned, simply asks the available DHCP servers if any of them holds a valid lease for it; if it receives an affirmative reply, it can then begin using the corresponding network address. The message exchange for this scenario is detailed below. Interestingly, the client does not try to communicate directly with the server which originally provided the lease (which it could presumably do easily by storing the server’s address). This permits multiple servers to serve configuration information, incorporating load balancing and redundancy by distributing leases which are held.
When a lease expires, or a server receives a DHCPRELEASE message from a client indicating that a lease is no longer needed, the server will remove the corresponding lease record and return the associated IP address to its pool of assignable addresses. However, one of the design goals mentioned in RFC 2131 [1, section 1.6] is for the DHCP server to attempt to provide the same IP address to a host between host reboots. This will happen automatically in the case of a still-valid lease, but can be implemented even for relinquished leases if the server reserves deallocated addresses and stores the corresponding expired lease records for some period of time, and inspects these when allocating a new lease for a host to see if a prior lease existed. These “reserved” addresses could easily be reclaimed if they are needed for allocation to other hosts; the obvious disadvantage with this approach is in the extra storage required on the server.
A typical set of peer exchanges is given below. In this, we assume that the DHCP servers are on the same subnet as the client, so that messages can be directly exchanged without the intervention of a BOOTP relay agent (a complication discussed in the section “Relaying messages and addressing”)
Initial configuration: client requires IP address and other parameters
- Client broadcasts DHCPDISCOVER message
- Servers broadcast DHCPOFFER messages
- Client selects one offer, broadcasts DHCPREQUEST message identifying the selected server
- Selected server broadcasts DHCPACK or DHCPNAK message
- if client receives DHCPNAK, returns to step 3; if no remaining offers, returns to step 1.
- The client may offer a suggested IP address in its DHCPDISCOVER message.
- The client broadcasts its DHCPREQUEST message, even though at this point it has the IP address of the selected server (supplied in the DHCPOFFER message), so that other servers can see the message and understand that the client is effectively declining their offers [1, section 3.1, point 4].
Lease renewal: client has valid IP address from DHCP server, but lease about to expire
- Client sends DHCPREQUEST addressed to specific server holding its lease
- Server sends DHCPACK or DHCPNAK addressed to client
- if DHCPNAK, client must obtain a new address using DHCPDISCOVER.
- The client indicates to the server that this is an existing lease extension request by not including the “server identifier” option in the options field. The message may include a suggested lease time or other options.
- If the client receives a DHCPNAK message in response to its request, it is being told that its address will be invalid (perhaps reassigned) when its lease expires. As such, it must not use its network address after expiration of the lease, and must obtain a new address.
- Initial communication is unicast, since both the client and server know the other’s network address, and the client’s is still valid until the lease expires. If the server doesn’t respond within a specified timeout interval (which expires before the lease does), the client then broadcasts its request to any servers that might be listening, in the hope that another server might be now holding its lease; one will send a DHCPACK if it can extend the lease on the client’s address (for example, the responding server might be the backup for the previous server, which has been taken out of service). If the client receives no response before its lease expiration, it must acquire a new lease using a DHCPDISCOVER message.
Rebooting, but with valid lease still existing on current IP address ([1, section 4.4.2])
- Client broadcasts DHCPREQUEST with requested IP address
- Server sends DHCPACK or DHCPNAK
- if DHCPNAK, client must obtain a new address using DHCPDISCOVER.
- The client’s DHCPREQUEST message is broadcast, and doesn’t include an identifier for the server, even though the client knows the identity of the server which originally provided its lease. This permits multiple servers to be used to manage leases, which can be useful for load balancing. On the other hand, at most one server must respond; otherwise, multiple leases could be held on multiple servers for a single client, wasting resources on the servers. As such, it is specified as part of the protocol that a server may respond to the received DHCPREQUEST only if it has a lease record for the client; otherwise, it must not reply [1, section 4.3.2].
Messages in DHCP are of variable length, depending on the number of optional fields included. The byte-layout and description of the fields is in table 1, from [1, section 2].
Table 1: DHCP message byte layout (lengths of fields given in bytes)
|op||1||message type: 1 = boot request (from client), 2 = boot reply (from server)|
|htype||1||hardware address type: value specifies type of hardware in use, according to specifications in RFC 1700, Assigned Numbers|
|hlen||1||hardware address length (in bytes)|
|hops||1||used by relay agents (discussed below); client sets to 0|
|xid||4||transaction id, randomly chosen by client; this is an identifier, not a sequence number, used so the client will know that a broadcast response from a DHCP server is for it, and not for another client|
|secs||2||seconds since client began configuration request; used by relay agents in deciding whether to forward request to another network (discussed below in “Relaying messages and addressing”)|
|flags||2||only the first bit is used; called the broadcast bit (discussed below in “Relaying messages and addressing”)|
|ciaddr||4||client IP address; filled in by client only when its network address is known to be valid|
|yiaddr||4||IP address assigned by server to client (“y” for “your” address)|
|siaddr||4||DHCP server IP address to use for next part of configuration sequence
note: current server’s address supplied in “server identifier” option!
|giaddr||4||BOOTP relay agent IP address (see section “Relaying messages and addressing”); used by server to relay responses back to client when server is not on client’s subnet, using BOOTP protocol relay servers; if giaddr = 0, client and server are on same subnet, so relay not needed|
|chaddr||16||client hardware address|
|sname||64||server name (optional); null-terminated string|
|file||128||boot file name (optional); fully qualified path name on host with IP address siaddr; used in Boot Protocol , to specify boot file for client|
The options field is of variable size, and contains various required and optional parameters stored as tag,value pairs called “options”. The format of each option is shown in Table 2. (Two options, “pad” and “end”, don’t have this format: they each consist of a single-byte tag, without any length or value sub-fields.). Here, the tag byte is one of the values specified in RFC 2132 , and serves to identify the option. The length byte gives the length (in bytes) of the value data following. One required option for all DHCP messages is the “DHCP message type” option, which specifies the type of the DHCP message. The last option must be the “end” option. Other options may provide such information as the subnet mask a client should use on its network, the IP addresses of routers and domain name servers, and similar information needed for a client to properly configure its network protocol stack. RFC 2132  describes many additional options.
Table 2: Format of DHCP options
|tag||1||identifies the option type|
|length||1||length of the option data|
|data||variable||data for the option|
Relaying messages and addressing
As mentioned in the introduction, one interesting feature of DHCP is in its message exchange and addressing mechanism before a client has been configured with a valid IP address, or knows the address of a DHCP server on its subnet. This is handled by clients and servers broadcasting their messages until each knows an address for the other. When a client is first looking for a server, it addresses its DHCPDISCOVER message to the IP broadcast address 0xffffffff (with the source address field set to 0, since it does not at this stage have a valid IP address) so that any available servers will respond. In addition, it sets the “broadcast” bit in the flags field according to how it would like the server to address its responses. If the broadcast bit is 0, this indicates that the server can address the response by constructing a data link frame directly using the client’s hardware address (supplied in the client’s message), and that the IP layer in the client’s TCP/IP stack will accept the message even though it hasn’t yet been configured with an IP address. Some TCP/IP implementations, however, may not pass through messages when the IP address of the client has not been specified, since in general the IP layer will only accept and forward messages to the Transport layer if they have the correct IP address. In this case, the client sets the broadcast bit to 1, indicating to the server that it should send its responses to the IP broadcast address 0xffffffff. With this approach, the server’s response will be broadcast to all of the hosts on the client’s subnet (the IP broadcast address will be resolved to the data link broadcast address), and the IP layer on each host will forward the broadcast message to the upper layers. However, it then becomes necessary for a DHCP client to be able to tell if such a broadcast message is intended for it or some other client. This is handled by the client including a randomly generated value in the xid (“transaction id”) field of its DHCPDISCOVER message, used to identify received responses. The server will copy this value into its reply, and the client will only accept responses which have the correct value. Since the xid value is randomly generated by the client as its identifier, there is a small probability that two clients on the subnet will choose the same value for xid, leading them to misinterpret server responses intended for the other client as being intended for them. (It seems odd that this field is used rather than the chaddr (“client hardware address”) field, since these addresses are guaranteed to be unique and are also passed back and forth by client and server.)
By the above mechanism, the server messages can always be forwarded to the client when the client and server are on the same subnet. However, this would require a DHCP server on each subnet. To permit a single DHCP server to service a number of subnets, the protocol allows the use of BootP relay agents, one per subnet, whose only function is to relay DHCP messages between the server and client. Since they do no allocation of addresses or other parameters, their configuration is quite simple, and the function can easily be provided by any selected host on the subnet. When such a relay agent receives a client’s DHCP broadcast message, it repackages it and forwards it to the network address of its designated DHCP server, including in the giaddr field its own IP address. With the giaddr field non-zero, the server knows the message has been forwarded by a relay agent, and addresses its responses to this agent, which then forwards the message to the client on the its local subnet, using the addressing techniques discussed in the previous paragraph. In addition, the server will often (though is not required to) assign an address to the client based on the relay agent’s address, since this can indicate which subnet the client belongs to since the client and relay agent are usually on the same subnet [1, section 4.3.1].
Certain of the fields in a client’s message may be used by a relay agent to determine handling. The secs field is set by the client to indicate the number of seconds since it first began trying to acquire its IP address and configuration parameters. The value will thus be non-zero in the case in which it does not get responses to its DHCPDISCOVER and DHCPREQUEST messages. A relay agent might choose not to forward client requests unless the secs field exceeds a certain value [3, section 8]. In this way any local DHCP server on the subnet will be allowed to respond first to handle the request, without it being simultaneously forwarded to remote servers. The hops field was introduced into the BootP protocol  so that gateways with even less functionality than the minimal relay agents (i.e., not having even the address of a server configured into them) could still forward requests across to another subnet which might have a server attached. In this case, the hops field is to be incremented by each successive gateway so that client requests can be discarded when they have traveled more than several subnets away [3, section 8].
In the RFC [1, section 7], it is noted that DHCP as defined is potentially very insecure, allowing for spoofing of server functions and denial-of-service attacks by rogue clients (e.g., repeatedly requesting IP addresses until all have been allocated). While it is perhaps possible to configure servers to only accept requests from hosts with specific hardware addresses, or to only take requests from the local subnet (ignoring messages forwarded by relay agents or over gateways), it is acknowledged that security has not been addressed in any detail.
Further client and server implementation details
The document  discusses additional details for effective implementation of DHCP. Among other matters considered are specific timing issues, such as how long a client should wait for responses before it rebroadcasts its requests [1, section 4.1], and a detailed state-transition diagram [1, Figure 5] indicating the precise sequence a client should use to obtain information under various conditions. Additional server implementation issues include restriction of services to externally identified clients and unique identification of clients and their leases (section 4.2).
The Dynamic Host Configuration Protocol has been widely implemented and tremendously successful at providing IP address assignment and other network configuration information automatically, greatly simplifying a network administrator’s job. It is very effective, and quite efficient in its message design and robust in its message-exchange sequences. However, there are a few minor areas in which it is perhaps less than optimal in its design. Some of these are discussed below.
To begin with, there are two fields used for the client’s network address, ciaddr and yiaddr, with slightly different functions. However, there should be no cases in which both yiaddr and ciaddr are needed (and would have different values); as such, they could be replaced by a single field. From [1, section 4.4.1, Table 5], the client always sets yiaddr to 0 in its messages to the server. From [1, section 4.3.1, Table 3], the server sets ciaddr to 0 in its responses, except in the single case of a DHCPACK message responding to a DHCPREQUEST message in which ciaddr has been supplied by the client. The client supplies a value for ciaddr only if it already has a valid network address that the server may thus send its responses to – for example, in the case of a client renewing its lease on its IP address (before the lease has expired). However, there is really no need for the server to include the value of ciaddr in its DHCPACK response; the value is only needed for addressing the IP packet to the client, and will thus be placed in the “destination address” field of the IP header. The client needn’t bother to inspect the ciaddr field on receiving the message to know that this message is intended for it (and not a broadcast message intended for another client) – it already has both its randomly-generated xid value and its hardware address value in chaddr to tell it this (both of these are filled in by the server in its responses with the values that the client supplied). Thus the two network address fields ciaddr and yiaddr are never both needed in any DHCP message, and could be replaced by a single field whose interpretation would depend on whether the client or server were receiving the message.
In addition, DHCP messages have designated fields for a server name and a file name, both of which are optional and come before the options fields. Since these will often be empty, the protocol specifies that they may be used to hold options from the options field, with some somewhat complex rules for how the options data should be incorporated within them – for example, no option (consisting of a tag, length and value) may cross the border of either field if it is included within it, and “pad” options are used to fill out the fields if needed. It would make much more sense for these to have originally been included just as two additional options among the others, appearing within the options field only if they were needed. This would have reduced the complexity of the processing, and could potentially shorten messages since the bits comprising these two (currently required) fields would not need to be included if the options list were small. (In fact, one of the options currently allocated (with tag 67) is for a bootfile name [4, section 9.5], for the situation in which the filename field is being used to hold other options!)
In a related issue, it is unusual that the DHCP message type is not within a designated field, but is instead included as a required option in the options field. It would seem logical that the message type would be given a designated field of its own; the current 8 types of DHCP messages would require only 3 bits, so that allocating a single byte for such a field would leave plenty of room for possible future extensions (and existing BootP message types). The advantage with leaving this as an option is that there is thus no restriction on the number of different message types that can be included in the future. Even designating one full byte to a “message type” field would have limited the number of different message types to 256, which could at some point become too limiting.
Another more significant current limitation is in the number of different options. As discussed above, options are specified as (tag, length, value) triples, where the tag and length components are each one byte. Thus there are only 256 different tags, i.e., there can be only 256 different options. This could prove to be significantly limiting in the future, as many options have already been defined (76, as of 1997 ). One way to overcome this limitation would be to designate one of the current tags as denoting an “extended” option, which would signify that the “value” subfield of the (tag, length, value) triple should itself be interpreted as a (tag, length, value) triple, but whose tag now consists of 2 (or more) bytes. This would allow definition of many additional options.
There are other fields that could seemingly be eliminated – for example, the siaddr field, which isn’t used at all for DHCP messages. However, since DHCP was developed as an extension to the BootP Protocol, and is designed to operate concurrently with it , some of these fields do in fact play an important role in the latter protocol and are thus justified in being retained in DHCP messages.
The protocol specifies that when a server offers a network address to a client, it is not required to reserve that address for any period of time until it receives and accepts a DHCPREQUEST for the address from the client. As such, the server would be permitted to re-offer the same address to a different client immediately after offering it to the first client, allocating it to the first client which responds and sending a DHCPNAK to the loser (who might have to start the configuration process over). While this permits maximum flexibility on the part of servers, especially in the case in which a server has a relatively small pool of available addresses, it could obviously lead to inefficiencies. As such, the protocol suggests (but does not require [1, section 4.3.1]) that servers actually be implemented in such a way as to avoid re-offering the same address to more than one client in a short period of time.
- RFC 2131, “Dynamic Host Configuration Protocol”, R. Droms, March 1997.
- RFC 1531, “Dynamic Host Configuration Protocol”, R. Droms, October 1993.
- RFC 951, “Bootstrap Protocol (BootP)”, W. Croft, J. Gilmore, September 1985.
- RFC 2132, “DHCP Options and BOOTP Vendor Extensions”, S. Alexander, R. Droms, March 1997.
- RFC 1534, “Interoperation Between DHCP and BOOTP”, D. Droms, October 1993.
J. Sevy, December 1999