This article describes the DHCP Option 61 change introduced in FortiOS v7.0.13+, v7.2.6+ and v7.4.1+.
Applies to FortiGate v7.0.13 and above, v7.2.6 and above, and v7.4.1 and above.
According to RFC 2132 (https://datatracker.ietf.org/doc/html/rfc2132#section-9.14), the format of Option 61 is:
Code Len Type Client-Identifier
+-----+-----+-----+-----+-----+---
| 61 | n | t1 | i1 | i2 | ...
+-----+-----+-----+-----+-----+---
The option carries a 'Type' field (t1) ahead of the identifier bytes; however, before the versions listed above, the FortiGate did not send this field in the DHCP Discover it relayed to the DHCP server.
For example, up to firmware v7.0.12, v7.2.5 and v7.4.0, the following is a capture of a DHCP Discover forwarded by the FortiGate to the DHCP relay agent IP:
Dynamic Host Configuration Protocol (Discover)
Message type: Boot Request (1)
Hardware type: Ethernet (0x01)
Hardware address length: 6
Hops: 1
Transaction ID: 0x2a6d5c3f
Seconds elapsed: 0
Bootp flags: 0x0000 (Unicast)
Client IP address: 0.0.0.0
Your (client) IP address: 0.0.0.0
Next server IP address: 0.0.0.0
Relay agent IP address: X.X.X.X
Client MAC address: x.x.x.x.
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (53) DHCP Message Type (Discover)
Option: (57) Maximum DHCP Message Size
Option: (61) Client identifier <----
Length: 12
Starting from firmware v7.0.13+, v7.2.6+ and v7.4.1+, the FortiGate forwards the DHCP Discover to the DHCP relay agent IP with the Type field included in Option (61) Client identifier:
Dynamic Host Configuration Protocol (Discover)
Message type: Boot Request (1)
Hardware type: Ethernet (0x01)
Hardware address length: 6
Hops: 1
Transaction ID: 0x5f9db612
Seconds elapsed: 0
Bootp flags: 0x0000 (Unicast)
Client IP address: 0.0.0.0
Your (client) IP address: 0.0.0.0
Next server IP address: 0.0.0.0
Relay agent IP address: X.X.X.X
Client MAC address: (0X:1X:BX:5X:7X:dX)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (53) DHCP Message Type (Discover)
Option: (57) Maximum DHCP Message Size
Option: (61) Client identifier
Length: 13
Type: 0 <----
Client Identifier: 192.168.53.4
In this scenario, the DHCP server receives the client identifier as \000192.168.53.4, that is, the original value prefixed with the Type byte 0. If the DHCP server is not configured to accept the leading NULL character before the client identifier, it may fail to respond to the DHCP Discovers.
In this case, an Infoblox DHCP server is used. It has an option 'Match null (\0) at beginning of DHCP client identifier'; enabling it makes the server accept a client identifier value prepended with a NULL character.
Other DHCP servers may offer a similar option to accept the Type field in the Client identifier.
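The following Python example is added here to illustrate the RFC 2132 format and the server-side matching described above; it is not Fortinet or Infoblox code. It parses a DHCP options area, splits Option 61 into its Type byte and identifier, and models a server setting that strips a leading \0 so that the pre-7.0.13 value and the 7.0.13+ value match the same lease. The option areas at the bottom are constructed sample data mirroring the two captures above.

```python
from dataclasses import dataclass
from typing import Dict

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # the "DHCP" magic cookie shown in the captures

def parse_options(options: bytes) -> Dict[int, bytes]:
    """Walk the RFC 2132 TLV option list that follows the magic cookie into {code: value}."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    out, i = {}, len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == 0:            # pad option: a single byte, no length
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        out[code] = value
        i += 2 + length
    return out

@dataclass
class ClientId:
    type_: int          # RFC 2132 section 9.14: 0 = non-hardware identifier, 1 = Ethernet MAC, ...
    identifier: bytes

def decode_client_id(raw: bytes) -> ClientId:
    """Split Option 61 into Type byte and identifier; RFC 2132 sets a minimum length of 2."""
    if len(raw) < 2:
        raise ValueError("Option 61 needs a Type byte plus at least one identifier byte")
    return ClientId(raw[0], raw[1:])

def server_match_key(raw: bytes, match_leading_null: bool) -> bytes:
    """Value a server keys its lease lookup on. With match_leading_null (modelling the Infoblox
    setting in the article) a leading \\0, i.e. Type 0, is dropped before comparison."""
    if match_leading_null and raw[:1] == b"\x00":
        return raw[1:]
    return raw

# Constructed option areas mirroring the two captures (sample values, not the real packets).
OLD_OPTIONS = MAGIC_COOKIE + bytes([53, 1, 1, 57, 2, 0x05, 0xDC, 61, 12]) + b"192.168.53.4" + b"\xff"
NEW_OPTIONS = MAGIC_COOKIE + bytes([53, 1, 1, 57, 2, 0x05, 0xDC, 61, 13, 0]) + b"192.168.53.4" + b"\xff"
```

Decoding the old 12-byte value strictly per the RFC yields Type 0x31 (the ASCII '1'), which shows why a server parsing the option by the book would not treat the pre- and post-change identifiers as the same client unless it strips the leading NULL.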
Copyright 2024 Fortinet, Inc. All Rights Reserved.