Old M of mine, uncovered by the recent dhcpd update: Bypass IPsec in all

DHCP traffic.

4 files changed, 27 insertions, 0 deletions

diff --git a/usr.sbin/dhcp/common/socket.c b/usr.sbin/dhcp/common/socket.c
index 03aac4a4a9f..02049944dde 100644
--- a/usr.sbin/dhcp/common/socket.c
+++ b/usr.sbin/dhcp/common/socket.c
@@ -81,6 +81,17 @@ int if_register_socket (info)
 	if (bind (sock, (struct sockaddr *)&name, sizeof name) < 0)
 		error ("Can't bind to dhcp address: %m");
 
+	flag = IPSEC_LEVEL_BYPASS;
+	if (setsockopt (sock, IPPROTO_IP, IP_AUTH_LEVEL,
+			(char *)&flag, sizeof flag) < 0)
+		error ("Can't bypass auth IPsec on dhcp socket: %m");
+	if (setsockopt (sock, IPPROTO_IP, IP_ESP_TRANS_LEVEL,
+			(char *)&flag, sizeof flag) < 0)
+		error ("Can't bypass ESP transport on dhcp socket: %m");
+	if (setsockopt (sock, IPPROTO_IP, IP_ESP_NETWORK_LEVEL,
+			(char *)&flag, sizeof flag) < 0)
+		error ("Can't bypass ESP network on dhcp socket: %m");
+
 	return sock;
 }
 
diff --git a/usr.sbin/dhcp/dhclient/dhclient.8 b/usr.sbin/dhcp/dhclient/dhclient.8
index eae843776c7..ae9ec6663c8 100644
--- a/usr.sbin/dhcp/dhclient/dhclient.8
+++ b/usr.sbin/dhcp/dhclient/dhclient.8
@@ -108,6 +108,10 @@ available but BOOTP is.   In that case, it may be advantageous to
 arrange with the network administrator for an entry on the BOOTP
 database, so that the host can boot quickly on that network rather
 than cycling through the list of old leases.
+.PP
+DHCP traffic always bypass IPsec, otherwise there can come up situations
+when a server has an IPsec SA for the client, and sends replies over that,
+which a potentially newly booted client cannot grasp.
 .SH COMMAND LINE
 .PP
 The names of the network interfaces that dhclient should attempt to
diff --git a/usr.sbin/dhcp/relay/dhcrelay.8 b/usr.sbin/dhcp/relay/dhcrelay.8
index ec4f5c74bf4..6b9c560e6fb 100644
--- a/usr.sbin/dhcp/relay/dhcrelay.8
+++ b/usr.sbin/dhcp/relay/dhcrelay.8
@@ -132,6 +132,14 @@ should be relayed must be specified on the command line.
 .PP
 .SH SEE ALSO
 dhclient(8), dhcpd(8), RFC2132, RFC2131.
+.SH BUGS
+Relayed DHCP traffic could actually safely be protected by IPsec, but
+like
+.B dhcpd(8)
+and
+.B dhclient(8),
+.B dhcrelay(8)
+will bypass IPsec for all its traffic.
 .SH AUTHOR
 .B dhcrelay(8)
 has been written for the Internet Software Consortium
diff --git a/usr.sbin/dhcp/server/dhcpd.8 b/usr.sbin/dhcp/server/dhcpd.8
index b7e31881345..a6196f27802 100644
--- a/usr.sbin/dhcp/server/dhcpd.8
+++ b/usr.sbin/dhcp/server/dhcpd.8
@@ -143,6 +143,10 @@ require a great deal of work, our resources are extremely limited, and
 they can be better spent elsewhere.   So please don't complain about
 this on the mailing list unless you're prepared to fund a project to
 implement this feature, or prepared to do it yourself.
+.PP
+DHCP traffic always bypass IPsec, otherwise there can come up situations
+when a server has an IPsec SA for the client, and sends replies over that,
+which a potentially newly booted client cannot grasp.
 .SH COMMAND LINE
 .PP
 The names of the network interfaces on which dhcpd should listen for