summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorDavid Hankins <dhankins@isc.org>2006-04-27 17:26:42 +0000
committerDavid Hankins <dhankins@isc.org>2006-04-27 17:26:42 +0000
commita55ccdd0371568e01a6bbab7b99e427ab66e1aef (patch)
tree057d9ab6464115f011246b072b43ce1d04993e1c /doc
parent91e17fc3aa6f6f96063b1eef7d877b779be5683c (diff)
downloadisc-dhcp-a55ccdd0371568e01a6bbab7b99e427ab66e1aef.tar.gz
- Support for 'reserved' (psuedo-static) and BOOTP leases via failover
was introduced. [ISC-Bugs #13672] - The failover implementation was updated to comply with revision 12 of the protocol draft. [ISC-Bugs #13672]
Diffstat (limited to 'doc')
-rw-r--r--doc/draft-ietf-dhc-failover-07.txt6778
1 files changed, 0 insertions, 6778 deletions
diff --git a/doc/draft-ietf-dhc-failover-07.txt b/doc/draft-ietf-dhc-failover-07.txt
deleted file mode 100644
index cb47dd9a..00000000
--- a/doc/draft-ietf-dhc-failover-07.txt
+++ /dev/null
@@ -1,6778 +0,0 @@
-
-
-
-
-
-Network Working Group Ralph Droms
-INTERNET DRAFT Bucknell University
-
- Kim Kinnear
- Mark Stapp
- Cisco Systems
-
- Bernie Volz
- IPWorks
-
- Steve Gonczi
- Network Engines
-
- Greg Rabil
- Mike Dooley
- Arun Kapur
- Lucent Technologies
-
- July 2000
- Expires January 2001
-
-
- DHCP Failover Protocol
- <draft-ietf-dhc-failover-07.txt>
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet- Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 1]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
-Abstract
-
- DHCP [RFC 2131] allows for multiple servers to be operating on a
- single network. Some sites are interested in running multiple
- servers in such a way so as to provide redundancy in case of server
- failure. In order for this to work reliably, the cooperating primary
- and secondary servers must maintain a consistent database of the
- lease information. This implies that servers will need to coordinate
- any and all lease activity so that this information is synchronized
- in case of failover.
-
- This document defines a protocol to provide such synchronization
- between two servers. One server is designated the "primary" server,
- the other is the "secondary" server. This document also describes a
- way to integrate the failover protocol with the DHCP load balancing
- approach.
-
- This document is a substantial reorganization as well as a technical
- and editorial revision of draft-ietf-dhc-failover-05.txt.
-
-Table of Contents
-
-
- 1. Introduction................................................. 4
- 2. Terminology.................................................. 5
- 2.1. Requirements terminology................................... 5
- 2.2. DHCP and failover terminology.............................. 5
- 3. Background and External Requirements......................... 9
- 3.1. Key aspects of the DHCP protocol........................... 9
- 3.2. BOOTP relay agent implementation........................... 11
- 3.3. What does it mean if a server can't communicate with its partner? 12
- 3.4. Challenging scenarios for a Failover protocol.............. 12
- 3.5. Using TCP to detect partner server failure................. 14
- 4. Design Goals................................................. 15
- 4.1. Design goals for this protocol............................. 15
- 4.2. Limitations of this protocol............................... 16
- 5. Protocol Overview............................................ 17
- 5.1. Messages and States........................................ 17
- 5.2. Fundamental guarantees..................................... 20
- 5.3. Load balancing............................................. 26
- 5.4. Operating in NORMAL state.................................. 27
- 5.5. Operating in COMMUNICATIONS-INTERRUPTED state.............. 27
- 5.6. Operating in PARTNER-DOWN state............................ 28
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 2]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
- 5.7. Operating in RECOVER state................................. 28
- 5.8. Operating in STARTUP state................................. 28
- 5.9. Time synchronization between servers....................... 28
- 5.10. IP address binding-status................................. 29
- 5.11. DNS dynamic update considerations......................... 33
- 5.12. Reservations and failover................................. 37
- 5.13. Dynamic BOOTP and failover................................ 39
- 5.14. Guidelines for selecting MCLT............................. 39
- 6. Common Message Format........................................ 40
- 6.1. Message header format...................................... 40
- 6.2. Common option format....................................... 43
- 6.3. Batching multiple binding update transactions in one BNDUPD mes- 44
- 7. Protocol Messages............................................ 46
- 7.1. BNDUPD message [3]......................................... 46
- 7.2. BNDACK message [4]......................................... 56
- 7.3. UPDREQ message [9]......................................... 59
- 7.4. UPDREQALL message [7]...................................... 60
- 7.5. UPDDONE message [8]........................................ 61
- 7.6. POOLREQ message [1]........................................ 62
- 7.7. POOLRESP message [2]....................................... 63
- 7.8. CONNECT message [5]........................................ 64
- 7.9. CONNECTACK message [6]..................................... 68
- 7.10. STATE message [10]........................................ 71
- 7.11. CONTACT message [11]...................................... 72
- 7.12. DISCONNECT message [12]................................... 73
- 8. Connection Management........................................ 74
- 8.1. Connection granularity..................................... 74
- 8.2. Creating the TCP connection................................ 74
- 8.3. Using the TCP connection for determining communications status 76
- 8.4. Using the TCP connection for binding data.................. 78
- 8.5. Using the TCP connection for control messages.............. 78
- 8.6. Losing the TCP connection.................................. 78
- 9. Failover Endpoint States..................................... 79
- 9.1. Server Initialization...................................... 79
- 9.2. Server State Transitions................................... 79
- 9.3. STARTUP state.............................................. 82
- 9.4. PARTNER-DOWN state......................................... 84
- 9.5. RECOVER state.............................................. 86
- 9.6. NORMAL state............................................... 89
- 9.7. COMMUNICATIONS-INTERRUPTED State........................... 91
- 9.8. POTENTIAL-CONFLICT state................................... 95
- 9.9. RESOLUTION-INTERRUPTED state............................... 96
- 9.10. RECOVER-DONE state........................................ 97
- 9.11. PAUSED state.............................................. 98
- 9.12. SHUTDOWN state............................................ 98
- 10. Safe Period................................................. 99
- 11. Security.................................................... 101
-
-
-
-Droms, et. al. Expires January 2001 [Page 3]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- 11.1. Simple shared secret...................................... 101
- 11.2. TLS....................................................... 102
- 12. Failover Options............................................ 103
- 12.1. addresses-transferred..................................... 103
- 12.2. assigned-IP-address....................................... 103
- 12.3. binding-status............................................ 104
- 12.4. client-identifier......................................... 104
- 12.5. client-hardware-address................................... 105
- 12.6. client-last-transaction-time.............................. 105
- 12.7. client-reply-options...................................... 105
- 12.8. client-request-options.................................... 106
- 12.9. DDNS...................................................... 107
- 12.10. delayed-service-parameter................................ 108
- 12.11. hash-bucket-assignment................................... 108
- 12.12. lease-expiration-time.................................... 108
- 12.13. max-unacked-bndupd....................................... 109
- 12.14. MCLT..................................................... 109
- 12.15. message.................................................. 109
- 12.16. message-digest........................................... 110
- 12.17. potential-expiration-time................................ 110
- 12.18. receive-timer............................................ 110
- 12.19. protocol-version......................................... 111
- 12.20. reject-reason............................................ 112
- 12.21. sending-server-IP-address................................ 113
- 12.22. server-flags............................................. 113
- 12.23. server-state............................................. 114
- 12.24. start-time-of-state...................................... 114
- 12.25. TLS-reply................................................ 115
- 12.26. TLS-request.............................................. 115
- 12.27. vendor-class-identifier.................................. 115
- 12.28. vendor-specific-options.................................. 116
- 13. IANA Considerations......................................... 116
- 14. Acknowledgments............................................. 116
- 15. References.................................................. 118
- 16. Author's information........................................ 119
- 17. Full Copyright Statement.................................... 120
-
-
-1. Introduction
-
- DHCP [RFC 2131] allows for multiple servers to be operating on a sin-
- gle network. Some sites are interested in running multiple servers
- in such a way so as to provide redundancy in case of server failure
- since the DHCP subsystem is in many cases a critical part of the net-
- work infrastructure.
-
- This document defines a protocol to provide synchronization between
- two servers in order that each can take over for the other should
-
-
-
-Droms, et. al. Expires January 2001 [Page 4]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- either one fail or become unreachable.
-
- One server is designated the "primary" server, the other is the
- "secondary" server, and most DHCP client requests are sent to each
- server (see Section 3.1.1 for details).
-
- In order to provide a high availability DHCP service, these
- cooperating primary and secondary servers must maintain a consistent
- database of lease information. This implies that servers will need
- to coordinate all lease activity so that this information is syn-
- chronized in case failover is required. The protocol messages and
- processing techniques required to maintain a consistent database are
- specified in the protocol described here.
-
- The failover protocol also contains a way to integrate the DHCP load-
- balancing algorithm described in [LOADB] with the failover protocol.
-
-2. Terminology
-
- This section discusses both the generic requirements terminology com-
- mon to many IETF protocol specifications as well as specialized DHCP
- and failover protocol specific terminology.
-
-2.1. Requirements terminology
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [RFC 2119].
-
-
-2.2. DHCP and failover terminology
-
- This document uses the following terms:
-
- o "binding"
-
- A binding is a collection of configuration parameters, includ-
- ing at least an IP address, associated with or "bound to" a
- DHCP client. Bindings are managed by DHCP servers.
-
- o "binding database"
-
- The collection of bindings managed by a primary and secondary.
-
- o "binding update transaction"
-
- A binding update transaction refers to the set of information
- (contained in options) necessary to perform a binding update
-
-
-
-Droms, et. al. Expires January 2001 [Page 5]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- for a single IP address. It will be comprised of the
- assigned-IP-address option and the binding-status option, along
- other options as appropriate.
-
- o "binding-status"
-
- The binding-status is the status of an IP address with respect
- to its association with a client. There are specific binding-
- status values defined for use by the failover protocol, e.g.,
- ACTIVE, FREE, RELEASED, ABANDONED, etc. These are designed to
- map more or less directly onto the binding-status values used
- internally in most DHCP server implementations. The term
- binding-status refers to the concept also sometimes known as
- "lease state" or "IP address state", but in this document the
- term "state" is reserved for the failover state of a failover
- endpoint, and binding-status is always used to refer to the
- state associated with an IP address or lease.
-
- o "DHCP client" or "client"
-
- A DHCP client is an Internet host using DHCP to obtain confi-
- guration parameters such as a network address. The term
- "client" used within this document always means a DHCP client,
- and never one of the two failover servers.
-
- o "DHCP server" or "server"
-
- A DHCP server is an Internet host that returns configuration
- parameters to DHCP clients.
-
- o "DDNS"
-
- An abbreviation for "Dynamic DNS", which refers to the capabil-
- ity to update a DNS server's name (actually resource record)
- database using an on-the-wire protocol defined in [RFC 2136].
-
- o "DNS"
-
- An abbreviation for "Domain Name System", a scheme where a cen-
- tral name repository is used to map names to IP addresses and IP
- addresses to names.
-
- o "failover endpoint"
-
- The failover protocol allows for there to be a unique failover
- endpoint per partner per role (where role is primary or secon-
- dary). This failover endpoint can take actions and hold unique
- states. There are thus a maximum of two failover endpoints per
-
-
-
-Droms, et. al. Expires January 2001 [Page 6]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- server per partner (one for each partner as a primary and one
- for that same partner as a secondary.)
-
- o "FQDN"
-
- An FQDN is a "fully qualified domain name". A fully qualified
- domain name generally is a host name with at least one zone
- name, for example "www.dhcp.org" is a fully qualified domain
- name.
-
- o "lazy update"
-
- Lazy update refers to the requirement placed on a server imple-
- menting a failover protocol to update its failover partner when-
- ever the binding database changes. A failover protocol which
- didn't support lazy update would require the failover partner
- update to be complete before a DHCP server could respond to a
- DHCP client request with a DHCPACK. A failover protocol which
- does support lazy update places no such restriction on the
- update of the failover partner server, and so a server can allo-
- cate an IP address or extend a lease on an IP address and then
- update its failover partner as time permits. A failover proto-
- col which supports lazy update not only removes the requirement
- to update the failover partner prior to responding to a DHCP
- client with a DHCPACK, but also allows gathering up batches of
- updates from one failover server to its partner.
-
- o "MCLT"
-
- The MCLT refers to maximum client lead time. This time is con-
- figured on the primary server and transmitted from the primary
- to the secondary server in the CONNECT message. It is the max-
- imum amount of time that one server can extend a lease for a
- client's binding beyond the time known by the partner server.
- See section 5.2.1 for details.
-
- o "partner"
-
- A "partner", for the purposes of this document, refers to a
- failover server, typically the other failover server. In many
- (if not most) cases, the failover protocol is symmetric with
- respect to the primary or secondary nature of the servers, and
- so it is often appropriate to discuss "updating the partner
- server", since it could be a primary server updating a secondary
- server or a secondary server updating a primary server.
-
- o "Primary server" or "Primary"
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 7]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- A DHCP server configured to provide primary service to a set of
- DHCP clients for a particular set of subnet address pools.
-
- o "RR"
-
- "RR" is an abbreviation for "resource record". All records in
- the DNS are resource records. The resource records of most
- relevance to this document are the "A" resource record, which
- maps a DNS name to a particular IP address, the "PTR" resource
- record, which allows a "reverse map", from the IP address back
- to a DNS name, and the "KEY" resource record, which is used in
- ways defined in [DDNS] to tag a DNS name with the identity of
- the DHCP client with which it is associated.
-
- o "Secondary server" or "Secondary"
-
- A DHCP server configured to act as backup to a primary server
- for a particular set of subnet address pools.
-
- o "stable storage"
-
- Every DHCP server is assumed to have some form of what is called
- "stable storage". Stable storage is used to hold information
- concerning IP address bindings (among other things) so that this
- information is not lost in the event of a server failure which
- requires restart of the server.
-
- o "state"
-
- In this document, the term "state" refers exclusively to the
- state of a failover endpoint, for example: NORMAL,
- COMMUNICATIONS-INTERRUPTED, PARTNER-DOWN. It is not used to
- refer to any attributes of an IP address or a binding of an IP
- address. See "binding-status".
-
- o "subnet address pool"
-
- A subnet address pool is the set of IP addresses which is asso-
- ciated with a particular network number and subnet mask. In the
- simple case, there is a single network number and subnet mask
- and a set of IP addresses. In the more complex case (sometimes
- called "secondary subnets", sometimes "superscopes"), several
- (apparently unrelated) network number and subnet mask combina-
- tions with their associated IP addresses may all be configured
- together into one subnet address pool.
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 8]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-3. Background and External Requirements
-
- This section highlights key aspects of the DHCP protocol on which the
- failover protocol depends. It also discusses the requirements that
- the failover protocol places on other aspects of the network infras-
- tructure, and some general issues surrounding server failure detec-
- tion. Some failure scenarios that provide particular challenges to a
- failover protocol are discussed. Finally, the challenges inherent in
- using a TCP connection as a means to detect failure of a partner
- server are elaborated.
-
-3.1. Key aspects of the DHCP protocol
-
- The failover protocol is designed to augment the DHCP protocol as
- described in RFC 2131 [RFC 2131]. There are several key aspects of
- the DHCP protocol which are required by the failover protocol in
- order to successfully meet its design goals.
-
-3.1.1. Broadcast behavior
-
- There are two aspects of the broadcast behavior of the DHCP protocol
- which are key to making the failover protocol operate successfully.
- The first is simply that the DHCP protocol requires a DHCP client to
- broadcast all DHCPDISCOVER and DHCPREQUEST/INIT-REBOOT messages.
- Because of this requirement, a DHCP client who was communicating with
- one server will automatically be able to communicate with another
- server if one is available.
-
- The second aspect of broadcast behavior is similar to the first, but
- involves the distinction between a DHCPREQUEST/RENEW and
- DHCPREQUEST/REBINDING. A DHCPREQUEST/RENEW is the message that a
- DHCP client uses to extend its lease. It is unicast to the DHCP
- server from which it acquired the lease. However, the DHCP protocol
- (in a farsighted move), was explicitly designed so that in the event
- that a DHCP client cannot contact the server from which it received a
- lease on an IP address using a DHCPREQUEST/RENEW, the client is
- required to broadcast its renewal using a DHCPREQUEST/REBINDING to
- any available DHCP server. Since all DHCP clients were required to
- implement this algorithm, the failover protocol can have a different
- server from the one that initially granted a lease be the server to
- renew a lease. Thus, one server can take over for another with no
- interruption in the service as experienced by the DHCP client or its
- associated applications software.
-
-3.1.2. Client responsibility
-
- In the DHCP protocol the DHCP clients are entrusted with a consider-
- able responsibility. In particular, after they are granted a lease
-
-
-
-Droms, et. al. Expires January 2001 [Page 9]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- on an IP address, they are enjoined to only use that IP address while
- their lease is valid. Every DHCP client is expected to stop using an
- IP address if the expiration time on the lease has passed and if it
- cannot get an extension on the lease for that IP address from some
- DHCP server. Thus, the correct behavior of every DHCP client in this
- regard is required to ensure the integrity of the DHCP service. On
- the other hand, incorrect behavior by a client in this area will tend
- to adversely affect at most one other DHCP client.
-
- Furthermore, any DHCP client which sends in a DHCPREQUEST/RENEW or
- DHCPREQUEST/REBINDING to a DHCP server (either unicast for a RENEW or
- broadcast for a REBINDING) MUST still have time to run on the lease
- for that IP address. The DHCP server sends the DHCPACK back unicast
- to the IP address from which the RENEW or REBINDING originated.
-
- Given the existing responsibility placed on the client to only use an
- IP address when the lease is valid, and to only send in a RENEW or
- REBINDING if the lease is valid, the failover protocol relies on DHCP
- clients to perform responsibly and will, in the absence of conflict-
- ing information, believe a DHCP client that is attempting to RENEW or
- REBIND a lease on an IP address is the legitimate owner of that IP
- address.
-
- If clients do not follow these rules, it is possible for an address
- to be in use by more than one client. For a single server, this hap-
- pens because the server has leased the expired address to another
- client and the original client is also attempting to use the address.
- The server would NAK the renewal request. This is made slightly worse
- in the failover protocol if the two servers are unable to communicate
- with each other and one server leases an available address to a new
- client while the other server receives a renewal from a different
- client. In this case, both servers lease the same address to dif-
- ferent clients for the MCLT time.
-
- One troublesome issue is that of the DHCP client responsibility when
- sending in DHCPREQUEST/INIT-REBOOT requests. While the original DHCP
- RFC was written to require a DHCP client to have time left to run on
- the lease for an IP address if the client is sending an INIT-REBOOT
- request, it was sufficiently unclear that some client vendors didn't
- realize this until recently. Since the INIT-REBOOT request was sent
- with the IP address in the dhcp-requested-address option and not in
- the ciaddr (for perfectly good reasons), the similarity to the RENEW
- and REBINDING case was lost on many people.
-
- At present, the failover protocol does not assume that a client send-
- ing in an INIT-REBOOT request necessarily has a valid lease on the IP
- address appearing in the dhcp-requested-address option in the INIT-
- REBOOT request.
-
-
-
-Droms, et. al. Expires January 2001 [Page 10]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- The implications of this are as follows: Assume that there is a DHCP
- client that gets a lease from one server while that server is unable
- to communicate with its failover partner. Then, assume that after
- that client reboots it is able only to communicate with the other
- failover server. If the failover servers have not been able to com-
- municate with each other during this process, then the DHCP client
- will get a new IP address instead of being able to continue to use
- its existing IP address. This will affect no applications on the DHCP
- client, since it is rebooting. However, it will use up an additional
- IP address in this marginal case.
-
-3.1.3. Stable storage update before DHCPACK
-
- The DHCP protocol allocates resources, and in order to operate
- correctly it requires that a DHCP server update some form of stable
- storage prior to sending a DHCPACK to a DHCP client in order to grant
- that client a lease on an IP address.
-
- One of the goals of the failover protocol is that it not add signifi-
- cant additional time to this already time consuming requirement to
- update stable storage prior to a DHCPACK. In particular, adding a
- requirement to communicate with another server prior to sending a
- DHCPACK would greatly simplify the failover protocol, but it would
- unacceptably limit the potential scalability of any DHCP server which
- employed the failover protocol.
-
-3.2. BOOTP relay agent implementation
-
- Many DHCP clients are not resident on the same network segment as a
- DHCP server. In order to support this form of network architecture,
- most contemporary routers implement something known as a BOOTP Relay
- Agent. This capability inside of a router listens for all broadcasts
- at the DHCP port, port 67, and will relay any broadcasts that it
- receives on to a DHCP server. The IP address of the DHCP server must
- have been previously configured into the router. As part of the
- relay process, the relay agent will place the address of the inter-
- face on which it received the broadcast into the giaddr field of the
- DHCP packet.
-
- Since the failover protocol requires two DHCP servers to receive any
- broadcast DHCP messages, in order to work with DHCP clients which are
- not local to the DHCP server, the BOOTP relay agent on the router
- closest to the DHCP client must be configured to point at more than
- one DHCP server.
-
- Most BOOTP relay agent implementations allow this duplication of
- packets.
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 11]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- If this is not possible, an administrator might be able to configure
- the relay agent with a subnet broadcast address, but in this case the
- primary and secondary DHCP servers in a failover pair must both
- reside on the same subnet.
-
-3.3. What does it mean if a server can't communicate with its partner?
-
- In any protocol designed to allow one server to take over some
- responsibilities from a partner server in the event of "failure" of
- that partner server, there is an inherent difficulty in determining
- when that partner server has failed.
-
- In fact, it is fundamentally impossible for one server to distinguish
- a network communications failure from the outright failure of the
- server to which it is trying to communicate. In the case where each
- server is handing out resources (in this case IP addresses) to a
- client community, mistaking an inability to communicate with a
- partner server for failure of that partner server could easily cause
- both servers to be handing out the same IP addresses to different
- clients.
-
- One way that this is sometimes handled is for there to be more than
- two servers. In the case of an odd number of servers, the servers
- that can still communicate with a majority of other servers will con-
- sider themselves operational, and any server which can't communicate
- to a majority of other servers must immediately cease operations.
-
- While this technique works in some domains, having the only server to
- which a DHCP client can communicate voluntarily shut itself down
- seems like something worth avoiding.
-
- The failover protocol will operate correctly while both servers are
- unable to communicate, whether they are both running or not. At some
- point there may be resource contention, and if one of the servers is
- actually down, then the operator can inform the operational server
- and the operational server will be able to use all of the failed
- server's resources.
-
- The protocol also allows detection of an orderly shutdown of a parti-
- cipating server.
-
-3.4. Challenging scenarios for a Failover protocol
-
- There exist two failure scenarios which provide particular challenges
- to the correctness guarantees of a failover protocol.
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 12]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-3.4.1. Primary Server crash before "lazy" update:
-
- In the case where the primary server sends a DHCPACK to a client for
- a newly allocated IP address and then crashes prior to sending the
- corresponding update to the secondary server, the secondary server
- will have no record of the IP address allocation. When the secondary
- server takes over, it may well try to allocate that IP address to a
- different client. In the case where the first client to receive the
- IP address is not on the net at the time (yet while there was still
- time to run on its lease), an ICMP echo (i.e., ping) will not prevent
- the secondary server from allocating that IP address to a different
- client.
-
- The failover protocol deals with this situation by having the primary
- and secondary servers allocate addresses for new clients from dis-
- joint address pools. See section 5.4 for details.
-
- A more likely (in that DHCPRENEWs are presumably more common than
- DHCPDISCOVERs) and more subtle version of this problem is where the
- primary server crashes after extending a client's lease time, and
- before updating the secondary with a new time using a lazy update.
- After the secondary takes over, if the client is not connected to the
- network the secondary will believe the client's lease has expired
- when, in fact, it has not. In this case as well, the IP address
- might be reallocated to a different client while the first client is
- still using it.
-
- This scenario is handled by the failover protocol through control of
- the lease time and the use of the maximum client lead time (MCLT).
- See section 5.2.1 for details.
-
-3.4.2. Network partition where DHCP servers can't communicate but each
-can talk to clients:
-
- Several conditions are required for this situation to occur. First,
- due to a network failure, the primary and secondary servers cannot
- communicate. As well, some of the DHCP clients must be able to com-
- municate with the primary server, and some of the clients must now
- only be able to communicate with the secondary server. When this
- condition occurs, both primary and secondary servers could attempt to
- allocate IP addresses for new clients from the same pool of available
- addresses. At some point, then, two clients will end up being allo-
- cated the same IP address. This will cause problems when the network
- failure that created this situation is corrected.
-
- The failover protocol deals with this situation by having the primary
- and secondary servers allocate addresses for new clients from dis-
- joint address pools. See section 5.4 for details.
-
-
-
-Droms, et. al. Expires January 2001 [Page 13]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-3.5. Using TCP to detect partner server failure
-
- There are several characteristics of TCP that are important to the
- functioning of the failover protocol, which uses one TCP connection
- for both bulk data transfer as well as to assess communications
- integrity with the other server. Reliable and ordered message
- delivery are chief among these important characteristics.
-
- It would be nice to use the capabilities built in to TCP to allow it
- to determine if communications integrity exists to the failover
- partner but this strategy contains some problems which require
- analysis. There exist three fundamental cases for an open TCP con-
- nection that must be examined.
-
- 1. When no data is being sent then no messages are traveling
- across the TCP connection.
-
- 2. When data is queued to be sent, and the receiver has not
- blocked the sending of additional data, then messages are
- flowing across the TCP connection containing the applications
- data.
-
- 3. When data is queued to be sent, and the receiver has blocked
- the transmission of additional data, then persist messages are
- flowing from the receiver to the sender to ensure that the
- sender doesn't miss the receiver opening the window for
- further transmissions.
-
- The first case can be turned into the second case by sending
- application-level keep-alive messages periodically when there is no
- other data queued to be sent. Note TCP keep-alive messages might be
- used as well, but they present additional problems.
-
- Thus, we can ensure that the TCP connection has messages flowing
- periodically across the connection fairly easily. The question
- remains as to what TCP will do if the other end of the connection
- fails to respond (either because of network partition or because the
- receiving server crashes). TCP will attempt to retransmit a message
- with an exponential backoff, and will eventually timeout that
- retransmission. However, the length of that timeout cannot, in gen-
- eral, be set on a per-connection basis, and is frequently as long as
- nine minutes, though in some cases it may be as short as two minutes.
- On some systems it can be set system-wide, while on other systems it
- cannot be changed at all.
-
- A value for this timeout that would be appropriate for the failover
- protocol, say less than 1 minute, could have unpleasant side-effects
- on other applications running on the same server, assuming that it
-
-
-
-Droms, et. al. Expires January 2001 [Page 14]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- could be changed at all on the host operating system.
-
- Nine minutes is a long time for the DHCP service to be unavailable to
- any new clients that were being served by the server which has
- crashed, when there is another server running that could respond to
- them as soon as it determines that its partner is not operational.
-
- The conclusion drawn from this analysis is that TCP provides very
- useful support for the failover protocol in the areas of reliable and
- ordered message delivery, but cannot by itself be relied upon to
- detect partner server failure in a fashion acceptable to the needs of
- the failover protocol. Additional failover protocol capabilities
- have been created to support timely detection of partner server
- failure. See section 8.3 for details on this mechanism.
-
-4. Design Goals
-
- This section lists the design goals and the limitations of the fail-
- over protocol.
-
-4.1. Design goals for this protocol
-
- The following is a list of goals that are met by this protocol. They
- are listed in priority order.
-
- 1. Implementations of this protocol must work with existing DHCP
- client implementations based on the DHCP protocol [1].
-
- 2. Implementations of the protocol must work with existing BOOTP
- relay agent implementations.
-
- 3. The protocol must provide failover redundancy between servers
- that are not located on the same subnet.
-
- 4. Provide for continued service to DHCP clients through an
- automated mechanism in the event of failure of the primary
- server.
-
- 5. Avoid binding an IP address to a client while that binding is
- currently valid for another client. In other words, do not
- allocate the same IP address to two clients.
-
- 6. Minimize any need for manual administrative intervention.
-
- 7. Introduce no additional delays in server response time as a
- result of the network communications required to implement the
- failover protocol, i.e., don't require communications with the
- partner between the receipt of a DHCPREQUEST and the
-
-
-
-Droms, et. al. Expires January 2001 [Page 15]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- corresponding DHCPACK.
-
- 8. Share IP address ranges between primary and secondary servers;
- i.e., impose no requirement that the pool of available
- addresses be manually or permanently divided between servers.
-
- 9. Continue to meet the goals and objectives of this protocol in
- the event of server failure or network partition.
-
- 10. Provide graceful reintegration of full protocol service after
- server failure or network partition.
-
- 11. Allow for one computer to act as a secondary server for multi-
- ple primary servers. The protocol must allow failover primary
- and secondary configuration choices to be made at a granular-
- ity smaller than "all of the subnets served by a single
- server", though individual implementations may not choose to
- allow such flexibility.
-
- 12. Ensure that an existing client can keep its existing IP
- address binding if it can communicate with either the primary
- or secondary DHCP server implementing this protocol - not just
- whichever server that originally offered it the binding.
-
- 13. Ensure that a new client can get an IP address from some
- server. Ensure that in the face of partition, where servers
- continue to run but cannot communicate with each other, the
- above goals and requirements may be met. In addition, when
- the partition condition is removed, allow graceful automatic
- re-integration without requiring human intervention.
-
- 14. If either primary or secondary server loses all of the infor-
- mation that it has stored in stable storage, ensure that it be
- able to refresh its stable storage from the other server.
-
- 15. Support load balancing between the primary and secondary
- servers, and allow configuration of the percentage of the
- client population served by each with a moderately fine granu-
- larity.
-
-
-4.2. Limitations of this protocol
-
- The following are explicit limitations of this protocol.
-
- 1. This protocol provides only one level of redundancy through a
- single secondary server for each primary server.
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 16]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- 2. A subset of the address pool is reserved for secondary server
- use. In order to handle the failure case where both servers
- are able to communicate with DHCP clients, but unable to com-
- municate with each other, a subset of the IP address pool must
- be set aside as a private address pool for the secondary
- server. The secondary can use these to service newly arrived
- DHCP clients during such a period. The required size of this
- private pool is based only on the arrival rate of new DHCP
- clients and the length of expected downtime, and is not influ-
- enced in any way by the total number of DHCP clients supported
- by the server pair.
-
- The failover protocol can be used in a mode where both the
- primary and secondary servers can share the load between them
- when both are operating. In this load balancing mode, the
- addresses allocated by the primary server to the secondary
- server are not unused, but are used instead to service the
- portion of the client base to which the secondary server is
- required to respond. See section 5.3 for more information on
- load balancing.
-
- 3. The primary and secondary servers do not respond to client
- requests at all while recovering from a failure that could
- have resulted in duplicate IP assignments. (When synchroniz-
- ing in POTENTIAL-CONFLICT state).
-
-
-5. Protocol Overview
-
- This section will discuss the failover protocol at a relatively high
- level of detail. In the event that a description in this section
- conflicts (or appears to conflict due to the overview nature of this
- section) with information in later sections of this draft, the infor-
- mation in the later sections should be considered authoritative.
-
-5.1. Messages and States
-
- This protocol is centered around the message exchange used by one
- server to update the other server of binding database changes result-
- ing from DHCP client activity:
-
- o Communication of binding database changes
-
- The binding update (BNDUPD) message is used to send the binding
- database changes to the partner server, and the partner server
- responds with a binding acknowledgement (BNDACK) message when it
- has successfully committed those changes to its own stable
- storage.
-
-
-
-Droms, et. al. Expires January 2001 [Page 17]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- All of the other messages involve ancillary issues:
-
- o Management of available IP addresses
-
- The pool request (POOLREQ) is used by the secondary server to
- request an allocation of IP addresses from the primary server.
- The pool response (POOLRESP) is used by the primary server to
- inform the secondary server how many IP addresses were allocated
- to the secondary server as the result of the pool request.
-
- o Synchronization of the binding databases between the servers
- after they've been out of communications
-
- The update request (UPDREQ) message is used by one server to
- request that its partner send it all binding database informa-
- tion that it has not already seen. The update request all
- (UPDREQALL) message is used by one server to request that all
- binding database information be sent in order to recover from a
- total loss of its binding database by the requesting server.
- The update done (UPDDONE) message is used by the responding
- server to indicate that all requested updates have been sent the
- responding server and acked by the requesting server.
-
- o Connection establishment
-
- The connect (CONNECT) message is used by the primary server to
- establish a high level connection with the other server, and to
- transmit several important configuration data items between the
- servers. The connect acknowledgement message (CONNECTACK) is
- used by the secondary server to respond to a CONNECT message
- from the primary server. The disconnect (DISCONNECT) message is
- used by either server when closing a connection.
-
- o Server synchronization
-
- The state change (STATE) message is used by either server to
- inform the other server of a change of failover state.
-
- o Connection integrity management
-
- The contact (CONTACT) message is used by either server to ensure
- that the other server continues to see the connection as opera-
- tional. It MUST be transmitted periodically over every esta-
- blished connection if other message traffic is not flowing, and
- it MAY be sent at any time.
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 18]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-5.1.1. Failover endpoints
-
- The proper operation of the failover protocol requires more than the
- transmission of messages between one server and the other. Each end-
- point might seem to be a single DHCP server, but in fact there are
- many situations where additional flexibility in configuration is use-
- ful.
-
- For instance, there might be several servers which are each primary
- for a distinct set of address pools, and one server which is secon-
- dary for all of those address pools. The situation with the pri-
- maries is straightforward, but the secondary will need to maintain a
- separate failover state, partner state, and communications up/down
- status for each of the separate primary servers for which it is act-
- ing as a secondary.
-
- The failover protocol calls for there to be a unique failover end-
- point per partner per role (where role is primary or secondary).
- This failover endpoint can take actions and hold unique states.
- There are thus a maximum of two failover endpoints per partner (one
- for the partner as a primary and one for that same partner as a
- secondary.)
-
- Thus, in the case where there are two primary servers A and B each
- backed up by a single common secondary server C, there is one fail-
- over endpoint on each of A and B, and two different failover end-
- points on C. The two different failover endpoints on C each have
- unique states and independent TCP connections.
-
- This document frequently describes the behavior of the protocol in
- terms of primary and secondary servers, not primary and secondary
- failover endpoints. However, it is important to remember that every
- 'server' described in this document is in reality a failover endpoint
- that resides in a particular process, and that many failover end-
- points may reside in the same process.
-
- It is not the case that there is a unique failover endpoint for each
- subnet address pool that participates in a failover relationship. On
- one server, there is one failover endpoint per partner per role,
- regardless of how many subnet address pools are managed by that com-
- bination of partner and role. Conversely, on a particular server,
- any given subnet address pool will be associated with exactly one
- failover endpoint.
-
- When a connection is received from the partner, the unique failover
- endpoint to which the message is directed is determined solely by the
- IP address of the partner and the port to which the connection is
- directed by the partner. See section 8.2.
-
-
-
-Droms, et. al. Expires January 2001 [Page 19]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-5.2. Fundamental guarantees
-
- There a several fundamental restrictions this protocol places on what
- one server can do in the absence of knowledge of the other server.
- Operating within these restrictions allows certain guarantees to be
- made to the partner server, and these are key to the correct opera-
- tion of the protocol.
-
-5.2.1. Control of lease time
-
- The key problem with lazy update is that when a server fails after
- updating a client with a particular lease time and before updating
- its partner, the partner will believe that a lease has expired even
- though the client still retains a valid lease on that IP address.
-
- In order to handle this problem, a period of time known as the "Max-
- imum Client Lead Time" (MCLT) is defined and must be known to both
- the primary and secondary servers. Proper use of this time interval
- places an upper bound on the difference allowed between the lease
- time provided to a DHCP client by a server and the lease time known
- by that server's partner. However, the MCLT is typically much less
- than the lease time that a server has been configured to offer a
- client, and so some strategy must exist to allow a server to offer
- the configured lease time to a client. During a lazy update the
- updating server typically updates its partner with a potential
- expiration time which is longer than the lease time previously given
- to the client and which is longer than the lease time that the server
- has been configured to give a client. This allows that server to
- give a longer lease time to the client the next time the client
- renews its lease, since the time that it will give to the client will
- not exceed the MCLT beyond the potential expiration time acknowledged
- by its partner.
-
- The PARTNER-DOWN state exists so that a server can be sure that its
- partner is, indeed, down. Correct operation while in that state
- requires (generally) that the server wait the MCLT after anything
- that happened prior to its transition into PARTNER-DOWN state (or,
- more accurately, when the other server went down if that is known).
- Thus, the server MUST wait the MCLT after the partner server went
- down before allocating any of the partner's addresses which were
- available for allocation. In the event the partner was not in com-
- munication prior to going down, it might have allocated one or more
- of its FREE addresses to a DHCP client and been unable to inform the
- server entering PARTNER-DOWN prior to going down itself. By waiting
- the MCLT after the time the partner went down, the server in
- PARTNER-DOWN state ensures that any clients which have a lease on one
- of the partner's FREE addresses will either time out or contact the
- server in PARTNER-DOWN by the time that period ends.
-
-
-
-Droms, et. al. Expires January 2001 [Page 20]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- In addition, once a server has transitioned to PARTNER-DOWN state, it
- MUST NOT reallocate an IP address from one client to another client
- until an additional MCLT interval after the lease by the original
- client expires. (Actually, until the maximum client lead time after
- what it believes to be the lease expiration time of the client.)
-
- Some optimizations exist for this restriction, in that it only
- applies to leases that were issued BEFORE entering PARTNER-DOWN. Once
- a server has entered PARTNER-DOWN and it leases out an address, it
- need not wait this time as long as it has never communicated with the
- partner since the lease was given out.
-
- The fundamental relationship on which much of the correctness of this
- protocol depends is that the lease expiration time known to a DHCP
- client MUST NOT be more than the maximum client lead time greater
- than the potential expiration time known to a server's partner.
-
- The remainder of this section makes the above fundamental relation-
- ship more explicit.
-
- This protocol requires a DHCP server to deal with several different
- lease intervals and places specific restrictions on their relation-
- ships. The purpose of these restrictions is to allow the other server
- in the pair to be able to make certain assumptions in the absence of
- an ability to communicate between servers.
-
- The different lease times are:
-
- o desired lease interval
-
- The desired lease interval is the lease interval that a DHCP
- server would like to give to a DHCP client in the absence of any
- restrictions imposed by the Failover protocol. Its determina-
- tion is outside of the scope of this protocol. Typically this is
- the result of external configuration of a DHCP server.
-
- o actual lease interval
-
- The actual lease internal is the lease interval that a DHCP
- server gives out to a DHCP client in the dhcp-lease-time option
- of a DHCPACK packet. It may be shorter than the desired client
- lease interval (as explained below).
-
- o potential lease interval
-
- The potential lease interval is the lease expiration interval
- the local server tells to its partner in the potential-
- expiration-time option of a BNDUPD message.
-
-
-
-Droms, et. al. Expires January 2001 [Page 21]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- o acknowledged potential lease interval
-
- The acknowledged potential lease interval is the potential lease
- interval the partner server has most recently acknowledged in
- the potential-expiration-time option of a BNDACK message.
-
- The key restriction (and guarantee) that any server makes with
- respect to lease intervals is that the actual client lease interval
- never exceeds the acknowledged potential lease interval (if any) by
- more than a fixed amount. This fixed amount is called the "Maximum
- Client Lead Time" (MCLT).
-
- The MCLT MAY be configurable on the primary server, but for correct
- server operation it MUST be the same and known to both the primary
- and secondary servers. The secondary server determines the MCLT from
- the MCLT option sent from the primary server to the secondary server
- in the CONNECT message.
-
- A server MUST record in its stable storage both the actual lease
- interval and the most recently acknowledged potential lease interval
- for each IP address binding. It is assumed that the desired client
- lease interval can be determined through techniques outside of the
- scope of this protocol. See section 7.1.5 for more details concern-
- ing the times that the server MUST record in its stable storage and
- the way that they interact with the lease time that may be offered to
- a DHCP client.
-
- Again, the fundamental relationship among these times which MUST be
- maintained is:
-
- actual lease interval <
- ( acknowledged potential lease interval + MCLT )
-
-
- Figure 5.2.1-1 illustrates an initial lease to a client using the
- rules discussed in the example which follows it. Note that this is
- only one example -- as long as the fundamental relationship is
- preserved, the actual times used could be quite different.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 22]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
- DHCP Primary Secondary
- time Client Server Server
-
- | (time in intervals) | (absolute time) |
- | | |
- | >-DHCPDISCOVER-> | |
- | <---DHCPOFFER-< | |
- | | |
- | >-DHCPREQUEST-> | |
- | (selecting) | |
- | | |
- t | <--------DHCPACK-< | |
- | lease-time=MCLT | |
- | | >-BNDUPD--> |
- | | lease-expiration=t+MCLT
- | | potential-expiration=t+(MCLT/2)+X
- | | |
- | | <-BNDACK-< |
- | | potential-expiration=t+(MCLT/2)+X
- ... ... ...
- | | |
- t+MCLT/2 | >-DHCPREQUEST-> | |
- | (renew) | |
- | | |
- t1 | <--------DHCPACK-< | |
- | lease-time=X | |
- | | >-BNDUPD--> |
- | | lease-expiration=t1+X
- | | potential-expiration=t1+(X/2)+X
- | | |
- | | <-BNDACK-< |
- | | potential-expiration=t1+(X/2)+X
- ... ... ...
-
- Figure 5.2.1-1: Lazy Update Message Traffic
- X = Desired Lease Interval
- Assumes renewal interval = lease interval / 2
-
-
- DISCUSSION:
-
- This protocol mandates only that the above fundamental relation-
- ship concerning lease intervals is preserved.
-
- In the interests of clarity, however, let's examine a specific
- example. The MCLT in this case is 1 hour. The desired lease
- interval is 3 days, and its renewal time is half the lease
-
-
-
-Droms, et. al. Expires January 2001 [Page 23]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- interval.
-
- The rules for this example are:
-
- o What to tell the client:
-
- Take the remainder of the acknowledged potential lease interval.
- If this is a new lease, then this value will be zero. If this
- remainder plus the MCLT is greater than the desired lease inter-
- val, give the client the desired lease interval else give the
- client the remainder plus the MCLT.
-
- o What to tell the failover partner server:
-
- Take the renewal interval (typically half of the actual client
- lease interval), add to it the desired lease interval, and add
- it to the current time to yield the value that goes into the
- potential-expiration-time option.
-
- Also tell the failover partner the actual lease interval by
- adding it to the current time to yield the value that goes into
- the lease-expiration option.
-
- In operation this might work as follows:
-
- When a server makes an offer for a new lease on an IP address to a
- DHCP client, it determines the desired lease interval (in this
- case, 3 days). It then examines the acknowledged potential lease
- interval (which in this case is zero) and determines the remainder
- of the time left to run, which is also zero. To this it adds the
- MCLT. Since the actual lease interval cannot be allowed to exceed
- the remainder of the current acknowledged potential lease interval
- plus the MCLT, the offer made to the client is for the remainder
- of the current acknowledged potential lease interval (i.e., zero)
- plus the MCLT. Thus, the actual lease interval is 1 hour.
-
- Once the server has performed the BNDACK to the DHCP client, it
- will update the secondary server with the lease information. How-
- ever, the desired potential lease interval will be composed of the
- one half of the current actual lease interval added to the desired
- lease interval. Thus, the secondary server is updated with a
- BNDUPD with a lease interval of 3 days + 1/2 hour specified in the
- potential-expiration-time option.
-
- When the primary server receives an ACK to its update of the
- secondary server's (partner's) potential lease interval, it
- records that as the acknowledged potential lease interval. A
- server MUST NOT send a BNDACK in response to a BNDUPD message
-
-
-
-Droms, et. al. Expires January 2001 [Page 24]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- until it is sure that the information in the BNDUPD message
- resides in its stable storage. Thus, the primary server in this
- case can be sure that the secondary server has recorded the poten-
- tial lease interval in its stable storage when the primary server
- receives a BNDACK message from the secondary server.
-
- When the DHCP client attempts to renew at T1 (approximately one
- half an hour from the start of the lease), the primary server
- again determines the desired lease interval, which is still 3
- days. It then compares this with the remaining acknowledged
- potential lease interval (3 days + 1/2 hour) and adjusts for the
- time passed since the secondary was last updated (1/2 hour). Thus
- the time remaining of the acknowledged potential lease interval is
- 3 days. Adding the MCLT to this yields 3 days plus 1 hour, which
- is more than the desired lease interval of 3 days. So the client
- is renewed for the desired lease interval -- 3 days.
-
- When the primary DHCP server updates the secondary DHCP server
- after the DHCP client's renewal ACK is complete, it will calculate
- the desired potential lease interval as the T1 fraction of the
- actual client lease interval (1/2 of 3 days this time = 1.5 days).
- To this it will add the desired client lease interval of 3 days,
- yielding a total desired partner server lease interval of 4.5
- days. In this way, the primary attempts to have the secondary
- always "lead" the client in its understanding of the client's
- lease interval so as to be able to always offer the client the
- desired client lease interval.
-
- Once the initial actual client lease interval of the MCLT is past,
- the protocol operates effectively like the DHCP protocol does
- today in its behavior concerning lease intervals. However, the
- guarantee that the actual client lease interval will never exceed
- the remaining acknowledged partner server lease interval by more
- than the MCLT allows full recovery from a variety of failures.
-
-5.2.2. Controlled re-allocation of IP addresses
-
- When in PARTNER-DOWN state there is a waiting period after which an
- IP address can be re-allocated to another client. For leases which
- are available when the server enters PARTNER-DOWN state, the period
- is the MCLT from entry into PARTNER-DOWN state. For IP addresses
- which are not available when the server enters PARTNER-DOWN state,
- the period is the MCLT after the lease becomes available. See sec-
- tion 9.4.2 for more details.
-
- In any other state, a server cannot reallocate an address from one
- client to another without first notifying its partner (through a
- BNDUPD message) and receiving acknowledgement (through a BNDACK
-
-
-
-Droms, et. al. Expires January 2001 [Page 25]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- message) that its partner is aware that that first client is not
- using the address.
-
- This could be modeled in the following way. Though this specific
- implementation is in no way required, it may serve to better illus-
- trate the concept.
-
- An "available" IP address on a server may be allocated to any client.
- An IP address which was leased to a client and which expired or was
- released by that client would take on a new state, EXPIRED or
- RELEASED respectively. The partner server would then be notified
- that this IP address was EXPIRED or RELEASED through a BNDUPD. When
- the sending server received the BNDACK for that IP address showing it
- was FREE, it would move the IP address from EXPIRED or RELEASED to
- FREE, and it would be available for allocation by the primary server
- to any clients.
-
- A server MAY reallocate an IP address in the EXPIRED or RELEASED
- state to the same client with no restrictions provided it has not
- sent a BNDUPD message to its partner. This situation would exist if
- the lease expired or was released after the transition into PARTNER-
- DOWN state, for instance.
-
-
-5.3. Load balancing
-
- In order to implement load balancing between a primary and secondary
- server pair, each server must respond to DHCPDISCOVER requests from
- some clients and not from other clients. In order to do this suc-
- cessfully, each server must be able to determine immediately upon
- receipt of a DHCP client request whether it is to service this
- request or to ignore it in order to allow the other server to service
- the request.
-
- In addition, it should be possible to configure the percentage of
- clients which will be serviced by either the primary or secondary
- server. This configuration should be more or less continuous, from
- all clients serviced by the primary through an even split with half
- serviced by each, to all clients serviced by the secondary.
-
- The technique chosen to support these goals is described in [LOADB].
-
- A bitmap-style Hash Bucket Assignment (as described in [LOADB]) is
- used to determine which DHCP clients can be processed. There are two
- potential HBA's in a failover server -- a server HBA and a failover
- HBA. The way that a server acquires a server HBA is outside of the
- scope of the failover protocol, but both servers in a failover pair
- MUST have the same server HBA. The failover HBA is sent by the
-
-
-
-Droms, et. al. Expires January 2001 [Page 26]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- primary server to the secondary server whenever a connection is esta-
- blished, using the hash-bucket-assignment option defined in section
- 12.11.
-
- When using the server HBA (if any) and the failover HBA (if any), to
- decide whether to process a DHCP request, the server HBA always
- applies in every failover state, and the failover HBA (which MUST be
- a subset of the server HBA) is used by the secondary server to decide
- which packets to process when in NORMAL state.
-
-5.4. Operating in NORMAL state
-
- When in NORMAL state, each server services DHCPDISCOVER's and all
- other DHCP requests other than DHCPREQUEST/RENEWAL or
- DHCPREQUEST/REBINDING from the client set defined by the load balanc-
- ing algorithm [LOADB]. Each server services DHCPREQUEST/RENEWAL or
- DHCPDISCOVER/REBINDING requests from any client.
-
- In general, whenever the binding database is changed in stable
- storage (other than a change resulting from receiving a BNDUPD from
- the failover partner), then a BNDUPD message is sent with the con-
- tents of that change to the partner server. The partner server then
- writes the information about that binding in its bindings database in
- stable storage and replies with a BNDACK message.
-
- The binding database in a DHCP server would normally be changed as a
- result of DHCP protocol activity with a DHCP client (e.g., granting
- a lease to a DHCP client through the familiar
- DISCOVER/OFFER/REQUEST/ACK cycle or extending a lease due to a
- renewal from a DHCP client) or possibly (on some servers) because a
- lease has expired or undergone another state change that must be
- recorded in the DHCP binding database. These are the state changes
- that would be communicated to the partner server using a BNDUPD mes-
- sage. Of course, receipt of a BNDUPD message itself will normally
- cause an update of the binding database for all of the IP addresses
- contained in the BNDUPD, and a binding database change such as this
- MUST NOT trigger a corresponding BNDUPD message to the partner.
-
-5.5. Operating in COMMUNICATIONS-INTERRUPTED state
-
- When operating in COMMUNICATIONS-INTERRUPTED state, each server is
- operating independently, but does not assume that its partner is not
- operating. The partner server might be operating and simply unable
- to communicate with this server, or might not be operating.
-
- Each server responds to the full range of DHCP client messages that
- it receives, but in such a way that graceful reintegration is always
- possible when its partner comes back into contact with it.
-
-
-
-Droms, et. al. Expires January 2001 [Page 27]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-5.6. Operating in PARTNER-DOWN state
-
- When operating in PARTNER-DOWN state, a server assumes that its
- partner is not currently operating, but does make allowances for the
- possibility that that server was operating in the past, though possi-
- bly out of communications with this server. It responds to all DHCP
- client requests in PARTNER-DOWN state.
-
-5.7. Operating in RECOVER state
-
- A server operating in RECOVER state assumes that it is reintegrating
- with a server that has been operating in PARTNER-DOWN state, and that
- it needs to update its bindings database before it services DHCP
- client requests.
-
- A server may also operate in RECOVER state in order to fully recover
- its bindings database from its partner server.
-
-5.8. Operating in STARTUP state
-
- A server operating in STARTUP state assumes that failover is opera-
- tional, and it spends a short time whenever it comes up attempting to
- contact the partner. During this time (generally a few seconds), the
- server is unresponsive to DHCP client requests. This period exists
- in order to give a server a chance to determine that its partner has
- changed state since it was last in communications, and to react to
- that changed state (if any) prior to responding to DHCP client
- requests.
-
- The period of time a server remains in STARTUP state SHOULD be long
- enough to ensure that it will connect to the other server if that
- server is available for connections.
-
-5.9. Time synchronization between servers
-
- The failover protocol is designed to operate between two servers
- which have time values which differ by an arbitrarily large amount.
- A particular implementation MAY choose to only support servers whose
- time values differ by an arbitrarily small amount.
-
- In any event, whether large or only small differences in time values
- are supported, every message that is received MUST be tagged with a
- time value as soon as possible after receipt. This time value is
- used along with the time value that is sent in every message between
- the failover partners to develop a delta time between the servers.
- This delta time is used during the connection process to establish a
- baseline delta time between the servers, and upon receipt of each
- message, the delta time for that message is used to refine the delta
-
-
-
-Droms, et. al. Expires January 2001 [Page 28]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- time for the server pair.
-
- While the algorithm for this refinement of delta time is not speci-
- fied as part of this protocol, a server SHOULD allow the delta time
- value for a pair of failover servers to be periodically updated to
- account for time drift. In addition, the delta time value between
- servers SHOULD be smoothed in some fashion, so that transient network
- delays will not cause it to vary wildly.
-
- A server SHOULD recognize a drastic change in the delta time value as
- an event to be signaled to a network administrator, as well as reset-
- ting the time delta between the failover partners.
-
- The specific definitions of a minor or drastic change in delta time
- as well as the algorithm used to smooth minor changes into the run-
- ning delta time are implementation issues and are not further
- addresses in this document.
-
-5.10. IP address binding-status
-
- In most DHCP servers an IP address can take on several different
- binding-status values, sometimes also called states. While no two
- DHCP servers probably have exactly the same possible binding-status
- values, the DHCP RFC enforces some commonality among the general
- semantics of the binding-status values used by various DHCP server
- implementations.
-
- In order to transmit binding database updates between one server and
- another using the failover protocol, some common denominator
- binding-status values must be defined. It is not expected that these
- binding-status-values correspond with any actual implementation of
- the DHCP protocol in a DHCP server, but rather that the binding-
- status values defined in this document should be a common denominator
- of those in use by many DHCP server implementations. It is a goal of
- this protocol that any DHCP server can map the various IP address
- binding-status values that it uses internally into these failover IP
- address binding-status values on transmission of binding database
- updates to its partner, and likewise that it can map any failover IP
- address binding-status values it received in a binding update into
- its internal IP address binding-status values.
-
- The IP address binding-status values defined for the failover proto-
- col are listed below. Unless otherwise noted below, there MAY be
- client information associated with each of these binding-status
- values.
-
- o
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 29]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- o ACTIVE -- Lease is assigned to a client. Client identification
- MUST appear.
-
- o EXPIRED -- indicates that a client's binding on an IP address
- has expired. When the partner server ACK's the BNDUPD of an
- EXPIRED IP address, the server sets its internal state to FREE.
- It is then available for allocation to any client of the primary
- server. It may be allocated to the same client on the server
- where the lease expired if a BNDUPD containing the EXPIRED state
- has not yet been sent to the partner (e.g., in the event that
- the servers are not in communication). Client identification
- SHOULD appear.
-
- o RELEASED -- indicates that a DHCP client sent in a DHCPRELEASE
- message. When the partner server ACK's the BNDUPD of an
- RELEASED IP address, the server sets its internal state to FREE,
- and it is available for allocation by the primary server to any
- DHCP client. It may be allocated to the same client if a BNDUPD
- has not yet been sent to the partner. Client identification
- SHOULD appear.
-
- o FREE -- is used when a DHCP server needs to communicate that an
- IP address is unused by any DHCP client, but it was not just
- released, expired, or reset by a network administrator. When
- the partner server ACK's the BNDUPD of a FREE IP address, the
- server sets its internal state such that it is available for
- allocation by the primary DHCP server to any DHCP client. (Note
- that in PARTNER-DOWN state, after waiting the MCLT, the IP
- address MAY be allocated to a DHCP client by the secondary
- server.)
-
- Note that when an IP address that was allocated by the secondary
- reverts to the FREE state, it must (like any other IP address)
- be assigned to the secondary through the POOLREQ/BNDUPD process
- before the secondary can reallocate it.
-
- Client identification MAY appear.
-
- o ABANDONED -- indicates that an IP address is considered unusable
- by the DHCP subsystem. An IP address for which a valid PING
- response was received SHOULD be set to ABANDONED. An IP address
- for which a DHCPDECLINE was received should be set to ABANDONED.
- Client identification MUST NOT appear.
-
- o RESET -- indicates that this IP address was made available by
- operator command. This is a distinct state so that the reason
- that the IP address became FREE can be determined. Client iden-
- tification MAY appear.
-
-
-
-Droms, et. al. Expires January 2001 [Page 30]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- o BACKUP -- indicates that this IP address can be allocated by the
- secondary server to a DHCP client at any time. When the MCLT has
- passed after its time of entry into PARTNER-DOWN state, the IP
- address may be allocated by the primary to any DHCP client.
- Client identification MAY appear.
-
- These binding-status values are communicated from one failover
- partner to another using the binding-status option, see section 12.3
- for details of this option. Unless otherwise noted above there MAY
- be client information associated with each of these binding-status
- values.
-
- An IP address will move between these binding-status values using the
- following state transition diagram:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 31]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-
- DHCP client DECLINE or
- server detected problem
- from any state
- +----------+ V +---------+
- External >---->| RESET | | |ABANDONED|
- command | | +-->| |
- +----------+ +---------+
- |
- Comm w/Parter(1)
- V
- +---------+ Comm(1) +----------+ Comm(1) +---------+
- | EXPIRED |--------->| FREE |<----------| RELEASED|
- | | w/Parter | | w/Partner | |
- +---------+ +----------+ +---------+
- ^ ^ | | +-----------+ ^
- | | | | | |
- | Exp. grace IP | IP addr alloc. IP addr |
- | period ends address to sec.(2) reserved |
- | | leasedy V V |
- | | by | +----------+ +---------+ |
- | | primary| BACKUP | | BACKUP- | |
- | wait for | | | | RESERVED| |
- | grace period | +----------+ +---------+ |
- | | | | |
- | | | IP addr leased by |
- | Expired grace | secondary |
- | period exists V V |
- | | +----------+ |
- | | Lease on | ACTIVE | DHCPRELEASE |
- +-----+-IP addr---| |------------------+
- expires +----------+
-
-
- Figure 5.10-1: Transitions between binding-status values.
-
- (1) This transition MAY also occur if the server is in
- PARTNER-DOWN state and the MCLT has passed since the entry
- in the RELEASED, EXPIRED, or RESET states.
-
- (2) This transition MAY occur if the server is the secondary
- and the MCLT has passed since its entry into PARTNER-DOWN state.
-
-
-
- Again, note that a DHCP server implementing the failover protocol
- does not have to implement either this state machine or use these
-
-
-
-Droms, et. al. Expires January 2001 [Page 32]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- particular binding-status values in its normal operation of allocat-
- ing IP addresses to DHCP clients. It only needs to map its internal
- binding-status-values onto these "standard" binding-status values,
- and map these "standard" binding-status values back into its internal
- binding-status values. For example, a server which implements a
- grace period for a IP address binding SHOULD simply wait to update
- its partner server until the grace period on that binding has run
- out.
-
- The process of setting an IP address to FREE deserves some detailed
- discussion. When an IP address is moved to the EXPIRED,RELEASED, or
- RESET binding-status on a server, it will send a BNDUPD with the
- binding-status of EXPIRED, RELEASED, or RESET to its partner. If its
- partner agrees that is acceptable (see sections 7.1.2 and 7.1.3 con-
- cerning why a server might not accept a BNDUPD) it will return a
- BNDACK with no reject-reason, signifying that it accepted the update.
- As part of the BNDUPD processing, the server returning the BNDACK
- will set the binding-status of the IP address to FREE, and upon
- receipt of the BNDACK the server which sent the BNDUPD will set the
- binding-status of the IP address to FREE. Thus, the EXPIRED,
- RELEASED, or RESET binding-status is something of a transitory state.
- This process is encoded in the transition diagram above by "Comm
- w/Partner".
-
-5.11. DNS dynamic update considerations
-
- DHCP servers (and clients) can use DNS Dynamic Updates as described
- in [RFC 2136] to maintain DNS name-mappings as they maintain DHCP
- leases. Many different administrative models for DHCP-DNS integra-
- tion are possible. Descriptions of several of these models, and
- guidelines that DHCP servers and clients should follow in carrying
- them out, are laid out in [DDNS]. The nature of the DHCP failover
- protocol introduces some issues concerning dynamic DNS updates that
- are not part of non-failover DHCP environments. This section
- describes these issues, and defines the information which failover
- partners should exchange and the protocol which they should follow in
- order to ensure consistent behavior. The presence of this section
- should not be interpreted as requiring that implementations of the
- DHCP failover protocol must also support DDNS updates. The purpose
- of this discussion is to clarify the areas where the DHCP failover
- and DHCP-DDNS protocols intersect for the benefit of implementations
- which support both protocols, not to introduce a new requirement into
- the DHCP failover protocol. Thus, a DHCP server which implements the
- failover protocol MAY also support dynamic DNS updates, but if it
- does support dynamic DNS updates it SHOULD utilize the techniques
- described here in order to correctly distribute them between the
- failover partners.
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 33]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- From the standpoint of the failover protocol, there is no reason why
- a server which is utilizing the DDNS protocol to update a DNS server
- should not be a partner with a server which is not utilizing the DDNS
- protocol to update a DNS server. However, a server which is not able
- to support DDNS or is not configured to support DDNS SHOULD output a
- warning message when it receives BNDUPD messages which indicate that
- its failover partner is configured to support the DDNS protocol to
- update a DNS server. An implementation MAY consider this an error
- and refuse to operate, or it MAY choose to operate anyway, having
- warned the user of the problem in some way.
-
-5.11.1. Relationship between failover and dynamic DNS update
-
- The failover protocol describes the conditions under which each fail-
- over server may renew a lease to its current DHCP client, and
- describes the conditions under which it may grant a lease to a new
- DHCP client. An analogous set of conditions determines when a fail-
- over server should initiate a DDNS update, and when it should attempt
- to remove records from the DNS. The failover protocol's conditions
- are based on the desired external behavior: avoiding duplicate
- address assignments; allowing clients to continue using leases which
- they obtained from one failover partner even if they can only commun-
- icate with the other partner; allowing the backup DHCP server to
- grant new leases even if it is unable to communicate with the primary
- server. The desired external DDNS behavior for DHCP failover servers
- is:
-
- 1. Allow timely DDNS updates from the server which grants a
- client a lease. Recognize that there is often a DDNS update
- lifecycle which parallels the DHCP lease lifecycle. This is
- likely to include the addition of records when the lease is
- granted, and the removal of DNS records when the lease is sub-
- sequently made available for allocation to a different client.
-
- 2. Communicate enough information between the two failover
- servers to allow one to complete the DDNS update 'lifecycle'
- even if the other server originally granted the lease.
-
- 3. Avoid redundant or overlapping DDNS updates, where both fail-
- over servers are attempting to perform DDNS updates for the
- same lease-client binding. Avoid situations where one partner
- is attempting to add RRs related to a lease binding while the
- other partner is attempting to remove RRs related to the same
- lease binding.
-
-5.11.2. Use of the DDNS option
-
- In order for either server to be able to complete a DDNS update, or
-
-
-
-Droms, et. al. Expires January 2001 [Page 34]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- to remove DNS records which were added by its partner, both servers
- need to know the FQDN associated with the lease-client binding. The
- FQDN associated with the client's A RR and PTR RR SHOULD be communi-
- cated from the server which adds records into the DNS to its partner.
- The initiating server SHOULD use the DDNS option in the BNDUPD mes-
- sages to inform the partner server of the status of any DDNS updates
- associated with a lease binding. Failover servers MAY choose not to
- include the DDNS option in BNDUPD messages if there has been no
- change in the status of any DDNS update related to the lease binding.
- The partner server receiving BNDUPD messages containing the DDNS
- option SHOULD compare the status flags and the FQDN contained in the
- option data with the current DDNS information it has associated with
- the lease binding, and update its notion of the DDNS status accord-
- ingly.
-
- The initiating server MAY send a BNDUPD to its partner before the
- DDNS update has been successfully completed. If it does so, it SHOULD
- leave the 'C' bit in the Flags field clear, to indicate to the
- partner that the DDNS update may not be complete. When the DDNS
- update has been successfully acknowledged by the DNS server, the ini-
- tiating DHCP server SHOULD include the DDNS option in its next BNDUPD
- message about the binding, so that the partner server will be able to
- record the final status of the DDNS update. The initiating server
- SHOULD set the 'C' bit in the DDNS option if the DDNS update was suc-
- cessfully accepted by the DNS server.
-
- Some implementations will choose to send a BNDUPD without waiting for
- the DDNS update to complete, and then will send a second BNDUPD once
- the DDNS update is complete. Other implementations will delay sending
- the partner a BNDUPD until the DDNS update has been acknowledged by
- the DNS server, or until some time-limit has elapsed, in order to
- avoid sending a second BNDUPD.
-
- The Domain Name field in the DDNS option contains the FQDN that will
- be associated with the A RR (if the server is performing an A RR
- update for the client) and the PTR RR. This FQDN may be composed in
- any of several ways, depending on server configuration and the infor-
- mation provided by the client in its DHCP messages. The client may
- supply a hostname which it would like the server to use in forming
- the FQDN, or it may supply the entire FQDN. The server may be config-
- ured to attempt to use the information the client supplies, it may be
- configured with an FQDN to use for the client, or it may be config-
- ured to synthesize an FQDN. The responsive server SHOULD include the
- FQDN that it will be using in DDNS updates it initiates when it sends
- the DDNS option.
-
- Since the responsive server may not have completed the DDNS update at
- the time it sends the first BNDUPD about the lease binding, there may
-
-
-
-Droms, et. al. Expires January 2001 [Page 35]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- be cases where the FQDN in later BNDUPD messages does not match the
- FQDN included in earlier messages. For example, the responsive
- server may be configured to handle situations where two or more DHCP
- client FQDNs are identical by modifying the most-specific label in
- the FQDNs of some of the clients in an attempt to generate unique
- FQDNs for them (a process sometimes called "disambiguation"). Alter-
- natively, at sites which use some or all of the information which
- clients supply to form the FQDN, it's possible that a client's confi-
- guration may be changed so that it begins to supply new data. The
- responsive server may react by removing the DNS records which it ori-
- ginally added for the client, and replacing them with records that
- refer to the client's new FQDN. In such cases, the responsive server
- SHOULD include the actual FQDN that was used in subsequent DDNS
- options. The responsive server SHOULD include relevant client-option
- data in the client-request-options option in its BNDUPD messages.
- This information may be necessary in order to allow the non-
- responsive partner to detect client configuration changes that change
- the hostname or FQDN data which the client includes in its DHCP
- requests.
-
-5.11.3. Adding RRs to the DNS
-
- A failover server which is going to perform DDNS updates SHOULD ini-
- tiate the DDNS update when it grants a new lease to a client. The
- non-responsive partner SHOULD NOT initiate a DDNS update when it
- receives the BNDUPD after the lease has been granted. The failover
- protocol ensures that only one of the partners will grant a lease to
- any individual client, so it follows that this requirement will
- prevent both partners from initiating updates simultaneously. The
- server initiating the update SHOULD follow the protocol in [DDNS].
- The server may be configured to perform an A RR update on behalf of
- its clients, or not. Ordinarily, a failover server will not initiate
- DDNS updates when it renews leases. In two cases, however, a failover
- server MAY initiate a DDNS update when it renews a lease to its
- existing client:
-
- 1. When the lease was granted before the server was configured to
- perform DDNS updates, the server MAY be configured to perform
- updates when it next renews existing leases. Since both
- servers are responsive to renewals in NORMAL state, it is not
- enough to simply require the non-responsive server to avoid a
- DNS update in this case. The server which would be responsive
- to a DHCPDISCOVER from this client (even though the current
- request is a DHCPREQUEST/RENEW) is the server which should
- initiate the DDNS update.
-
- 2. If a server is in PARTNER-DOWN state, it can conclude that its
- partner is no longer attempting to perform an update for the
-
-
-
-Droms, et. al. Expires January 2001 [Page 36]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- existing client. If the remaining server has not recorded that
- an update for the binding has been successfully completed, the
- server MAY initiate a DDNS update. It MAY initiate this
- update immediately upon entry to PARTNER-DOWN state, it may
- perform this in the background, or it MAY initiate this update
- upon next hearing from the DHCP client.
-
-5.11.4. Deleting RRs from the DNS
-
- The failover server which makes an IP address FREE SHOULD initiate
- any DDNS deletes, if it has recorded that DNS records were added on
- behalf of the client.
-
- A server not in PARTNER-DOWN state "makes an IP address FREE" when it
- initiates a BNDUPD with a binding-status of FREE, EXPIRED, or
- RELEASED. Its partner confirms this status by acking that BNDUPD,
- and upon receipt of the ACK the server has "made the IP address
- FREE". Conversely, a server in PARTNER-DOWN state "makes an IP
- address FREE" when it sets the binding-status to FREE, since in
- PARTNER-DOWN state not communications is required with the partner.
-
- It is at this point that it should initiate the DDNS operations to
- delete RRs from the DDNS. Its partner SHOULD NOT initiate DDNS
- deletes for DNS records related to the lease binding as part of send-
- ing the BNDACK message. The partner MAY have issued BNDUPD messages
- with a binding-status of FREE, EXPIRED, or RELEASED previously, but
- the other server will have NAKed these BNDUPD messages.
-
- The failover protocol ensures that only one of the two partner
- servers will be able to make a lease FREE. The server making the
- lease FREE may be doing so while it is in NORMAL communication with
- its partner, or it may be in PARTNER-DOWN state. If a server is in
- PARTNER-DOWN state, it may be performing DDNS deletes for RRs which
- its partner added originally. This allows a single remaining partner
- server to assume responsibility for all of the DDNS activity which
- the two servers were undertaking.
-
- Another implication of this approach is that no DDNS RR deletes will
- be performed while either server is in COMMUNICATIONS-INTERRUPTED
- state, since no IP addresses are moved into the FREE state during
- that period.
-
-5.12. Reservations and failover
-
- Some DHCP servers support a capability to offer specific pre-
- configured IP addresses to DHCP clients. These are real DHCP
- clients, they do the entire DHCP protocol, but these servers always
- offer the client a specific pre-configured IP address -- and they
-
-
-
-Droms, et. al. Expires January 2001 [Page 37]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- offer that IP address to no other clients. Such a capability has
- several names, but it is sometimes called a "reservation", in that
- the IP address is reserved for a particular DHCP client.
-
- In a situation where there are two DHCP servers serving the same sub-
- net without using failover, the two DHCP server's need to have dis-
- joint IP address pools, but identical reservations for the DHCP
- clients.
-
- In a failover context, both servers need to be configured with the
- proper reservations in an identical manner, but if we stop there
- problems can occur around the edge conditions where reservations are
- made for an IP address that has already been leased to a different
- client. Different servers handle this conflict in different ways,
- but the goal of the failover protocol is to allow correct operation
- with any server's approach to the normal processing of the DHCP pro-
- tocol.
-
- The general solution with regards to reservations is as follows.
- Whenever a reserved IP address becomes FREE (i.e., when first config-
- ured or whenever a client frees it or it expires or is reset), the
- primary server MUST show that IP address as FREE (and thus available
- for its own allocation) and it MUST send it to the secondary server
- as BACKUP-RESERVED, in order that the secondary server be able to
- allocate it as well.
-
- Note that this implies that a reserved IP address goes through the
- normal state changes from FREE to ACTIVE (and possibly back to FREE).
- The failover protcol supports this approach to reservations, i.e.,
- where the IP address undergoes the normal state changes of any IP
- address, but it can only be offered to the client for which it is
- reserved. Other approaches to the support of reservations exist in
- some DHCP server implementations (e.g., where the IP address is
- apparently leased to a particular client forever, without any expira-
- tion). The goal is for the failover protocol to support any of the
- usual approaches to reservations, both those that allow an IP address
- to go through different states when reserved, and those that don't.
-
- From the above, it follows that a reservation soley on the secondary
- will not necessarily allow the secondary to offer that address to
- client to whom it is reserved. The reservation must also appear on
- the primary as well for the secondary to be able to offer the IP
- address to the client to which is is reserved.
-
- When the reservation on an IP address is cancelled, if the IP address
- is currently FREE and the server is the primary, or BACKUP and the
- server is the secondary, the server MUST send a BNDUPD to the other
- server with the binding-status FREE.
-
-
-
-Droms, et. al. Expires January 2001 [Page 38]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-5.13. Dynamic BOOTP and failover
-
- Some DHCP servers support a capability to offer IP addresses to BOOTP
- clients without having a particular address previously allocated for
- those clients. This capability is often called something like
- "dynamic BOOTP". It is discussed briefly in RFC 1534 [RFC 1534].
-
- This capability has a negative interaction with the fundamental ele-
- ments of the failover protocol, in that an address handed out to a
- BOOTP device has no term (or effectively no term, in that usually
- they are considered leases for "forever"). There is no opportunity
- to hand out a lease which is only the MCLT long when first hearing
- from a BOOTP device, because they may only interact once with the
- DHCP server and they have no notion of a lease expiration time. Thus
- the entire concept of the MCLT and waiting the MCLT after entering
- PARTNER-DOWN state is defeated when dealing with BOOTP devices.
-
- With some restrictions, however, dynamic BOOTP devices can be sup-
- ported in a server on a subnet where failover is supported. The only
- restriction (and it is not small) is that on any portion of the sub-
- net (in any address pool) where dynamic BOOTP devices can be allo-
- cated IP addresses, a DHCP server MUST NOT ever use any of the IP
- addresses which were previously available for allocation by its fail-
- over partner. Thus, the addresses allocated by the primary to the
- secondary for allocation that might have been allocated to BOOTP dev-
- ices MUST NOT ever be used by the primary server even if it is in
- PARTNER-DOWN state and has waited the MCLT after entering that state.
- Conversely, addresses available for allocation by the primary MUST
- NOT be used by the secondary even it is in PARTNER-DOWN state. The
- reason for this is because one of those IP address could have been
- allocated by the secondary server to a BOOTP device, and the primary
- server would have no way of ever knowing that happened.
-
-5.14. Guidelines for selecting MCLT
-
- There is no one correct value for the MCLT. There is an explicit
- tradeoff between various factors in selecting an MCLT value.
-
-5.14.1. Short MCLT
-
- A short MCLT value will mean that after entering PARTNER-DOWN state,
- a server will only have to wait a short time before it can start
- allocating its partner's IP addresses to DHCP clients. Furthermore,
- it will only have to wait a short time after the expiration of a
- lease on an IP address before it can reallocate that IP address to
- another DHCP client.
-
- However the downside of a short MCLT value is that the initial lease
-
-
-
-Droms, et. al. Expires January 2001 [Page 39]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- interval that will be offered to every new DHCP client will be short,
- which will cause increased traffic as those clients will need to send
- in their first renew in a half of a short MCLT time. In addition,
- the lease extensions that a server in COMMUNICATIONS-INTERRUPTED
- state can give will be only the MCLT after the server has been in
- COMMUNICATIONS-INTERRUPTED for around the desired client lease
- period. If a server stays in COMMUNICATIONS-INTERRUPTED for that
- long, then the leases it hands out will be short and that will
- increase the load on that server, possibly causing difficulty.
-
-5.14.2. Long MCLT
-
- A long MCLT value will mean that the initial lease period will be
- longer and the time that a server in COMMUNICATIONS-INTERRUPTED state
- will be able to extend leases (after it has been in COMMUNICATIONS-
- INTERRUPTED state for around the desired client lease period) will be
- longer.
-
- However, a server entering PARTNER-DOWN state will have to wait the
- longer MCLT before being able to allocate its partner's IP addresses
- to new DHCP clients. This may mean that additional IP addresses are
- required in order to cover this time period. Further, the server in
- PARTNER-DOWN will have to wait the longer MCLT from every lease
- expiration before it can reallocate an IP address to a different DHCP
- client.
-
-6. Common Message Format
-
- This section discusses the common message format that all failover
- messages have in common, including the message header format as well
- as the common option format. See section 12 for the the definitions
- of the specific options used in the failover protocol.
-
-6.1. Message header format
-
- The options contained in the payload data section of the failover
- message all use a two byte option number and two byte length format.
-
- All failover protocol messages are sent over the TCP connection
- between failover endpoints and encoded using a message format
- specific to the failover protocol.
-
- There exists a common message format for all failover messages, which
- utilizes the options in a way similar to the DHCP protocol. For each
- message type, some options are required and some are optional. In
- addition, when a message is received any options that are not under-
- stood by the receiving server MUST be ignored.
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 40]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- All of the fields in the fixed portion of the message MUST be filled
- with correct data in every message sent.
-
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | message length (2) | msg type (1) |payload off (1)|
- +---------------+---------------+---------------+---------------+
- | time (4) |
- +---------------------------------------------------------------+
- | xid (4) |
- +---------------------------------------------------------------+
- | 0 or more additional header bytes (variable) |
- +---------------------------------------------------------------+
- | payload data (variable) |
- | |
- | formatted as DHCP-style options |
- | using a two byte option code and two byte length |
- | See section 6.2 for details. |
- +---------------------------------------------------------------+
-
-
-
- message length - 2 bytes, network byte order
-
- This is the length of the message. It includes the two byte message
- length itself. The maximum length is 2048 bytes. The minimum length
- is 12.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 41]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- msg type - 1 byte
-
- The message type field is used to distinguish between messages.
-
- The following message types are defined:
-
- Value Message Type
- ----- ------------
- 0 reserved not used
- 1 POOLREQ request allocation of addresses
- 2 POOLRESP respond with allocation count
- 3 BNDUPD update partner with binding info
- 4 BNDACK acknowledge receipt of binding update
- 5 CONNECT establish connection with the secondary
- 6 CONNECTACK respond to attempt to establish connection with partner
- 7 UPDREQALL request full transfer of binding info
- 8 UPDDONE ack send and ack of req'd binding info
- 9 UPDREQ req transfer of un-acked binding info
- 10 STATE inform partner of current state or state change
- 11 CONTACT probe communications integrity with partner
- 12 DISCONNECT close a connection
-
-
- New message types should be defined in one of two ranges, 0-127 or
- 129-255. The range of 0-127 is used for messages that MUST be sup-
- ported by every server, and if a server receives a message in the
- range of 0-127 that it doesn't understand, it MUST close the TCP con-
- nection. The range of 128-255 is used for messages which MAY be sup-
- ported but are not required, and if a server receives a message in
- this range that it does not understand it SHOULD ignore the message.
-
- payload offset - 1 byte
-
- The byte offset of the Payload Data, from the beginning of the
- failover message header. The value for the current protocol version
- (version 1) is 8.
-
- time - 4 bytes, network byte order
-
- The absolute time in GMT when the message was transmitted,
- represented as seconds elapsed since Jan 1, 1970 (i.e., similar to
- the ANSI C time_t time value representation). While the ANSI C
- time_t value is signed, the value used in this specification is
- unsigned.
-
- A server SHOULD set this time as close to the actual transmission of
- the message as possible.
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 42]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- xid - 4 bytes, network byte order
-
- This is the transaction id of the failover message. The sender of a
- failover protocol message is responsible for setting this number, and
- the receiver of the message copies the number over into any response
- message, treating it as opaque data. The sender MUST ensure that
- every message sent from a particular failover endpoint over the
- associated TCP connection has a unique transaction id.
-
- For failover messages that have no corresponding response message,
- the XID value is meaningless, but MUST be supplied. The XID value is
- used solely by the receiver of a response message to determine the
- corresponding request message.
-
- Requests messages where the XID is used in the corresponding response
- messages are: POOLREQ, BNDUPD, CONNECT, UPDREQALL, and UPDREQ. The
- corresponding response messages are POOLRESP, BNDACK, CONNECTACK,
- UPDDONE, and UPDDONE, respectively.
-
- As requests/responses don't survive connection reestablishment, XIDs
- only need to be unique during a specific connection.
-
-
- payload data - variable length
-
- The options are placed after the header, after skipping payload
- offset bytes from beginning of the message. The payload data options
- are not preceded by a "cookie" value.
-
- The payload data is formatted as DHCP style options using two byte
- option codes and two byte option lengths. The option codes are in a
- namespace which is unique to the failover protocol.
-
- The maximum length of the payload data in octets is 2048 less the
- size of the header, i.e., the maximum message length is 2048 octets.
-
-6.2. Common option format
-
- The options contained in the payload data section of the failover
- message all use a two byte option number and two byte length format.
-
- The option numbers are drawn from an option number space unique to
- the failover protocol. All of the message types share a common
- option number space and common options definitions, though not all
- options are required or meaningful for every message.
-
- In contrast to the options which appear in DHCP client and server
- messages, the options in failover message are ordered. That is, for
-
-
-
-Droms, et. al. Expires January 2001 [Page 43]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- some messages the order in which the options appear in the payload
- data area is significant. The messages for which option ordering is
- significant explicitly describe the ordering requirements. If no
- ordering requirements are mentioned, then the order is not signifi-
- cant for that message.
-
- For all options which refer to time, they all use an absolute time in
- GMT. Time synchronization has already been achieved between the
- source and the target server using the CONNECT message and is updated
- and refined using the time in every packet.
-
- The time value is an unsigned 32 bit integer in network byte order
- giving the number of seconds since 00:00 UTC, 1st January 1970. This
- can be converted to an NTP timestamp by adding decimal 2208988800.
- This time format will not wrap until the year 2106. Until sometime
- in 2038, it is equal to the ANSI C time_t value (which is a signed 32
- bit value and will overflow into a negative number in 2038).
-
- Options should appear once only in each message (except for BNDUPD
- and BNDACK messages where bulking is used, see section 6.3 for
- details.) An option that appears twice is not concatenated, but
- treated as an error.
-
- Specific option values are described in section 12.
-
- See section 13 for how to define additional options.
-
-6.3. Batching multiple binding update transactions in one BNDUPD mes-
-sage
-
- Implementations of this protocol MAY send multiple binding update
- transactions in one BNDUPD message, where a binding update transac-
- tion is defined as the set of options which are associated with the
- update of a single IP address. All implementations of this protocol
- MUST be prepared to receive BNDUPD messages which contain multiple
- binding update transactions and respond correctly to them, including
- replying with a BNDACK message which contains status for the multiple
- binding update transactions contained in the BNDUPD message.
-
- In the discussion of sending and receiving BNDUPD messages in section
- 7.1 and BNDACK messages in section 7.2, each BNDUPD message and
- BNDACK message is assumed to contain a single binding update transac-
- tion in order to reduce the complexity of the discussions in section
- 7.
-
- Multiple binding update transactions MAY be batched together in one
- BNDUPD protocol message with the data sets for the individual tran-
- sactions delimited by the assigned-IP-address option, which MUST
-
-
-
-Droms, et. al. Expires January 2001 [Page 44]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- appear first in the option set for each transaction. Ordering of
- options between the assigned-IP-address options is not significant.
- This is illustrated in the following schematic representation:
-
-
- Non-IP Address/Non-client specific options first
- assigned-IP-address option for the first IP address
- Options pertaining to first address, including
- at least the binding-status option and others as
- required.
- assigned-IP-address option for the second IP address
- Options pertaining to second address, including
- at least the binding-status option and others as
- required.
- ...
- Trailing options (message digest).
-
-
- There MUST be a one-to-one correspondence between BNDUPD and BNDACK
- messages, and every BNDACK message MUST contain status for all of the
- binding update transactions in the corresponding BNDUPD message.
-
- The BNDACK message corresponding to a BNDUPD message MUST contain
- assigned-IP-address options for all of the binding update transac-
- tions in the BNDUPD message. Thus, every BNDACK message contains
- exactly the same assigned-IP-address options as does its correspond-
- ing BNDUPD message. The order of the assigned-IP-address options
- MAY, however, be different. Here is a schematic representation of a
- BNDACK:
-
-
- Non-IP Address/Non-client specific options first
- assigned-IP-address option for the first IP address
- If rejected, reject-reason option and message option.
- assigned-IP-address option for the second IP address
- If rejected, reject-reason option and message option.
- ...
- Trailing options (message digest).
-
-
- In case the server chooses to reject some or all of the IP address
- binding information in a BNDUPD message in a BNDACK reply, the BNDACK
- message MUST contain a reject-reason option following every
- assigned-IP-address option in order to indicate that the binding
- update transaction for that IP address was not accepted and why. As
- with a BNDACK message containing a single binding update transaction,
- an assigned-IP-address option without any associated reject-reason
- option indicates a successful binding update transaction.
-
-
-
-Droms, et. al. Expires January 2001 [Page 45]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-7. Protocol Messages
-
- This section contains the detailed definition of the protocol mes-
- sages, including the information to include when sending the message,
- as well as the actions to take upon receiving the message. The mes-
- sage type for each message appears as [n] in the heading for the mes-
- sage (see section 6.1).
-
-7.1. BNDUPD message [3]
-
- The binding update (BNDUPD) message is used to send the binding data-
- base changes (known as binding update transactions) to the partner
- server, and the partner server responds with a binding acknowledge-
- ment (BNDACK) message when it has successfully committed those
- changes to its own stable storage.
-
- The rest of the failover protocol exists to determine whether the
- partner server is able to communicate or not, and to enable the
- partners to exchange BNDUPD/BNDACK messages in order to keep their
- binding databases in stable storage synchronized.
-
- The rest of this section is written as though every BNDUPD message
- contains only a single binding update transaction in order to reduce
- the complexity of the discussion. See section 6.3 for information on
- how to create and process BNDUPD and BNDACK messages which contain
- multiple binding update transactions. Note that while a server MAY
- generate BNDUPD messages with multiple binding update transactions,
- every server MUST be able to process a BNDUPD message which contains
- multiple binding update transactions and generate the corresponding
- BNDACK messages with status for multiple binding update transactions.
-
- The following table summarizes the various options for the BNDUPD
- message.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 46]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-
- binding-status BACKUP
- RESET
- ABANDONED
- Option ACTIVE EXPIRED RELEASED FREE
- ------ ------ ------- -------- ----
- assigned-IP-address (3) MUST MUST MUST MUST
- binding-status MUST MUST MUST MUST
- client-identifier MAY MAY MAY MAY(2)
- client-hardware-address MUST MUST MUST MAY(2)
- lease-expiration-time MUST MUST NOT MUST NOT MUST NOT
- potential-expiration-time MUST MUST NOT MUST NOT MUST NOT
- start-time-of-state SHOULD SHOULD SHOULD SHOULD
- client-last-trans.-time MUST SHOULD MUST MAY
- DDNS(1) SHOULD SHOULD SHOULD SHOULD
- client-request-options SHOULD SHOULD NOT SHOULD SHOULD NOT
- client-reply-options SHOULD SHOULD NOT SHOULD NOT SHOULD NOT
-
- (1) MUST if server is performing dynamic DNS for this IP address, else
- MUST NOT.
- (2) MUST NOT if binding-status is ABANDONED.
- (3) assigned-IP-address MUST be the first option for an IP address
-
- Table 7.1-1: Options used in a BNDUPD message
-
-
-7.1.1. Sending the BNDUPD message
-
- A BNDUPD message SHOULD be generated whenever any binding changes. A
- change might be in the binding-status, the lease-expiration-time, or
- even just the last-transaction-time. In general, any time a DHCP
- server writes its stable storage, a BNDUPD message SHOULD be gen-
- erated. This will often be the result of the processing of a DHCP
- client request, but it might also be the result of a successful
- dynamic DNS update operation.
-
- BNDUPD (and BNDACK) messages refer to the binding-status of the IP
- address, and this protocol defines a series of binding-statuses, dis-
- cussed in more detail below. Some servers may not support all of
- these binding-statuses, and so in those cases they will not be sent.
- Upon receipt of a BNDUPD message which contains an unsupported
- binding-status, a reasonable interpretation should be made (see sec-
- tion 5.10).
-
- All BNDUPD messages MUST contain the IP address of the binding update
- transaction in the assigned-IP-address option.
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 47]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- All binding update transactions contain a binding-status option, and
- it will have one of the values found in section 5.10. Client infor-
- mation consists of client-hardware-address and possibly a client-
- identifier, and is explained in more detail later in this section.
- The following table indicates whether client information should or
- should not appear with each binding-status in a binding update tran-
- saction:
-
-
- binding-status includes client information
- ------------------------------------------------
- ACTIVE MUST
- EXPIRED SHOULD
- RELEASED SHOULD
- FREE MAY
- ABANDONED MUST NOT
- RESET MAY
- BACKUP MAY
-
- Table 7.1.1-1: Client information required by various
- binding-status values.
-
-
- The ACTIVE binding-status requires some options to indicate the
- length of the binding:
-
-
- o lease-expiration-time
-
- The lease-expiration-time option MUST appear, and be set to the
- expiration time most recently ACKed to the DHCP client. Note
- that the time ACKed to a DHCP client is a lease duration in
- seconds, while the lease-expiration-time option in a BNDUPD mes-
- sage is an absolute time value.
-
- o potential-expiration-time
-
- The potential-expiration-time option MUST appear, and be set to
- a value beyond that of the lease-expiration time. This is the
- value that is ACKed by the BNDACK message. A server sending a
- BNDUPD message MUST be able to recover the potential-
- expiration-time sent in every BNDUPD, not just those that
- receive a corresponding BNDACK, in order to be able to protect
- against possible duplicate allocation of IP addresses after
- transitioning to PARTNER-DOWN state. See section 5.2.1 for
- details as to why the potential-expiration-time exists and
- guidelines for how to decide on the value.
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 48]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- The following option information applies to all BNDUPD messages,
- regardless of the value of the binding-status, unless otherwise
- noted.
-
- o Identifying the client
-
- For many of the binding-status values a client MUST appear while
- for others a client MAY appear, and for some a client MUST NOT
- appear.
-
- A client is identified in a BNDUPD message by at least one and pos-
- sibly two options. The client-hardware-address option MUST appear
- any time that a client appears in a BNDUPD message, and contains
- the hardware type and chaddr information from the DHCP request
- packet. A failover client-identifier option MUST appear any time
- that a client appears in a BNDUPD message if and only if that
- client used a DHCP client-identifier option when communicating with
- the DHCP server. See section 12.5 and 12.4 for details of how to
- construct these two options from a DHCP request packet.
-
- o start-time-of-state
-
- The start-time-of-state SHOULD appear. It is set to the time at
- which this IP address first took on the state that corresponds to
- the current value of binding-status.
-
- o last-transaction-time
-
- The last-transaction-time value SHOULD appear. This is the time at
- which this DHCP server last received a packet from the DHCP client
- referenced by the client-identifier or client-hardware-address that
- was associated with the IP address referenced by the assigned-IP-
- address.
-
- o DDNS
-
- If the DHCP server is performing dynamic DNS operations on behalf
- of the DHCP client represented by the client-identifier or client-
- hardware-address, then it should include a DDNS option containing
- the domain name and status of any dynamic DNS operations enabled.
-
- o client-request-options
-
- If the BNDUPD was triggered by a request from a DHCP client (typi-
- cally those with binding-status of ACTIVE and RELEASED), then the
- server SHOULD include options of interest to a failover partner
- from the client's request packet in the client-request-options for
- transmission to its partner (see section 12.8).
-
-
-
-Droms, et. al. Expires January 2001 [Page 49]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- A server sending a BNDUPD SHOULD remember the "interesting" options
- or the information that would appear in an "interesting" option for
- transmission at a time when the BNDUPD is not closely associated
- with a DHCP client request.
-
- A server SHOULD send the following "interesting" options. It MAY
- send any DHCP client options. As new options are defined, the RFC
- defining these options SHOULD include information that they are
- "interesting to failover servers" if they should be sent as part of
- a BNDUPD.
-
-
- option option
- number name
- -----------------------------------------
-
- 12 host-name
- 81 client-FQDN [DDNS]
- 82 relay-agent-information [AGENTINFO]
- TBD user-class [USERCLASS]
- 60 vendor-class-identifier
-
- Table 7.1.1-2: Options which SHOULD be sent in
- the client-request-options option in a BNDUPD message.
-
-
- o client-reply-options
-
- If the BNDUPD was triggered by a request from a DHCP client (typi-
- cally those with binding-status of ACTIVE and RELEASED), then the
- server SHOULD include options of interest to a failover partner
- from the server's DHCP reply packet in the client-reply-options for
- transmission to its partner (see section 12.7).
-
- A server sending a BNDUPD SHOULD remember the "interesting" options
- or the information that would appear in an "interesting" option for
- transmission at a time when the BNDUPD is not closely associated
- with a DHCP client request.
-
- A server SHOULD send the following "interesting" options. It MAY
- send any DHCP client options. As new options are defined, the RFC
- defining these options SHOULD include information that they are
- "interesting to failover servers" if they should be sent as part of
- a BNDUPD.
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 50]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-
- option option
- number name
- -----------------------------------------
-
- 58 renewal-time
- 59 rebinding-time
-
- Table 7.1.1-3: Options which SHOULD be sent in
- the client-reply-options option in a BNDUPD message.
-
-
- The BNDUPD message SHOULD be sent as soon as possible from the time
- that the DHCP client received a response and the lease bindings data-
- base is written on stable storage.
-
-7.1.2. Receiving the BNDUPD message
-
- When a server receives a BNDUPD message, it needs to decide how to
- process the binding update transaction it contains and whether that
- transaction represents a conflict of any sort. The conflict resolu-
- tion process MUST be used on the receipt of every BNDUPD message, not
- just those that are received while in POTENTIAL-CONFLICT state, in
- order to increase the robustness of the protocol.
-
- There are three sorts of conflicts:
-
- o Two clients, one IP address conflict
-
- This is the duplicate IP address allocation conflict. There are
- two different clients each allocated the same address. See sec-
- tion 7.1.3 for how to resolve this conflict.
-
- o Two IP addresses, one client conflict
-
- This conflict exists when a client on one server is associated
- with a one IP address, and on the other server with a different
- IP address in the same or a related subnet. This does not refer
- to the case where a single client has addresses in multiple dif-
- ferent subnets or administrative domains, but rather the case
- where on the same subnet the client has as lease on one IP
- address in one server and on a different IP address on the other
- server.
-
- This conflict may or may not be a problem for a given DHCP
- server implementation. In the event that a DHCP server requires
- that a DHCP client have only one outstanding lease for an IP
-
-
-
-Droms, et. al. Expires January 2001 [Page 51]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- address on one subnet, this conflict should be resolved by
- accepting the update which has the latest client-last-
- transaction-time.
-
- o binding-status conflict
-
- This is normal conflict, where one server is updating the other
- with newer information. See section 7.1.3 for details of how to
- resolve these conflicts.
-
-7.1.3. Deciding whether to accept the binding update transaction in a
-BNDUPD message
-
- IP addresses undergo binding status changes for several reasons,
- including receipt and processing of DHCP client requests, administra-
- tive inputs and receipt of BNDUPD messages. Every DHCP server needs
- to respond to DHCP client requests and administrative inputs with
- changes to its internal record of the binding-status of an IP
- address, and this response is not in the scope of the failover proto-
- col. However, the receipt of BNDUPD messages implies at least a pos-
- sible change of the binding-status for an IP address, and must be
- discussed here. See section 7.1.2 for general actions to take upon
- receipt of a BNDUPD message.
-
- When receiving a BNDUPD message, it is important to note that it may
- not be current, in that the server receiving the BNDUPD message may
- have had a more recent interaction with the DHCP client than its
- partner who sent the BNDUPD message. In this case, the receiving
- server MUST reject the BNDUPD message. In addition, it is worth not-
- ing that two (and possibly three) binding-status values are the
- direct result of interaction with a DHCP client, ACTIVE and RELEASED
- (and possibly ABANDONED). All other binding-status values are either
- the result of the expiration of a time period or interaction with an
- external agency (e.g., a network administrator).
-
- Every BNDUPD message SHOULD contain a client-last-transaction-time
- option, which MUST, if it appears, be the time that the server last
- interacted with the DHCP client. It MUST NOT be, for instance, the
- time that the lease on an IP address expired. If there has been no
- interaction with the DHCP client in question (or there is no DHCP
- client presently associated with this IP address), then there will be
- no client-last-transaction-time option in the BNDUPD message.
-
- The list in Figure 7.1.3-1 is indexed by the binding-status that a
- server receives in a BNDUPD message. In many cases, the binding-
- status of an IP address within the receiving server's data storage
- will have an affect upon the checks performed prior to accepting the
- new binding-status in a BNDUPD message.
-
-
-
-Droms, et. al. Expires January 2001 [Page 52]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- In Figure 7.1.3-1, to "accept" a BNDUPD means to update the server's
- bindings database with the information contained in the BNDUPD and
- once that update is complete, send a BNDACK message corresponding to
- the BNDUPD message. To "reject" a BNDUPD means to respond to the
- BNDUPD with a BNDACK with a reject-reason option included.
-
- When interpreting the rules in the following list, if a BNDUPD
- doesn't have a client-last-transaction-time value, then it MUST NOT
- be considered later than the client-last-transaction-time in the
- receiving server's binding. If the BNDUPD contains a client-last-
- transaction-time value and the receiving server's binding does not,
- then the client-last-transaction-time value in the BNDUPD MUST be
- considered later than the server's.
-
- The second rule concerns clients and IP addresses. If the clients in
- a BNDUPD message and in a receiving server's binding differ, then if
- the receiving server's binding-status is ACTIVE and the binding-
- status in the BNDUPD is ACTIVE, then if the receiving server is a
- secondary server accept it, else reject it.
-
-
- binding-status in received BNDUPD
- binding-status
- in receiving FREE RESET
- server ACTIVE EXPIRED RELEASED BACKUP ABANDONED
-
- ACTIVE accept time(2) time(1) time(2) accept
- EXPIRED time(1) accept accept accept accept
- RELEASED time(1) time(1) accept accept accept
- FREE/BACKUP accept accept accept accept accept
- RESET time(3) accept accept accept accept
- ABANDONED reject reject reject reject accept
-
- time(1): If the client-last-transaction-time in the BNDUPD
- is later than the client-last-transaction-time in the
- receiving server's binding, accept it, else reject it.
-
- time(2): If the current time is later than the receiving
- servers' lease-expiration-time, accept it, else reject it.
-
- time(3): If the client-last-transaction-time in the BNDUPD
- is later than the start-time-of-state in the receiving server's
- binding, accept it, else reject it.
-
-
- Figure 7.1.3-1: Accepting BNDUPD messages
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 53]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-7.1.4. Accepting the BNDUPD message
-
- When accepting a BNDUPD message, the information contained in the
- client-request-options and client-reply-options SHOULD be examined
- for any information of interest to this server. For instance, a
- server which wished to detect changes in client specified host names
- might want to examine and save information from the host-name or
- client-FQDN options. Servers which expect to utilize information
- from the relay-agent-information option would want to store this
- information.
-
-7.1.5. Time values related to the BNDUPD message
-
- There are four time values that MAY be sent in a BNDUPD message.
-
- o lease-expiration-time
-
- The time that the server gave to the client, i.e., the time that
- the server believes that the client's lease will expire.
-
- o potential-expiration-time
-
- The time that the server wants to be sure its partner waits
- (added to the MCLT) before assuming that this lease has expired.
- Typically some time beyond the desired client lease time.
-
- o client-last-transaction-time
-
- The time that the client last interacted with this server.
-
- o start-time-of-state
-
- The time at which the binding first went into the current state.
-
- As discussed in section 5.2, each server knows what its partner has
- ACKed with regard to potential-expiration time. In addition, each
- server needs to remember what it has told its partner as the
- potential-expiration-time. Moreover, each server must remember what
- it has acked to the *other* server as the most recent potential-
- expiration-time from that server.
-
- Remember that each server sends a potential-expiration-time and
- receives an ACK for that as well as receiving a potential-
- expiration-time and needing to remember what it has acked for that.
-
- While they don't have to be named in any particular way, the times
- that a server needs to remember for every IP address in order to
- implement the failover protocol are:
-
-
-
-Droms, et. al. Expires January 2001 [Page 54]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- o lease-expiration-time
-
- The time that a server gave to the DHCP client. A DHCP server
- needs to remember this time already, just to be a DHCP server.
- A server SHOULD update this time with the lease-expiration time
- received from a partner in a BNDUPD if the received lease-
- expiration time is later than the lease-expiration time recorded
- for this binding.
-
- o sent-potential-expiration-time
-
- The latest time sent to the partner for a potential-expiration-
- time.
-
- o acked-potential-expiration-time
-
- The latest time that the partner has acked for a potential
- expiration time. Typically the same as sent-potential-
- expiration-time if there is not a BNDUPD outstanding.
-
- o received-potential-expiration-time
-
- The latest time that this server has ever received as a
- potential-expiration-time from its partner in a BNDUPD that this
- server ACKed.
-
- So, a server has to remember two additional times concerning BNDUPD
- messages that it has initiated, and one additional time concerning
- BNDUPD message that it has received. How are these times used?
-
- First, let's look at the time that a DHCP server can offer to a DHCP
- client. A server can offer to a DHCP client a time that is no longer
- than the MCLT beyond the max( received-potential-expiration-time,
- acked-potential-expiration-time). One might think that the server
- should be able to offer only the MCLT beyond the acked-potential-
- expiration-time, and while that is certainly simple and easy to
- understand, it has negative consequences in actual operation.
-
- To illustrate this, in the simple case where the primary updates the
- secondary for a while and then fails, if the secondary can then renew
- the client for only the MCLT beyond the acked-potential-expiration-
- time, then the secondary will only be able to renew the client for
- the MCLT, because the secondary has never sent a BNDUPD packet to the
- primary concerning this IP address and client, and so its acked-
- potential-expiration-time is zero.
-
- However, since the secondary is allowed to renew the client with the
- MCLT beyond the max( received-potential-expiration-time, acked-
-
-
-
-Droms, et. al. Expires January 2001 [Page 55]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- potential-expiration-time), then the secondary can usually renew the
- client for the full lease period, at least for the first renew it
- sees from the client, since the received-potential-expiration-time is
- generally longer than the client's desired lease interval. The
- difference in renew times could make a big difference in server load
- on the secondary in this case.
-
- What are the consequences of allowing a server to offer a DHCP client
- a lease term of the MCLT beyond the max( received-potential-
- expiration-time, acked-potential-expiration-time)? The consequences
- appear whenever a server enters PARTNER-DOWN state, and affect how
- long that server has to wait before reallocating expired leases.
- With this approach, when a server goes into PARTNER-DOWN state, it
- must wait the MCLT beyond the max( lease-expiration-time, sent-
- potential-expiration-time, acked-potential-expiration-time,
- received-potential-expiration-time ) for each IP address before it
- can reallocate that IP address to another DHCP client. One might
- normally think that it needed to wait only the MCLT beyond the max(
- lease-expiration-time, received-potential-expiration-time ), i.e.,
- beyond what it has told the client and what it has explicitly acked
- to the other server. But with the optimization discussed above --
- where either server can offer the DHCP client a lease term of the
- MCLT beyond the max( received-potential-expiration-time, acked-
- potential-expiration-time), then the additional times sent-
- potential-expiration-time and acked-potential-expiration-time must be
- added into the expression, since the partner could have used those
- times as part of its own lease time calculation.
-
- Thus this optimization may require a longer waiting time when enter-
- ing PARTNER-DOWN state, but will generally allow servers to operate
- considerably more effectively when running in COMMUNICATIONS-
- INTERRUPTED state.
-
-7.2. BNDACK message [4]
-
- A server sends a binding acknowledgement (BNDACK) message when it has
- processed a BNDUPD message and after it has successfully committed to
- stable storage any binding database changes made as a result of pro-
- cessing the BNDUPD message. A BNDACK message is used to both accept
- or reject a BNDUPD message. A BNDACK message which contains a
- reject-reason option is a rejection of the corresponding BNDUPD mes-
- sage.
-
- In order to reduce the complexity of the discussion, the rest of this
- section is written as though every BNDUPD message contains only a
- single binding update transaction and thus every corresponding BNDACK
- message would also contain reply information about only a single
- binding update transaction. See section 6.3 for information on how
-
-
-
-Droms, et. al. Expires January 2001 [Page 56]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- to create and process BNDUPD and BNDACK messages which contain multi-
- ple binding update transactions.
-
- Note that while a server MAY generate BNDUPD messages with multiple
- binding update transactions, every server MUST be able to process a
- BNDUPD message which contains multiple binding update transactions
- and generate the corresponding BNDACK messages with status for multi-
- ple binding update transactions. If a server does not ever create
- BNDUPD messages which contain multiple binding update transactions,
- then it does not need to be able to process a received BNDACK message
- with multiple binding update transactions. However, all servers MUST
- be able to create BNDACK messages which deal with multiple binding
- update transactions received in a BNDUPD message.
-
- Every BNDUPD message that is received by a server MUST be responded
- to with a corresponding BNDACK message. The receiving server SHOULD
- respond quickly to every BNDUPD message but it MAY choose to respond
- preferentially to DHCP client requests instead of BNDUPD messages,
- since there is no absolute time period within which a BNDACK must be
- sent in response to a BNDUPD message, while DHCP clients frequently
- have strict time constraints.
-
- A BNDACK message can only be sent in response to a BNDUPD message
- using the same TCP connection from which the BNDUPD message was
- received, since the XID's in BNDUPD messages are guaranteed unique
- only during the life of a single TCP connection. When a connection
- to a partner server goes down, a server with unprocessed BNDUPD mes-
- sages MAY simply drop all of those messages, since it can be sure
- that the partner will resend them when they are next in communica-
- tions (albeit with a different XID), or it MAY instead choose to pro-
- cess those BNDUPD messages, but it MUST NOT send any BNDACK messages
- in response.
-
- The following table summarizes the options for the BNDACK message.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 57]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-
- binding-status BACKUP
- RESET
- ABANDONED
- Option ACTIVE EXPIRED RELEASED FREE
- ------ ------ ------- -------- ----
- assigned-IP-address (3) MUST MUST MUST MUST
- binding-status MUST MUST MUST MUST
- client-identifier MAY MAY MAY MAY(2)
- client-hardware-address MUST MUST MUST MAY(2)
- reject-reason MAY MAY MAY MAY
- message MAY MAY MAY MAY
- lease-expiration-time MUST MUST NOT MUST NOT MUST NOT
- potential-expiration-time MUST MUST NOT MUST NOT MUST NOT
- start-time-of-state SHOULD SHOULD SHOULD SHOULD
- client-last-trans.-time SHOULD SHOULD SHOULD MAY
- DDNS(1) SHOULD SHOULD SHOULD SHOULD
-
- (1) MUST if server is performing dynamic DNS for this IP address, else
- MUST NOT.
- (2) MUST NOT if binding-status is ABANDONED.
- (3) assigned-IP-address MUST be the first option for an IP address
-
- Table 7.2-1: Options used in a BNDACK message
-
-
-7.2.1. Sending the BNDACK message
-
- The BNDACK message MUST contain the same xid as the corresponding
- BNDUPD message.
-
- The assigned-IP-address option from the BNDUPD message MUST be
- included in the BNDACK message. Any additional options from the
- BNDUPD message SHOULD NOT appear in the BNDACK message. Note that
- any information sent in options (e.g, a later lease-expiration time)
- in the BNDACK message MUST NOT be assumed to necessarily be recorded
- in the stable storage of the server who receives the BNDACK message
- because there is no corresponding ACK of the BNDACK message. Any
- information that SHOULD be recorded in the partner server's stable
- storage MUST be transmitted in a subsequent BNDUPD.
-
- If the server is accepting the BNDUPD, the BNDACK message includes
- only the assigned-IP-address option. If the server is rejecting the
- BNDUPD, the additional option reject-reason MUST appear in the BNDACK
- message, and the message option SHOULD appear in this case containing
- a human-readable error message describing in some detail the reason
- for the rejection of the BNDUPD message.
-
-
-
-Droms, et. al. Expires January 2001 [Page 58]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- If the server rejects the BNDUPD message with a BNDACK and a reject-
- reason option, it may be because the server believes that it has
- binding information that the other server should know. A server
- which is rejecting a BNDUPD may initiate a BNDUPD of its own in order
- to update its partner with what it believes is better binding infor-
- mation, but it MUST ensure through some means that it will not end up
- in a situation where each server is sending BNDUPD messages as fast
- as possible because they can't agree on which server has better bind-
- ing data. Placing a considerable delay on the initiation of a BNDUPD
- message after sending a BNDACK with a reject-reason would be one way
- to ensure this situation doesn't occur.
-
-7.2.2. Receiving the BNDACK message
-
- When a server receives a BNDACK message, if it doesn't contain a
- reject-reason option that means that the BNDUPD message was accepted,
- and the server which sent the BNDUPD SHOULD update its stable storage
- with the potential-expiration-time value sent in the BNDUPD message
- and returned in the BNDACK message. Other values sent in the BNDUPD
- message MAY be used as desired.
-
- If the BNDACK message contains a reject-reason option, that means
- that the BNDUPD was rejected. There SHOULD be a message option in
- the BNDACK giving a text reason for the rejection, and the server
- SHOULD log the message in some way. The server MUST NOT immediately
- try to resend the BNDUPD message as there is no reason to believe the
- partner won't reject it a second time. However a server MAY choose
- to send another BNDUPD at some future time, for instance when the
- server next processes an update request from its partner.
-
-7.3. UPDREQ message [9]
-
- The update request (UPDREQ) message is used by one server to request
- that its partner send it all of the binding database information that
- it has not already seen. Since each server is required to keep
- track at all times of the binding information the other server has
- received and ACKed, one server can request transmission of all un-
- ACKed binding database information held by the other server by using
- the UPDREQ message.
-
- The UPDREQ message is used whenever the sending server cannot proceed
- before it has processed all previously un-ACKed binding update infor-
- mation, since the UPDREQ message should yield a corresponding UPDDONE
- message. The UPDDONE message is not sent until the server that sent
- the UPDREQ message has responded to all of the BNDUPD messages gen-
- erated by the UPDREQ message with BNDACK messages (they may either be
- accepted or rejected by the BNDACK messages, but they MUST have been
- responded to). Thus, the sender of the UPDREQ message can be sure
-
-
-
-Droms, et. al. Expires January 2001 [Page 59]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- upon receipt of an UPDDONE message that it has received and committed
- to stable storage all outstanding binding database updates.
-
- See section 9, Failover Endpoint States, for the details of when the
- UPDREQ message is sent.
-
-7.3.1. Sending the UPDREQ message
-
- The UPDREQ message has no message specific options.
-
-7.3.2. Receiving the UPDREQ message
-
- A server receiving an UPDREQ message MUST send all binding database
- changes that have not yet been ACKed by the sending server. These
- changes are sent as undistinguished BNDUPD messages.
-
- However, the server which received and is processing the UPDREQ mes-
- sage MUST track the BNDACK messages that correspond to the BNDUPD
- messages triggered by the UPDREQ message and, when they are all
- received, the server MUST send an UPDDONE message.
-
- The server processing the UPDREQ message and sending BNDUPD messages
- to its partner SHOULD only track the BNDUPD and BNDACK message pairs
- for unACKed binding database changes that were present upon the
- receipt of the UPDREQ message. A server which has received an UPDREQ
- message SHOULD send BNDUPD messages for binding database changes that
- occur after receipt of the UPDREQ message, but it SHOULD NOT include
- those additional BNDUPD messages and their corresponding BNDACK mes-
- sages in the accounting necessary to consider the UPDREQ complete and
- subsequently send the UPDDONE message. If some additional binding
- database changes end up becoming part of the set of BNDUPD messages
- considered as part of the UPDREQ (due to whatever algorithm the
- server uses to scan its bindings database for unacked changes) it
- will probably not cause any difficulty, but a server MUST NOT attempt
- to include all such later BNDUPD messages in the accounting for the
- UPDREQ in order to be able to transmit an UPDDONE message.
-
- When queuing up the BNDUPD messages for transmission to the sender of
- the UPDREQ message, the server processing the UPDREQ message MUST
- honor the value returned in the max-unacked-bndupd option in the CON-
- NECT or CONNECTACK message that set up the connection with the send-
- ing server. It MUST NOT send more BNDUPD messages without receiving
- corresponding BNDACKs than the value returned in max-unacked-bndupd.
-
-7.4. UPDREQALL message [7]
-
- The update request all (UPDREQALL) message is used by one server to
- request that its partner send it all of the binding database
-
-
-
-Droms, et. al. Expires January 2001 [Page 60]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- information. This message is used to allow one server to recover
- from a failure of stable storage and to restore its binding database
- in its entirety from the other server.
-
- A server which sends an UPDREQALL message cannot proceed until all of
- its binding update information is restored, and it knows that all of
- that information is restored when an UPDDONE message is received.
-
- See section 9, Protocol state transitions, for the details of when
- the UPDREQALL message is sent.
-
- The UPDREQALL message has no message specific options.
-
-7.4.1. Sending the UPDREQALL message
-
- The UPDREQALL is sent.
-
-7.4.2. Receiving the UPDREQALL message
-
- A server receiving an UPDREQALL message MUST send all binding data-
- base information to the sending server. These changes are sent as
- undistinguished BNDUPD messages. Otherwise the processing is the same
- as for the UPDREQ message. See section 7.3.2 for details.
-
-7.5. UPDDONE message [8]
-
- The update done (UPDDONE) message is used by a server receiving an
- UPDREQ or UPDREQALL message to signify that it has sent all of the
- BNDUPD messages requested by the UPDREQ or UPDREQALL request and that
- it has received a BNDACK for each of those messages.
-
- While a BNDACK message MUST have been received for each BNDUPD mes-
- sage prior to the transmission of the UPDDONE message, this doesn't
- necessarily mean that all of the BNDUPD messages were accepted, only
- that all of them were responded to with a BNDACK message. Thus, a
- NAK (comprised of a BNDACK message containing a reject-reason option)
- could be used to reject a BNDUPD, but for the purposes of the UPDDONE
- message, such NAK would count as a response to the associated BNDUPD
- message, and would not block the eventual transmission of the UPDDONE
- message.
-
- The xid in an UPDDONE message MUST be identical to the xid in the
- UPDREQ or UPDREQALL message that initiated the update process.
-
- The UPDDONE message has no message specific options.
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 61]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-7.5.1. Sending the UPDDONE message
-
- The UPDDONE message SHOULD be sent as soon as the last BNDACK message
- corresponding to a BNDUPD message requested by the UPDREQ or
- UPDREQALL is received from the server which sent the UPDREQ or
- UPDREQALL. The XID of the UPDDONE message MUST be the same as the
- XID of the corresponding UPDREQ or UPDREQALL message.
-
-7.5.2. Receiving the UPDDONE message
-
- A server receiving the UPDDONE message knows that all of the informa-
- tion that it requested by sending an UPDREQ or UPDREQALL message has
- now been sent and that it has recorded this information in its stable
- storage. It typically uses the receipt of an UPDDONE message to move
- to a different failover state. See sections 9.5.2 and 9.8.3 for
- details.
-
-7.6. POOLREQ message [1]
-
- The pool request (POOLREQ) message is used by the secondary server to
- request an allocation of IP addresses from the primary server. It
- MUST be sent by a secondary server to a primary server to request IP
- address allocation by the primary. The IP addresses allocated are
- transmitted using normal BNDUPD messages from the primary to the
- secondary.
-
- The POOLREQ message SHOULD be sent from the secondary to the primary
- whenever the secondary transitions into NORMAL state. It SHOULD
- periodically be resent in order that any change in the number of
- available IP addresses on the primary be reflected in the pool on the
- secondary. The period may be influenced by the secondary server's
- leasing activity.
-
- The POOLREQ message has no message specific options.
-
-7.6.1. Sending the POOLREQ message
-
- The POOLREQ message is sent.
-
-7.6.2. Receiving the POOLREQ message
-
- When a primary server receives a POOLREQ message it SHOULD examine
- the binding database and determine how many IP addresses the secon-
- dary server should have, and set these IP addresses to BACKUP state.
- It SHOULD then send BNDUPD messages concerning all of these IP
- addresses to the secondary server.
-
- Servers frequently have several kinds of IP addresses available on a
-
-
-
-Droms, et. al. Expires January 2001 [Page 62]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- particular network segment. The failover protocol assumes that both
- primary and secondary servers are configured in such a way that each
- knows the type and number of IP addresses on every network segment
- participating in the failover protocol. The primary server is
- responsible for allocating the secondary server the correct propor-
- tion of available IP addresses of each kind, and the secondary server
- is responsible for being configured in such a way that it can tell
- the kind of every IP address based solely on the IP address itself.
-
- A primary server MUST keep track of how many IP addresses were allo-
- cated as a result of processing the POOLREQ message, and send that
- number in the POOLRESP message.
-
- A primary server MAY choose to defer processing a POOLREQ message
- until a more convenient time to process it, but it should not depend
- on the secondary server to resend the POOLREQ message in that case.
-
- If a secondary server receives a POOLREQ message it SHOULD report an
- error.
-
-7.7. POOLRESP message [2]
-
- A primary server sends a POOLRESP message to a secondary server after
- the allocation process for available addresses to the secondary
- server is complete. Typically this message will precede some of the
- BNDUPD messages that the primary uses to send the actual allocated IP
- addresses to the secondary.
-
- The xid in the POOLRESP message MUST be identical to the xid in the
- POOLREQ message for which this POOLRESP is a response.
-
-
-7.7.1. Sending the POOLRESP message
-
- The POOLRESP message MUST contain the same xid as the corresponding
- POOLREQ message.
-
- Only one option MUST appear in a POOLREQ message:
-
- o addresses-transferred
-
- The number of addresses allocated to the secondary server by the
- primary server as a result of a POOLREQ is contained in the
- addresses-transferred option in a POOLRESP message. Note this
- is the number of addresses that are transferred to the secondary
- in the primary's binding database as a result of the correspond-
- ing POOLREQ message, and that it may be some time before they
- can all be transmitted to the secondary server through the use
-
-
-
-Droms, et. al. Expires January 2001 [Page 63]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- of BNDUPD messages.
-
-7.7.2. Receiving the POOLRESP message
-
- When a secondary server receives a POOLRESP message, it SHOULD send
- another POOLREQ message if the value of the addresses-transferred
- option is non-zero.
-
- Typically, no other action is taken on the reception of a POOLRESP
- message.
-
-7.8. CONNECT message [5]
-
- The connect message is used to establish an applications level con-
- nection over a newly created TCP connection. It gives the source
- information for the connection, and critical configuration informa-
- tion. It MUST be sent only by the primary server. Either server can
- initiate a TCP connection, but the CONNECT message is only sent by
- the primary server.
-
- The CONNECT message MUST be the first message sent down a newly esta-
- blished connection, and it MUST be sent only by the primary server.
-
- The following table summarizes the options that are associated with
- the CONNECT message:
-
-
- Option
- ------
- sending-server-IP-address MUST
- max-unacked-bndupd MUST
- receive-timer MUST
- vendor-class-identifier MUST
- protocol-version MUST
- TLS-request MUST (1)
- MCLT MUST
- hash-bucket-assignment MUST
-
- (1) MUST NOT if CONNECT is being sent over a TLS connection
-
- Table 7.8-1: Options used in a CONNECT message
-
-
-7.8.1. Sending the CONNECT message
-
- The CONNECT message MUST be the first message sent by the primary
- server after the establishment of a new TCP connection with a secon-
- dary server participating in the failover protocol.
-
-
-
-Droms, et. al. Expires January 2001 [Page 64]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- The xid of the CONNECT message must be unique.
-
- The IP address of the primary server MUST be placed in the sending-
- server-IP-address option. This information is placed in an option
- inside of the message in order to allow the identity of the sender to
- be covered by a shared secret.
-
- The number of BNDUPD messages the primary server can accept without
- blocking the TCP connection MUST be placed in the max-unacked-bndupd
- option. This MUST be a number equal to or greater than 1, SHOULD be
- a number greater than 10, and SHOULD be a number less than 100.
-
- The length of the receive timer (tReceive, see section 8.3) MUST be
- placed in the receive-timer option.
-
- The MCLT MUST be placed in the MCLT option.
-
- The hash-bucket-assignment option MUST be included in the CONNECT
- message. In the event that load balancing is not configured for this
- server, the hash-bucket-assignment option will indicate that. The
- value of the hash-bucket-assignment option is determined from the
- specific buckets that the primary server has determined that the
- secondary server MUST service as part of the load-balancing algo-
- rithm. The way in which the primary server determines this informa-
- tion is outside the scope of this protocol definition. The primary
- server SHOULD be configured with a percentage of clients that the
- secondary server will be instructed to service, and the primary
- server SHOULD use the algorithm in [LOADB] to generate a Hash Bucket
- Assignment which it sends to the secondary server.
-
- The vendor class identifier MUST be placed in the vendor-class-
- identifier option.
-
- The protocol-version option MUST be included in every CONNECT mes-
- sage. The current value of the protocol version is 1.
-
- The TLS-request option MUST be sent and contains the desired TLS con-
- nection request as well as information concerning whether TLS is sup-
- ported. If this CONNECT message is being sent over a already
- created TLS connection, the TLS-request MUST NOT appear.
-
-7.8.2. Receiving the CONNECT message
-
- When a server receives a TCP connection on the failover port, if it
- is a PRIMARY server it should send a CONNECT message, and if it is a
- secondary server it should wait for a CONNECT message before sending
- any messages. To avoid denial of service attacks, a secondary should
- only wait for a CONNECT message on a new connection for a limited
-
-
-
-Droms, et. al. Expires January 2001 [Page 65]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- amount of time and close the connection if none is received during
- that time.
-
- When a secondary server receives a CONNECT message it should:
-
- 1. Record the time at which the message was received.
-
- 2. Examine the protocol-version option, and decide if this server
- is capable of interoperating with another server running that
- protocol version. If not, send the CONNECTACK message with
- the appropriate reject-reason. The server MUST include its
- protocol-version in the CONNECTACK message.
-
- 3. Examine the TLS-request option. Figure out the TLS-reply
- value based on the capabilities and configuration of this
- server. If the result for the TLS-reply value is a 1 and the
- connection is accepted, indicating use of TLS, then immedi-
- ately send the CONNECTACK message and go into TLS negotiation.
- If the TLS-reply value implies rejection of the connection,
- then immediately send the CONNECTACK message with the TLS-
- reply value and the appropriate reject-reason option value.
- In all other cases, save the TLS-reply option information for
- the eventual CONNECTACK message.
-
- The possibilities for TLS-request and TLS-reply are:
-
- CONNECT CONNECTACK
- TLS TLS
- request reply
- Reject
- t1 t1 Reason Comments
- -- -- ------ --------
- 0 0 no TLS used
- 0 1 11 primary won't use TLS, secondary requires TLS
- 1 0 primary desires TLS, secondary doesn't
- 1 1 primary desires TLS, secondary will use TLS
- 2 0 9, 10 primary requires TLS and secondary won't
- 2 1 primary requires TLS and secondary will use TLS
-
-
-
- 4. Check to see if there is a message-digest option in the CON-
- NECT message. If there was, and the server does not support
- message-digests, then reject the connection with the appropri-
- ate reject-reason in the CONNECTACK. If the server does sup-
- port message-digests, then check this message for validity
- based on the message-digest, and reject it if the digest indi-
- cates the message was altered.
-
-
-
-Droms, et. al. Expires January 2001 [Page 66]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- 5. Determine if the sender (from the sending-server-IP-address
- option) and the implicit role of the sender (i.e., primary)
- represents a server with which the receiver was configured to
- engage in failover activity. This is performed after any TLS
- or message digest processing so that it occurs after a secure
- connection is created, to ensure that there is no tampering
- with the IP address of the partner.
-
- If not, then the receiving server should reject the CONNECT
- request by sending a CONNECTACK message with a reject-reason
- value of: 8, invalid failover partner.
-
- If it is, then the receiving failover endpoint should be
- determined.
-
- 6. Decide if the time delta between the sending of the message,
- in the time field, and the receipt of the message, recorded in
- step 1 above, is acceptable. A server MAY require an arbi-
- trarily small delta in time values in order to set up a fail-
- over connection with another server. See section 5.9 for
- information on time synchronization.
-
- If the delta between the time values is too great, the server
- should reject the CONNECT request by sending a CONNECTACK mes-
- sage with a reject-reason of 4, time mismatch too great.
-
- If the time mismatch is not considered too great then the
- receiving server MUST record the delta between the servers.
- The receiving server MUST use this delta to correct all of the
- absolute times received from the other server in all time-
- valued options. Note that servers can participate in failover
- with arbitrarily great time mismatches, as long as it is more
- or less constant.
-
- 7. Examine the MCLT option in the CONNECT request and use the
- value of the MCLT as the MCLT for this failover endpoint.
-
- The secondary server SHOULD be able to operate with any MCLT
- sent by the primary, but if it cannot, then it should send a
- CONNECTACK with a reject-reason of 5, MCLT mismatch.
-
- 8. The server MUST store hash-bucket-assignment option for use
- during processing during NORMAL state. If this hash bucket
- assignment conflicts with the secondary server's configured
- hash bucket assignment for use in other than NORMAL state, the
- secondary server should send a CONNECTACK with a reject reason
- of 19, Hash bucket assignment conflict.
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 67]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- 9. The receiving server MAY use the vendor-class-identifier to do
- vendor specific processing.
-
-7.9. CONNECTACK message [6]
-
- The CONNECTACK message is sent to accept or reject a CONNECT message.
- It is sent by the secondary server which received a CONNECT message.
-
- Attempting immediately to reconnect after either receiving a CONNEC-
- TACK with a reject-reason or after sending a CONNECTACK with a
- reject-reason could yield unwanted looping behavior, since the reason
- that the connection was rejected may well not have changed since the
- last attempt. A simple suggested solution is to wait a minute or two
- after sending or receiving a CONNECTACK message with a reject-reason
- before attempting to reestablish communication.
-
- The following table summarizes the options associated with the CON-
- NECTACK message:
-
-
- Option
- ------
- sending-server-IP-address MUST
- max-unacked-bndupd MUST
- receive-timer MUST
- vendor-class-identifier MUST
- protocol-version MUST
- TLS-request MUST(1)
- reject-reason MAY(2)
- message MAY
- MCLT MUST NOT
- hash-bucket-assignment MUST NOT
-
- (1) MUST NOT if sending CONNECTACK after TLS negotiation
- (2) Indicates a rejection of the CONNECT message.
-
- Table 7.9-1: Options used in a CONNECTACK message
-
-
-7.9.1. Sending the CONNECTACK message
-
- The xid of the CONNECTACK message MUST be that of the corresponding
- CONNECT message.
-
- The IP address of the sending server MUST be placed in the sending-
- server-IP-address option. This information is placed in an option
- inside of the message in order to allow the identity of the sender to
- be covered by a shared secret.
-
-
-
-Droms, et. al. Expires January 2001 [Page 68]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- The protocol-version option MUST be included in every CONNECTACK mes-
- sage. The current value of the protocol version is 1.
-
- If the connection has been rejected, the reject-reason option MUST be
- placed in the CONNECTACK message with an appropriate reason, and a
- message option SHOULD be included with a human-readable error message
- describing the reason for the rejection in some detail. If the
- reject-reason option appears, then the remaining options listed below
- do not appear. The sending server should close the connection after
- sending the CONNECTACK if the connection was rejected.
-
- The results of the TLS negotiation MUST be placed in the TLS-reply
- option. If this CONNECTACK message is being sent over an already TLS
- secured connection, then there MUST NOT be a TLS-reply option.
-
- If there was a message-digest option in the CONNECT message, then
- there MUST be a message-digest in the CONNECTACK message and any sub-
- sequent messages if the CONNECTACK does not contain a reject-reason.
-
- The number of BNDUPD messages the server can accept without blocking
- the TCP connection MUST be placed in the max-unacked-bndupd option.
- This SHOULD be a number greater than 10, and SHOULD be a number less
- than 100.
-
- The length of the receive timer (tReceive, see section 8.3) MUST be
- placed in the receive-timer option.
-
- The vendor class identifier MUST be placed in the vendor-class-
- identifier option.
-
- After a connection is created (either by sending a CONNECTACK message
- to the first CONNECT message, or sending a CONNECTACK message to a
- CONNECT message received over a TLS connection), the server MUST send
- a STATE message.
-
- After a connection is created, the server MUST start two timers for
- the connection: tSend and tReceive. The tSend timer SHOULD be
- approximately 33 percent of the time in the receiver-timer option in
- the corresponding CONNECT message. The tReceive timer SHOULD be the
- time sent in the receiver-timer option in the CONNECTACK message.
-
- The tReceive timer is reset whenever a message is received from this
- TCP connection. If it ever expires, the TCP connection is dropped
- and communications with this partner is considered not ok.
-
- The tSend timer is reset whenever a message is sent over this connec-
- tion. When it expires, a CONTACT message MUST be sent.
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 69]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-7.9.2. Receiving the CONNECTACK message
-
- If a CONNECTACK message is received with a different XID from the one
- in the CONNECT that was sent, it SHOULD be ignored.
-
- When a CONNECTACK message is received, the following actions should
- be taken:
-
- 1. Record the time the message was received.
-
- 2. Check to see if the xid on the CONNECTACK matches an outstand-
- ing CONNECT message on this TCP connection.
-
- 3. Check to see if there is a reject-reason option in the CONNEC-
- TACK message. If not, continue with step 3. If there is a
- reject-reason option, the server SHOULD report the error code.
- If a message option appears a server SHOULD display the string
- from the message option in a user visible way. The server
- MUST close the connection if a reject-reason option appears.
-
- 4. Check the value of the TLS-reply option (if any, which there
- won't be if this CONNECT is taking place utilizing TLS), and
- if it was 1, then skip processing of the rest of the CONNEC-
- TACK message, and immediately enter into TLS connection setup.
-
- This step occurs prior to steps 5 and 6 in order to allow
- creation of a secure connection (if required) prior to pro-
- cessing the protocol version and IP address information.
-
- 5. Examine the value of the protocol-version option. If this
- server is able to establish connections with another server
- running this protocol version, then continue, else close the
- connection.
-
- 6. Decide if the time delta between the sending of the message,
- in the time field, and the receipt of the message, recorded in
- step 1 above, is acceptable. A server MAY require an arbi-
- trarily small delta in time values in order to set up a fail-
- over connection with another server.
-
- If the delta between the time values is too great, the server
- should drop the TCP connection.
-
- If the time mismatch is not considered too great then the
- receiving server MUST record the delta between the servers.
- The receiving server MUST use this delta to correct all of the
- absolute times received from the other server in all time-
- valued options. Note that the failover protocol is
-
-
-
-Droms, et. al. Expires January 2001 [Page 70]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- constructed so that two servers can be failover partners with
- arbitrarily great time mismatches.
-
- 7. The receiving server MAY use the vendor-class-identifier to do
- vendor specific processing.
-
- 8. After accepting a CONNECTACK message, the server MUST send a
- STATE message.
-
- After receiving a CONNECTACK message, the server MUST start
- two timers for the connection: tSend and tReceive. The tSend
- timer SHOULD be approximately 20 percent of the time in the
- receiver-timer option in the corresponding CONNECTACK message.
- The tReceive timer SHOULD be set to the time sent in the
- receiver-timer option in the CONNECT message.
-
- The tReceive timer is reset whenever a message is received
- from this TCP connection. If it ever expires, the TCP connec-
- tion is dropped and communications with this partner is con-
- sidered not ok.
-
- The tSend timer is reset whenever a message is sent over this
- connection. When it expires, a CONTACT message MUST be sent.
-
-7.10. STATE message [10]
-
- The state (STATE) message is used to communicate the current failover
- state to the partner server.
-
- The STATE message MUST be sent after sending a CONNECTACK message
- that didn't contain a reject-reason option, and MUST be sent after
- receiving a CONNECTACK message without a reject-reason option.
-
- A STATE message MUST be sent whenever the failover endpoint changes
- its failover state and a connection exists to the partner.
-
- The STATE message requires no response from the failover partner.
-
- The following table shows the options that MUST appear in a STATE
- message:
-
-
-
-
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 71]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-
- Option
- ------
- sending-state MUST
- server-flags MUST
- start-time-of-state MUST
-
- Table 7.10-1: Options used in a STATE message
-
-
-
-7.10.1. Sending the STATE message
-
- The current failover state is placed in the server-state option and
- the current state of the STARTUP flag is placed in the server-flags
- option.
-
- The message is sent with a unique xid.
-
- A server SHOULD only send the STATE message either when the connec-
- tion is created (i.e, after sending or receiving a CONNECTACK message
- with no reject-reason option), or when there is a change from the
- values sent in a previous STATE message.
-
-7.10.2. Receiving the STATE message
-
- Every STATE message SHOULD indicate a change in state or a change in
- the flags.
-
- When a STATE message is received, any state transitions specified in
- section 9 are taken.
-
- No response to a STATE message is required.
-
-7.11. CONTACT message [11]
-
- The contact (CONTACT) message is sent to verify communications
- integrity with a failover partner. The CONTACT message is sent when
- no messages have been sent to the failover partner for a specified
- period of time. This is determined by the tSend timer expiring (see
- section 8.3).
-
- The CONTACT message has no message specific options.
-
-7.11.1. Sending the CONTACT message
-
- The CONTACT message is sent.
-
-
-
-Droms, et. al. Expires January 2001 [Page 72]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-7.11.2. Receiving the CONTACT message
-
- When a CONTACT message is received, the tReceive timer is reset (as
- it is with any message that is received).
-
- A server SHOULD use the time in the time field and the time the mes-
- sage was received to refine the delta time calculations between the
- servers.
-
-7.12. DISCONNECT message [12]
-
- The DISCONNECT is the last message sent over a connection before
- dropping an established connection (note that an established connec-
- tion is one where a CONNECTACK has been sent without a reject rea-
- son).
-
- After sending or receiving a DISCONNECT message, a server needs to
- have some mechanism to prevent an error loop. Simply reconnecting to
- the partner immediately is not the best option, especially after
- several consecutive attempts.
-
- A simple suggested solution is to wait a minute or two after sending
- or receiving a DISCONNECT before attempting to reestablish communica-
- tion.
-
- The DISCONNECT message MUST be the last message sent down a connec-
- tion before it is closed.
-
- The following table summarizes the options that are associated with
- the DISCONNECT message:
-
-
- Option
- ------
- reject-reason MUST
- message SHOULD
-
- Table 7.12-1: Options used in a DISCONNECT message
-
-
-
-7.12.1. Sending the DISCONNECT message
-
- The DISCONNECT message MUST be the last message sent by the a server
- which is dropping a TCP connection.
-
- The xid of the DISCONNECT message must be unique.
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 73]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- The reject-reason option MUST appear giving a reason why the connec-
- tion was dropped. A message option SHOULD appear giving a human
- readable error message with possibly more details.
-
-7.12.2. Receiving the DISCONNECT message
-
- When a server receives a DISCONNECT message it should log the message
- if there was one and possibly raise an alarm of some sort if the
- reject reason was one that was sufficiently serious.
-
-8. Connection Management
-
- Servers participating in the failover protocol communicate over TCP
- connections. These TCP connections are used both to transmit bind-
- ing information from one server to another as well as to allow each
- server to determine whether communications is possible with the other
- server.
-
- Central to the operation of the failover protocol is a notion of
- "communications okay" or "communications failed". Failover state
- transitions are taken in many cases when the status of communications
- with the partner changes, and the existence or non-existence of a TCP
- connections between failover endpoints is used to determine if com-
- munications is "okay" or "failed".
-
- A single TCP connection exists which connects two failover endpoints.
-
-8.1. Connection granularity
-
- There exists one TCP connection between each set of failover end-
- points. See section 5.1.1 for an explanation of failover endpoints.
-
- There are a maximum of two TCP connections between any two servers
- implementing the failover protocol, one for each of the possible
- failover endpoints between these two servers. There is a minimum of
- one TCP connection between one server and every other failover server
- with which it implements the failover protocol.
-
-8.2. Creating the TCP connection
-
- There are two ports used for initiating TCP connections, correspond-
- ing to the two roles that a server can fill with respect to another
- server. Every server implementing the failover protcol MUST listen
- on at least one of these ports. Port 647 is the port to which pri-
- mary servers will attempt a connection, and port TBD is the port to
- which secondary servers will attempt a connection. When a connection
- attempt is received on port 647 it is therefore from a primary
- server, and it is attempting to connect to this server to become a
-
-
-
-Droms, et. al. Expires January 2001 [Page 74]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- secondary server for it. Likewise, when an attempt to connect is
- received on port TBD the connection attempt is from a secondary
- server, and it is attempting to connect to this server to be a pri-
- mary server. The source port of any TCP connection is unimportant.
- See the schematic representation below:
-
-
- Primary Server
- --------------
- Listens on port TBD for secondary server to connect to it
- Periodically connects on port 647 to contact secondary
-
- Secondary Server
- --------------
- Listens on port 647 for primary server to connect to it
- Periodically connects on port TDB to contact primary
-
-
- Every server implementing the failover protocol SHOULD attempt to
- connect to all of its partners periodically, where the period is
- implementation dependent and SHOULD be configurable. In the event
- that a connection has been rejected by a CONNECTACK message with a
- reject-reason option contained in it or a DISCONNECT message, a
- server SHOULD reduce the frequency with which it attempts to connect
- to that server but it SHOULD continue to attempt to connect periodi-
- cally.
-
- If a connection attempt has been received from another server in a
- particular role (i.e., from a specific failover endpoint) then the
- receiving server MUST NOT initiate a connection attempt to the
- partner server in that same role.
-
- If both servers happen to attempt to connect simultaneously, the
- secondary server MUST drop its attempt in favor of the primary's
- attempt. Thus, in the event that a secondary server receives a con-
- nection attempt to port 647 from a primary server when it has already
- initiated a connection attempt to port TBD on the same primary
- server, it MUST accept the connection to port 647 and it MUST drop
- drop the connection attempt to port TBD. In the event that a primary
- server receives a connection attempt to port TBD from a secondary
- server when it has already initiated a connection attempt to port 647
- on that same server, it MUST reject the connection attempt to port
- TBD and continue to pursue the connection attempt on port 647.
-
- Once a connection is established, the primary server MUST send a CON-
- NECT message across the connection. A secondary server MUST wait for
- the CONNECT message from a primary server.
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 75]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- Every CONNECT message includes a TLS-request option, and if the CON-
- NECTACK message does not reject the CONNECT message and the TLS-reply
- option says TLS MUST be used, then the servers will immediately enter
- into TLS negotiation.
-
- Once TLS negotiation is complete, the primary server MUST resend the
- CONNECT message on the newly secured TLS connection and then wait for
- the CONNECTACK message in response. The TLS-request and TLS-reply
- options MUST NOT appear in either this second CONNECT or its associ-
- ated CONNECTACK message as they had in the first messages.
-
- The second message sent over a new connection (either a bare TCP con-
- nection or a connection utilizing TLS) is a STATE message. Upon the
- receipt of this message, the receiver can consider communications up.
-
- It is entirely possible that two servers will attempt to make connec-
- tions to each other essentially simultaneously, and in this case the
- secondary server will be waiting for a CONNECT message on each con-
- nection. The primary server MUST send a CONNECT message over one
- connection and it MUST close the other connection.
-
- A secondary server MUST NOT respond to the closing of a TCP connec-
- tion with a blind attempt to reconnect -- there may be another TCP
- connection to the same failover partner already in use.
-
-8.3. Using the TCP connection for determining communications status
-
- The TCP connection is used to determine the communications status of
- the other server, i.e., communications-ok, or communications-
- interrupted.
-
- Three things must happen for a server to consider that communications
- are ok with respect to another server:
-
-
- 1. A TCP connection must be established to the other server.
-
- 2. A CONNECT message must be received and a CONNECTACK message
- sent in response. The CONNECT message is used to determine
- the identify of the failover endpoint of the other end of the
- TCP connection -- without it, the failover endpoint cannot be
- uniquely determined. Without knowledge of the failover end-
- point, then the entity with which communications is ok is
- undetermined.
-
- 3. A STATE message must be received from the other server over
- the connection. This STATE message initializes important
- information necessary to the operation of the state machine
-
-
-
-Droms, et. al. Expires January 2001 [Page 76]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- the governs the behavior of this failover endpoint.
-
- There are two ways that a server can determine that communications
- has failed:
-
-
- 1. The TCP connection can go down, yielding an error when
- attempting to send or receive a message. This will happen at
- least as often as the period of the tSend timer.
-
- 2. The tReceive timer can expire.
-
- In either of these cases, communications is considered interrupted.
-
- Several difficulties arise when trying to use one TCP connection for
- both bulk data transfer as well as to sense the communications status
- of the other server. One aspect of the problem stems from the dif-
- ferent requirements of both uses. The bulk data transfer is of
- course critically important to the protocol, but the speed with which
- it is processed is not terribly significant. It might well be
- minutes before a BNDUPD message is processed, and while not optimal,
- such an occasional delay doesn't compromise the correctness of the
- protocol. However, the speed with which one server detects the other
- server is up (or, more importantly, down) is more highly constrained.
- Generally one server should be able to detect that the other server
- is not communicating within a minute or less.
-
- These differing time constraints makes it difficult to use the same
- TCP connection for data transfer as well as to sense communications
- integrity. See section 3.5 for additional details on TCP.
-
- The solution to this problem is to require that some message be
- received by each end of the connection within a limited time or that
- the connection will be considered down. If no messages have been
- sent recently, then a CONTACT message is sent.
-
- In the case where there is no data queued to be sent, this is not a
- problem, but in the case where there is data queued to be sent to the
- partner, then the CONTACT message will not actually be transmitted
- until the queued data is sent. Section 3.5 explains why waiting for
- TCP to determine that the connection is down is not acceptable, and
- leads a requirement that the receiving server never block the sending
- server from sending CONTACT messages.
-
- In order to meet this requirement, each server tells the other server
- the number of outstanding BNDUPD messages that it will accept. The
- receiving server is required to always be able to accept that many
- BNDUPD messages off of the connection's input queue even if it cannot
-
-
-
-Droms, et. al. Expires January 2001 [Page 77]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- process them immediately, and to accept all other messages immedi-
- ately.
-
- Thus, the sending server's TCP is never blocked from sending a mes-
- sage except for very short periods, less than a few seconds unless
- the network connection itself has problems. In this case, if the
- CONTACT messages don't make it to the partner then the partner will
- close the connection.
-
- DISCUSSION:
-
- When implementing this capability, one needs to be careful when
- sending any message on the TCP connection as TCP can easily block
- the server if the local TCP send buffers are full. This can't be
- prevented because if the receiver is not reachable (via the net-
- work), the sending TCP can't send and thus it will be unable to
- empty the local TCP send buffers. So, all send operations either
- need to assume they may block for some time or non-blocking sends
- must be used.
-
-8.4. Using the TCP connection for binding data
-
- Binding data, in the form of BNDUPD messages and BNDACK messages to
- respond to them, are sent across the TCP connection.
-
- In order to support timely detection of any failure in the partner
- server, the TCP connection MUST NOT block for more than a very short
- time, on the order of a few seconds. Therefore, a server that is
- sending BNDUPD messages MUST send only a restricted number before
- receiving BNDACK messages about previous messages sent.
-
- The number of outstanding BNDUPD messages that each server will
- accept without causing TCP to block transmission of additional data
- (i.e, CONTACT messages) is sent by each server in the CONNECT and
- CONNECTACK messages in the max-unacked-bndupd option.
-
-8.5. Using the TCP connection for control messages
-
- The TCP connection is used for control messages: POOLREQ, UPDREQ,
- STATE, CONTACT, UPDREQALL and the corresponding reply messages: POOL-
- RESP, UPDDONE. A server MUST immediately accept all of these mes-
- sages from the TCP connection. A server MUST immediately accept any
- BNDACK which is received as well.
-
-8.6. Losing the TCP connection
-
- When the TCP connection is lost, then communications is not ok with
- the other server. A server which has lost communications SHOULD
-
-
-
-Droms, et. al. Expires January 2001 [Page 78]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- immediately attempt to reconnect to the other server, and should
- retry these connection attempts periodically.
-
- An acknowledgement message (BNDACK, POOLRESP, UPDDONE) message can
- only be sent in response to a request message (BNDUPD, POOLREQ,
- UPDREQ, UPDREQALL) on the same TCP connection from which the request
- was received, in part since the XID's in the request messages are
- guaranteed unique only during the life of a single TCP connection.
-
- When a connection to a partner server goes down, a server with unpro-
- cessed request messages MAY simply drop all of those messages, since
- it can be sure that the partner will resend them when they are next
- in communications. A server with unprocessed BNDUPD messages when a
- TCP connection goes down MAY instead choose to process those BNDUPD
- messages, but it MUST NOT send any BNDACK messages in response (again
- because of the issues surrounding XID uniqueness).
-
- When the TCP connection is closed explicitly, the DISCONNECT message
- with a reject-reason option (and, ideally, a message option) MUST be
- sent over the TCP connection.
-
-9. Failover Endpoint States
-
- This section discusses the various states that a failover endpoint
- may take, and the server actions required when entering the state,
- operating in the state, and leaving the state, as well as the events
- that cause transitions out of the state into another state.
-
- The state transition diagram in Figure 9.2-1 is relevant for this
- section. This is the common state transition diagram for both servers
- in a failover pair. In the event that the textual description of a
- state differs from the state transition diagram, the textual descrip-
- tion is to be considered authoritative.
-
-9.1. Server Initialization
-
- When a server starts it starts out in STARTUP state. See section 9.3
- below for details.
-
-9.2. Server State Transitions
-
- Whenever a server transitions into a new state, it MUST record the
- state and the time at which it entered that state in stable storage.
- If communications is "ok", it MUST also send a STATE message to its
- failover partner.
-
- Figure 9.2-1 is the diagram of the server state transitions. The
- remainder of this section contains information important to the
-
-
-
-Droms, et. al. Expires January 2001 [Page 79]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- understanding of that diagram.
-
- The server stays in the current state until all of the actions speci-
- fied on the state transition are complete. If communications fails
- during one of the actions, the server simply stays in the current
- state and attempts a transition whenever the conditions for a transi-
- tion are later fulfilled.
-
- In the state transition diagram below, the "+" or "-" in the upper
- right corner of each state is a notation about whether communication
- is ongoing with the other server.
-
- The legend "responsive", "balanced", or "unresponsive" in each state
- indicates whether the server is responsive to all DHCP client
- requests, running in load balanced mode, or totally unresponsive in
- the respective state. The terms "responsive" and "unresponsive" have
- the obvious meanings, while "balanced" means that a DHCP server may
- respond to all DHCPREQUEST messages that are RENEWAL or REBINDING,
- and to all other messages from clients for which the load balancing
- algorithm indicates that it MUST respond to. See sections 5.3 and
- 9.6.2 for details on load balancing.
-
- In the state transition diagram below, when communication is reesta-
- blished between the two servers, each must record the state of the
- partner when communication was restored. State transitions on one
- server in some cases imply state transitions on the partner server,
- so a record of the current state of the partner server must be kept
- by each server.
-
- If the state of the partner changes while communicating a server
- moves through the communications-failed transition and into whatever
- state results. It then immediately moves through whatever state
- transition is appropriate given the current state of the partner
- server. A server performing this operation SHOULD NOT close the TCP
- connection to its partner.
-
- DISCUSSION:
-
- The point of this technique is simplicity, both in explanation of
- the protocol and in its implementation. The alternative to this
- technique of memory of partner state and automatic state transi-
- tion on change of partner state is to have every state in the fol-
- lowing diagram have a state transition for every possible state of
- the partner. With the approach adopted, only the states in which
- communications are reestablished require a state transition for
- each possible partner state.
-
- The current state of a server MUST be recorded in stable storage and
-
-
-
-Droms, et. al. Expires January 2001 [Page 80]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- thus be available to the server after a server restart.
-
-
- +---------------+ V +--------------+
- | RECOVER - | | | STARTUP - |
- |(unresponsive) | +->|(unresponsive)|
- +---------------+ +--------------+
- Comm. OK +-----------------+
- Other State:-RECOVER | PARTNER DOWN - |<-----------------+
- | | | (responsive) | |
- All POTENTIAL- +-----------------+ +--------------+ |
- Others CONFLICT------------ | --------+ | RESOLUTION -| |
- | Comm. OK | | INTERRUPTED | |
- UPDREQ(ALL) Other State: | +-| (responsive) | |
- Wait UPDDONE | | | | +--------------+ |
- Wait MCLT from fail RECOVER All Others| Comm. OK ^ | |
- +--------------+ | V V V | Ext. |
- |RECOVER-DONE +| +--+ +--------------+ Comm. Cmd. |
- |(unresponsive)| | | POTENTIAL + | Failed | |
- +--------------+ Wait for +>| CONFLICT |------+ +-->|
- Comm. OK Other | |(unresponsive)|<--------+ |
- +--Other State:-+ State: | +--------------+ | |
- | | | RECOVER | | | |
- | All POTENT. DONE | Resolve Conflict | |
- | Others: CONFLICT-- | ----+ (see 9.8) | |
- | Wait for V V | |
- | Other State: NORMAL +-----------------+ | |
- | V | NORMAL + | External | |
- | +--+----------+-->| (balanced) |-Command---+-- | -----+
- | ^ ^ +-----------------+ | |
- | | | | | |
- | Wait for Comm. OK Comm. External |
- | Other Other Failed Command |
- | State: State: | or | |
- |RECOVER-DONE NORMAL Start Safe Safe | |
- | | COMM. INT. Period Timer Period | |
- | Comm. OK. | V expiration |
- | Other State: | +------------------+ | |
- | RECOVER +--| COMMUNICATIONS - |-----------+ |
- V +-------------| INTERRUPTED | Comm. OK |
- RECOVER | (responsive) |--Other State:-+
- RECOVER-DONE--------->+------------------+ All Others
-
- Figure 9.2-1: Server state diagram.
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 81]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-9.3. STARTUP state
-
- The STARTUP state affords an opportunity for a server to probe its
- partner server, before starting to service DHCP clients.
-
- DISCUSSION:
-
- Without the STARTUP state, a server would likely start in a state
- derived from its previously stored state (held in stable storage),
- if any. However, this may be inconsistent with the current state
- of the partner. The STARTUP state affords the opportunity for a
- server to potentially learn the partner's state and determine if
- that state is consistent with its derived starting state or
- whether some significant state change has occurred at the partner
- that forces the server to start in another state. This is
- especially critical if significant time has elapsed while the
- server was down.
-
-
-9.3.1. Operation while in STARTUP state
-
- Whenever a server is in STARTUP state, it MUST be unresponsive to
- DHCP client requests, and so the time spent in the STARTUP state is
- necessarily short, typically on the order of a few seconds to a few
- tens of seconds. The exact time spent in the STARTUP state is imple-
- mentation dependent, and the primary and secondary server are not
- required to spend the same amount of time in the STARTUP state.
-
- Whenever a STATE message is sent to the partner while in STARTUP
- state the STARTUP bit MUST be set in the server-flags option and the
- previously recorded failover state MUST be placed in the server-state
- option.
-
-
-9.3.2. Transition out of STARTUP state
-
- Each server starts out in startup state every time it initializes
- itself, and performs the following algorithm as part of its initiali-
- zation:
-
- 1. Is there any record in stable storage of a previous failover
- state? If yes, set previous-state to the last recorded state
- in stable storage, and continue with step 2.
-
- Is there any configuration information that indicates that
- this server was previously running but lost its stable
- storage? Such information must typically come from some
-
-
-
-Droms, et. al. Expires January 2001 [Page 82]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- administrative intervention, since it is difficult for a
- server to distinguish first startup from a startup after it
- has lost its stable storage. If yes, then set the previous-
- state to RECOVER, and set the time-of-failure to whatever time
- was configured, and go on to step 2. This time-of-failure
- will be used in the transition out of the RECOVER state into
- the RECOVER-DONE state, below.
-
- If there is no record of any previous failover state in stable
- storage nor of any previous operational activity for this
- server, then set the previous-state to PARTNER-DOWN if this
- server is a primary and RECOVER if this server is a secondary,
- and set the time-of-failure to a time before the maximum-
- client-lead-time before now. If using standard Posix times, 0
- would typically do quite well.
-
- 2. Is the previous-state NORMAL? If yes, set the previous-state
- to COMMUNICATIONS-INTERRUPTED.
-
- 3. Start the STARTUP state timer. The time that a server remains
- in the STARTUP state (absent any communications with its
- partner) is implementation dependent and SHOULD be configur-
- able. It SHOULD be long enough for a TCP connection to be
- created to a heavily loaded partner across a slow network.
-
- 4. Attempt to create a TCP connection to the failover partner.
- See section 8.2.
-
- 5. Wait for "communications okay", i.e., the process discussed in
- section 8.2 "Creating the TCP Connection", to complete,
- including the receipt of a STATE message from the partner.
-
- When and if communications become "okay", clear the STARTUP
- flag, and set the current state to the previous-state.
-
- If the partner is in PARTNER-DOWN state, and if the time at
- which it entered PARTNER-DOWN state (as received in the
- start-time-of-state option in the STATE message) is later than
- the last recorded time of operation of this server, then set
- the current state to RECOVER. If the time at which it entered
- PARTNER-DOWN state is earlier than the last recorded time of
- operation of this server, then set the current state to
- POTENTIAL-CONFLICT.
-
- Then, transition to the current state and take the "communica-
- tions okay" state transition based on the current state of
- this server and the partner.
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 83]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- 7. If the startup time expires, take an implementation dependent
- action: The server MAY go to the previous-state, or the
- server MAY wait.
-
- Reasons to go to previous-state and begin processing:
-
- If the current server is the only operational server, then if
- it waits, there will be no operational DHCP servers. This
- situation could occur very easily where one server fails and
- then the other crashes and reboots. If the rebooting server
- doesn't start processing DHCP client requests without first
- being in communication with the other server, then the level
- of DHCP redundancy is not particularly high. This is an
- appropriate approach if the possibility of partition is low,
- or if the safe period expiration time is well beyond the time
- at which an operator would notice and react to a partition
- situation. It is also quite appropriate if the safe period
- will never expire.
-
- Reasons to wait:
-
- If the current server has been down for longer than the
- maximum-client-lead-time, and it is partitioned from the other
- server, then when it returns it will attempt to use its own
- available addresses to allocate to new DHCP clients, and the
- other server may well be in PARTNER-DOWN state and may have
- already allocated some of those available addresses to DHCP
- clients. In cases where the possibility of partition is high,
- and the safe period expiration time is less than the likely
- operator reaction time, this is a good approach to use.
-
-9.4. PARTNER-DOWN state
-
- PARTNER-DOWN state is a state either server can enter. When in this
- state, the server does not assume that the other server could still
- be operating and servicing a different set of clients, but instead
- assumes that it is the only server operating. If one server is in
- PARTNER-DOWN state, the other server MUST NOT be operating.
-
-
-9.4.1. Upon entry to PARTNER-DOWN state
-
- No special actions are required when entering PARTNER-DOWN state.
-
- The server should continue to attempt to connect to the partner
- periodically.
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 84]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-9.4.2. Operation while in PARTNER-DOWN state
-
- A server in PARTNER-DOWN state MUST respond to DHCP client requests.
- It will allow renewal of all outstanding leases on IP addresses, and
- will allocate IP addresses from its own pool, and after a fixed
- period of time (the MCLT interval) has elapsed from entry into
- PARTNER-DOWN state, it will allocate IP addresses from the set of all
- available IP addresses.
-
- Once a server has entered NORMAL state, the PARTNER-DOWN state is
- entered only on command of an external agency (typically an adminis-
- trator of some sort) or after the expiration of an externally config-
- ured minimum safe-time after the beginning of COMMUNICATIONS-
- INTERRUPTED state.
-
- Any available IP address tagged as available for allocation by the
- other server (at entry to PARTNER-DOWN state) MUST NOT be allocated
- to a new client until the maximum-client-lead-time beyond the entry
- into PARTNER-DOWN state has elapsed.
-
- A server in PARTNER-DOWN state MUST NOT allocate an IP address to a
- DHCP client different from that to which it was allocated at the
- entrance to PARTNER-DOWN state until the maximum-client-lead-time
- beyond the maximum of the following times: client expiration time,
- most recently transmitted potential-expiration-time, most recently
- received ack of potential-expiration-time from the partner, and most
- recently acked potential-expiration-time to the partner. See section
- 7.1.5 for details. If this time would be earlier than the current
- time plus the maximum-client-lead-time, then the time the server
- entered PARTNER-DOWN state plus the maximum-client-lead-time is used.
-
- Two options exist for lease times given out while in PARTNER-DOWN
- state, with different ramifications flowing from each.
-
- If the server wishes the Failover protocol to protect it from loss of
- stable storage in PARTNER-DOWN state, then it should ensure that the
- MCLT based lease time restrictions in Section 5.1 are maintained,
- even in PARTNER-DOWN state.
-
- If the server wishes to forego the protection of the Failover proto-
- col in the event of loss of stable storage, then it need recognize no
- restrictions on actual client lease times while in PARTNER-DOWN
- state.
-
- A server in PARTNER-DOWN state MUST continue to attempt to establish
- communications and synchronization with its partner.
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 85]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-9.4.3. Transitions out of PARTNER-DOWN state
-
- When a server in PARTNER-DOWN state succeeds in establishing a con-
- nection to its partner, its actions are conditional on the state and
- flags received in the STATE message from the other server as part of
- the process of establishing the connection.
-
- If the STARTUP bit is set in the server-flags option of a received
- STATE message, a server in PARTNER-DOWN state MUST NOT take any state
- transitions based on reestablishing communications. Essentially, if a
- server is in PARTNER-DOWN state, it ignores all STATE messages from
- its partner that have the STARTUP bit set in the server-flags option
- of the STATE message.
-
- If the STARTUP bit is not set in the server-flags option of a STATE
- message received from its partner, then a server in PARTNER-DOWN
- state takes the following actions based on the value of the server-
- state option in the received STATE message:
-
- o partner in NORMAL, COMMUNICATIONS-INTERRUPTED, PARTNER-DOWN or
- POTENTIAL-CONFLICT state
-
- transition to POTENTIAL-CONFLICT state
-
- o partner in RECOVER state
-
- stay in PARTNER-DOWN state
-
- o partner in RECOVER-DONE state
-
- transition into NORMAL state
-
-9.5. RECOVER state
-
- This state indicates that the server has no information in its stable
- storage or that it is re-integrating with a server in PARTNER-DOWN
- state after it has been down. A server in this state MUST attempt to
- refresh its stable storage from the other server.
-
-9.5.1. Operation in RECOVER state
-
- A server in RECOVER MUST NOT respond to DHCP client requests.
-
- A server in RECOVER state will attempt to reestablish communications
- with the other server.
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 86]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-9.5.2. Transitions out of RECOVER state
-
- If the other server is in POTENTIAL-CONFLICT state when communica-
- tions are reestablished, then the server in RECOVER state will move
- to POTENTIAL-CONFLICT state itself.
-
- If the other server is in RECOVER state, then this server SHOULD sig-
- nal an error and halt processing.
-
- If the other server is in any other state, then the server in RECOVER
- state will request an update of missing binding information by send-
- ing an UPDREQ message. If the server has been instructed (through
- configuration or other external agency) that it has lost its stable
- storage, or if it has deduced that from the fact that it has no
- record of ever having talked to its partner, while its partner does
- have a record of communicating with it, it MUST send an UPDREQALL
- message, otherwise it MUST send an UPDREQ message.
-
- It will wait for an UPDDONE message, and upon receipt of that message
- it will start a timer whose expiration is set to a time equal to the
- time the server went down (if known) or the current time (if the
- down-time is unknown) plus the maximum-client-lead-time. When this
- timer goes off, the server will transition into RECOVER-DONE state.
- This is to allow any IP addresses that were allocated by this server
- prior to loss of its client binding information in stable storage to
- contact the other server or to time out.
-
- See Figure 9.5.2-1.
-
- DISCUSSION:
-
- The actual requirement on this wait period in RECOVER is that it
- start not before the recovering server went down, not necessarily
- when it came back up. If the time when the recovering server
- failed is known, it could be communicated to the recovering server
- (perhaps through actions of the network administrator), and the
- wait period could be reduced to the maximum-client-lead-time less
- the difference between the current time and the time the server
- failed. In this way, the waiting period could be minimized.
- Various heuristics could be used to estimate this time, for exam-
- ple if the recovering server periodically updates stable storage
- with a time stamp, the wait period could be calculated to start at
- the time of the last update of stable storage plus the time
- required for the next update (which never occurred). This esti-
- mate is later than the server went down, but probably not too much
- later.
-
- If an UPDDONE message isn't received within an implementation
-
-
-
-Droms, et. al. Expires January 2001 [Page 87]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- dependent amount of time, and no BNDUPD messages are being received,
- the connection SHOULD be dropped.
-
-
-
-
- A B
- Server Server
-
- | |
- RECOVER PARTNER-DOWN
- | |
- | >--UPDREQ--------------------> |
- | |
- | <---------------------BNDUPD--< |
- | >--BNDACK--------------------> |
- ... ...
- | |
- | <---------------------BNDUPD--< |
- | >--BNDACK--------------------> |
- | |
- | <--------------------UPDDONE--< |
- | |
- Wait MCLT from last known |
- time of operation |
- | |
- RECOVER-DONE |
- | |
- | >--STATE-(RECOVER-DONE)------> |
- | NORMAL
- | <-------------(NORMAL)-STATE--< |
- NORMAL |
- | >---- State-(NORMAL)--------------->
- | |
- | |
-
- Figure 9.5.2-1: Transition out of RECOVER state
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 88]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-9.6. NORMAL state
-
- NORMAL state is the state used by a server when it is communicating
- with the other server, and any required resynchronization has been
- performed. While some bindings database synchronization is performed
- in NORMAL state, potential conflicts are resolved prior to entry into
- NORMAL state as is binding database data loss.
-
-
-9.6.1. Upon entry to NORMAL state
-
- When entering NORMAL state, a server will send to the other server
- all currently unacknowledged binding updates as BNDUPD messages.
-
- When the above process is complete, if the server entering NORMAL
- state is a secondary server, then it will request IP addresses for
- allocation using the POOLREQ message.
-
-
-9.6.2. Processing DHCP client requests and load balancing
-
- In NORMAL state, a server MUST process every DHCPREQUEST/RENEWAL or
- DHCPREQUEST/REBINDING request it receives. And, it processes other
- requests only for those clients as dictated by the load balancing
- algorithm specified in [LOADB].
-
- As discussed in section 5.3, each server will take the client-
- identifier from each DHCP client request (or the client-hardware-
- address, i.e., the htype concatenated to the front of the chaddr if
- no client-identifier is present in the request) and use it as the
- 'Request ID' specified in [LOADB]. After applying the algorithm
- specified in [LOADB] and comparing the result with the hash bucket
- assignment (performed during connect processing between failover
- servers), each failover server will be able to unambiguously deter-
- mine if it should process the DHCP client request.
-
-9.6.3. Operation in NORMAL state
-
- When in NORMAL state, for every DHCP client request that it
- processes, as determined by the algorithm described in section 9.6.2,
- above, a server will operate in the following manner:
-
- o Lease time calculations
-
- As discussed in section 5.2.1, "Control of lease time", the
- lease interval given to a DHCP client can never be more than the
- MCLT greater than the most recently received potential-
-
-
-
-Droms, et. al. Expires January 2001 [Page 89]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- expiration-time from the failover partner or the current time,
- whichever is later.
-
- As long as a server adheres to this constraint, the specifics of
- the lease interval that it gives to a DHCP client or the value
- of the potential-expiration-time sent to its failover partner
- are implementation dependent. One possible approach is dis-
- cussed in section 5.2.1, but that particular approach is in no
- way required by this protocol.
-
- See section 7.1.5 for details concerning the storage of time
- associated IP addresses and how to use these times when calcu-
- lating lease times for DHCP clients.
-
- o Lazy update of partner server
-
- After an ACK of a IP address binding, the server servicing a
- DHCP client request attempts to update its partner with the new
- binding information. The lease time used in the update of the
- secondary MUST be at least that given to the DHCP client in the
- DHCPACK, and the potential-expiration-time MUST be at least the
- lease time, and SHOULD be considerably longer.
-
- o Reallocation of IP addresses between clients
-
- Whenever a client binding is released or expires, a BNDUPD mes-
- sage must be sent to partner, setting the binding state to
- RELEASED or EXPIRED. However, until a BNDACK is received for
- this message, the IP address cannot be allocated to another
- client. It can be allocated to the same client again.
-
- In normal state, each server receives binding updates from its
- partner server in BNDUPD messages. It records these in its client
- binding database in stable storage and then sends a corresponding
- BNDACK message to the primary server. It MUST ensure that the infor-
- mation is recorded in stable storage prior to sending the BNDACK mes-
- sage back to its partner.
-
-
-9.6.4. Transitions out of NORMAL state
-
- If an external command is received by a server in NORMAL state
- informing it that its partner is down, then transition into PARTNER-
- DOWN state. Generally, this would be an unusual situation, where
- some external agency knew the partner server was down. Using the
- command in this case would be appropriate if the polling interval and
- timeout were long.
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 90]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- If a server in NORMAL state fails to receive acks to messages sent to
- its partner for an implementation dependent period of time, it MAY
- move into COMMUNICATIONS-INTERRUPTED state. This situation might
- occur if the partner server was capable of maintaining the TCP con-
- nection between the server and also capable of sending a CONTACT mes-
- sage every tSend seconds, but was (for some reason) incapable of pro-
- cessing BNDUPD messages.
-
- If the communications is determined to not be "ok" (as defined in
- section 8), then transition into COMMUNICATIONS-INTERRUPTED state.
-
- If a server in NORMAL state receives any messages from its partner
- where the partner has changed state from that expected by the server
- in NORMAL state, then the server should transition into
- COMMUNICATIONS-INTERRUPTED state and take the appropriate state tran-
- sition from there. For example, it would be expected for the partner
- to transition from POTENTIAL-CONFLICT into NORMAL state, but not for
- the partner to transition from NORMAL into POTENTIAL-CONFLICT state.
-
-9.7. COMMUNICATIONS-INTERRUPTED State
-
- A server goes into COMMUNICATIONS-INTERRUPTED state whenever it is
- unable to communicate with the other server. Primary and secondary
- servers cycle automatically (without administrative intervention)
- between NORMAL and COMMUNICATIONS-INTERRUPTED state as the network
- connection between them fails and recovers, or as the partner server
- cycles between operational and non-operational. No duplicate IP
- address allocation can occur while the servers cycle between these
- states.
-
-
-9.7.1. Upon entry to COMMUNICATIONS-INTERRUPTED state
-
- When a server enters COMMUNICATIONS-INTERRUPTED state, if it has been
- configured to support an automatic transition out of COMMUNICATIONS-
- INTERRUPTED state and into PARTNER-DOWN state (i.e., a "safe period"
- has been configured, see section 10), then a timer MUST be started
- for the length of the configured safe period.
-
- A server transitioning into the COMMUNICATIONS-INTERRUPTED state from
- the NORMAL state SHOULD raise some alarm condition to alert adminis-
- trative staff to a potential problem in the DHCP subsystem.
-
-
-9.7.2. Operation in COMMUNICATIONS-INTERRUPTED State
-
- In this state a server MUST respond to all DHCP client requests, and
- the algorithm for load balancing described in section 5.3 MUST NOT be
-
-
-
-Droms, et. al. Expires January 2001 [Page 91]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- used. When allocating new IP addresses, each server allocates from
- its own IP address pool, where the primary MUST allocate only FREE IP
- addresses, and the secondary MUST allocate only BACKUP IP addresses.
- When responding to renewal requests, each server will allow continued
- renewal of a DHCP client's current lease on an IP address irrespec-
- tive of whether that lease was given out by the receiving server or
- not, although the renewal period MUST NOT exceed the maximum client
- lead time (MCLT) beyond the latest of: 1) the potential-expiration-
- time already acknowledged by the other server, or 2) the lease-
- expiration-time, or 3) the potential-expiration-time received from
- the partner server.
-
- However, since the server cannot communicate with its partner in this
- state, the acknowledged-potential-expiration time will not be updated
- in any new bindings. This is likely to eventually cause the actual-
- client-lease-times to be the current time plus the maximum-client-
- lead-time (unless this is greater than the desired-client-lease-
- time).
-
-
-9.7.3. Transition out of COMMUNICATIONS-INTERRUPTED State
-
- If the safe period timer expires while a server is in the
- COMMUNICATIONS-INTERRUPTED state, it will transition immediately into
- PARTNER-DOWN state.
-
- If an external command is received by a server in COMMUNICATIONS-
- INTERRUPTED state informing it that its partner is down, it will
- transition immediately into PARTNER-DOWN state.
-
- If communications is restored with the other server, then the server
- in COMMUNICATIONS-INTERRUPTED state will transition into another
- state based on the state of the partner:
-
- o partner in NORMAL or COMMUNICATIONS-INTERRUPTED
-
- The partner SHOULD NOT be in NORMAL state here, since upon res-
- toration of communications it MUST have created a new TCP con-
- nection which would have forced it into COMMUNICATIONS-
- INTERRUPTED state. Still, we should account for every state
- just in case.
-
- Transition into the NORMAL state.
-
- o partner in RECOVER
-
- Stay in COMMUNICATIONS-INTERRUPTED state.
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 92]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- o partner in RECOVER-DONE
-
- Transition into NORMAL state.
-
- o partner in PARTNER-DOWN or POTENTIAL-CONFLICT
-
- Transition into POTENTIAL-CONFLICT state.
-
- o partner in PAUSED
-
- Stay in COMMUNICATIONS-INTERRUPTED state.
-
- o partner in SHUTDOWN
-
- Transition into PARTNER-DOWN state.
-
- The following figure illustrates the transition from NORMAL to
- COMMUNICATIONS-INTERRUPTED state and then back to NORMAL state again.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 93]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
- Primary Secondary
- Server Server
-
- NORMAL NORMAL
- | >--CONTACT-------------------> |
- | <--------------------CONTACT--< |
- | [TCP connection broken] |
- COMMUNICATIONS : COMMUNICATIONS
- INTERRUPTED : INTERRUPTED
- | [attempt new TCP connection] |
- | [connection succeeds] |
- | |
- | >--CONNECT-------------------> |
- | <-----------------CONNECTACK--< |
- | <-------------------STATE-----< |
- | NORMAL
- | >--STATE---------------------> |
- NORMAL |
- | >--BNDUPD--------------------> |
- | <---------------------BNDACK--< |
- | |
- | <---------------------BNDUPD--< |
- | >------BNDACK----------------> |
- ... ...
- | |
- | <--------------------POOLREQ--< |
- | >--POOLRESP-(2)--------------> |
- | |
- | >--BNDUPD-(#1)---------------> |
- | <---------------------BNDACK--< |
- | |
- | <--------------------POOLREQ--< |
- | >--POOLRESP-(0)--------------> |
- | |
- | >--BNDUPD-(#2)---------------> |
- | <---------------------BNDACK--< |
- | |
-
- Figure 9.7.3-1: Transition from NORMAL to COMMUNICATIONS-
- INTERRUPTED and back (example with 2
- addresses allocated to secondary)
-
-
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 94]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-9.8. POTENTIAL-CONFLICT state
-
- This state indicates that the two servers are attempting to re-
- integrate with each other, but at least one of them was running in a
- state that did not guarantee automatic reintegration would be
- possible. In POTENTIAL-CONFLICT state the servers may determine that
- the same IP address has been offered and accepted by two different
- DHCP clients.
-
- It is a goal of this protocol to minimize the possibility that
- POTENTIAL-CONFLICT state is ever entered.
-
-9.8.1. Upon entry to POTENTIAL-CONFLICT state
-
- When a primary server enters POTENTIAL-CONFLICT state it should
- request that the secondary send it all updates of which it is
- currently unaware by sending an UPDREQ message to the secondary
- server.
-
- A secondary server entering POTENTIAL-CONFLICT state will wait for
- the primary to send it an UPDREQ message.
-
-9.8.2.
-
- Any server in POTENTIAL-CONFLICT state MUST NOT process any incoming
- DHCP requests.
-
-
-9.8.3. Transitions out of POTENTIAL-CONFLICT state
-
- If communications fails with the partner while in POTENTIAL-CONFLICT
- state, then the server will transition to RESOLUTION-INTERRUPTED
- state.
-
- Whenever either server receives an UPDDONE message from its partner
- while in POTENTIAL-CONFLICT state, it MUST transition to NORMAL
- state. This will cause the primary server to leave POTENTIAL-
- CONFLICT state prior to the secondary, since the primary sends an
- UPDREQ message and receives an UPDDONE before the secondary sends an
- UPDREQ message and receives its UPDDONE message.
-
- When a secondary server receives an indication that the primary
- server has transitioned from POTENTIAL-CONFLICT to NORMAL state, it
- SHOULD send an UPDREQ message to the primary server.
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 95]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-
- Primary Secondary
- Server Server
-
- | |
- POTENTIAL-CONFLICT POTENTIAL-CONFLICT
- | |
- | >--UPDREQ--------------------> |
- | |
- | <---------------------BNDUPD--< |
- | >--BNDACK--------------------> |
- ... ...
- | |
- | <---------------------BNDUPD--< |
- | >--BNDACK--------------------> |
- | |
- | <--------------------UPDDONE--< |
- NORMAL |
- | >--STATE--(NORMAL)-----------> |
- | <---------------------UPDREQ--< |
- | |
- | >--BNDUPD--------------------> |
- | <---------------------BNDACK--< |
- ... ...
- | >--BNDUPD--------------------> |
- | <---------------------BNDACK--< |
- | |
- | >--UPDDONE-------------------> |
- | NORMAL
- | |
- | <--------------------POOLREQ--< |
- | >------POOLRESP-(n)----------> |
- | addresses |
-
- Figure 9.8.3-1: Transition out of POTENTIAL-CONFLICT
-
-
-9.9. RESOLUTION-INTERRUPTED state
-
- This state indicates that the two servers were attempting to re-
- integrate with each other in POTENTIAL-CONFLICT state, but
- communications failed prior to completion of re-integration.
-
- If the servers remained in POTENTIAL-CONFLICT while communications
- was interrupted, neither server would be responsive to DHCP client
- requests, and if one server had crashed, then there might be no
- server able to process DHCP requests.
-
-
-
-Droms, et. al. Expires January 2001 [Page 96]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-9.9.1. Upon entry to RESOLUTION-INTERRUPTED state
-
- When a server enters RESOLUTION-INTERRUPTED state it SHOULD raise an
- alarm condition to alert administrative staff of a problem in the
- DHCP subsystem.
-
-9.9.2. Operation in RESOLUTION-INTERRUPTED state
-
- In this state a server MUST respond to all DHCP client requests, and
- any load balancing (described in section 5.3) MUST NOT be used. When
- allocating new IP addresses, each server SHOULD allocate from its own
- IP address pool (if that can be determined), where the primary SHOULD
- allocate only FREE IP addresses, and the secondary SHOULD allocate
- only BACKUP IP addresses. When responding to renewal requests, each
- server will allow continued renewal of a DHCP client's current lease
- on an IP address irrespective of whether that lease was given out by
- the receiving server or not, although the renewal period MUST not
- exceed the maximum client lead time (MCLT) beyond the latest of: 1)
- the potential-expiration-time already acknowledged by the other
- server or 2) the lease-expiration-time or 3) `potential-expiration-
- time received from the partner server.
-
- However, since the server cannot communicate with its partner in this
- state, the acknowledged-potential-expiration time will not be updated
- in any new bindings.
-
-
-9.9.3. Transitions out of RESOLUTION-INTERRUPTED state
-
- If an external command is received by a server in RESOLUTION-
- INTERRUPTED state informing it that its partner is down, it will
- transition immediately into PARTNER-DOWN state.
-
- If communications is restored with the other server, then the server
- in RESOLUTION-INTERRUPTED state will transition into POTENTIAL-
- CONFLICT state.
-
-9.10. RECOVER-DONE state
-
- This state exists to allow an interlocked transition for one server
- from RECOVER state and another server from PARTNER-DOWN or
- COMMUNICATIONS-INTERRUPTED state into NORMAL state.
-
-9.10.1. Operation in RECOVER-DONE state
-
- A server in RECOVER-DONE state MUST respond only to
- DHCPREQUEST/RENEWAL and DHCPREQUEST/REBINDING DHCP messages.
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 97]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-9.10.2. Transitions out of RECOVER-DONE state
-
- When a server in RECOVER-DONE state determines that its partner
- server has entered NORMAL state, then it will transition into NORMAL
- state as well.
-
- If communications fails while in RECOVER-DONE state, a server will
- stay in RECOVER-DONE state.
-
-
-9.11. PAUSED state
-
- This state exists to allow one server to inform another that it will
- be out of service for what is predicted to be a relatively short
- time, and to allow the other server to transition to COMMUNICATIONS-
- INTERRUPTED state immediately and to begin servicing all DHCP clients
- with no interruption in service to new DHCP clients.
-
- A server which is aware that it is shutting down temporarily SHOULD
- send a STATE message with the server-state option containing PAUSED
- state and close the TCP connection.
-
- While a server may or may not transition internally into PAUSED
- state, the 'previous' state determined when it is restarted MUST be
- the state the server was in prior to receiving the command to shut-
- down and restart and which precedes its entry into the PAUSED state.
- See section 9.3.2 concerning the use of the previous state upon
- server restart.
-
-9.11.1. Upon entry to PAUSED state
-
- When entering PAUSED state, the server MUST store the previous state
- in stable storage, and use that state as the previous state when it
- is restarted.
-
-9.11.2. Transitions out of PAUSED state
-
- A server transitions out of PAUSED state by being restarted. At that
- time, the previous state MUST be the state the server was in prior to
- entering the PAUSED state.
-
-
-9.12. SHUTDOWN state
-
- This state exists to allow one server to inform another that it will
- be out of service for what is predicted to be a relatively long time,
- and to allow the other server to transition immediately to PARTNER-
- DOWN state, and take over completely for the server going down.
-
-
-
-Droms, et. al. Expires January 2001 [Page 98]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- A server which is aware that it is shutting down SHOULD send a STATE
- message with the server-state field containing SHUTDOWN.
-
- While a server may or may not transition internally into SHUTDOWN
- state, the 'previous' state determined when it is restarted MUST be
- the state active prior to the command to shutdown. See section 9.3.2
- concerning the use of the previous state upon server restart.
-
-9.12.1. Upon entry to SHUTDOWN state
-
- When entering SHUTDOWN state, the server MUST record the previous
- state in stable storage for use when the server is restarted. It
- also MUST record the current time as the last time operational.
-
- A server which is aware that it is shutting down SHOULD send a STATE
- message with the server-state field containing SHUTDOWN.
-
-9.12.2. Operation in SHUTDOWN state
-
- A server in SHUTDOWN state MUST NOT respond to any DHCP client input.
-
- If a server receives any message indicating that the partner has
- moved to PARTNER-DOWN state while it is in SHUTDOWN state then it
- MUST record RECOVER state as the previous state to be used when it is
- restarted.
-
- A server SHOULD wait for a few seconds after informing the partner of
- entry into SHUTDOWN state (if communications are okay) to determine
- if the partner entered PARTNER-DOWN state.
-
-
-9.12.3. Transitions out of SHUTDOWN state
-
- A server transitions out of SHUTDOWN state by being restarted.
-
-10. Safe Period
-
- Due to the restrictions imposed on each server while in
- COMMUNICATIONS-INTERRUPTED state, long-term operation in this state
- is not feasible for either server. One reason that these states
- exist at all, is to allow the servers to easily survive transient
- network communications failures of a few minutes to a few days
- (although the actual time periods will depend a great deal on the
- DHCP activity of the network in terms of arrival and departure of
- DHCP clients on the network).
-
- Eventually, when the servers are unable to communicate, they will
- have to move into a state where they no longer can re-integrate
-
-
-
-Droms, et. al. Expires January 2001 [Page 99]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- without some possibility of a duplicate IP address allocation. There
- are two ways that they can move into this state (known as PARTNER-
- DOWN).
-
- They can either be informed by external command that, indeed, the
- partner server is down. In this case, there is no difficulty in mov-
- ing into the PARTNER-DOWN state since it is an accurate reflection of
- reality and the protocol has been designed to operate correctly (even
- during reintegration) as long as, when in PARTNER-DOWN state the
- partner is, indeed, down.
-
- The more difficult scenario is when the servers are running unat-
- tended for extended periods, and in this case an option is provided
- to configure something called a "safe-period" into each server. This
- OPTIONAL safe-period is the period after which either the primary or
- secondary server will automatically transition to PARTNER-DOWN from
- COMMUNICATIONS-INTERRUPTED state. If this transition is completed
- and the partner is not down, then the possibility of duplicate IP
- address allocations will exist.
-
- The goal of the "safe-period" is to allow network operations staff
- some time to react to a server moving into COMMUNICATIONS-INTERRUPTED
- state. During the safe-period the only requirement is that the net-
- work operations staff determine if both servers are still running --
- and if they are, to either fix the network communications failure
- between them, or to take one of the servers down before the expira-
- tion of the safe-period.
-
- The length of the safe-period is installation dependent, and depends
- in large part on the number of unallocated IP addresses within the
- subnet address pool and the expected frequency of arrival of previ-
- ously unknown DHCP clients requiring IP addresses. Many environments
- should be able to support safe-periods of several days.
-
- During this safe period, either server will allow renewals from any
- existing client. The only limitation concerns the need for IP
- addresses for the DHCP server to hand out to new DHCP clients and the
- need to re-allocate IP addresses to different DHCP clients.
-
- The number of "extra" IP addresses required is equal to the expected
- total number of new DHCP clients encountered during the safe period.
- This is dependent only on the arrival rate of new DHCP clients, not
- the total number of outstanding leases on IP addresses.
-
- In the unlikely event that a relatively short safe period of an hour
- is all that can be used (given a dearth of IP addresses or a very
- high arrival rate of new DHCP clients), even that can provide sub-
- stantial benefits in allowing the DHCP subsystem to ride through
-
-
-
-Droms, et. al. Expires January 2001 [Page 100]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- minor problems that could occur and be fixed within that hour. In
- these cases, no possibility of duplicate IP address allocation
- exists, and re-integration after the failure is solved will be
- automatic and require no operator intervention.
-
-11. Security
-
- The Failover protocol communicates DHCP lease activity and this data
- is generally easily discovered via other means, such as by pinging
- addresses and doing DNS lookups. Therefore, the need to encrypt the
- data over the wire is likely not great (though some sites may feel
- differently).
-
- However, it is very desirable to assure the integrity of failover
- partners and to thus ensure proper operation of the servers. For
- example, denial of service attacks are possible by the communication
- of invalid state information to one or both servers.
-
- Therefore, the Failover protocol MUST be capable of being secured by
- using a simple shared secret message digest which covers each mes-
- sage. This provides authentication of the servers, but does not pro-
- vide encryption of the data exchange.
-
- The Failover protocol MAY also be secured by using TLS [RFC 2246]
- (Transport Layer Security) if encryption of the data exchange is
- desired. The use of the shared secret or TLS will not protect
- against TCP or IP layer attacks (such as someone sending fake TCP RST
- segments). IPsec SHOULD be used to protect against most (if not all)
- of these kinds of attacks.
-
-11.1. Simple shared secret
-
- Messages between the failover partners are authenticated through the
- use of a shared secret, which is never sent over the network and must
- be known by each server. How each server is told about this shared
- secret and secures its storage of the shared secret is outside the
- scope of this document. If a server is configured with a shared
- secret for a partner, it MUST send the message-digest option in ALL
- messages to that partner and it MUST treat any messages received from
- that partner without a message-digest option as failing authentica-
- tion.
-
- If a server is not configured with a shared secret for a partner, it
- MUST NOT send the message-digest option in any message to that
- partner and it MUST treat any messages received from that partner
- with a message-digest option as failing authentication.
-
- The shared secret is used to calculate a 16 octet message-digest
-
-
-
-Droms, et. al. Expires January 2001 [Page 101]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- which is sent in every failover message as the message-digest option.
- See section 12.16. The message-digest contains a one-way 16 octet MD5
- [RFC 1321] hash calculated over a stream of octets consisting of the
- entire message concatenated with the shared secret.
-
- For calculation, the message includes the message-digest option with
- the message-digest data zeroed (16-octets of zero). Once the calcula-
- tion is complete, these 16 octets of zero are replaced by the 16-
- octet MD5 hash and the message is sent.
-
- For verification, the 16-octet message-digest is saved and replaced
- with 16-octets of zero and calculated per above. The resulting MD5
- hash is compared to the received hash and if they match, the message
- is assumed authenticated.
-
- A failover partner that fails to authenticate a received message or
- receives a message without a message-digest option when configured
- with a shared secret MUST close the connection immediately and take
- steps to notify operators.
-
- This use of the shared secret is very similar to that used for RADIUS
- Accounting [RFC 2139].
-
-11.2. TLS
-
- TLS, Transport Layer Security, as specified in [RFC 2246] MAY be
- used. The use of TLS would be similar to the way it is used with
- SMTP [RFC 2487] and IMAP/POP3/ACAP [RFC 2595].
-
- To request the use of TLS, the server that successfully opened a con-
- nection to its peer MUST send the TLS option as part of the CONNECT
- message. The server receiving the TLS option MUST respond with a
- TLS-reply option indicating its acceptance or rejection of the TLS-
- request in the CONNECT message.
-
- If the CONNECTACK message contained a TLS-reply of 1 , then both
- servers begin TLS negotiation.
-
- Upon completion of this negotiation, the server which originally sent
- the CONNECT message MUST resend its CONNECT message without any TLS-
- request, and must wait for a corresponding CONNECTACK.
-
- Implementation of the TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA [RFC 2246]
- cipher suite is REQUIRED in Failover servers supporting TLS. This is
- important as it assures that any two compliant implementations can be
- configured to interoperate.
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 102]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-12. Failover Options
-
- This section lists all of the options that are currently defined to
- be used with the failover protocol. See section 6.2 for details con-
- cerning time values.
-
-
-12.1. addresses-transferred
-
- A 32 bit unsigned long in network byte order. Reports the number of
- addresses transferred by the primary to the secondary server
- (addresses to be used for the secondary server's private address
- pool).
-
- Code Len Number of Addresses
- +-----+-----+-----+-----+----+-----+-----+-----+
- | 0 | 1 | 0 | 4 | n1 | n2 | n3 | n4 |
- +-----+-----+-----+-----+----+-----+-----+-----+
-
-
-12.2. assigned-IP-address
-
- The DHCP managed IP address to which this message refers.
-
- Code Len Address
- +-----+-----+-----+-----+----+-----+-----+-----+
- | 0 | 2 | 0 | 4 | a1 | a2 | a3 | a4 |
- +-----+-----+-----+-----+----+-----+-----+-----+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 103]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-12.3. binding-status
-
- This option is used to convey the current state of a binding.
-
- Code Len Type
- +-----+-----+-----+-----+-----+
- | 0 | 3 | 0 | 1 | 1-7 |
- +-----+-----+-----+-----+-----+
-
- Legal values for this option are:
-
- Value Binding Status
- ----- ------------------------------------------------
- 1 FREE Lease is currently available
- 2 ACTIVE Lease is assigned to a client
- 3 EXPIRED Lease has expired
- 4 RELEASED Lease has been released by client
- 5 ABANDONED A server, or client flagged address as unusable
- 6 RESET Lease was freed by some external agent
- 7 BACKUP Lease belongs to secondary's private address pool
- 8 BACKUP-RESERVED Lease belongs to secondary's private address pool
- as well as primary's since it is reserved on primary.
-
-
-12.4. client-identifier
-
- This is the client-identifier for the client associated with a
- binding. The client-identifier data is subject to the same
- conventions as DHCP option 81 [RFC 2132].
-
- Code Len Client Identifier
- +-----+-----+-----+-----+----+-----+---
- | 0 | 4 | 0 | n | i1 | i2 | ...
- +-----+-----+-----+-----+----+-----+--
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 104]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-12.5. client-hardware-address
-
- This is the hardware address for the client associated with a
- binding. Byte t1 (type) MUST be set to the proper ARP hardware
- address code, as defined in the ARP section of RFC 1700 (it MUST NOT
- be zero!)
-
- Code Len htype chaddr
- +-----+-----+-----+-----+----+-----+-----+---
- | 0 | 5 | 0 | n | t1 | c1 | c2 | ...
- +-----+-----+-----+-----+----+-----+-----+---
-
-
-12.6. client-last-transaction-time
-
- The time at which this server last received a DHCP request from a
- particular client expressed as an absolute time (see section 6.2).
-
-
- Code Len client last transaction time
- +-----+-----+-----+-----+----+-----+-----+-----+
- | 0 | 6 | 0 | 4 | t1 | t2 | t3 | t4 |
- +-----+-----+-----+-----+----+-----+-----+-----+
-
-
-12.7. client-reply-options
-
- This option contains options from a DHCP server's reply to a DHCP
- client request. It is sent in a BNDUPD message. The first 4 bytes
- of the option contain the "magic number" of the option area from
- which the DHCP reply options were taken and serves to define the
- format of the rest of the sub-options contained in this option.
- After the magic number, the options included are in the normal
- options format appropriate for that magic number.
-
- A server SHOULD NOT include all of the options in a DHCP server's
- reply to a client's request in this option, but rather a server
- SHOULD include only those options which are of likely interest to its
- partner server. See section 7.1 for details.
-
- Code Len Magic Number Embedded options
- +-----+-----+-----+-----+----+----+----+----+----+----+--
- | 0 | 7 | 0 | n | m1 | m2 | m3 | m4 | b1 | b2 | ...
- +-----+-----+-----+-----+----+----+----+----+----+----+--
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 105]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-12.8. client-request-options
-
- This option contains options from a DHCP client's request. It is
- sent in a BNDUPD message. The first 4 bytes of the option contain
- the "magic number" of the option area from which the DHCP client's
- request options were taken and serves to define the format of the
- rest of the sub-options contained in this option. After the magic
- number, the options included are in the normal options format
- appropriate for that magic number.
-
- A server SHOULD NOT include all of the options in a DHCP client
- request in this option, but rather a server SHOULD include only those
- options which are of likely interest to its partner server. See
- section 7.1 for details.
-
- Code Len Magic Number Embedded options
- +-----+-----+-----+-----+----+----+----+----+----+----+--
- | 0 | 8 | 0 | n | m1 | m2 | m3 | m4 | b1 | b2 | ...
- +-----+-----+-----+-----+----+----+----+----+----+----+--
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 106]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-12.9. DDNS
-
- If an implementation supports Dynamic DNS updates, this option is
- used to communicate the status of the DDNS update associated with a
- particular lease binding. The Flags field conveys the types of DNS
- RRs that are to be updated by the DHCP server, and the status of the
- DDNS update. The Domain Name field conveys the DNS FQDN that the
- DHCP server is using to refer to the client, in DNS encoding as
- specified in [RFC 1035].
-
- Code Len Flags Domain Name
- +-----+-----+-----+-----+-----+------+------+-----+------
- | 0 | 9 | 0 | n | flags | d1 | d2 | ...
- +-----+-----+-----+-----+-----+------+------+-----+------
-
- The Flags field is a 16-bit field; several bit positions are
- specified here.
-
- 1 1 1 1 1 1
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- |C|A|D|P| MBZ |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
- The bits (numbered from the least-significant bit in network
- byte-order) are used as follows:
-
- 0 (C): A RR update successfully completed
- 1 (A): Server is controlling A RR on behalf of the client
- 2 (D): PTR RR update successfully completed (Done)
- 3 (P): Server is controlling PTR RR on behalf of the client
- 4-15 : Must be zero
-
- All of the unspecified bit positions SHOULD be set to 0 by servers
- sending the Failover-DDNS option, and they MUST be ignored by servers
- receiving the option.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 107]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-12.10. delayed-service-parameter
-
- The delayed-service-parameter is an optional load balancing tuning
- parameter, defined in [LOADB]. If it is used, it MUST be sent in the
- same message as the hash-bucket-assignment option (see section
- 12.11). Format :
-
-
- Code Len Seconds
- +-----+-----+-----+-----+----+
- | 0 | 10 | 0 | 1 | S |
- +-----+-----+-----+-----+----+
-
- S is a one byte value, 1..255.
-
-
-12.11. hash-bucket-assignment
-
- A set of load balancing hash values for the secondary server. See
- section 5.3 for more information on how this option is used.
-
- The format and usage of the data in this option is defined in
- [LOADB].
-
- Code Len Hash Buckets
- +-----+-----+-----+-----+-----+-----+-----+-----+
- | 0 | 11 | 0 | 32 | b1 | b2 | ... | b32 |
- +-----+-----+-----+-----+-----+-----+-----+-----+
-
-
-12.12. lease-expiration-time
-
- The lease expiration time is the lease interval that a DHCP server
- has ACKed to a DHCP client added to the time at which that ACK was
- transmitted -- expressed as an absolute time (see section 6.2).
-
-
- Code Len Time
- +-----+-----+-----+-----+----+-----+-----+-----+
- | 0 | 12 | 0 | 4 | t1 | t2 | t3 | t4 |
- +-----+-----+-----+-----+----+-----+-----+-----+
-
-
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 108]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-12.13. max-unacked-bndupd
-
- The maximum number of BNDUPD message that this server is prepared to
- accept over the TCP connection without causing the TCP connection to
- block. A 32 bit unsigned integer value, in network byte order.
-
-
- Code Len Maximum Unacked BNDUPD
- +-----+-----+-----+-----+----+-----+-----+-----+
- | 0 | 13 | 0 | 4 | n1 | n2 | n3 | n4 |
- +-----+-----+-----+-----+----+-----+-----+-----+
-
-
-12.14. MCLT
-
- Maximum Client Lead Time, an interval, in seconds. A 32 bit unsigned
- integer value, in network byte order.
-
- Code Len Time
- +-----+-----+-----+-----+----+-----+-----+-----+
- | 0 | 14 | 0 | 4 | t1 | t2 | t3 | t4 |
- +-----+-----+-----+-----+----+-----+-----+-----+
-
-
-12.15. message
-
- This option is used to supply a human readable message text. It may
- be used in association with the Reject Reason Code to provide a human
- readable error message for the reject.
-
-
- Code Len Text
- +-----+-----+-----+-----+------+-----+--
- | 0 | 15 | 0 | n | c1 | c2 | ...
- +-----+-----+-----+-----+------+-----+--
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 109]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-12.16. message-digest
-
- The message digest for this message.
-
- This option consists of a variable number of bytes which contain the
- message digest of the message prior to the inclusion of this option.
-
- When this option appears in a message, it MUST appear as the last
- option in the message. It MUST appear in every message if message
- digests are required.
-
- Code Len Message Digest
- +-----+-----+-----+-----+----+-----+-----
- | 0 | 16 | 0 | n | d1 | d2 | ...
- +-----+-----+-----+-----+----+-----+-----
-
-
-12.17. potential-expiration-time
-
- The potential expiration time is the time that one server tells
- another server that it may wish to grant in a lease to a DHCP client.
- It is an absolute time. See section 6.2.
-
-
- Code Len Time
- +-----+-----+-----+-----+----+-----+-----+-----+
- | 0 | 17 | 0 | 4 | t1 | t2 | t3 | t4 |
- +-----+-----+-----+-----+----+-----+-----+-----+
-
-
-12.18. receive-timer
-
- The number of seconds (an interval) within which the server must
- receive a message from its partner, or it will assume that
- communications with the partner is not ok. An unsigned 32 bit
- integer in network byte order.
-
- Code Len Receive Timer
- +-----+-----+-----+-----+----+-----+-----+-----+
- | 0 | 18 | 0 | 4 | s1 | s2 | s3 | s4 |
- +-----+-----+-----+-----+----+-----+-----+-----+
-
-
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 110]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-12.19. protocol-version
-
- The protocol version being used by the server. It is only sent in the
- CONNECT and CONNECTACK messages. The current value for the version
- is 1.
-
- Code Len Version
- +-----+-----+-----+-----+-----+
- | 0 | 19 | 0 | 1 | 1 |
- +-----+-----+-----+-----+-----+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 111]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-12.20. reject-reason
-
- This option is used to selectively reject binding updates. It MAY be
- used in a BNDACK message or a CONNECTACK message, always associated
- with an assigned-IP-address option, which contains the IP address of
- the update being rejected.
-
- Code Len Reason Code
- +-----+-----+-----+-----+-----+
- | 0 | 20 | 0 | 1 | R1 |
- +-----+-----+-----+-----+-----+
-
- Reason codes :
-
- 0 Reserved
- 1 Illegal IP address (not part of any address pool).
- 2 Fatal conflict exists: address in use by other client.
- 3 Missing binding information.
- 4 Connection rejected, time mismatch too great.
- 5 Connection rejected, invalid MCLT.
- 6 Connection rejected, unknown reason.
- 7 Connection rejected, duplicate connection.
- 8 Connection rejected, invalid failover partner.
- 9 TLS not supported.
- 10 TLS supported but not configured.
- 11 TLS required but not supported by partner.
- 12 Message digest not supported.
- 13 Message digest not configured.
- 14 Protocol version mismatch.
- 15 Outdated binding information.
- 16 Less critical binding information.
- 17 No traffic within sufficient time.
- 18 Hash bucket assignment conflict.
- 19-253, reserved.
- 254 Unknown: Error occurred but does not match any reason code.
- 255 Reserved for code expansion.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 112]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-12.21. sending-server-IP-address
-
- The IP address of the server sending this message. This option is
- required for all messages if the message digest option used.
-
- Code Len Address
- +-----+-----+-----+-----+----+-----+-----+-----+
- | 0 | 21 | 0 | 4 | a1 | a2 | a3 | a4 |
- +-----+-----+-----+-----+----+-----+-----+-----+
-
-
-12.22. server-flags
-
- This option is used to convey the current flags of the failover
- endpoint in the sending server.
-
- Code Len Server Flags
- +-----+-----+-----+-----+-------+
- | 0 | 22 | 0 | 1 | flags |
- +-----+-----+-----+-----+-------+
-
- The flags field is an 8-bit field; one bit position is
- specified here.
-
-
- 0 1 2 3 4 5 6 7
- +-+-+-+-+-+-+-+-+
- |S| MBZ |
- +-+-+-+-+-+-+-+-+
-
- The bits (numbered from the least-significant bit in network
- byte-order) are used as follows:
-
- 0 (S): STARTUP,
- Bit 0 MUST be set to 1 whenever the server is in STARTUP state,
- and set to 0 otherwise. (Note that when in STARTUP state, the
- state transmitted in the server-state option is usually the last
- recorded state from stable storage, but see section 9.3 for
- details.)
- 1-7 : Must be zero
-
-
-
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 113]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-12.23. server-state
-
- This option is used to convey the current state of the failover
- endpoint in the sending server.
-
- Code Len Server State
- +-----+-----+-----+-----+-----+
- | 0 | 23 | 0 | 1 | 1-9 |
- +-----+-----+-----+-----+-----+
-
- Legal values for this option are:
-
- Value Server State
- ----- -------------------------------------------------------------
- 0 reserved
- 1 STARTUP Startup state (1)
- 2 NORMAL Normal state
- 3 COMMUNICATIONS-INTERRUPTED Communication interrupted (safe)
- 4 PARTNER-DOWN Partner down (unsafe mode)
- 5 POTENTIAL-CONFLICT Synchronizing
- 6 RECOVER Recovering bindings from partner
- 7 PAUSED Shutting down for a short period.
- 8 SHUTDOWN Shutting down for an extended
- period.
- 9 RECOVER-DONE Interlock state prior to NORMAL
- 10 RESOLUTION-INTERRUPTED Comm. failed during resolution
-
- (1) The STARTUP state is never sent to the partner server, it is
- indicated by the STARTUP bit in the server-flags options (see section
- 12.22).
-
-
-12.24. start-time-of-state
-
- This option is used for different states in different messages. In a
- BNDUPD message it represents the start time of the state of the lease
- in the BNDUPD message. In a STATE message, it represents the start
- time of the partner server's failover state. In all cases it is an
- absolute time.
-
-
- Code Len Start Time of State
- +-----+-----+-----+-----+----+-----+-----+-----+
- | 0 | 24 | 0 | 4 | t1 | t2 | t3 | t4 |
- +-----+-----+-----+-----+----+-----+-----+-----+
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 114]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-12.25. TLS-reply
-
- This option contains information relating to TLS security
- negotiation. It is sent in a CONNECTACK message
-
- A t1 value of 0 indicates no TLS operation, a value of 1 indicates
- that TLS operation is required.
-
- Code Len TLS
- +-----+-----+-----+-----+-----+
- | 0 | 25 | 0 | 1 | t1 |
- +-----+-----+-----+-----+-----+
-
-
-12.26. TLS-request
-
- This option contains information relating to TLS security
- negotiation. It is sent in a CONNECT message.
-
- The t1 byte is the TLS request from this server. A value of 0
- indicates no TLS operation (to communicate the other server MUST NOT
- require TLS), a value of 1 indicates that TLS operation is desired
- but not required (to communicate, the other server MAY utilize TLS),
- and a value of 2 indicates that TLS operation is required (to
- communicate the other server MUST utilize TLS) to establish
- communications with this server.
-
- Code Len TLS
- +-----+-----+-----+-----+-----+
- | 0 | 26 | 0 | 1 | t1 |
- +-----+-----+-----+-----+-----+
-
-
-12.27. vendor-class-identifier
-
- A string which identifies the vendor of the failover protocol
- implementation.
-
- Code Len vendor class string
- +-----+-----+-----+-----+----+-----+---
- | 0 | 27 | 0 | n | c1 | c2 | ...
- +-----+-----+-----+-----+----+-----+---
-
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 115]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-
-12.28. vendor-specific-options
-
- This option is used to convey options specific to a particular
- vendor's implementation. The vendor class identifier is used to
- specify which option space the embedded options are drawn from.
-
- It functions similarly to the vendor class identifier and vendor
- specific options in the DHCP protocol.
-
- This option contains other options in the same two byte code, two
- byte length format. If this option appears in a message without a
- corresponding vendor class identifier, it MUST be ignored.
-
- Code Len Embedded options
- +-----+-----+-----+-----+----+-----+---
- | 0 | 28 | 0 | n | c1 | c2 | ...
- +-----+-----+-----+-----+----+-----+---
-
-
-
-
-13. IANA Considerations
-
- This document defines several number spaces (failover options, fail-
- over message types, and failover reject reason codes). For all of
- these number spaces, certain values are defined in this specifica-
- tion. New values may only be defined by IETF Consensus, as described
- in [RFC 2434]. Basically, this means that they are defined by RFCs
- approved by the IESG.
-
-
-14. Acknowledgments
-
- Ralph Droms started it all, by sketching out an initial interserver
- draft that embodied ideas from several past IETF meetings. In that
- draft, he acknowledged contributions by Jeff Mogul, Greg Minshall,
- Rob Stevens, Walt Wimer, Ted Lemon, and the DHC working group.
-
- Kim Kinnear and Bob Cole each extended that draft, separately and
- then together, until they created an interserver draft that supported
- any number of servers. The complexity of that approach was just too
- great, and that draft wasn't greeted with enthusiasm by many, includ-
- ing its authors.
-
- It did however lead to a much simpler approach embodied in the first
- Failover draft by Greg Rabil, Mike Dooley, Arun Kapur and Ralph
- Droms. This draft posited only two servers -- a primary and a
-
-
-
-Droms, et. al. Expires January 2001 [Page 116]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- secondary.
-
- Kim Kinnear then wrote the Safe Failover draft to layer on top of the
- Failover Draft and increase its robustness in the face of certain
- rare network failures.
-
- At the spring 1998 IETF meeting in LA, the DHC working group said
- that they wanted a merged Failover and Safe Failover draft. Steve
- Gonczi and Bernie Volz stepped up and produced the raw material for
- such a merged draft, along with a new message format designed around
- DHCP options and other extensions and clarifications. Kim Kinnear
- edited their work into draft format and made other changes in time
- for the Summer Chicago IETF meeting.
-
- During the summer and fall of 1998, two groups worked on separate
- implementations of the UDP failover draft. Bernie Volz and Steve
- Gonczi constituted one group, and Kim Kinnear, Mark Stapp and Paul
- Fox made up the other. These two groups worked together to produce
- considerable changes and simplifications of the protocol during that
- period, and Steve Gonczi and Kim Kinnear edited those changes into
- -03 draft in time for submission to the December 1998 Orlando IETF
- meeting.
-
- In February of 1999 Kim Kinnear and Mark Stapp hosted a meeting on
- people interested in the failover draft. During that meeting a gen-
- eral agreement was reached to recast the failover protocol to use TCP
- instead of UDP. In addition, the group together brainstormed a work-
- able load-balancing technique. Kim Kinnear rewrote the entire draft
- to include the changes made at that meeting as well as to restructure
- the draft along guidelines suggested by Thomas Narten. The result
- was the -04 draft, submitted prior to the Oslo IETF meeting.
-
- The initial idea for a hash-based load balancing approach was offered
- by Ted Lemon, and the determination of an algorithm and its integra-
- tion into the draft was done by Steve Gonczi. The security section
- was spearheaded by Bernie Volz. Both contributed considerably to the
- ideas and text in the rest of the draft with several reviews.
-
- In early October of 1999, three conference calls were held to discuss
- the -04 draft. The -05 includes changes as a result of those calls,
- perhaps the largest of which was to remove the load balancing
- approach into a separate draft. Thanks to all of the many people
- who participated in the conference calls. Changes were made because
- of contributions by: Ted Lemon, David Erdmann, Richard Jones, Rob
- Stevens, Thomas Narten, Diana Lane, and Andre Kostur.
-
- Another conference call was held in mid-January of 2000, and the -06
- draft was produced to tighten up the the -05 draft both technically
-
-
-
-Droms, et. al. Expires January 2001 [Page 117]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- as well as editorially.
-
- This, the -07 draft was edited by Kim Kinnear and was based in part
- on reviews by Richard Jones, Bernie Volz, and Steve Gonczi. It embo-
- dies several technical updates as well as numerous editorial revi-
- sions that enhance both correctness as well as clarity.
-
- These most recent changes have not been widely circulated among the
- other authors prior to submission to the IETF.
-
- Many people have reviewed the various earlier drafts that went into
- this result. At American Internet, ideas were contributed by Brad
- Parker. At Cisco Systems Paul Fox and Ellen Garvey contributed to
- the design of the protocol.
-
- Glenn Waters of Nortel Networks contributed ideas and enthusiasm to
- make a Failover protocol that was both "safe" and "lazy".
-
-
-15. References
-
-
- [AGENTINFO] Patrick, M., "draft-ietf-dhc-agent-options-11.txt", July,
- 2000.
-
- [DDNS] Rekhter, Y., Stapp, M., "draft-ietf-dhc-dhcp-dns-12.txt",
- March, 2000.
-
- [LOADB] Volz, B., Gonczi, S., Lemon, T., Stevens, R., "draft-ietf-
- dhc-loadb-02.txt", July, 1999.
-
- [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", November, 1987.
-
- [RFC 1321] Rivest, R., and Dusse, S., "The MD5 Message-Digest Algo-
- rithm", RFC 1321, MIT Laboratory for Computer Science, RSA Data
- Security Inc., April 1992.
-
- [RFC 1534] Droms, R., "Interoperation between DHCP and BOOTP", RFC
- 1534, October 1993.
-
- [RFC 2119] Bradner, S. "Key words for use in RFCs to Indicate
- Requirement Levels", RFC 2119.
-
- [RFC 2131] Droms, R., "Dynamic Host Configuration Protocol", RFC
- 2131, March 1997.
-
- [RFC 2132] Alexander, S., Droms, R., "DHCP Options and BOOTP Vendor
-
-
-
-Droms, et. al. Expires January 2001 [Page 118]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- Extensions", Internet RFC 2132, March 1997.
-
- [RFC 2136] P. Vixie, S. Thomson, Y. Rekhter, J. Bound, "Dynamic
- Updates in the Domain Name System (DNS UPDATE)", RFC 2136, April
- 1997
-
- [RFC 2139] Rigney, C., "Radius Accounting", RFC 2139, Livingston
- Enterprises, April 1997.
-
- [RFC 2246] Dierks, T., "The TLS Protocol, Version 1.0", RFC 2246,
- January 1999.
-
- [RFC 2434] Alvestrand, H. and T. Narten, "Guidelines for Writing an
- IANA Considerations Section in RFCs", BCP 26, RFC 2434, October
- 1998.
-
- [RFC 2487] Hoffman, P., "SMTP Service Extension for Secure SMTP over
- TLS", RFC 2487, January 1999.
-
- [RFC 2595] Newman, C., "Using TLS with IMAP, POP3, and ACAP", RFC
- 2595, June 1999.
-
- [USERCLASS] Droms, R., Demirtjis A., Stump, G., Gu, Y., Vyaghrapuri,
- R., Beser, B., Privat, J. "draft-ietf-dhc-userclass-08.txt", July,
- 2000.
-
-16. Author's information
-
- Ralph Droms
- 323 Dana Engineering
- Bucknell University
- Lewisburg, PA 17837
-
- Phone: (717) 524-1145
- EMail: droms@bucknell.edu
-
-
- Kim Kinnear
- Mark Stapp
- Cisco Systems
- 250 Apollo Drive
- Chelmsford, MA 01824
-
- Phone: (978) 244-8000
-
- EMail: kkinnear@cisco.com
- mjs@cisco.com
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 119]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
- Bernie Volz
- IPWorks, Inc.
- 959 Concord St.
- Framingham, MA 01701
-
- Phone: (508) 879-1809
-
- EMail: volz@ipworks.com
-
-
- Steve Gonczi
- Network Engines, Inc.
- 25 Dan Road
- Canton, MA 02021-2817
-
- Phone: (781) 332-1165
-
- Email: steve.gonczi@networkengines.com
-
-
-
- Greg Rabil, Mike Dooley, Arun Kapur
- Lucent Technologies
- 400 Lapp Road
- Malvern, PA 19355
-
- Phone: (800) 208-2747
-
- EMail: grabil@lucent.com
- mdooley@lucent.com
- akapur@lucent.com
-
-
-17. Full Copyright Statement
-
-Copyright (C) The Internet Society (1999). All Rights Reserved.
-
-This document and translations of it may be copied and furnished to oth-
-ers, and derivative works that comment on or otherwise explain it or
-assist in its implementation may be prepared, copied, published and dis-
-tributed, in whole or in part, without restriction of any kind, provided
-that the above copyright notice and this paragraph are included on all
-such copies and derivative works. However, this document itself may not
-be modified in any way, such as by removing the copyright notice or
-references to the Internet Society or other Internet organizations,
-except as needed for the purpose of developing Internet standards in
-which case the procedures for copyrights defined in the Internet Stan-
-dards process must be followed, or as required to translate it into
-
-
-
-Droms, et. al. Expires January 2001 [Page 120]
-
-Internet Draft DHCP Failover Protocol July 2000
-
-
-languages other than English.
-
-The limited permissions granted above are perpetual and will not be
-revoked by the Internet Society or its successors or assigns.
-
-This document and the information contained herein is provided on an "AS
-IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK
-FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT
-LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT
-INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FIT-
-NESS FOR A PARTICULAR PURPOSE.
-
-Open Issues
-
- These issues need to be resolved:
-
-
- 1. Get another port number for connections.
-
- 2. Resolve how to handle secondary IP address allocation.
-
- 3. Figure out a better way to identify vendors. How about an
- SNMP Enterprise MIB value?
-
- 4. Need to tie reject-reasons to text of draft, remove obsolete
- reject-reasons.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Droms, et. al. Expires January 2001 [Page 121]
-
View Lorry Controller Status