Package: kea-dhcp4-server Version: 2.2.0-6 Hi, this version (and from what I believe all versions) of kea-dhcp4-server (and probably kea-dhcp6-server) handles vlan tagged traffic in a quite unintuitive way. When the server is set up in raw socket mode it will accept all broadcasted DHCP requests regardless of VLAN tagging. It will then send a response untagged, again regardless of initial VLAN tag. See below for a packet trace where this happens.
This has been reported to the ISC team quite some time ago here: https://gitlab.isc.org/isc-projects/kea/-/issues/1117. A patch has been provided to the ISC team which they have not applied (I can't say why): https://github.com/isc-projects/kea/pull/119. The file that is patched has been more or less unchanged since the patch was created and should still apply (it did for me on 2.2.0-6). This behavior was not present in isc-dhcp-server as they filtered out VLAN tagged broadcasts from what I can tell, so the behavior is changed between the two DHCP server services. As I see it there are two things that shouldn't happen here: 1. A DHCP server not explicitly configured to listen to VLAN traffic should not respond to that traffic. 2. If a DHCP server answers DHCP broadcasts on a VLAN tagged network it should respond on the same VLAN network. My suggestion would be to include the patch (https://github.com/isc-projects/kea/pull/119) to filter out any tagged traffic, as this is inline with how dhcpd from isc-dhcp-server worked. Packet trace of a DHCP broadcast offer/request comming in on VLAN 20 and being returned untagged. $ tcpdump -evnni eth0 port bootps or port bootpc tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes 11:09:56.861903 98:90:96:c1:ff:a0 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 20, p 0, ethertype IPv4 (0x0800), (tos 0x0, ttl 64, id 60207, offset 0, flags [none], proto UDP (17), length 328) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 98:90:96:c1:ff:a0, length 300, xid 0xf7a80c8d, Flags [none] Client-Ethernet-Address 98:90:96:c1:ff:a0 Vendor-rfc1048 Extensions Magic Cookie 0x63825363 DHCP-Message (53), length 1: Discover Parameter-Request (55), length 14: Subnet-Mask (1), Classless-Static-Route (121), Default-Gateway (3), Domain-Name-Server (6) Hostname (12), Domain-Name (15), MTU (26), BR (28) Static-Route (33), Lease-Time (51), Server-ID (54), RN (58) RB (59), Unknown (119) MSZ (57), length 2: 1472 Client-ID (61), length 19: hardware-type 255, 96:c1:ff:a0:00:01:00:01:2d:14:50:63:98:90:96:c1:ff:a0 SLP-NA (80), length 0"" Unknown (145), length 1: 1 11:09:56.862416 e2:82:0f:6b:8e:b9 > 98:90:96:c1:ff:a0, ethertype IPv4 (0x0800), length 341: (tos 0x10, ttl 128, id 0, offset 0, flags [DF], proto UDP (17), length 327) 10.101.64.1.67 > 10.101.64.100.68: BOOTP/DHCP, Reply, length 299, xid 0xf7a80c8d, Flags [none] Your-IP 10.101.64.100 Client-Ethernet-Address 98:90:96:c1:ff:a0 Vendor-rfc1048 Extensions Magic Cookie 0x63825363 DHCP-Message (53), length 1: Offer Subnet-Mask (1), length 4: 255.255.255.0 Default-Gateway (3), length 4: 10.101.64.1 Domain-Name-Server (6), length 4: 10.101.64.1 MTU (26), length 2: 1350 Lease-Time (51), length 4: 600 Server-ID (54), length 4: 10.101.64.1 Client-ID (61), length 19: hardware-type 255, 96:c1:ff:a0:00:01:00:01:2d:14:50:63:98:90:96:c1:ff:a0 11:09:56.862829 98:90:96:c1:ff:a0 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 20, p 0, ethertype IPv4 (0x0800), (tos 0x0, ttl 64, id 45786, offset 0, flags [none], proto UDP (17), length 328) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 98:90:96:c1:ff:a0, length 300, xid 0xf7a80c8d, Flags [none] Client-Ethernet-Address 98:90:96:c1:ff:a0 Vendor-rfc1048 Extensions Magic Cookie 0x63825363 Requested-IP (50), length 4: 10.101.64.100 DHCP-Message (53), length 1: Request Server-ID (54), length 4: 10.101.64.1 Parameter-Request (55), length 14: Subnet-Mask (1), Classless-Static-Route (121), Default-Gateway (3), Domain-Name-Server (6) Hostname (12), Domain-Name (15), MTU (26), BR (28) Static-Route (33), Lease-Time (51), Server-ID (54), RN (58) RB (59), Unknown (119) MSZ (57), length 2: 1472 Client-ID (61), length 19: hardware-type 255, 96:c1:ff:a0:00:01:00:01:2d:14:50:63:98:90:96:c1:ff:a0 Unknown (145), length 1: 1 11:09:56.864127 e2:82:0f:6b:8e:b9 > 98:90:96:c1:ff:a0, ethertype IPv4 (0x0800), length 341: (tos 0x10, ttl 128, id 0, offset 0, flags [DF], proto UDP (17), length 327) 10.101.64.1.67 > 10.101.64.100.68: BOOTP/DHCP, Reply, length 299, xid 0xf7a80c8d, Flags [none] Your-IP 10.101.64.100 Client-Ethernet-Address 98:90:96:c1:ff:a0 Vendor-rfc1048 Extensions Magic Cookie 0x63825363 DHCP-Message (53), length 1: ACK Subnet-Mask (1), length 4: 255.255.255.0 Default-Gateway (3), length 4: 10.101.64.1 Domain-Name-Server (6), length 4: 10.101.64.1 MTU (26), length 2: 1350 Lease-Time (51), length 4: 600 Server-ID (54), length 4: 10.101.64.1 Client-ID (61), length 19: hardware-type 255, 96:c1:ff:a0:00:01:00:01:2d:14:50:63:98:90:96:c1:ff:a0 Below is requested system info, I do not believe it is relevant to this issue but will provide it, let me know if you want anything else. Note this is a Debian based OS, so for instance the Kernel is a different version, but everything else is basicaly taken from Bookworm. uname -a: Linux imp 6.1.24-4-imp #1 SMP Sat Jan 13 01:56:24 UTC 2024 x86_64 GNU/Linux dpkg -l libc6 libstdc++6 Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-================-==============-============-================================= ii libc6:amd64 2.36-9+deb12u3 amd64 GNU C Library: Shared libraries ii libstdc++6:amd64 12.2.0-14 amd64 GNU Standard C++ Library v3 Regards Kristofer EQUANS Mail Disclaimer: https://www.equans.com/disclaimer/disclaimer-mail/en