Infoblox’s global team of threat hunters uncovers a DNS operation with the ability to bypass traditional security measures and control the Great Firewall of China. Read about “Muddling Meerkat” and the many other threat actors discovered by Infoblox Threat Intel here.

NIOS DNS DHCP IPAM

Reply

Can I convince Infoblox DHCP server to violate the RFC? (vendor option 43 with encapsulated option 0
alestrix
New Member
Posts: 1

‎11-30-2022 02:27 AM

2152     0

In the Juniper documentation for zero touch provisioning of their switches and on various sites on the web you can find a dhcpd.conf configuration like this to bootstrap Juniper switches:

option space ztp-ops;
option ztp-ops.image-file-name code 0 = text;
[...]
option ztp-ops-encapsulation code 43 = encapsulate ztp-ops;

So it encapsulates several ("sub-")options in vendor option 43, one of which using option code 0. However, RFC2132 states:

Codes other than 0 or 255 MAY be redefined by the vendor within the encapsulated vendor-specific extensions field

I still attempted to set this in Infoblox, but the GUI wouldn't let me define code 0 in a vendor option (i.e. it wouldn't let me violate the RFC):

xwcA0

Same with using the API:

$ curl -u user:pass -X POST -k "https://<gridIP>/wapi/v2.11.2/dhcpoptiondefinition" -d "space=Juniper&code=0&name=image-file-name&type=text"
{ "Error": "AdmConDataError: Invalid option code value",
"code": "Client.Ibap.Data",
"text": "Invalid option code value"
}

How can I convince Infoblox to serve the Juniper hardware its image-file-name in vendor option code 0?

Labels:
Reply
0 Kudos

Re: Can I convince Infoblox DHCP server to violate the RFC? (vendor option 43 with encapsulated opti
paulr
Expert
Posts: 188

‎12-07-2022 07:38 AM

2153     0

Seems like the problem is Juniper violating the RFC, not sure Infoblox should be expected to change their product to support this - did you log a ticket with Juniper yet?

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Reply

Re: Can I convince Infoblox DHCP server to violate the RFC? (vendor option 43 with encapsulated opti

[ Edited ]
paulr
Expert
Posts: 188

‎12-08-2022 05:33 AM - edited ‎12-08-2022 05:34 AM

2153     0

Check out this URL, use sub-option 4 instead of 0:

 

https://www.juniper.net/documentation/us/en/software/junos/junos-install-upgrade/topics/topic-map/ze...

 

  • Suboption 04: The name of the software image file to install.

     
    NOTE: 

    If the DHCP server does not support suboption 00, configure the image file using suboption 04. If both suboption 00 and suboption 4 are defined, suboption 04 is ignored.

     
    option NEW_OP.alt-image-file-name "/dist/images/jinstall-ex-4200-13.2R1.1-domestic-signed.tgz";
Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Reply
0 Kudos
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Recommended for You

Latest Annoucements