DHCP Short Cycle Protection
DHCP Short Cycle Protection Against Frequent Brief or Failed Client Sessions
In highly scaled networks, a significant number of DHCP client negotiations fail before the session is established, resulting in high loading on the router and external authentication servers. Some CPE devices automatically retry negotiation on failure, some with very short retry intervals. A malicious client might mount an authentication attack by sending repeated, frequent login requests. These events can result in a significant load on the router and the external authentication server.
Starting in Junos OS Release 18.2R1, DHCP short cycle protection, also called DHCP client lockout, enables the router to reduce these loads by identifying and temporarily locking out clients that continually fail negotiation and have short negotiation cycles as well as clients that frequently complete connections but log out soon after logging in.
Identified clients are prevented from access by temporarily locking them out for an exponentially increasing lockout period. The router drops DHCP discover or solicit messages from these clients while they are locked out. The router tracks clients by the client identifier for DHCPv4 clients or the DHCP unique identifier (DUID) for DHCPv6 clients. Both types of client identifiers can be referred to as client keys. The client key enables the DHCP server to associate a client with its lease and configuration parameters. Using the client key for DHCP short-cycle protection tracking enables the router to prevent one client from negotiating a session while allowing other clients using the same logical interface to successfully negotiate sessions.
The initial lockout period for a client has a short duration. The goal here is to not negatively affect legitimate clients, for example, those that fail just once or that log in periodically to check their email and then log out again. By targeting clients that continually fail negotiation or log in and out frequently at short intervals, short-cycle protection reduces both the connection processing load on the router and the authentication load on external authentication servers. It has the effect of improving throughput by deferring client sessions that do not make progress in favor of sessions that complete.
- Conditions That Can Cause Failed or Short-Lived DHCP Client Sessions
- How DHCP Short-Cycle Protection Works
- Termination of the Lockout Condition
- Benefits of Using DHCP Short Cycle Protection
Conditions That Can Cause Failed or Short-Lived DHCP Client Sessions
Conditions that can cause a failed or short-lived client session include:
- Authentication denials from external AAA servers, such as RADIUS or Diameter, due to the absence of a corresponding entry in the RADIUS database or due to improper login attempts.
- Router or external authentication server unreachability due to network failure or misconfiguration.
- Insufficient memory resources to create a dynamic subscriber interface.
- Protocol negotiation failures with the CPE.
- Client logout shortly after a successful login; this action creates a fully negotiated and configured client session before the session is torn down.
How DHCP Short-Cycle Protection Works
DHCP short-cycle protection is disabled on the router by default. When you enable it by including the short-cycle-protection statement at a global, group, or interface level, the router does the following for DHCP sessions on static and dynamic logical interfaces:
Detects short-lived client sessions, also referred to as short-cycle events, and locks out the client based on the following events:
E0: Time when jdhcpd declares the client session to be active.
E1: Time when jdhcpd declares the client session should be torn down.
E2: Time when jdhcpd deletes the client session entry from the database.
A short-cycle event occurs when the interval between E0 and E1 is less than or equal to 60 seconds. When the interval is greater than 60 seconds, the logout is considered normal. If the router declares the session to be short-lived, it adds the client to the lockout database at time E2.
Temporarily locks out the specified DHCP client by preventing connection to the router.
During lockout, the router drops negotiation packets (DHCP discover and solicit messages) from the client until the lockout period expires. When the lockout period expires, the client can resume normal negotiation of the connection.
You can set a range for the lockout period by specifying a minimum and maximum length with the short-cycle-protection statement. You must specify both a minimum and a maximum value.
Tracks the time between a client's repeated short-cycle events to determine whether to increase the lockout time for a subsequent short-cycle event. The interval between events is compared to the grace time threshold. By default, the grace time threshold is 900 seconds, but it is automatically set to the maximum lockout time if that value is greater than 900 seconds.
If no subsequent negotiation is attempted within the grace time, the client entry is removed from the lockout database.
If a subsequent negotiation is attempted before the grace threshold is reached, it is treated as another short-cycle event and the lockout penalty is increased. The penalty is increased exponentially each time the negotiation is attempted within the grace time.
The initial lockout period is based on the configured minimum value. Additional penalties are calculated as follows, where n is the number of consecutive short-cycle events that occur within the grace time:
Lockout time = (Lockout minimum time) x 2^(n-1)
For example, with a minimum duration of 1 second and a maximum duration of 300 seconds, the initial lockout period is 1 second; subsequent penalties increase to 2 seconds, then 4 seconds, 8 seconds, 16 seconds, 32 seconds, 64 seconds, 128 seconds, 256 seconds and finally 300 seconds. The final lockout period is 300 seconds instead of 512 seconds because no penalty can exceed the maximum value of the lockout range.
If the lockout time reaches the maximum, then it stays at that value for each subsequent lockout period until the time between short-cycle events is greater than the grace threshold.
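The lockout logic described above (short-cycle classification from E0/E1, the min x 2^(n-1) penalty capped at the maximum, the 900-second or larger grace threshold, and the history reset on an administrative clear), as an added simulation written for this page rather than Junos code. The class and method names are assumptions; the grace check on each new discover/solicit is this example's reading of the text, and the client keys are constructed sample values.

```python
from dataclasses import dataclass, field

SHORT_CYCLE_SECONDS = 60      # E1 - E0 at or below this is a short-cycle event
DEFAULT_GRACE_SECONDS = 900   # grace threshold unless lockout-max-time exceeds it


@dataclass
class LockoutEntry:
    count: int = 0             # consecutive short-cycle events within the grace time
    locked_until: float = 0.0  # time until which discover/solicit is dropped
    last_event: float = 0.0    # E2 of the most recent short-cycle event


@dataclass
class ShortCycleProtection:
    lockout_min: int           # lockout-min-time, seconds
    lockout_max: int           # lockout-max-time, seconds
    entries: dict = field(default_factory=dict)   # client key -> LockoutEntry

    def __post_init__(self) -> None:
        # Both values are mandatory in the statement; the maximum caps every penalty.
        if self.lockout_min <= 0 or self.lockout_max < self.lockout_min:
            raise ValueError("lockout-min-time and lockout-max-time must both be set, min <= max")

    @property
    def grace_seconds(self) -> int:
        return max(DEFAULT_GRACE_SECONDS, self.lockout_max)

    def penalty(self, n: int) -> int:
        """Lockout time = minimum x 2^(n-1), never above lockout-max-time."""
        return min(self.lockout_min * 2 ** (n - 1), self.lockout_max)

    def schedule(self, events: int) -> list:
        """Penalty for each of the first `events` consecutive short-cycle events."""
        return [self.penalty(n) for n in range(1, events + 1)]

    def discover(self, key: str, now: float) -> str:
        """Decide what to do with a discover/solicit from `key` at time `now`."""
        entry = self.entries.get(key)
        if entry is None:
            return "forward"
        if now < entry.locked_until:
            return "drop"                        # still locked out
        if now - entry.last_event > self.grace_seconds:
            del self.entries[key]                # grace expired: entry removed
        return "forward"

    def session_torn_down(self, key: str, e0: float, e1: float, e2: float) -> int:
        """Called at E2 with E0 (session active) and E1 (teardown declared).
        Returns the lockout applied in seconds; 0 means a normal logout."""
        if e1 - e0 > SHORT_CYCLE_SECONDS:
            return 0
        entry = self.entries.get(key)
        if entry is None or e2 - entry.last_event > self.grace_seconds:
            entry = self.entries[key] = LockoutEntry()
        entry.count += 1
        entry.last_event = e2
        lockout = self.penalty(entry.count)
        entry.locked_until = e2 + lockout
        return lockout

    def clear_all(self) -> int:
        """Operator clear of all lockout entries: history is dropped, so the next
        short-cycle event for a released client restarts at the minimum."""
        released = len(self.entries)
        self.entries.clear()
        return released
```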
Termination of the Lockout Condition
When a DHCP client is locked out, the lockout condition persists until all lockout timers have expired, except when any of the following occurs:
You administratively clear the lockout condition by issuing one of the following operational commands:
clear dhcp relay lockout-entries
clear dhcp server lockout-entries
clear dhcpv6 relay lockout-entries
clear dhcpv6 server lockout-entries
You reset the FPC on which the client session undergoing lockout is configured.
You reset the Routing Engine.
When any of these events occurs, jdhcpd terminates lockout and clears the lockout history for all affected client sessions. The released clients are allowed to negotiate again. Because there is no retained history, the lockout period starts with the minimum value if a subsequent short-cycle event occurs for one of these clients.
When a dynamic VLAN or demux VLAN logical interface is removed from an underlying physical interface that is configured with remove-when-no-subscribers, the lockout of affected clients persists until all the timers have expired. If the logical interface is recreated before all timers expire, then the lockout state is applied to the re-created logical interfaces.
Benefits of Using DHCP Short Cycle Protection
- Reduces excessive control plane loading on the router and authentication, authorization, and provisioning loading on the external authority server.
- Reduces the resources required to process DHCP control packets and to negotiate and terminate short-lived connections.
- Temporarily defers subsequent attempts for clients with failed or short-lived client sessions in favor of sessions that can complete successfully and last for more than a short duration.
- Reduces the resources required to authenticate and terminate these connections on external authentication servers, such as RADIUS and Diameter.
- Enables lockout of a single failed or short-lived DHCP session without disrupting other DHCP sessions on the same interface. Because DHCP short-cycle protection identifies each client session by its unique client ID, the router can lock out only the offending DHCP client while enabling other DHCP clients on the same interface to successfully negotiate the connection.
Configuring DHCP Short-Cycle Protection
In highly scaled networks, a significant number of DHCP client negotiations fail before the session is established, resulting in high loading on the router and external authentication servers. You can enable DHCP short cycle protection on the router to identify DHCP clients that either log in frequently and briefly or continually fail to connect, then lock the clients out from access and drop subsequent requests from these clients until a lockout timer expires. For clients that repeatedly log in frequently and briefly, the initial lockout time is short enough to have no noticeable impact. As these brief logins continue, the lockout period is exponentially increased. By targeting clients that continually fail negotiation or log in and out frequently at short intervals, short-cycle protection reduces the connection processing load on the router and the authentication, authorization, and provisioning load on external authentication servers.
You can configure the range for the lockout period for DHCPv4 relay, DHCPv6 relay, DHCPv4 local server, and DHCPv6 local server. You can configure the period globally for all relay agent or local server interfaces, for a group of interfaces, or for specific interfaces within a group. For DHCPv4 relay and local server, you can also configure the lockout for a dual-stack group.
When you enable short-cycle protection, you must specify both the minimum and the maximum duration of the lockout period.
To configure the lockout range for DHCPv4 relay agent:
Specify the minimum and maximum lockout times.
For all DHCPv4 relay agents:
[edit forwarding-options dhcp-relay]
user@host# set short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
For a specific group of DHCPv4 relay interfaces:
[edit forwarding-options dhcp-relay]
user@host# set group group-name short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
For a specific interface within a specified group of DHCPv4 relay interfaces:
[edit forwarding-options dhcp-relay]
user@host# set group group-name interface interface-name short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
For a DHCPv4 relay dual-stack group:
[edit forwarding-options dhcp-relay]
user@host# set dual-stack-group dual-stack-group-name short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
To configure the lockout range for DHCPv6 relay agent:
Specify the minimum and maximum lockout times.
For all DHCPv6 relay agents:
[edit forwarding-options dhcp-relay dhcpv6]
user@host# set short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
For a specific group of DHCPv6 relay interfaces:
[edit forwarding-options dhcp-relay dhcpv6]
user@host# set group group-name short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
For a specific interface within a specified group of DHCPv6 relay interfaces:
[edit forwarding-options dhcp-relay dhcpv6]
user@host# set group group-name interface interface-name short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
To configure the lockout range for DHCPv4 local server:
Specify the minimum and maximum lockout times.
For all DHCPv4 local servers:
[edit system services dhcp-local-server]
user@host# set short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
For a specific group of DHCPv4 local server interfaces:
[edit system services dhcp-local-server]
user@host# set group group-name short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
For a specific interface within a specified group of DHCPv4 local server interfaces:
[edit system services dhcp-local-server]
user@host# set group group-name interface interface-name short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
For a DHCPv4 local server dual-stack group:
[edit system services dhcp-local-server]
user@host# set dual-stack-group dual-stack-group-name short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
To configure the lockout range for DHCPv6 local server:
Specify the minimum and maximum lockout times.
For all DHCPv6 local servers:
[edit system services dhcp-local-server dhcpv6]
user@host# set short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
For a specific group of DHCPv6 local server interfaces:
[edit system services dhcp-local-server dhcpv6]
user@host# set group group-name short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
For a specific interface within a specified group of DHCPv6 local server interfaces:
[edit system services dhcp-local-server dhcpv6]
user@host# set group group-name interface interface-name short-cycle-protection <lockout-max-time seconds> <lockout-min-time seconds>
Verifying and Managing DHCP Short-Cycle Protection
Purpose
View or clear information about DHCP short-cycle protection operations.
Use the supported show and clear commands to manage and display information about the short-cycle protection operations for the DHCP relay agent and the DHCP local server. You can display information about all locked-out entries or about only individual entries identified by their database index number.
Action
To display short-cycle protection information for DHCPv4 or DHCPv6 relay agent:
user@host> show dhcp relay lockout-entries (all | index index)
user@host> show dhcpv6 relay lockout-entries (all | index index)
To clear short-cycle protection information for DHCPv4 or DHCPv6 relay agent:
user@host> clear dhcp relay lockout-entries (all | index index)
user@host> clear dhcpv6 relay lockout-entries (all | index index)
To display short-cycle protection information for DHCPv4 or DHCPv6 local server:
user@host> show dhcp server lockout-entries (all | index index)
user@host> show dhcpv6 server lockout-entries (all | index index)
To clear short-cycle protection information for DHCPv4 or DHCPv6 local server:
user@host> clear dhcp server lockout-entries (all | index index)
user@host> clear dhcpv6 server lockout-entries (all | index index)
Meaning
When you include the all option with these show commands, information is provided for each client entry in the lockout database, such as the index number that corresponds to the entry in the database, the client identification key, the state of the lockout, how many seconds until the current state is over, how long the current state has been in effect, and how many consecutive times the client has been locked out.
When you want to remove information from the lockout database for a particular client, you must first issue the corresponding show command with the all option to determine the index for the client entry. Then you can specify that index with the clear command.
In the following example, you display all locked-out client entries for DHCPv4 relay agent to find the index number for a particular client, then you clear only that entry and verify that it is deleted:
user@host> show dhcp relay lockout-entries all
Index  Key                State  Expires(s)  Elapsed(s)  Count
1      00:00:5E:00:53:00  LT     30          5200        2
2      00:00:5E:00:53:11  GT     120         780         2
3      00:00:5E:00:53:22  LT     180         2300        1
user@host> clear dhcp relay lockout-entries index 2
user@host> show dhcp relay lockout-entries all
Index  Key                State  Expires(s)  Elapsed(s)  Count
1      00:00:5E:00:53:00  LT     30          5200        2
3      00:00:5E:00:53:22  LT     180         2300        1
In the following example, you display all locked-out client entries for DHCPv6 local server, then you clear all entries and verify that they are deleted:
user@host> show dhcp relay lockout-entries all
Index  Key                State  Expires(s)  Elapsed(s)  Count
1      00:00:5E:00:53:00  LT     30          5200        2
2      00:00:5E:00:53:11  GT     120         780         2
3      00:00:5E:00:53:22  LT     180         2300        1
user@host> clear dhcp relay lockout-entries all
user@host> show dhcp relay lockout-entries all