Jeffrey Hutzelman
2014-Mar-06 22:55 UTC
[syslinux] Cannot chain to another PXE server on the same subnet
On Thu, 2014-03-06 at 16:52 -0500, Gene Cumm wrote:> > RFC2131, section 4.1, and particularly the second paragraph on page 24. > > Conditionally. "Options may appear only once, unless otherwise > specified in the options document." I don't see any indication of any > options that DO allow it unless "The information is an opaque object > of n octets" implies arbitrary length.What that text is trying to say is that a logical _option_ can appear only once, but that multiple TLV's can appear with the same tag, in which case they are concatenated together to obtain the length of the option. The only exception is if the specification for the option in question specifically says that the option can appear multiple times, which the spec for option 43 does not (in fact, I'm not aware of any option that does, though there are plenty of obscure options outside the base spec that I haven't heard of).> > Unfortunately, a lot of implementations get this wrong. For example, > > some client implementations cannot handle encapsulated vendor options > > that span more than once instance of the enclosing option 43. > > If we assume 43 is allowed to be repeated, then the contents are an > arbitrary blob subject to vendor-specific interpretation but _SHOULD_ > be in encapsulated format.Right. But that's the concatenated contents, not the contents of each TLV with tag 43. Unfortunately, some clients interpret each one separately. In any case, that's not directly the cause of the present issue, because doing that would actually work with the data the Altiris server is sending.> Reading over those portions of the RFCs, it comes off as the > pack/unpack functions should be able to handle a nearly arbitrary > number of instances of an option and shouldn't be repacking the option > instances together.For an option you know about, repacking is fine. The implication of the text from RFC2131 is that some option might specify that multiple TLVs are treated as separate instances of the option, in which case repacking that one would not be OK. FWIW, I think DHCP6 solves this problem by explicitly prohibiting an option from appearing more than once, period, without any possibility of individual options behaving differently.> > In this case, it appears that the Altiris server is expecting the client > > to process each instance of option 43 separately, rather than > > concatenating their payloads and processing the result as if it were a > > single option value. In particular, the server is ending each instance > > It appears they assumed you put an option 255 at the end of each > option 43 instance and the client will then strip those 255s.Yup.> If a vendor potentially encodes more than one item of information in > this option, then the vendor SHOULD encode the option using > "Encapsulated vendor-specific options" as described below: > > SHOULD makes me think a vendor can choose how much of the suggestion to follow.Yes, that's true(*). But that's not the same as the DHCP server getting to choose how much to follow. "Vendor" here means the vendor whose definition of option 43 applies to this packet, which is the vendor whose identifier appears in the DHCP vendor class identifier option. In this case, that's "PXEClient", which means the format of option 43 is defined in the PXE specification. The PXE specification is unfortunately rather vague, but does specify the use of encapsulated vendor options, refers once to RFC2132, and does not define any different encapsulation format. In any case, I think I was barking up the wrong tree. What the trace shows is a normal DHCP handshake with the server at 10.215.144.7, along with the Altiris server responding in so-called "Proxy DHCP" mode, in which it provides PXE configuration but does not assign the client an address. That's a standard feature, and it's why the whole thing works if the primary DHCP server doesn't send any PXE response at all. If PXE options are present in the response from the real DHCP server, the PXE spec requires that they take precedence over options provided by a "Proxy DHCP" server. The key thing here is that the Altiris server provides a PXE menu, which the PXE client is expected to interpret, display for the user, and then send an appropriate followup PXE request once the user selects an item. This happens at the PXE/DHCP protocol layer, normally before any bootstrap program is loaded. The "bstrap.0" file is a small NBP that handles the menu when booting from old PXE clients that don't implement the menu-related parts of the protocol. But even with bstrap.0, the menu stuff doesn't work if the menu-related options weren't in whichever DHCP response gets used for PXE. Unfortunately, what this means is that selecting things from the Altiris menu isn't going to work unless the client is getting PXE bits from that server and _not_ from the main DHCP server. Getting that to happen may be rather difficult, as it more or less requires triggering another DHCP exchange, and doing so in such a way that the main server doesn't provide any options (for example, by sending something in the request that the main DHCP server config conditions the PXE response bits on). -- Jeff (*) To an extent. SHOULD or RECOMMENDED in most RFCs, including this one (even though it is slightly too old to incorporate RFC2119 by reference), has a rather stronger meaning than in normal English prose. It approximately means "you have to do this unless you carefully weigh the implications and conclude you have good reason to do otherwise".
Vieri
2014-Mar-07 07:33 UTC
[syslinux] Cannot chain to another PXE server on the same subnet
----- Original Message ----- From: Jeffrey Hutzelman <jhutz at cmu.edu>> The "bstrap.0" file is a small NBP that > handles the menu when booting from old PXE clients that don't implement > the menu-related parts of the protocol.? But even with bstrap.0, the > menu stuff doesn't work if the menu-related options weren't in whichever > DHCP response gets used for PXE. > > Unfortunately, what this means is that selecting things from the Altiris > menu isn't going to work unless the client is getting PXE bits from that > server and _not_ from the main DHCP server.? Getting that to happen may > be rather difficult, as it more or less requires triggering another DHCP > exchange, and doing so in such a way that the main server doesn't > provide any options (for example, by sending something in the request > that the main DHCP server config conditions the PXE response bits on).So I take it it's more of a DHCP hack in which: 1- client boots and gets DHCP response from 10.215.144.7 with PXE syslinux info 2- client loads pxelinux.0 menu and selects menu that chains to Altiris PXE menu except, instead of calling pxechain.com or pxechn.c32 with the Altiris server's IP address, the client should "re-netboot" but this time, the DHCP server at 10.215.144.7 should not include any PXE information at all for this particular client/MAC, so Altiris can kick in. I don't know how to do this but is this basically what you're suggesting? Thanks, Vieri
Vieri
2014-Mar-07 08:24 UTC
[syslinux] Cannot chain to another PXE server on the same subnet
----- Original Message ----- From: Vieri <rentorbuy at yahoo.com>> I don't know how to do this but is this basically what you're suggesting?Would it be something like "Option 1: DHCP as decision engine" as described in the following article? https://blogs.technet.com/b/dominikheinz/archive/2011/03/02/coexistence-of-altiris-and-sccm-pxe-servers-within-the-same-network.aspx Thanks, Vieri
Gene Cumm
2014-Mar-07 10:49 UTC
[syslinux] Cannot chain to another PXE server on the same subnet
On Fri, Mar 7, 2014 at 2:33 AM, Vieri <rentorbuy at yahoo.com> wrote:> So I take it it's more of a DHCP hack in which: > 1- client boots and gets DHCP response from 10.215.144.7 with PXE syslinux info > 2- client loads pxelinux.0 menu and selects menu that chains to Altiris PXE menu except, instead of calling pxechain.com or pxechn.c32 with the Altiris server's IP address, the client should "re-netboot" but this time, the DHCP server at 10.215.144.7 should not include any PXE information at all for this particular client/MAC, so Altiris can kick in. > > I don't know how to do this but is this basically what you're suggesting?1) Thinking about the responses again, I'm absolutely surprised that you can even boot PXELINUX. I would have expected the response from the Altiris server to override your attempts to block it. 2) There's at least one more thing we can try, a very long option 43. Either use the text-decimal tcpdump or a tool that can read the pcap (like Wireshark) and create a single large colon-separated string representation of the 3 option 43 values (should be over 1200 characters long, 3 times total length minus 1). Using wireshark and right-clicking on each option 43 instance, copy, bytes, as hexstream, and leaving the option 255s in I get: 01:04:e0:01:01:03:02:02:de:06:03:02:df:06:04:01:01:05:01:01:06:01:0b:08:70:aa:aa:01:0a:d7:90:3c:00:a0:01:0a:d7:90:3c:00:81:01:0a:d7:90:3c:00:a1:01:0a:d7:90:3c:00:a2:01:0a:d7:90:3c:00:a4:01:0a:d7:90:3c:00:a5:01:0a:d7:90:3c:00:a6:01:0a:d7:90:3c:00:a7:01:0a:d7:90:3c:00:a8:01:0a:d7:90:3c:00:a9:01:0a:d7:90:3c:00:aa:01:0a:d7:90:3c:00:ab:01:0a:d7:90:3c:00:ac:01:0a:d7:90:3c:00:83:01:0a:d7:90:3c:bb:bb:01:0a:d7:90:3c:ff:09:cb:00:00:16:4e:65:78:74:20:44:65:76:69:63:65:20:28:42:49:4f:53:2f:45:46:49:29:00:a0:0c:55:62:75:6e:74:75:4e:65:74:78:38:36:00:81:08:44:4f:53:20:55:4e:44:49:00:a1:0c:48:50:20:64:63:37:38:30:30:53:46:46:00:a2:0b:44:65:6c:6c:20:4f:70:74:33:36:30:00:a4:0b:47:58:35:32:30:26:47:58:36:32:30:00:a5:16:42:72:6f:61:64:4e:65:74:58:74:72:65:6d:65:20:49:49:20:47:69:67:61:00:a6:11:44:65:6c:6c:4f:70:74:47:58:36:30:20:45:31:30:30:62:00:a7:0e:44:72:61:67:65:72:20:52:54:4c:38:31:33:39:00:a8:05:6c:69:6e:75:78:00:aa:06:76:6d:77:61:72:65:00:ab:0a:48:50:38:30:30:30:45:53:46:46:00:ac:06:44:65:6c:6c:50:45:00:83:05:57:69:6e:50:45:0a:2e:05:50:72:65:73:73:20:5b:46:38:5d:20:74:6f:20:53:65:6c:65:63:74:20:61:20:62:6f:6f:74:20:6f:70:74:69:6f:6e:3a:20:49:4e:46:2d:56:4d:2d:44:53:ff:47:04:00:00:00:00:e0:02:00:00:ff So try "-o 43.x=<above-string>" on the append line. If that doesn't work, strip the two "ff"s in the middle. Otherwise, this is going to need rework for the pack/unpack and pxechn.c32 -- -Gene
Reasonably Related Threads
- Cannot chain to another PXE server on the same subnet
- Cannot chain to another PXE server on the same subnet
- Cannot chain to another PXE server on the same subnet
- Cannot chain to another PXE server on the same subnet
- Cannot chain to another PXE server on the same subnet