crdhcpc 0.1.1

Standalone DHCP Client for Linux with DHCPv4, DHCPv6, PXE, and Dynamic DNS support
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335

# crdhcpc - Comprehensive DHCP Client

A comprehensive, secure DHCP client written in Rust, supporting DHCPv4, DHCPv6, PXE boot, Dynamic DNS, and more.

## Quick Start

```bash
# Build
cd crdhcpc
cargo build --release

# Start on an interface
crdhcpc -c /etc/dhcp-client.toml start eth0

# Run as daemon
crdhcpc -c /etc/dhcp-client.toml daemon

# Check status
crdhcpc status eth0
```

## Features

### Protocol Support
- **DHCPv4** (RFC 2131) - Full DORA cycle (Discover, Offer, Request, Acknowledge)
- **BOOTP** (RFC 951) - Bootstrap Protocol compatibility
- **DHCPv6** (RFC 8415) - Stateful and stateless address autoconfiguration
- **Prefix Delegation** (RFC 3633) - IPv6 prefix delegation for routers

### Advanced Features
- **PXE Boot** - Preboot Execution Environment support with TFTP integration
- **Dynamic DNS** - Automatic DNS record updates (RFC 4702/4704)
- **Load Balancing** - Distribute requests across multiple DHCP servers
- **Failover** - Automatic failover to backup servers
- **TFTP Client** - Download boot files for PXE

### Security Features
- **Message Validation** - Strict parsing and validation of all DHCP messages
- **Server Authentication** - Whitelist of allowed DHCP servers
- **Rate Limiting** - Prevent DHCP exhaustion attacks
- **Lease Time Validation** - Reject suspiciously short or long leases
- **DHCP Snooping** - Optional layer-2 security
- **Secure Random** - Cryptographically secure transaction IDs
- **No Unsafe Code** - 100% safe Rust (except in dhcproto library)

### Control Interface
- **Unix Socket API** - JSON-RPC 2.0 control interface
- **CLI Commands** - Start, stop, renew, release, status
- **Signal Handling** - SIGHUP (reload), SIGUSR1 (status), SIGTERM (shutdown)

## Architecture

```
┌─────────────────────────────────────────────────┐
│            REST API (Axum)                      │
│    GET  /api/dhcp-client/status                 │
│    POST /api/dhcp-client/start                  │
│    POST /api/dhcp-client/renew                  │
└─────────────────┬───────────────────────────────┘
┌─────────────────▼───────────────────────────────┐
│       JSON-RPC Plugin (crrouterd)               │
│    dhcpclient.status                            │
│    dhcpclient.start                             │
│    dhcpclient.renew                             │
└─────────────────┬───────────────────────────────┘
┌─────────────────▼───────────────────────────────┐
│         DHCP Client Manager                     │
│  ┌──────────────┬───────────────┐               │
│  │ DHCPv4       │ DHCPv6        │               │
│  │ - DORA       │ - SARR        │               │
│  │ - BOOTP      │ - Prefix Del. │               │
│  └──────────────┴───────────────┘               │
│  ┌──────────────┬───────────────┐               │
│  │ PXE          │ DDNS          │               │
│  │ TFTP         │ Failover      │               │
│  └──────────────┴───────────────┘               │
└─────────────────┬───────────────────────────────┘
┌─────────────────▼───────────────────────────────┐
│       Network Integration                       │
│  NetworkManager │ Unbound │ lnxnetctl           │
└─────────────────────────────────────────────────┘
```

## Installation

### From Source

```bash
cargo install --path .
```

### Build with Feature Flag

When building as part of crrouter-web:

```bash
cargo build --features dhcp-client
```

### Systemd Services

For systemd-based systems:

```bash
# Daemon mode (recommended) - manages all interfaces
sudo cp systemd/dhcp-client-standalone.service /etc/systemd/system/
sudo systemctl enable dhcp-client-standalone.service
sudo systemctl start dhcp-client-standalone.service

# Per-interface mode
sudo cp systemd/dhcp-client@.service /etc/systemd/system/
sudo systemctl enable dhcp-client@eth0.service
sudo systemctl start dhcp-client@eth0.service
```

See [systemd/README.md](systemd/README.md) for complete systemd integration details.

## Configuration

Example configuration file (`/etc/dhcp-client.toml`):

```toml
[general]
enabled = true
interfaces = ["eth0"]

[dhcpv4]
enabled = true
hostname = "router"
send_hostname = true
timeout = 30
retry_count = 3

[dhcpv6]
enabled = false
prefix_delegation = true
rapid_commit = true

[security]
validate_server = true
allowed_servers = ["192.168.1.1"]
min_lease_time = 300
max_lease_time = 604800

[ddns]
enabled = false
update_forward = true
update_reverse = true
```

See [docs/QUICK_REFERENCE.md](docs/QUICK_REFERENCE.md) for complete configuration reference.

## Usage

### Command Line Interface

```bash
# Start DHCP client on an interface
crdhcpc -c /etc/dhcp-client.toml start eth0

# Run as a daemon (manages all configured interfaces)
crdhcpc -c /etc/dhcp-client.toml daemon

# Check status
crdhcpc status              # All interfaces
crdhcpc status eth0         # Specific interface

# Renew lease
crdhcpc renew eth0

# Release lease
crdhcpc release eth0

# Stop client
crdhcpc stop eth0
```

### JSON-RPC API

The daemon provides a JSON-RPC 2.0 interface on `/var/run/crdhcpc.sock`:

```bash
# Get status
curl -X POST http://localhost:8080/rpc \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "method": "dhcpclient.status",
    "params": {},
    "id": 1
  }'

# Start client on interface
curl -X POST http://localhost:8080/rpc \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "method": "dhcpclient.start",
    "params": {"interface": "eth0"},
    "id": 1
  }'

# Renew lease
curl -X POST http://localhost:8080/rpc \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "method": "dhcpclient.renew",
    "params": {"interface": "eth0"},
    "id": 1
  }'
```

### Integration with crrouter-web

When running as part of crrouter-web:

```bash
# The plugin is automatically loaded when crrouterd starts
sudo systemctl start crrouterd

# Status is available via REST API
curl http://localhost:8080/api/dhcp-client/status

# Control via REST API
curl -X POST http://localhost:8080/api/dhcp-client/start \
  -H "Content-Type: application/json" \
  -d '{"interface": "eth0"}'
```

## Security Best Practices

### 1. Server Whitelisting

Always configure allowed servers in production:

```toml
[security]
allowed_servers = ["192.168.1.1", "192.168.1.2"]
validate_server = true
```

### 2. Lease Time Validation

Set reasonable lease time bounds:

```toml
[security]
min_lease_time = 300     # 5 minutes
max_lease_time = 604800  # 7 days
```

### 3. Rate Limiting

Prevent DHCP exhaustion attacks:

```toml
[security]
max_request_rate = 10  # requests per second per interface
```

### 4. DDNS Security

Use TSIG for secure DNS updates:

```toml
[ddns]
tsig_key_name = "dhcp-update-key"
tsig_key = "base64-encoded-key"
```

## Integration

### Unbound DNS Integration
- DNS servers from DHCP are configured as forwarders in Unbound
- Hostname is registered via Dynamic DNS
- Search domains are updated

### NetworkManager Integration
- Interface configuration is applied via NetworkManager
- Connection profiles are updated
- Network state is synchronized

### SIEM Integration
All DHCP events are logged:
- Lease acquisitions, renewals, and releases
- Security violations
- Server failures

## Troubleshooting

### Enable Debug Logging

```bash
RUST_LOG=debug crdhcpc daemon
```

### Mock Mode for Testing

```bash
MOCK_DHCP_CLIENT=true crdhcpc daemon
```

### Common Issues

1. **No lease acquired**: Check network connectivity and server configuration
2. **Security violation**: Verify allowed_servers configuration
3. **Rate limit exceeded**: Reduce request rate or increase limit
4. **DDNS failed**: Check unbound configuration and TSIG keys

## Documentation

- **[IMPLEMENTATION.md](docs/IMPLEMENTATION.md)** - Implementation details, RFCs, state machines
- **[QUICK_REFERENCE.md](docs/QUICK_REFERENCE.md)** - Configuration and command reference
- **[Systemd Integration](systemd/README.md)** - Systemd service setup

## RFCs Implemented

- RFC 951: Bootstrap Protocol (BOOTP)
- RFC 2131: Dynamic Host Configuration Protocol (DHCPv4)
- RFC 2132: DHCP Options and BOOTP Vendor Extensions
- RFC 3396: Encoding Long Options in DHCPv4
- RFC 3633: IPv6 Prefix Options for DHCPv6
- RFC 4702: The DHCP Client FQDN Option
- RFC 4704: The DHCPv6 Client FQDN Option
- RFC 8415: Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
- RFC 1350: TFTP Protocol
- RFC 2347-2349: TFTP Option Extension

## License

MIT OR Apache-2.0