Problem DHCP Circuit-ID / Remote-ID in Docsis Environment

emsi · April 20, 2010, 7:44am

Hallo,

I try to replace our linux-based Servers with Mikrotik-Routers in an Docsis-Cable Environment. The provisioning with DHCP/TFTP/TOD is not really a problem and works great.

But we use intensively DHCP-Remote-ID (Option-82), to pass the Bundle “CPE-IP and correspondend Cablemodem-MAC” to an external authentication system. The Cisco CMTS works as a DHCP-Relay and passes this information via Option-82 to the Mikrotik-Router, which act as a dhcp-server. My goal is to write a script which parse the entries in “/ip dhcp-server lease print detail” and submit the information in “address and agent-remote-id” via syslog to this authentication system. Here you can see the problem:

/ip dhcp-server lease print detail
address=x.x.x.30 mac-address=00:23:8B:34:66:20 server=cpe-dhcp status=bound expires-after=8m57s last-seen=1m3s active-address=x.x.x.30 active-mac-address=00:23:8B:34:66:20 active-server=cpe-dhcp host-name=“emsinb” src-mac-address=00:15:C6:4F:54:00 agent-circuit-id=“\00\01\00\03” agent-remote-id=“\00\15/\95\B”

As you can see is the agent-remote-id field binary and not the mac-address of the cable-modem. This means I cannot take this information in this format for scripting.

If I debug the DHCP-Communication I can see this:

21:20:30 dhcp,debug,packet dhcp-cmts: cpe-dhcp sending ack with id 2961227336 to x.x.x.1
21:20:30 dhcp,debug,packet dhcp-cmts: ciaddr = 0.0.0.0
21:20:30 dhcp,debug,packet dhcp-cmts: yiaddr = x.x.x.30
21:20:30 dhcp,debug,packet dhcp-cmts: siaddr = x.x.x.x
21:20:30 dhcp,debug,packet dhcp-cmts: giaddr = x.x.x.x
21:20:30 dhcp,debug,packet dhcp-cmts: chaddr = 00:23:8B:34:66:20
21:20:30 dhcp,debug,packet dhcp-cmts: Msg-Type = ack
21:20:30 dhcp,debug,packet dhcp-cmts: Server-Id = x.x.x.x
21:20:30 dhcp,debug,packet dhcp-cmts: Address-Time = 600
21:20:30 dhcp,debug,packet dhcp-cmts: Subnet-Mask = 255.255.255.0
21:20:30 dhcp,debug,packet dhcp-cmts: Router = x.x.x.x
21:20:30 dhcp,debug,packet dhcp-cmts: Domain-Server = x.x.x.x
21:20:30 dhcp,debug,packet dhcp-cmts: Relay-Agent-Info = 01-04-00-01-00-03-02-06-00-15-2F-95-5C-42

Here you can see the Relay-Agent-Info. This contains the correct Cablemodem-MAC (last six hex values = 00:15:2F:95:5C:42).

It would be great If i could access this Information in “/ip dhcp-server lease print detail” either as a new raw field “Relay-Agent-Info” or correctly separated in circuit-id and remote-id. There it would be easy accessible by the scripting engine.

Other solution would be to parse the debug log via scripting and send the correspondend bundle “yiaddr and Relay-Agent-Info” via syslog to our external authentication system. How could this be done? We handle several hundreds simultaneous leases on each Mikrotik. If I run the DHCP on debug this would create large Log-Files on Mikrotik, probably the entries get mixed together? I would pay for a proper script handle this problem.

thanks
Oliver

Chupaka · April 22, 2010, 3:58pm

actually,

id="\00\15/\95\B"

is ‘correct’ MAC address

00:15:2F:95:5C:42

\00\15 are non-printable characters. then \2F, but it’s ASCII “/”. then \95, and \42 is “B” letter

and now - “\5C”! it’s ASCII “", but it should be at least double escaped! it’s definitely a BUG! full export should be at least id=”\00\15/\95**\**B"

who will write to support? =)

martini · April 22, 2010, 7:02pm

last week write 3 messages to support, but still get no answers ))

Chupaka · April 22, 2010, 7:48pm

about that problem? =)

emsi · April 23, 2010, 11:24am

I did already contact support about this problem. Janis will try to release the changes in v4.8:

Janis:
We will make it so that our software will detect if the value is in binary or
text format and show them accordingly, atm it is shown as text all the time
and as soon as there are non-printable symbols it is a mess.
This is a change we intend to make - is it ok with you?
Regards,
Janis Megis

oliver

Chupaka · April 23, 2010, 12:57pm

well, for now it does not mess (maybe a bit), for now the only real problem is with \5c symbol - if you have it, you cannot decode the value correctly. the rest values are parseable

emsi · April 23, 2010, 5:41pm

Chupaka:

actually,
id="\00\15/\95\B"
is ‘correct’ MAC address

00:15:2F:95:5C:42

\00\15 are non-printable characters. then \2F, but it’s ASCII “/”. then \95, and \42 is “B” letter

and now - “\5C”! it’s ASCII “", but it should be at least double escaped! it’s definitely a BUG! full export should be at least id=”\00\15/\95**\**B"

who will write to support? =)

But why does get “\95” not replaced with “_” which is a printable character, if I follow the ASCII-Table? From my understanding it takes the binary delivered Sub-Option Remote-ID from Relay-Agent-Info, but treats it as Text-ASCII-Code. If it gets displayed it just converts the valid ASCII-Codes to the correspondend Character. But the valid characters are apparently not all of the printable Characters defined in the ASCII-Table. It would be better if this mix does not even occur. All of this makes it tricky to convert, even without “5c”. What do you think?

thanks
Oliver

Chupaka · April 26, 2010, 11:30am

\95 is hexadecimal value, decimal is 149, and it’s non-printable

yes, it would be nice to select between bin and text form for the whole value, not per character. but if there’s no ‘5C’, there’s nothing tricky even in current output

emsi · April 27, 2010, 12:43pm

A quick and dirty script does the job even with ‘5c’:

#!/usr/bin/php
<?php

 if (!isset($argv[1])) {
  echo "Usage: argv1 = Option-82 in /ip dhcp-server lease print from mikrotik, pass argv1 in ''\n";
  exit (1);
 }

 $remoteid = addslashes($argv[1]);

 for($i=0; $i <= 31; $i++) {
   $hex = strtoupper(dechex($i));
   if (strlen($hex) < 2) $hex = "0" . $hex;
   $np[] =  "\\" . $hex;
   $npr[] = chr($i);
 }

 for($i=127; $i <= 255; $i++) {
   $hex = strtoupper(dechex($i));
   $np[] =  "\\" . $hex;
   $npr[] = chr($i);
 }

 $mac = stripslashes(str_replace($np,$npr,$remoteid));

 for ($i = 0; $i < strlen($mac); $i++) {
  $sstring = substr ($mac, $i, 1);
  $hexstring[] = dechex(ord($sstring));
  if (strlen($hexstring[$i]) < 2) $hexstring[$i] = "0" . $hexstring[$i];
 }

 echo implode(":",$hexstring);

?>

Please no comments about bad coding style this was just for testing. I also cannot say that this works with all CM-Macs, but all we tested got correctly converted.

Now we discovered a further problem, here is my mail to janis about this:

Dear Janis,

ok, we tried scripting the Option-82 within Mikrotik. We discovered following additional issue. If I do a “/ip dhcp-server lease print detail” I get following (as already described):

address=192.168.51.9 mac-address=00:1D:09:5B:8D:2F server=cpe-dhcp status=bound expires-after=1m3s last-seen=8m57s active-address=192.168.51.9 active-mac-address=00:1D:09:5B:8D:2F active-server=cpe-dhcp host-name=“test” src-mac-address=00:15:C6:4F:54:00 agent-circuit-id=“\00\01\00\03” agent-remote-id=“\00\15/\95\B”

If I want to use this value in scripting (to save it in a variable for further processing) I have to get it with following command:

:local cmMac
:set cmMac [/ip dhcp-server lease get [find where address=192.168.51.9] agent-remote-id]

it produces following result:

[admin@gw-es-01] /system script> :put $cmMac
/\B
[admin@gw-es-01] /system script>

As you see this is not the value from the print output, it just shows the printable characters. No chance to get the mac from this. Is this gonna be fixed as well?

thanks
Oliver

Is there any way getting the result from “print” into a variable?

thanks
Oliver

emsi · April 28, 2010, 3:48pm

issue is solved in v4.8. works perfectly for us.

thanks to mikrotik for this great support …

oliver

kozmai · April 30, 2010, 10:30am

Would you tale more about your system with mikrotik?
Does the RouterOS handle dhcp requests both clients and modems? Is the leases static for modems or dynamic via radius?

ThX

emsi · April 30, 2010, 1:29pm

RouterOS handles dhcp for cm and cpe in our case. We do run several types of CMTS (Cisco, Arris, Motorola). In Cisco IOS you should make sure that you activate "cable dhcp-giaddr policy" on the cable interface. With this RouterOS is able to choose the right network for cm and cpe, for instance:

[admin@xx-xx-xx] > /ip dhcp-server print
Flags: X - disabled, I - invalid

NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP

0 cpe-dhcp ether4 192.168.x.x cpe 10m yes
1 cm-dhcp ether4 10.0.x.x cm 1h yes

We authenticate cpes on a different layer. We use a static lease for cm, but it's easy to adopt it to radius. Additionally you can push everything via Mikrotik-API.

It's a bit of work, but you can substitute your linux provisioning machines with mikrotik. that was our goal.

oliver

kozmai · April 30, 2010, 7:49pm

emsi:

RouterOS handles dhcp for cm and cpe in our case. We do run several types of CMTS (Cisco, Arris, Motorola). In Cisco IOS you should make sure that you activate “cable dhcp-giaddr policy” on the cable interface. With this RouterOS is able to choose the right network for cm and cpe, for instance:

[admin@xx-xx-xx] > /ip dhcp-server print
Flags: X - disabled, I - invalid

NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP

0 cpe-dhcp ether4 192.168.x.x cpe 10m yes
1 cm-dhcp ether4 10.0.x.x cm 1h yes

We authenticate cpes on a different layer. We use a static lease for cm, but it’s easy to adopt it to radius. Additionally you can push everything via Mikrotik-API.

It’s a bit of work, but you can substitute your linux provisioning machines with mikrotik. that was our goal.

oliver

Sorry for off-topic.. How can you create two dhcp-server on same interface in RouterOS? If I try, OS says “Couldn’t add New DHCP Server - server with such interface and relay is already enabled”

emsi · April 30, 2010, 8:16pm

kozmai:

emsi:

RouterOS handles dhcp for cm and cpe in our case. We do run several types of CMTS (Cisco, Arris, Motorola). In Cisco IOS you should make sure that you activate “cable dhcp-giaddr policy” on the cable interface. With this RouterOS is able to choose the right network for cm and cpe, for instance:

[admin@xx-xx-xx] > /ip dhcp-server print
Flags: X - disabled, I - invalid

NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP

0 cpe-dhcp ether4 192.168.x.x cpe 10m yes
1 cm-dhcp ether4 10.0.x.x cm 1h yes

We authenticate cpes on a different layer. We use a static lease for cm, but it’s easy to adopt it to radius. Additionally you can push everything via Mikrotik-API.

It’s a bit of work, but you can substitute your linux provisioning machines with mikrotik. that was our goal.

oliver

Sorry for off-topic.. How can you create two dhcp-server on same interface in RouterOS? If I try, OS says “Couldn’t add New DHCP Server - server with such interface and relay is already enabled”

update to newest version and use a different relay as I used in my example. Otherwise RouterOS cannot select from which pool it has to serve the request …

works at least for me without any complain of routeros …

oliver

kozmai · May 3, 2010, 7:22am

Thanks for info. Would you send me your email or other contact for further questions?

kozmai

emsi · May 3, 2010, 8:27am

unfortunately I’m not permitted to write private messages in the forum. Please write an E-Mail to following address: mikrotik.3.emsi@neverbox.com. I’ll reply with my correct mail then.

thanks
oliver

Chupaka · May 3, 2010, 12:21pm

by the way, if you add karma, that man receives PM with your comment

chuflo · January 5, 2025, 12:40am

Hi emsi, how do you capture that mac in option 82 on the mikrotik side? I’ve been trying to do it for a while using option matcher but I can’t do it.
Thanks