DUID interface?



  • I was just looking at the DUID that's sent from my pfSense firewall to my ISP.  One of the fields is the client identifier, which includes the DUID type and MAC address.  The MAC address listed is for my LAN interface, rather than the WAN.  Is this normal?  Would multiple DUIDs be created & sent, if there were multiple LAN interfaces?

    BTW, it's a type 1 DUID, which includes the client MAC and creation time.

    Incidentally, according to RFC3315, the MAC is supposed to be for an interface that connects to the DHCP server.

    9.2. DUID Based on Link-layer Address Plus Time [DUID-LLT]

    This type of DUID consists of a two octet type field containing the
      value 1, a two octet hardware type code, four octets containing a
      time value, followed by link-layer address of any one network
      interface that is connected to the DHCP device at the time that the
      DUID is generated.  The time value is the time that the DUID is
      generated represented in seconds since midnight (UTC), January 1,
      2000, modulo 2^32.  The hardware type MUST be a valid hardware type
      assigned by the IANA as described in RFC 826 [14].  Both the time and
      the hardware type are stored in network byte order.  The link-layer
      address is stored in canonical form, as described in RFC 2464 [2].

    Perhaps a problem with pfSense?



  • The key words, which you even bolded, are "at the time that the DUID is generated." The DUID should be generated once per interface. The DUID shouldn't be changing even if the interface it is based on is removed from the system.

    Also from RFC 3315, a couple of paragraphs before 9.1…

    The DUID is
      designed to be unique across all DHCP clients and servers, and stable
      for any specific client or server - that is, the DUID used by a
      client or server SHOULD NOT change over time if at all possible; for
      example, a device's DUID should not change as a result of a change in
      the device's network hardware.



  • Yes, I know it's supposed to be generated once.  Mine was created back in May, when I started using pfSense.  My question was about why it contained the MAC of the LAN interface, rather than the WAN, as the RFC says should be done.  My LAN interface does not get its address via DHCP, but the WAN does.

    Does not "followed by link-layer address of any one network interface that is connected to the DHCP device at the time that the DUID is generated" imply the WAN interface?  DHCPv6 is not used on my LAN.


  • Banned

    @JKnott:

    Yes, I know it's supposed to be generated once.  Mine was created back in May, when I started using pfSense.  My question was about why it contained the MAC of the LAN interface, rather than the WAN, as the RFC says should be done.  My LAN interface does not get its address via DHCP, but the WAN does.

    Probably because you plugged the cables the other way round… Total non-issue. This DUID thing does not ever change after that and no one gives a shite about which MAC address is listed in there.



  • Nope.  That computer used to run openSUSE 13.1 for my firewall, prior to pfSense, so no cables were moved.  I realize it won't make any difference.  Just curious.
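
The DUID-LLT layout quoted from RFC 3315 in the first post can be decoded to see which local interface's MAC a stored DUID embeds and when it was generated. This is an added example, not part of the thread or of pfSense; the function names are hypothetical, and the sample DUID, interface names and MAC addresses are constructed. It also handles DUID-LL (type 3, RFC 3315 section 9.4), which goes beyond the type 1 case discussed above.

```python
import struct
from datetime import datetime, timedelta, timezone

# DUID-LLT time counts seconds from midnight UTC, January 1, 2000 (RFC 3315, 9.2).
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)

def parse_duid(raw):
    """Decode a DUID-LLT (type 1) or DUID-LL (type 3) into its fields."""
    if len(raw) < 2:
        raise ValueError("DUID shorter than its 2-octet type field")
    (duid_type,) = struct.unpack("!H", raw[:2])
    if duid_type == 1:
        header = "!HI"   # hardware type, then time, both in network byte order
    elif duid_type == 3:
        header = "!H"    # hardware type only, no timestamp
    else:
        raise ValueError(f"DUID type {duid_type} has no link-layer layout")
    size = struct.calcsize(header)
    if len(raw) < 2 + size:
        raise ValueError("DUID truncated before the link-layer address")
    fields = struct.unpack(header, raw[2:2 + size])
    lladdr = raw[2 + size:]
    if fields[0] == 1 and len(lladdr) != 6:   # IANA hardware type 1 = Ethernet
        raise ValueError("Ethernet DUID must end in a 6-octet MAC")
    created = DUID_EPOCH + timedelta(seconds=fields[1]) if duid_type == 1 else None
    return {"type": duid_type, "hw_type": fields[0], "created": created,
            "mac": ":".join(f"{b:02x}" for b in lladdr)}

def duid_interface(raw, interfaces):
    """Return the name of the local interface whose MAC the DUID embeds, or None."""
    mac = parse_duid(raw)["mac"]
    return next((n for n, addr in interfaces.items() if addr.lower() == mac), None)

# Constructed sample: type 1, Ethernet, generated 2016-05-01 00:00:00 UTC,
# carrying a locally administered MAC that matches the made-up "lan" entry.
SAMPLE_DUID = (bytes.fromhex("00010001") + struct.pack("!I", 515376000)
               + bytes.fromhex("020000aabb01"))
SAMPLE_INTERFACES = {"wan": "02:00:00:aa:bb:00", "lan": "02:00:00:aa:bb:01"}

if __name__ == "__main__":
    info = parse_duid(SAMPLE_DUID)
    print(info["created"].isoformat(), info["mac"],
          duid_interface(SAMPLE_DUID, SAMPLE_INTERFACES))
```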