RFC compliance matrix
Every DHCP-related RFC clause we implement, the status, and how to verify it.
DHCP Shield Pro is built against the RFC documents that govern DHCP. It implements sixteen DHCP RFCs in full — covering DHCPv4 and DHCPv6, the relay-agent sub-options used in telco and ISP networks, and the option extensions that carry subscriber identity. The matrix below lists each RFC, the clauses we implement, and one-line evidence — maintained against the implementation, clause by clause.
The two protocol foundations — RFC 2131 (DHCPv4) and RFC 8415 (DHCPv6) — are the headline. The remaining rows are the relay-agent and option sub-features layered on top: Option 82 sub-options for subscriber traceability, FQDN and classless-route options, and the access-network identifiers used in carrier deployments.
Last reviewed: 2026-05-28 · Review method: manual cross-reference against the published RFC adherence matrix; re-validated before each pre-certification audit.
Reference
Status legend
Implemented — parsed, recorded, and queryable in the product. We list a clause here only when it ships.
Out of Scope — a DHCP RFC we do not implement, listed with the reason rather than omitted.
Coverage
Matrix
| RFC | Clause | Status | Evidence |
|---|---|---|---|
RFC 2131 — Dynamic Host Configuration Protocol (DHCPv4) | Packet format and all eight message types (DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM) | Implemented | Every mandatory header field is parsed and recorded; all eight message types are detected and classified, with REQUEST sub-states (selecting, renewing, rebinding) inferred and surfaced per transaction. |
RFC 2132 — DHCP Options and BOOTP Vendor Extensions | Full option space — every option code captured; named parsing for the operationally critical options | Implemented | All option codes are captured and queryable. Named parsing covers lease time (51), message type (53), parameter request list (55, used for fingerprinting), vendor class (60), and client identifier with MAC extraction (61), among others. |
RFC 3046 — DHCP Relay Agent Information Option | Option 82 — Circuit ID (suboption 1) and Remote ID (suboption 2) | Implemented | Circuit ID and Remote ID parsed as hex and ASCII with VLAN and MAC extraction — the subscriber-level traceability telco and ISP networks rely on. |
RFC 4702 — Client FQDN Option | Option 81 — S/O/E/N flags and DNS wire format | Implemented | Flags decoded; DNS wire format decoded to a human-readable fully-qualified domain name. |
RFC 3442 — Classless Static Route Option | Option 121 — variable-length subnet encoding | Implemented | Variable-length subnet bytes parsed per mask width and presented as 'subnet/mask via router'. |
RFC 3925 — Vendor-Identifying Vendor Options | Option 125 — Enterprise Number TLV blocks | Implemented | Multiple enterprise blocks supported; common enterprise numbers resolved to vendor names. |
RFC 3527 — Link Selection Sub-option | Option 82 suboption 4 | Implemented | Parsed as an IPv4 address for subnet selection. |
RFC 3993 — Subscriber-ID Sub-option | Option 82 suboption 5 | Implemented | Parsed as a variable-length identifier (hex and ASCII). |
RFC 4014 — RADIUS Attributes Sub-option | Option 82 suboption 6 | Implemented | Captured for RADIUS integration workflows. |
RFC 4243 — Vendor-Specific Relay Sub-option | Option 82 suboption 9 | Implemented | Enterprise number and vendor data parsed. |
RFC 5107 — Server Identifier Override Sub-option | Option 82 suboption 11 | Implemented | Parsed as an IPv4 address for relay-agent server selection. |
RFC 5765 — DHCPv4 Relay Agent Flags | Option 82 suboption 10 | Implemented | Unicast flag decoded. |
RFC 6925 — Relay Agent Identifier Sub-option | Option 82 suboption 12 | Implemented | Parsed as hex and ASCII. |
RFC 7839 — Access-Network-Identifier Options | Option 82 suboptions 13–18 (access technology, network name, AP name, BSSID, operator ID, realm) | Implemented | Per-suboption parsers for enumerated access-technology names, network and AP names, and BSSID MAC addresses. |
RFC 6939 — Client Link-Layer Address Option | Option 79 — client link-layer address carried by the relay agent | Implemented | Client link-layer address surfaced so the originating MAC is visible even on relayed, no-broadcast networks. |
RFC 8415 — Dynamic Host Configuration Protocol for IPv6 (DHCPv6) | Solicit / Advertise / Request / Reply, DUID variants, IA-NA and IA-PD | Implemented | DHCPv6 exchanges parsed end to end: message types, DUID variants, and identity-association options for both address (IA-NA) and prefix delegation (IA-PD). |
RFC 3118 — Authentication for DHCP Messages | Option 90 — cryptographic authentication of DHCP messages | Out of Scope | Not implemented as an authentication mechanism. DHCP authentication is rarely deployed in practice — clients need credentials before they have network access, there is no standard key-distribution mechanism, and operators typically authenticate at Layer 2 with 802.1X instead. If Option 90 is present on the wire it is captured as binary alongside other options, but the signature is not verified. |
Verify
How to verify
Every implemented clause is observable on your own appliance: each parsed field and option is recorded against the DHCP transaction and visible in the live event stream, the device detail views, and the report builder. You can confirm any row against your own traffic, no trust required.
For setup, see the installation guide; for what the appliance sends anywhere, see What leaves the appliance.
Need this for an RFP?
We'll walk your reviewers through the matrix and answer their compliance questions.