How DHCP Actually Assigns IP Addresses

2nd. gen black Amazon Echo speaker on white panel

7 min read

DHCP assigns IP addresses through a four-message DORA handshake — Discover, Offer, Request, Acknowledge — each solving a distinct coordination problem without requiring servers to communicate directly.

The lease model balances address efficiency against renewal overhead, with T1 and T2 timers providing a layered failover from quiet unicast renewal to broadcast rebinding before lease expiration.

Lease duration should be tuned to your network's device churn rate and pool size, not left at defaults that may cause pool exhaustion or excessive broadcast traffic.

DHCP's TLV-encoded options field delivers far more than addresses — routers, DNS servers, VLAN assignments, and vendor-specific provisioning data all ride the same protocol.

Vendor-specific options like Option 43 and relay agent information in Option 82 are powerful but are also the leading sources of interoperability issues and silent misconfigurations in complex networks.

Every device that connects to a network needs an IP address, and almost none of them configure one manually. DHCP — the Dynamic Host Configuration Protocol — handles this silently, millions of times per second across the global internet. It's so reliable that most engineers only think about it when something breaks.

But beneath that reliability is a carefully designed protocol exchange. DHCP uses a four-message handshake, a lease-based allocation model, and an extensible options framework that does far more than hand out addresses. Understanding how these pieces fit together is the difference between running a network and actually engineering one.

Let's walk through the full DHCP lifecycle — from a client's first broadcast into the void to the quiet renewal that keeps everything running — and examine the design decisions and misconfigurations that matter most in production environments.

The DORA Handshake: Four Messages, Each With a Purpose

When a client joins a network with no IP address, it has a fundamental problem: it can't talk to anyone directly. So it broadcasts. The Discover message is a UDP packet sent from 0.0.0.0 to 255.255.255.255, essentially the client shouting into the dark, asking if any DHCP server exists. The source port is 68, the destination is 67 — fixed by the protocol spec so servers know where to listen.

Any DHCP server on the broadcast domain that has available addresses responds with an Offer. This message proposes a specific IP address, a lease duration, and a set of configuration options. Critically, the server doesn't reserve this address yet — it's a proposal, not a commitment. If multiple servers exist on the segment, the client may receive multiple offers. This is by design. It provides redundancy without requiring server coordination.

The client picks one offer — typically the first to arrive — and broadcasts a Request message. This broadcast serves two purposes: it tells the chosen server "yes, I'll take that address," and it tells every other server "thanks, but no." The other servers can then release their tentative offers back into their pools. Broadcasting the Request rather than unicasting it is an elegant solution to a multi-server coordination problem without needing the servers to talk to each other.

Finally, the chosen server sends an Acknowledge, confirming the lease and delivering the full configuration payload. The client can now configure its interface and begin communicating. The entire exchange typically completes in milliseconds on a local network. But if relay agents are involved — forwarding DHCP broadcasts across subnets via the giaddr field — latency increases and the importance of each message's timing becomes more apparent. A missing or delayed ACK means the client starts over from Discover.

Takeaway
DORA isn't four messages for the sake of complexity — each step solves a distinct problem: discovery without an address, competing offers without server coordination, selection without a central arbiter, and confirmation before use.

Lease Lifecycle: Borrowing Addresses on a Timer

DHCP doesn't give you an address — it lends you one. The lease model exists because IP address space is finite and devices are transient. A coffee shop's WiFi can't permanently allocate an address to every phone that passes through. Lease durations are the engineering lever that balances address efficiency against renewal overhead. Short leases — say, five minutes — reclaim addresses quickly but generate constant renewal traffic. Long leases — eight days, for example — reduce chatter but risk exhausting the pool if devices leave without releasing.

Renewal follows a specific schedule. At T1, which defaults to 50% of the lease duration, the client unicasts a renewal request directly to the server that issued the lease. This is quiet and efficient — no broadcasts, no involving other servers. If the server responds, the lease resets and the client carries on. Most healthy networks never get past this point.

If T1 renewal fails — perhaps the original server is down — the client waits until T2, defaulting to 87.5% of the lease. Now it broadcasts a rebinding request, allowing any DHCP server on the segment to respond. This is the protocol's built-in failover mechanism. It doesn't require complex server clustering; it just exploits the broadcast domain. If rebinding also fails, the lease expires and the client drops its address entirely, returning to the Discover phase.

A common misconfiguration is setting lease times without considering the network's device churn rate. Mobile-heavy environments with long leases lead to pool exhaustion. Static office networks with short leases generate unnecessary broadcast storms during renewal windows. The right lease duration is a function of your address pool size, device count, and average connection duration — not a default you leave untouched.

Takeaway
The T1/T2 renewal and rebinding timers are a layered failover design: try the known server quietly first, then ask anyone loudly, then give up gracefully. Good protocol design degrades in stages, never all at once.

Options and Extensions: DHCP as a Configuration Bus

Assigning an IP address is only the beginning. A device also needs a default gateway, DNS servers, a subnet mask, and potentially dozens of other parameters. DHCP delivers all of this through its options field — a type-length-value (TLV) encoded section of the DHCP message that can carry over 250 standardized option codes. Option 3 is the router. Option 6 is the DNS server list. Option 51 is the lease time. This TLV structure makes the protocol extensible without breaking backward compatibility.

Options 43 and 60 are where things get interesting — and messy. Option 60 is the Vendor Class Identifier, sent by the client to announce what kind of device it is. IP phones from Cisco, for instance, identify themselves so the DHCP server can respond with phone-specific configuration in Option 43, the Vendor-Specific Information field. This mechanism turns DHCP into a lightweight provisioning system: phones get VLAN assignments and call server addresses, access points get controller IPs, thin clients get boot image locations.

But vendor-specific options are also the leading cause of DHCP interoperability headaches. Option 43's internal structure is defined by the vendor, not by the RFC. A Cisco phone and an Aruba access point both expect Option 43 but interpret its contents completely differently. If your DHCP server is handing out the wrong vendor payload to the wrong device class, the device either ignores the option silently or misconfigures itself in subtle ways. Debugging this requires packet captures and careful matching of option codes to vendor documentation.

Beyond vendor extensions, Option 82 — the Relay Agent Information option — deserves attention. When a relay agent forwards a DHCP request across subnets, it can insert Option 82 to identify which physical port and VLAN the request came from. This allows the server to make allocation decisions based on network topology, not just broadcast domain. It's essential in large campus or service provider networks where a single DHCP server manages hundreds of subnets. Misconfigured Option 82 policies — especially when the server drops requests with unexpected relay information — are a silent killer of connectivity in complex deployments.

Takeaway
DHCP's options framework turns a simple address assignment protocol into a general-purpose configuration delivery system — but every extension you add is a surface for misconfiguration. The power of extensibility and the risk of complexity are always the same thing.

DHCP works so well that it becomes invisible — until it doesn't. The four-message DORA exchange, the lease lifecycle with its layered failover timers, and the extensible options framework are each carefully engineered to handle real-world conditions: multiple servers, unreliable networks, and wildly diverse client devices.

Most DHCP problems in production aren't protocol failures. They're configuration mismatches — lease durations that don't fit device churn, vendor options aimed at the wrong client class, or relay agent policies that silently discard valid requests.

Understanding the protocol at this level doesn't just help you troubleshoot. It helps you design networks where DHCP stays invisible — which is exactly how a well-engineered infrastructure protocol should behave.