Dynamic Host Configuration Protocol (DHCP)

With the success of TCP/IP in the corporate community during the past several years, there has been a need for automated configuration of networking for desktop PCs and laptop computers. Most users neither know how to configure the TCP/IP parameters on their desktop computer nor desire to know how to do this. The need for automated network configuration of desktop computers has been met by the Dynamic Host Configuration Protocol (DHCP).

How DHCP Works

With DHCP, the computer sends out a DHCP Request when it boots up. This request is relayed to the DHCP server responsible for that LAN, and the DHCP server then sends a DHCP reply back to the requesting computer. This reply contains the IP address and other networking configuration needed by the requesting computer. The requesting computer then configures itself using the information contained in the DHCP reply message, sparing the user the effort of manual configuration.

Threats and Issues

While DHCP meets the need for automated configuration of computers, it also creates some risks. For example, a false DHCP reply could be forged by an adversary located somewhere along the path from the requesting computer to the DHCP server. This might cause the requesting computer to have an invalid, non-functional configuration, creating a denial-of-service attack. Perhaps more dangerous, such a forged DHCP reply message might place the requesting computer into a configuration that appeared to work fine but was inconsistent with the security policy of the network administrator. Gudmundsson and Droms have also documented specific security requirements for the DHCP protocol. The crux of their analysis is that mutual authentication of the client and server and authentication of DHCP protocol messages are essential to a secure and trustworthy DHCP.

Technology Directions

At present, DHCP lacks cryptographic authentication mechanisms that would be needed to prevent a forged DHCP reply from being successful. Very recently, Ralph Droms has proposed a technique for DHCP authentication to address these issues [30]. His approach provides for the use of HMAC-MD5 [54] to provide authentication for DHCP message origin and to provide message integrity during transit. This technique is very similar to that used with SNMPv2 and for routing protocol authentication.
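The following sketch is an added example, not code from this page or from Droms's proposal. It shows how a client holding a shared key can use HMAC-MD5 to accept a genuine DHCP reply, tolerate the changes a relay makes, and drop a reply whose contents were altered. The trailer layout, the replay counter, the zeroing of the relay-modified `hops` and `giaddr` fields, the key and the sample DHCPACK are all assumptions made for this illustration.

```python
import hashlib
import hmac
import struct

HOPS_OFF, GIADDR_OFF = 3, 24  # BOOTP header fields a relay agent rewrites in transit
TRAILER = struct.Struct("!Q16s")  # assumed layout: 64-bit counter + 128-bit HMAC-MD5
KEY = b"constructed-shared-secret"  # placeholder key for the demo only

def _mac(key, msg, counter):
    # Zero hops/giaddr before hashing so a legitimate relay does not break the MAC.
    canon = bytearray(msg)
    canon[HOPS_OFF] = 0
    canon[GIADDR_OFF:GIADDR_OFF + 4] = bytes(4)
    return hmac.new(key, struct.pack("!Q", counter) + bytes(canon), hashlib.md5).digest()

def sign(key, msg, counter):
    return msg + TRAILER.pack(counter, _mac(key, msg, counter))

def verify(key, signed, last_counter):
    """Return the accepted counter, or None if the message must be dropped."""
    if len(signed) < GIADDR_OFF + 4 + TRAILER.size:
        return None  # too short to hold a header and trailer
    msg, (counter, tag) = signed[:-TRAILER.size], TRAILER.unpack(signed[-TRAILER.size:])
    if counter <= last_counter:
        return None  # replayed or stale message
    if not hmac.compare_digest(tag, _mac(key, msg, counter)):
        return None  # wrong key or content altered in transit
    return counter

def sample_ack(router=b"\xc0\x00\x02\x01"):
    # Constructed DHCPACK: yiaddr 192.0.2.50, option 53 = 5 (ACK), option 3 = router.
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234ABCD, 0, 0,
                         bytes(4), b"\xc0\x00\x02\x32", b"\xc0\x00\x02\x01", bytes(4),
                         bytes.fromhex("020000000001"), b"", b"")
    return header + b"\x63\x82\x53\x63" + b"\x35\x01\x05" + b"\x03\x04" + router + b"\xff"

def demo():
    signed = sign(KEY, sample_ack(), counter=7)
    relayed = bytearray(signed)
    relayed[HOPS_OFF] = 1  # what a relay agent changes on the way through
    relayed[GIADDR_OFF:GIADDR_OFF + 4] = b"\xc0\x00\x02\xfe"
    forged = sample_ack(router=b"\xc0\x00\x02\x42") + signed[-TRAILER.size:]
    return {
        "genuine": verify(KEY, signed, last_counter=6),
        "relayed": verify(KEY, bytes(relayed), last_counter=6),
        "forged_router": verify(KEY, forged, last_counter=6),
        "replayed": verify(KEY, signed, last_counter=7),
        "wrong_key": verify(b"other-key", signed, last_counter=6),
    }
```

Calling `demo()` returns the accepted counter for the genuine and relayed replies and `None` for the altered, replayed and wrong-key cases.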
