DHCP Security Features Technology White Paper (V1.00)
Abbreviation   Full spelling
DHCP           Dynamic Host Configuration Protocol
BOOTP          Bootstrap Protocol
ARP            Address Resolution Protocol
Table of Contents
1 Overview
2 Background
  2.1 Benefits
  2.2 Application Scenarios
    2.2.1 Unauthorized DHCP Server Attack
    2.2.2 ARP Man-in-the-Middle Attack
    2.2.3 IP/MAC Spoofing Attack
    2.2.4 DHCP Packet Flooding Attack
  2.3 Restrictions
3 Security Features
  3.1 Terminology
  3.2 Protocols and Standards
  3.3 DHCP Snooping Security Features
    3.3.1 Creating and Aging DHCP Snooping Entries
    3.3.2 DHCP Snooping Trusted Ports
    3.3.3 ARP Attack Detection
    3.3.4 IP Filtering
    3.3.5 DHCP Packet Rate Limit
  3.4 Comparison Between DHCP Snooping and DHCP Relay Agent Security Features
4 Application Scenarios
5 Summary and Prospects
6 References
7 Appendix
1 Overview
The Dynamic Host Configuration Protocol (DHCP) was developed based on the
Bootstrap Protocol (BOOTP). It is an enhancement and extension of BOOTP.
2 Background
Because no authentication mechanism is provided by DHCP clients and DHCP
servers, network security problems may arise if multiple DHCP servers exist on a
network. For example, an unauthorized DHCP server may assign invalid IP
addresses, DNS server information or gateway addresses to clients to intercept traffic.
To solve such problems, H3C provides the DHCP relay agent and DHCP snooping
features on switches. With the DHCP relay agent at the network layer or DHCP
snooping at the data link layer enabled, a switch can record clients' IP-to-MAC
bindings from DHCP messages and cooperate with other modules to enhance
network security.
2.1 Benefits
DHCP snooping runs on Layer 2 access devices. A DHCP snooping enabled device
can create and maintain DHCP snooping entries, which contain clients' IP-to-MAC
bindings obtained from valid DHCP messages. DHCP snooping can cooperate with
other modules to improve network security.
A DHCP relay agent works at the network layer and has functions similar to those of
a DHCP snooping enabled device. It can record clients' IP-to-MAC bindings and
usually cooperates with ARP to implement security features.
Hangzhou H3C Technologies Co., Ltd.
2.2 Application Scenarios
2.2.1 Unauthorized DHCP Server Attack
To prevent such attacks, H3C low-end Ethernet switches provide the DHCP snooping
trusted port feature. DHCP responses received from trusted ports are processed,
while those received from untrusted ports are discarded, thus preventing DHCP
clients from obtaining IP addresses from unauthorized DHCP servers.
2.2.4 DHCP Packet Flooding Attack
To guard against DHCP packet flooding attacks, H3C low-end Ethernet switches
provide the DHCP packet rate limit feature, which can shut down any port under such
attacks.
2.3 Restrictions
- The DHCP relay agent and DHCP snooping functions are mutually exclusive.
  For example, to enable DHCP snooping on a switch, you need to disable the
  DHCP relay agent function first, if it is enabled.
- It is not recommended to configure both DHCP snooping and selective QinQ on
  a switch, because doing so may cause DHCP snooping to malfunction.
- Before configuring IP filtering, you need to enable DHCP snooping and specify
  trusted ports on the switch.
3 Security Features
3.1 Terminology
- DHCP relay agent: A DHCP relay agent forwards DHCP messages between a
  DHCP server and a DHCP client on different subnets.
3.3 DHCP Snooping Security Features
3.3.1 Creating and Aging DHCP Snooping Entries
H3C low-end switches support aging and removing DHCP snooping entries based on
their leases, to save system resources and ensure network security. When a DHCP
snooping entry is recorded, a 20-second timer is started; that is, the DHCP snooping
entry is checked every 20 seconds. The system determines whether the entry has
expired by comparing the entry's lease time with the difference between the current
system time and the time the entry was added. If the lease time of the entry is smaller
than that difference, the entry is aged out.
The disadvantage is that if an IP address has an unlimited or very long lease time,
the corresponding DHCP snooping entry cannot be aged out in time.
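The aging rule described above, written out as an added Python model (this is example code, not H3C's implementation): entries are built from the fields of a DHCP-ACK, a check runs every 20 seconds, and an entry is aged out once its lease is smaller than the time elapsed since it was added. The dict keys (yiaddr, chaddr, lease), port names and sample bindings are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

AGING_CHECK_INTERVAL = 20  # seconds; the paper says each entry is checked every 20 seconds


@dataclass
class SnoopingEntry:
    """One DHCP snooping entry: the client's IP-to-MAC binding plus where it was learned."""
    ip: str
    mac: str
    port: str
    vlan: int
    lease: Optional[int]  # lease time in seconds; None models an unlimited lease
    added_at: int         # system time (seconds) when the entry was recorded


def entry_from_ack(ack: dict, port: str, vlan: int, now: int) -> SnoopingEntry:
    """Record an entry from a DHCP-ACK. `ack` is a constructed dict standing in for the
    parsed message; its keys (yiaddr, chaddr, lease) are this example's own naming."""
    return SnoopingEntry(ack["yiaddr"], ack["chaddr"], port, vlan, ack.get("lease"), now)


def is_expired(entry: SnoopingEntry, now: int) -> bool:
    """The paper's rule: the entry is aged out when its lease time is smaller than
    (current system time - entry adding time)."""
    if entry.lease is None:
        return False  # unlimited lease: never ages out, which is the drawback the paper notes
    return entry.lease < now - entry.added_at


def aging_check(table: list, now: int) -> list:
    """One run of the periodic check; returns the entries that survive it."""
    return [e for e in table if not is_expired(e, now)]


def simulate_aging(table: list, start: int, end: int) -> dict:
    """Run the check every 20 seconds from start to end; map each aged-out IP to when it went."""
    aged_at = {}
    for now in range(start, end + 1, AGING_CHECK_INTERVAL):
        survivors = aging_check(table, now)
        for gone in {e.ip for e in table} - {e.ip for e in survivors}:
            aged_at[gone] = now
        table = survivors
    return aged_at


# Constructed sample: two bindings learned at t=0, one with a 50-second lease, one unlimited.
SAMPLE_TABLE = [
    entry_from_ack({"yiaddr": "10.1.1.10", "chaddr": "00-e0-fc-00-00-01", "lease": 50},
                   port="Ethernet1/0/1", vlan=10, now=0),
    entry_from_ack({"yiaddr": "10.1.1.11", "chaddr": "00-e0-fc-00-00-02"},
                   port="Ethernet1/0/2", vlan=10, now=0),
]
```

Because the check only runs every 20 seconds, the 50-second lease is removed at the 60-second check, and the unlimited-lease entry is never removed.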
3.3.2 DHCP Snooping Trusted Ports
After DHCP snooping is enabled on a switch, all the ports on the switch are
configured as untrusted ports by default. DHCP-ACK, DHCP-NAK, and DHCP-OFFER
messages received on untrusted ports are neither forwarded nor delivered to the CPU.
If a port is configured as a trusted port, the DHCP-ACK, DHCP-NAK, and DHCP-OFFER
messages received on this port are delivered to the CPU for processing.
Currently, the DHCP snooping function must work with the DHCP snooping trusted
port function. If you have enabled DHCP snooping on a device, you need to specify
any port connected to an authorized DHCP server as a trusted port, and configure the
trusted port and the ports connected to DHCP clients to be in the same VLAN.
3.3.3 ARP Attack Detection
- If the source IP and MAC addresses of the ARP packet, and the receiving port
  and its VLAN ID, match a DHCP snooping entry or a manually configured
  binding entry, the switch forwards the ARP packet.
- If not, the switch discards the ARP packet and displays the corresponding
  debugging information.
ports. ARP packets received from ARP trusted ports are not checked, while ARP
packets received from other ports are checked.
3.3.4 IP Filtering
IP filtering allows a DHCP snooping switch to filter IP packets based on the
DHCP-snooping table and the IP static binding table.
After IP filtering is enabled on a port, the switch applies an ACL to discard all IP
packets except DHCP packets on the port. (If the port is not a DHCP snooping
trusted port, DHCP reply packets received on it will be discarded; otherwise, DHCP
reply packets can pass). Then, the switch applies another ACL to permit packets with
source IP addresses matching specific DHCP snooping entries or static binding
entries.
The switch can filter IP packets in the following two ways:
- Filtering the source IP address in a packet. If the source IP address and the
  receiving port match an entry in the DHCP-snooping table or static binding table,
  the switch regards the packet as a valid packet and forwards it; otherwise, the
  switch drops it directly.
- Filtering the source IP address and the source MAC address in a packet. If the
  source IP address and source MAC address, and the receiving port, match an
  entry in the DHCP-snooping table or static binding table, the switch regards the
  packet as a valid packet and forwards it; otherwise, the switch drops it directly.
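The two checks from 3.3.3 (ARP attack detection) and 3.3.4 (IP filtering, both modes) as one added Python model run against a constructed binding table; this is example code, not H3C's implementation. The dict-shaped packets, the mode names "ip" and "ip+mac", and the port names are this example's own assumptions.

```python
# Binding entries as the paper describes them: (IP, MAC, receiving port, VLAN ID).
# Constructed sample table mixing DHCP snooping entries and an IP static binding entry.
BINDINGS = {
    ("10.1.1.10", "00-e0-fc-00-00-01", "Ethernet1/0/1", 10),   # learned by DHCP snooping
    ("10.1.1.11", "00-e0-fc-00-00-02", "Ethernet1/0/2", 10),   # learned by DHCP snooping
    ("10.1.1.100", "00-e0-fc-00-00-aa", "Ethernet1/0/3", 10),  # static binding (fixed-IP host)
}
ARP_TRUSTED_PORTS = {"Ethernet1/0/24"}  # e.g. the uplink; ARP received here is not checked


def arp_check(pkt: dict, bindings=BINDINGS, trusted=ARP_TRUSTED_PORTS) -> str:
    """ARP attack detection: source IP, source MAC, receiving port and VLAN ID must all
    match one binding entry, unless the packet arrived on an ARP trusted port."""
    if pkt["port"] in trusted:
        return "forward"
    key = (pkt["src_ip"], pkt["src_mac"], pkt["port"], pkt["vlan"])
    return "forward" if key in bindings else "drop"


def ip_filter(pkt: dict, mode: str, bindings=BINDINGS, dhcp_trusted=frozenset()) -> str:
    """IP filtering on a port where it is enabled.
    mode "ip":     source IP and receiving port must match an entry.
    mode "ip+mac": source IP, source MAC and receiving port must match an entry.
    DHCP packets are exempt from the first ACL, except that DHCP replies pass only on
    DHCP snooping trusted ports."""
    if mode not in ("ip", "ip+mac"):
        raise ValueError(f"unknown filtering mode: {mode}")
    if pkt.get("dhcp"):
        if pkt.get("dhcp_reply") and pkt["port"] not in dhcp_trusted:
            return "drop"
        return "forward"
    for ip, mac, port, _vlan in bindings:
        if ip != pkt["src_ip"] or port != pkt["port"]:
            continue
        if mode == "ip" or mac == pkt["src_mac"]:
            return "forward"
    return "drop"
```

The two IP filtering modes differ only when a client's MAC does not match the binding: the IP-only mode still forwards, the IP+MAC mode drops.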
3.4 Comparison Between DHCP Snooping and DHCP Relay Agent Security Features
[Comparison table; only the DHCP snooping column survived extraction: unauthorized
DHCP server attack prevention; disabling invalid users (or users who randomly change
IP addresses) from network access; entry aging mechanism.]
For detailed information about the DHCP relay agent, refer to the DHCP Technology
White Paper.
4 Application Scenarios
As shown in Figure 7, DHCP clients are located in different areas and request IP
addresses from a DHCP server through a DHCP snooping device and a DHCP relay
agent. To prevent Layer 2 attacks, configure trusted ports, ARP attack detection, and
IP filtering on the DHCP snooping devices. To ensure that Host A and Host B, which
have fixed IP addresses, can access external networks, configure IP static binding
entries on the DHCP snooping device.
6 References
Refer to DHCP Technology White Paper.
7 Appendix
Refer to DHCP Technology White Paper.