[unisog] Mac OS X 10.4.x "DHCP client sometimes remains BOUND after sending DHCPDISCOVER" bug

Keith Neufeld keith.neufeld at wichita.edu
Wed Jan 31 13:05:24 UTC 2007


> Since September 2005 (yes, 2005) I've been seeing a DHCP client issue from
> Mac OS 10.4.x systems at Princeton University, where I maintain DHCP
> service.
>
> I reported it to Apple (Apple Bug Reporter Problem ID 4904550);
> Apple's examined it and confirmed that Mac OS X does indeed behave
> this way, and that they believe this behavior is correct (is consistent
> with RFC 2131). I believe the behavior violates RFC 2131.

I don't buy it.  I mean, I don't buy it as a violation.

> Some time after obtaining a DHCP lease (entering the DHCP BOUND state), the
> client sends one or more DHCPDISCOVER packets. This implies the client has
> returned to the DHCP INIT state, relinquishing the old DHCP lease.

I don't see how that's implied.  If the client still has a valid  
lease, why would that lease not be valid for its duration, barring an  
explicit DHCPRELEASE from the client?  Where in the RFC does it state  
that the server is privy to the current state of the client's state  
machine, or permitted to behave based on educated guesses as to that  
state?

> 3) Before the lease is due to expire, the client broadcasts a DHCPDISCOVER
>    packet.
>
>    Since the client is still attached to the same network, and is still
>    using the same DHCP Client Identifier, this implies the client has
>    entered the DHCP INIT state, implicitly relinquishing the old lease.

If a DHCPDISCOVER packet from a MAC address automatically means that  
the MAC address relinquishes its claims on any lease(s) it has, then  
there's a trivial new way to DoS an entire subnet--just watch  
broadcast traffic long enough to collect MAC addresses, then  
broadcast DHCPDISCOVER messages with spoofed MACs.  Poof!  All the  
leases are invalidated--and best of all, the real clients don't even  
know it!

I know that DHCP doesn't provide strong integrity against MAC  
spoofing; but the consequences of this claim make DoSing just a  
little too easy.

-- 
Keith Neufeld
Lead Network Engineer
Wichita State University
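
The lease-handling consequence argued in the message above, as an added example that is not part of the original post and not code from any real DHCP server: a toy lease table replayed over a constructed trace under two server policies. The `discover_releases` switch, the addresses, and the collapsing of the DISCOVER/OFFER/REQUEST/ACK exchange into a single `DHCPREQUEST` step are assumptions made for illustration.

```python
# Added illustration: a toy lease table, not code from any real DHCP server.
LEASE_TIME = 3600  # seconds; constructed value

class LeaseTable:
    def __init__(self, pool, discover_releases):
        self.free = list(pool)
        self.discover_releases = discover_releases  # hypothetical policy switch
        self.leases = {}  # chaddr -> (ip, expiry)

    def _drop(self, mac):
        self.free.append(self.leases.pop(mac)[0])

    def handle(self, now, msg, mac):
        """Process one message; return the IP the server binds to mac, or None."""
        for m in [m for m, (_, exp) in self.leases.items() if exp <= now]:
            self._drop(m)  # normal expiry
        if msg == "DHCPRELEASE" and mac in self.leases:
            self._drop(mac)  # explicit release by the client
        elif msg == "DHCPDISCOVER" and self.discover_releases and mac in self.leases:
            self._drop(mac)  # binding freed on an unauthenticated broadcast
        elif msg == "DHCPREQUEST":
            if mac in self.leases:  # renewal keeps the same address
                self.leases[mac] = (self.leases[mac][0], now + LEASE_TIME)
            elif self.free:  # new binding from the pool
                self.leases[mac] = (self.free.pop(0), now + LEASE_TIME)
        return self.leases.get(mac, (None, 0))[0]

# Constructed trace: (time, message, chaddr, sent_by_the_real_client)
TRACE = [
    (0,   "DHCPREQUEST",  "aa:aa:aa:aa:aa:aa", True),
    (100, "DHCPDISCOVER", "aa:aa:aa:aa:aa:aa", False),  # not sent by the lease holder
    (110, "DHCPREQUEST",  "bb:bb:bb:bb:bb:bb", True),
]

def replay(discover_releases, trace=TRACE, pool=("10.0.0.10",)):
    """Return the IPs that more than one host believes it holds at the end of the trace."""
    table, believed = LeaseTable(pool, discover_releases), {}
    for now, msg, mac, genuine in trace:
        ip = table.handle(now, msg, mac)
        if genuine and msg == "DHCPREQUEST" and ip:
            believed[mac] = (ip, now + LEASE_TIME)  # client-side view of its lease
    end = trace[-1][0]
    live = [ip for ip, exp in believed.values() if exp > end]
    return sorted({ip for ip in live if live.count(ip) > 1})
```

With `discover_releases=True` the single pool address ends up believed-held by both hosts; with `False` the original binding survives until expiry or an explicit DHCPRELEASE and the second host simply gets no address.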



