[unisog] Mac OS X 10.4.x "DHCP client sometimes remains BOUND after sending DHCPDISCOVER" bug
Keith Neufeld
keith.neufeld at wichita.edu
Wed Jan 31 13:05:24 UTC 2007
> Since September 2005 (yes, 2005) I've been seeing a DHCP client issue from
> Mac OS 10.4.x systems at Princeton University, where I maintain DHCP
> service.
>
> I reported it to Apple (Apple Bug Reporter Problem ID 4904550);
> Apple's examined it and confirmed that Mac OS X does indeed behave
> this way, and that they believe this behavior is correct (is consistent
> with RFC 2131). I believe the behavior violates RFC 2131.

I don't buy it. I mean, I don't buy it as a violation.

> Some time after obtaining a DHCP lease (entering the DHCP BOUND state), the
> client sends one or more DHCPDISCOVER packets. This implies the client has
> returned to the DHCP INIT state, relinquishing the old DHCP lease.

I don't see how that's implied. If the client still has a valid
lease, why would that lease not be valid for its duration, barring an
explicit DHCPRELEASE from the client? Where in the RFC does it state
that the server is privy to the current state of the client's state
machine, or permitted to behave based on educated guesses as to that
state?

> 3) Before the lease is due to expire, the client broadcasts a DHCPDISCOVER
> packet.
>
> Since the client is still attached to the same network, and is still
> using the same DHCP Client Identifier, this implies the client has
> entered the DHCP INIT state, implicitly relinquishing the old lease.

If a DHCPDISCOVER packet from a MAC address automatically means that
the MAC address relinquishes its claims on any lease(s) it has, then
there's a trivial new way to DoS an entire subnet--just watch
broadcast traffic long enough to collect MAC addresses, then
broadcast DHCPDISCOVER messages with spoofed MACs. Poof! All the
leases are invalidated--and best of all, the real clients don't even
know it!
I know that DHCP doesn't provide strong integrity against MAC
spoofing; but the consequences of this claim make DoSing just a
little too easy.
--
Keith Neufeld
Lead Network Engineer
Wichita State University
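
The lease policy argued for in the reply above, sketched as an added example that is not part of the original message or of any DHCP server's code: a lease ends only on DHCPRELEASE or expiry, and a DHCPDISCOVER from a still-bound client is kept and flagged for the log. It assumes leases are keyed on `chaddr` alone (a real server may key on the Client Identifier option), and `build`, `parse_dhcp` and `handle` are hypothetical names.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"      # DHCP magic cookie (RFC 2131)
DISCOVER, RELEASE = 1, 7         # option 53 message types (RFC 2132)

def build(mac, msg_type):
    """Constructed sample message: BOOTP header plus option 53 only."""
    hdr = struct.pack("!BBBB", 1, 1, 6, 0) + bytes(24)      # op..giaddr
    hdr += bytes.fromhex(mac.replace(":", "")) + bytes(10)  # chaddr, 16 bytes
    hdr += bytes(192)                                       # sname + file
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])

def parse_dhcp(pkt):
    """Return (client MAC, message type) from a raw BOOTP/DHCP payload."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = pkt[2]
    if hlen > 16:
        raise ValueError("bad hlen")
    mac, msg_type, i = pkt[28:28 + hlen].hex(":"), None, 240
    while i < len(pkt) and pkt[i] != 255:    # 255 = end option
        if pkt[i] == 0:                      # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        if pkt[i] == 53 and pkt[i + 1] == 1:
            msg_type = pkt[i + 2]
        i += 2 + pkt[i + 1]
    return mac, msg_type

def handle(leases, pkt, now):
    """Apply one message to leases {mac: expiry time}; return an event label."""
    mac, msg_type = parse_dhcp(pkt)
    active = leases.get(mac, 0) > now
    if msg_type == RELEASE and active:
        del leases[mac]                  # explicit release ends the lease
        return "released"
    if msg_type == DISCOVER and active:
        return "discover-while-bound"    # lease kept; event is worth logging
    return "other"

if __name__ == "__main__":
    leases = {"00:11:22:33:44:55": 1000}     # constructed lease table
    print(handle(leases, build("00:11:22:33:44:55", DISCOVER), 500), leases)
```
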