DHCP Authentication

peiffer at umn.edu peiffer at umn.edu
Mon Jun 30 13:47:24 UTC 2008


On Jun 30 2008, Randall C Grimshaw wrote:

> I suspect that you may be stuck with processes like 'dhcp snooping' to 
> help prevent rogue servers and the use of 'known client' groupings a.k.a. 
> 'deny unknown' to permit only registered machines to acquire addresses. 
> Other similar techniques are 802.1x or other smart relay approach. DHCP 
> itself is one of the vulnerable layer two protocols.
> 
>Randy
>

I don't know of any client or server that supports RFC3118. 

I personally do not believe it is the job of the DHCP server to do network 
admission control, but at least having the MAC address on file goes a long 
way toward identifying hosts. Therefore we use the 'known client' approach. 
Until 802.1X becomes commonplace or in areas where walled gardens provide 
edge credentials, the 'known client' is about all we have from the server 
perspective.

In addition to the 'known client' approach, we make heavy use of edge 
filters. If we assume that DHCP is vulnerable, controlling and securing 
Layer 1 from Johnny's $10.00 AP or mistakenly 'sharing' his ethernet 
connection is the better bet. No one can be a server unless we let them. 
Shutting off servers at the edge seems to be the most effective method we 
have come up with. But use of edge filters causes some maintenance 
problems when system admins want to 'jumpstart' or similar on their own 
hardware.

An example snippet:
interface GigabitEthernet1/0/1
 description customer edge port
 switchport access vlan XXX
 switchport mode access
 switchport nonegotiate
 ip access-group Access_IN in
[...]
ip access-list extended Access_IN
 remark * Standard Rogue DHCP Servers from customers filter *
 deny   udp any eq bootps any log
 permit ip any any

Tim Peiffer
Network Support Engineer
Networking and Telecommunications Services
University of Minnesota/NorthernLights GigaPOP
-
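The edge ACL above stops rogue servers at the port; a complementary detection check, as an added example that is not from this thread, is to watch for DHCPOFFER/DHCPACK packets whose server identifier (option 54) is not an authorised server. The packet bytes, addresses and allowlist below are constructed for illustration.

```python
"""Flag DHCP server replies whose server identifier (option 54) is not on
the allowlist of authorised DHCP servers. Sample data is constructed."""
import ipaddress
import struct
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
SERVER_MESSAGES = {2: "OFFER", 5: "ACK", 6: "NAK"}
# Constructed allowlist: the only DHCP server we operate on this segment.
TRUSTED_SERVERS = {ipaddress.IPv4Address("192.0.2.1")}

def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the TLV option field of a DHCP packet (RFC 2131/2132)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:          # single-byte pad, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options

def rogue_server(payload: bytes, trusted: set) -> Optional[str]:
    """Return a finding for a server reply from an untrusted server, else None."""
    opts = parse_dhcp_options(payload)
    kind = SERVER_MESSAGES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0])
    if kind is None:
        return None                  # client message, nothing to check
    sid = opts.get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        return f"{kind} without a valid server identifier"
    server = ipaddress.IPv4Address(sid)
    return None if server in trusted else f"{kind} from unauthorised server {server}"

def build_offer(server_ip: str) -> bytes:
    """Constructed minimal DHCPOFFER: 236-byte BOOTP header, cookie, options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         b"\0" * 4, b"\xc0\xa8\x01\x64", b"\0" * 4, b"\0" * 4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, 2, OPT_SERVER_ID, 4])
    return header + MAGIC_COOKIE + opts + ipaddress.IPv4Address(server_ip).packed + bytes([OPT_END])
```

Feed real packets by capturing UDP port 67/68 traffic and passing the DHCP payload to rogue_server.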
>________________________________
>
>From: dhcp-users-bounce at isc.org on behalf of Marco Amadori
>Sent: Mon 6/30/2008 3:13 AM
>To: dhcp-users at isc.org
>Subject: DHCP Authentication
>
>
>
>Hi DHCP Hackers,
>I really enjoy this software and I would like to thank you all for your
>contributions.
>
>I would like to ask about authentication since I have not found yet in the
>documentation or google how to let this software handle DHCP authentication
>of clients and servers.
>
> (My use case is that I have an untrusted network environment in which 
> clients need to receive only the DHCP services from correct servers, nor 
> possible rogue dhcp and in which servers must give addresses only to 
> authorized clients).
>
> Something like RFC 3118 [0] or any pre exchanged key mechanism will be 
> great.
>
>[0] http://tools.ietf.org/html/rfc3118
>--
>ESC:wq
>
