DHCP Authentication
peiffer at umn.edu
Mon Jun 30 13:47:24 UTC 2008
On Jun 30 2008, Randall C Grimshaw wrote:
> I suspect that you may be stuck with processes like 'dhcp snooping' to
> help prevent rogue servers and the use of 'known client' groupings a.k.a.
> 'deny unknown' to permit only registered machines to acquire addresses.
> Other similar techniques are 802.1x or other smart relay approach. DHCP
> itself is one of the vulnerable layer two protocols.
>
>Randy
>
I don't know of any client or server that supports RFC3118.
I personally do not believe it is the job of the DHCP server to do network
admission control, but at least having the MAC address on file goes a long
way toward identifying hosts. Therefore we use the 'known client' approach.
Until 802.1X becomes commonplace or in areas where walled gardens provide
edge credentials, the 'known client' is about all we have from the server
perspective.
In addition to the 'known client' approach, we make heavy use of edge
filters. If we assume that DHCP is vulnerable, controlling and securing
Layer 1 from Johnny's $10.00 AP or his mistakenly 'sharing' his ethernet
connection is the better bet. No one can be a server unless we let them.
Shutting off servers at the edge seems to be the most effective method we
have come up with. But use of edge filters causes some maintenance
problems when system admins want to 'jumpstart' or similar on their own
hardware.
An example snippet:
interface GigabitEthernet1/0/1
description customer edge port
switchport access vlan XXX
switchport mode access
switchport nonegotiate
ip access-group Access_IN in
[...]
ip access-list extended Access_IN
remark * Standard Rogue DHCP Servers from customers filter *
deny udp any eq bootps any log
permit ip any any
Tim Peiffer
Network Support Engineer
Networking and Telecommunications Services
University of Minnesota/NorthernLights GigaPOP
>________________________________
>
>From: dhcp-users-bounce at isc.org on behalf of Marco Amadori
>Sent: Mon 6/30/2008 3:13 AM
>To: dhcp-users at isc.org
>Subject: DHCP Authentication
>
>
>
>Hi DHCP Hackers,
>I really enjoy this software and I would like to thank you all for your
>contributions.
>
>I would like to ask about authentication, since I have not yet found in the
>documentation or on Google how to let this software handle DHCP authentication
>of clients and servers.
>
> (My use case is that I have an untrusted network environment in which
> clients need to receive DHCP services only from the correct servers, not
> from possible rogue DHCP servers, and in which servers must give addresses
> only to authorized clients).
>
> Something like RFC 3118 [0] or any pre-exchanged key mechanism would be
> great.
>
>[0] http://tools.ietf.org/html/rfc3118
>--
>ESC:wq
>
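The 'known client' policy the reply describes, written out as an added example of the ISC dhcpd configuration that implements it (this is not a snippet from the original post; the host names, MAC addresses and the 192.0.2.0/24 range are made up). A host declaration with a hardware ethernet clause is what makes a client "known"; deny unknown-clients refuses a lease to everyone else:

```conf
# Added example, not from the original post. Names, MACs and addresses
# are invented for illustration.

# A client with a matching host declaration is "known"; any other MAC is
# "unknown" and is refused a lease where deny unknown-clients applies.
host ws-lab-01 {
  hardware ethernet 00:11:22:33:44:55;
}
host ws-lab-02 {
  hardware ethernet 00:11:22:33:44:66;
}

subnet 192.0.2.0 netmask 255.255.255.0 {
  option routers 192.0.2.1;
  option domain-name-servers 192.0.2.1;

  pool {
    deny unknown-clients;        # registered MACs only; default is allow
    range 192.0.2.100 192.0.2.199;
    default-lease-time 3600;
    max-lease-time 7200;
  }
}
```

The default is allow unknown-clients, so the deny has to be stated explicitly in every subnet, shared-network or pool where it is wanted. Note that this keys on the MAC address the client presents, which the client controls; it records which registered machine a lease went to rather than authenticating it, which is the limitation the reply acknowledges and the reason it is paired with the edge filter.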
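What the edge ACL in the reply does and does not catch, as an added example that is not part of the original thread. The rule `deny udp any eq bootps any` keys on the source port (udp/67) and nothing else, so it drops every packet a normal server would emit on a customer port; DHCP snooping on an untrusted port instead looks at the message content (BOOTREPLY, server identifier) and so also catches a rogue that sends its offers from some other source port. The script below parses minimal DHCP messages and applies both views to a few constructed datagrams. Everything in it is assumed for illustration: the authorized-server list, the addresses and the sample packets are made up, and the parser handles only what the example needs.

```python
"""Added example (not from the original thread): classify UDP datagrams seen
on a customer edge port the way the port-based ACL and DHCP snooping would.

All addresses, the authorized-server list and the sample packets below are
constructed for illustration.
"""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
BOOTPS, BOOTPC = 67, 68          # udp/67 = bootps (server), udp/68 = bootpc

# Constructed allowlist of legitimate DHCP servers (compared against the
# server identifier option, or the source IP if the option is absent).
AUTHORIZED_SERVERS = {"192.0.2.1"}


def build_dhcp(op, msg_type, xid, chaddr, yiaddr="0.0.0.0", server_id=None):
    """Build a minimal BOOTP/DHCP message; used only to construct samples."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])                     # option 53: message type
    if server_id is not None:
        opts += bytes([54, 4]) + IPv4Address(server_id).packed  # option 54
    return hdr + MAGIC_COOKIE + opts + b"\xff"


def parse_dhcp(data):
    """Parse the fixed 236-byte header plus option TLVs; ValueError if malformed."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", data[:8])
    msg = {"op": op, "xid": xid,
           "yiaddr": IPv4Address(data[16:20]),
           "chaddr": data[28:28 + hlen], "options": {}}
    i = 240
    while i < len(data):
        tag = data[i]
        if tag == 255:                                   # end option
            break
        if tag == 0:                                     # pad option
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        msg["options"][tag] = value
        i += 2 + length
    return msg


def classify(src_ip, src_port, payload, authorized=AUTHORIZED_SERVERS):
    """Verdict for one UDP datagram arriving on a customer edge port.

    'acl-deny'  : 'deny udp any eq bootps any' drops it (source port 67),
                  before anything in the payload is examined.
    'rogue'     : a BOOTREPLY whose server identifier (or source address)
                  is not authorized; this is what DHCP snooping flags on an
                  untrusted port, and it catches replies sent from a
                  non-standard source port that the ACL lets through.
    'server'    : a BOOTREPLY from an authorized server.
    'client'    : ordinary client traffic (BOOTREQUEST).
    'malformed' : not parseable as DHCP.
    """
    if src_port == BOOTPS:
        return "acl-deny"
    try:
        msg = parse_dhcp(payload)
    except ValueError:
        return "malformed"
    if msg["op"] == BOOTREPLY:
        sid = msg["options"].get(54)
        server = str(IPv4Address(sid)) if sid and len(sid) == 4 else src_ip
        return "server" if server in authorized else "rogue"
    return "client"


# Constructed sample datagrams (src_ip, src_port, payload), not captured traffic.
CLIENT_MAC = bytes.fromhex("001122334455")
SAMPLES = [
    ("0.0.0.0", BOOTPC, build_dhcp(BOOTREQUEST, 1, 0x1234, CLIENT_MAC)),
    ("192.0.2.1", BOOTPS, build_dhcp(BOOTREPLY, 2, 0x1234, CLIENT_MAC,
                                     "192.0.2.50", "192.0.2.1")),
    ("192.0.2.9", 40000, build_dhcp(BOOTREPLY, 2, 0x1234, CLIENT_MAC,
                                    "10.9.9.9", "192.0.2.9")),
    ("192.0.2.9", BOOTPC, b"garbage"),
]


def audit(samples=SAMPLES, authorized=AUTHORIZED_SERVERS):
    """Classify every sample; returns the list of verdicts in order."""
    return [classify(ip, port, data, authorized) for ip, port, data in samples]


if __name__ == "__main__":
    for (ip, port, _), verdict in zip(SAMPLES, audit()):
        print(f"{ip}:{port} -> {verdict}")
```

The second sample shows the ACL doing its job on a customer port: even a reply from the legitimate server is dropped there, which is the intent (no server lives behind a customer port). The third sample is the case the ACL alone misses, a rogue offer sourced from udp/40000, which the content check catches because it inspects the BOOTREPLY opcode and option 54 rather than the port.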