DHCP Authentication

Marco Amadori amadorim at vdavda.com
Mon Jun 30 14:17:47 UTC 2008


On Monday 30 June 2008, 15:47:24, peiffer at umn.edu wrote:

> On Jun 30 2008, Randall C Grimshaw wrote:
> > I suspect that you may be stuck with processes like 'dhcp snooping' to
> > help prevent rogue servers and the use of 'known client' groupings a.k.a.
> > 'deny unknown' to permit only registered machines to acquire addresses.
> > Other similar techniques are 802.1x or other smart relay approach. DHCP
> > itself is one of the vulnerable layer two protocols.
> >
> > Randy
>
> I don't know of any client or server that supports RFC3118.

That is really good news :-)

> I personally do not believe it is the job of the DHCP server to do network
> admission control, but at least having the MAC address on file goes a long
> way toward identifying hosts.
> Therefore we use the 'known client' approach. 

This could easily be spoofed, but it is what I use here too, mainly out of laziness.

> Until 802.1X becomes commonplace or in areas where walled gardens provide
> edge credentials, the 'known client' is about all we have from the server
> perspective.

Even if it seemed otherwise, I wasn't talking about a wireless network but about a wired network 
where we cannot touch the switches. Imagine a medium-sized network (2000 nodes) 
where a lot of clients need some kind of DHCP service only from our 
server; other nodes exist which are not under our control (which could be 
either DHCP clients or servers) but which we should not interfere with.

So our clients need to accept only DHCP answers from the "right" server, and 
our DHCP server needs to serve only the "good" clients. 

The second part, server side, is already achieved via MAC + hostname + vendor 
ID, and although it is not secured via a key it is good enough right now.

The first requirement is the tricky one: a client would need to discard all 
DHCP answers and accept only those coming from an identified server.

> Shutting off servers at the edge seems to be the most effective method we
> have come up with.

Sure, we just can't do that in that environment.

Thanks for the answer.
-- 
ESC:wq
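Added example, not code from this thread or from any DHCP implementation: the client-side rule Marco describes (drop every DHCP answer that does not come from the identified server) written out against raw DHCP wire messages. It first filters on the server identifier (option 54), which any host on the segment can copy, and then requires the RFC 3118 "delayed authentication" option (option 90, HMAC-MD5) that peiffer mentions nobody ships. The option layout and the rule that hops, giaddr and the MAC field are zeroed before hashing follow RFC 3118 section 5 as I read it; the shared secret, secret ID, addresses, transaction ID, client MAC and all function names are constructed for the example.

```python
import hashlib
import hmac
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_AUTH, OPT_END, DHCPOFFER = 0, 53, 54, 90, 255, 2
HOPS_OFF, YIADDR_OFF, GIADDR_OFF, OPTIONS_OFF = 3, 16, 24, 240  # RFC 2131 fixed-header offsets
AUTH_LEN, MAC_IN_AUTH = 31, 15  # option 90 (delayed auth): 1+1+1+8+4 header bytes, then 16-byte MAC

def build_message(msg_type, xid, yiaddr, chaddr, options):
    """Minimal DHCP wire image: fixed header, magic cookie, option 53, other options, END."""
    op = 2 if msg_type in (2, 5, 6) else 1  # BOOTREPLY for OFFER/ACK/NAK, else BOOTREQUEST
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytearray(hdr + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type]))
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return bytes(body + bytes([OPT_END]))

def iter_options(msg):
    """Yield (code, value_offset, value) for each TLV option; PAD skipped, stops at END."""
    i = OPTIONS_OFF
    while i + 1 < len(msg) and msg[i] != OPT_END:
        if msg[i] == OPT_PAD:
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        yield code, i + 2, msg[i + 2:i + 2 + length]
        i += 2 + length

def parse_options(msg):
    return {code: value for code, _, value in iter_options(msg)}

def auth_option(replay_counter, secret_id):
    """Option 90 value: protocol 1 (delayed), algorithm 1 (HMAC-MD5), RDM 0 (counter), replay, secret ID, zero MAC."""
    return struct.pack("!BBBQI", 1, 1, 0, replay_counter, secret_id) + b"\0" * 16

def _auth_offset(msg):
    hits = (off for code, off, v in iter_options(msg) if code == OPT_AUTH and len(v) == AUTH_LEN)
    return next(hits, None)

def _mac_input(msg, auth_off):
    """RFC 3118 s5.1: hash the whole message with hops, giaddr and the MAC field zeroed (relays rewrite the first two)."""
    buf = bytearray(msg)
    buf[HOPS_OFF] = 0
    buf[GIADDR_OFF:GIADDR_OFF + 4] = b"\0" * 4
    buf[auth_off + MAC_IN_AUTH:auth_off + AUTH_LEN] = b"\0" * 16
    return bytes(buf)

def sign_message(msg, key):
    """Server side: fill the HMAC-MD5 field of the option 90 already present in msg."""
    off = _auth_offset(msg)
    if off is None:
        raise ValueError("no delayed-authentication option in message")
    out = bytearray(msg)
    out[off + MAC_IN_AUTH:off + AUTH_LEN] = hmac.new(key, _mac_input(msg, off), hashlib.md5).digest()
    return bytes(out)

def verify_message(msg, keys_by_id, last_replay):
    """Client side: option 90 present and well-formed, counter above the last accepted, known secret ID, MAC matches."""
    off = _auth_offset(msg)
    if off is None:
        return False
    protocol, algorithm, rdm, replay, secret_id = struct.unpack_from("!BBBQI", msg, off)
    if (protocol, algorithm, rdm) != (1, 1, 0) or replay <= last_replay or secret_id not in keys_by_id:
        return False
    expected = hmac.new(keys_by_id[secret_id], _mac_input(msg, off), hashlib.md5).digest()
    return hmac.compare_digest(expected, msg[off + MAC_IN_AUTH:off + AUTH_LEN])

def client_accepts_offer(msg, allowed_server_ids, keys_by_id, last_replay):
    """Drop OFFERs whose server identifier is unexpected, then require a valid RFC 3118 MAC (the identifier alone is copyable)."""
    opts = parse_options(msg)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]) or opts.get(OPT_SERVER_ID) not in allowed_server_ids:
        return False
    return verify_message(msg, keys_by_id, last_replay)

def _patch(msg, off, val):
    return msg[:off] + val + msg[off + len(val):]

# Constructed demo data (not from the thread): one legitimate server, one client key.
GOOD_SERVER = bytes([10, 0, 0, 1])
KEYS = {0x1234: b"constructed-shared-secret"}  # secret ID -> key shared with the client
CLIENT_MAC = bytes.fromhex("0011223344aa")

def make_offer(server_id, yiaddr, replay, secret_id):
    return build_message(DHCPOFFER, 0xDEADBEEF, yiaddr, CLIENT_MAC,
                         [(OPT_SERVER_ID, server_id), (OPT_AUTH, auth_option(replay, secret_id))])

def demo():
    good = sign_message(make_offer(GOOD_SERVER, bytes([10, 0, 0, 50]), 1, 0x1234), KEYS[0x1234])
    rogue = make_offer(GOOD_SERVER, bytes([192, 168, 1, 9]), 2, 0x1234)  # copies server ID, has no key
    tampered = _patch(good, YIADDR_OFF, bytes([192, 168, 1, 9]))  # yiaddr altered after signing
    relayed = _patch(_patch(good, HOPS_OFF, b"\x01"), GIADDR_OFF, bytes([10, 0, 0, 254]))
    cases = {"good": good, "rogue": rogue, "tampered": tampered, "relayed": relayed}
    result = {name: client_accepts_offer(m, {GOOD_SERVER}, KEYS, 0) for name, m in cases.items()}
    result["replayed"] = client_accepts_offer(good, {GOOD_SERVER}, KEYS, 1)  # counter not above last seen
    return result

if __name__ == "__main__":
    print(demo())
```

Without `verify_message` the `rogue` case would be accepted, since the server identifier is just a field any host on the segment can fill in; the HMAC is what ties the answer to a server holding the per-client secret. That secret has to be provisioned to every client out of band and indexed by secret ID, which is the deployment cost behind the observation that no client or server supports RFC 3118.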
