securing failover

David Zych dmrz at illinois.edu
Tue Nov 3 16:43:49 UTC 2009


Can anyone at least confirm or deny my suspicion that ISC dhcpd does not 
support using message digests or TLS to authenticate failover peers to 
each other?

David


David Zych wrote:
> Hi,
> 
> I'm putting together a DHCP deployment with two servers using the 
> failover protocol.  My test setup seems to be functioning properly 
> (leases can still be issued and renewed when one or the other server is 
> taken down), but I am concerned about security... as far as I can tell, 
> the usual configuration pattern laid out in tutorials like this one 
> (http://www.madboa.com/geek/dhcp-failover/) means that anyone capable of 
> spoofing an IP address can impersonate one failover peer to the other 
> one and confuse it with bogus BNDUPD messages.  While I realize that 
> DHCP itself is inherently insecure and vulnerable to other kinds of DoS 
> attacks, it seems to me that this particular additional attack vector 
> could potentially cause bigger headaches than the traditional ones (by 
> being trickier to detect and recover from).
> 
> http://tools.ietf.org/html/draft-ietf-dhc-failover-07 discusses two 
> possible approaches for authenticating failover peers to each other: 
> message digests using a simple shared secret, and TLS, either of which 
> would most likely serve my purposes admirably.  However, I cannot find 
> any information on how to configure ISC DHCP to use either of these -- I 
> don't see any promising-looking directives listed in the dhcpd.conf 
> manpage, and thus far Google has not availed me either.  Have I missed 
> something, or is this not supported by ISC DHCP?  (and if the latter, 
> how do people using the failover protocol mitigate the risk?)
> 
> Thanks,
> David
> 

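To make the risk in the quoted message concrete, here is an added illustration (not part of the original post, and not ISC DHCP or draft-ietf-dhc-failover code) of the shared-secret message-digest idea the draft describes: a peer appends an HMAC keyed by the shared secret to each failover message, so a BNDUPD forged by a host that can only spoof the source IP, or a genuine message altered in flight, fails verification. The message layout, the BNDUPD type value and the secret are constructed for this example and are not the real wire format.

```python
import hashlib
import hmac
import struct

# Constructed, simplified failover-style message: 1-byte type, 4-byte
# transaction id, then an opaque payload. NOT the draft's real encoding.
BNDUPD = 0x02                      # hypothetical type value for this example
DIGEST_LEN = hashlib.sha256().digest_size   # 32 bytes for HMAC-SHA256
HEADER_LEN = struct.calcsize("!BI")         # 5 bytes

SHARED_SECRET = b"example-peer-secret"      # constructed for the example


def encode_message(msg_type: int, xid: int, payload: bytes) -> bytes:
    """Pack the minimal header followed by the payload."""
    return struct.pack("!BI", msg_type, xid) + payload


def sign_message(secret: bytes, message: bytes) -> bytes:
    """Append an HMAC-SHA256 over the whole message, keyed by the peers' secret."""
    return message + hmac.new(secret, message, hashlib.sha256).digest()


def verify_message(secret: bytes, signed: bytes):
    """Return (accepted, message). Reject on missing or mismatching digest."""
    if len(signed) < HEADER_LEN + DIGEST_LEN:
        return False, b""
    message, digest = signed[:-DIGEST_LEN], signed[-DIGEST_LEN:]
    expected = hmac.new(secret, message, hashlib.sha256).digest()
    # constant-time comparison so verification timing leaks nothing
    if not hmac.compare_digest(digest, expected):
        return False, b""
    return True, message


def demo():
    """Genuine, spoofed, tampered and unsigned BNDUPD messages seen by a peer."""
    payload = b"lease 192.0.2.10 ACTIVE"          # constructed sample binding
    raw = encode_message(BNDUPD, 7, payload)
    genuine = sign_message(SHARED_SECRET, raw)
    spoofed = sign_message(b"attacker-guess", raw)        # wrong secret
    tampered = genuine[:HEADER_LEN] + b"L" + genuine[HEADER_LEN + 1:]
    return {
        "genuine": verify_message(SHARED_SECRET, genuine)[0],
        "spoofed": verify_message(SHARED_SECRET, spoofed)[0],
        "tampered": verify_message(SHARED_SECRET, tampered)[0],
        "unsigned": verify_message(SHARED_SECRET, raw)[0],
    }


if __name__ == "__main__":
    print(demo())
```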