securing failover

Glenn Satchell Glenn.Satchell at uniq.com.au
Wed Nov 4 00:34:54 UTC 2009


Hi David

No suspicion required. There is no encryption/authentication support.

I think most just don't consider the risk high enough. Anyone who can
be on your network and spoof BNDUPD packets could do a whole lot worse
things more easily, eg spoof DNS server, default gateway, mail server,
and so on. They could spoof the whole DHCP server and return leases
with bogus routers, dns servers, etc.

The simplest way around this would be to employ a host-to-host VPN
between your servers, and direct all the dhcp inter-server traffic
across this. openvpn or stunnel are two possibilities.

regards,
-glenn
--
Glenn Satchell   mailto:glenn.satchell at uniq.com.au | Miss 9: What do you
Uniq Advances Pty Ltd       http://www.uniq.com.au | do at work Dad?
PO Box 70 Paddington NSW Australia 2021            | Miss 6: He just
tel:0409-458-580     fax:02-9380-6416              | types random stuff.
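Worked example of the stunnel approach suggested above. This is added illustration, not configuration from the thread or from the ISC or stunnel projects. It assumes two peers, 10.0.0.1 (primary) and 10.0.0.2 (secondary), a private CA whose certificate is in failover-ca.pem, one certificate per peer signed by that CA, and that dhcpd is happy to identify its peer by loopback address plus port (the failover TCP port 647, the stunnel ports 6470/6471, and the file paths are all constructed for this example). Each host runs two tunnel sections: one accepting the peer's TLS connection and handing it to the local dhcpd in the clear, and one accepting the local dhcpd's cleartext connection and wrapping it in TLS to the peer. With `verify = 2` and `CAfile`, stunnel rejects any peer that cannot present a certificate from the shared CA, which is what closes the BNDUPD-spoofing gap: a spoofed source address alone no longer gets a connection to dhcpd, and the failed handshakes show up in stunnel's log.

```ini
; ---- /etc/stunnel/dhcp-failover.conf on the PRIMARY (10.0.0.1); hypothetical paths ----
cert   = /etc/stunnel/primary.pem          ; this peer's certificate + key (assumed)
CAfile = /etc/stunnel/failover-ca.pem      ; the private CA both peers trust (assumed)
verify = 2                                 ; require a peer certificate signed by CAfile
debug  = 5                                 ; log handshake failures (rejected peers)

; Inbound: secondary's stunnel connects here over TLS; decrypted bytes go to local dhcpd
[failover-in]
accept  = 10.0.0.1:6470
connect = 127.0.0.1:647

; Outbound: local dhcpd connects to 127.0.0.1:6471 in the clear; stunnel carries it over TLS
[failover-out]
client  = yes
accept  = 127.0.0.1:6471
connect = 10.0.0.2:6470

; ---- matching failover stanza in dhcpd.conf on the PRIMARY (ISC dhcpd syntax) ----
; failover peer "dhcp-failover" {
;   primary;
;   address 127.0.0.1;          ; listen only on loopback, so only stunnel can reach it
;   port 647;
;   peer address 127.0.0.1;     ; the "peer" is the local stunnel client section
;   peer port 6471;
;   max-response-delay 60;
;   max-unacked-updates 10;
;   mclt 3600;
;   split 128;
;   load balance max seconds 3;
; }

; The SECONDARY (10.0.0.2) mirrors this: cert = secondary.pem, [failover-in] accepts on
; 10.0.0.2:6470, [failover-out] connects to 10.0.0.1:6470, and its dhcpd.conf stanza says
; "secondary;" with the same loopback address/port pairs (mclt and split are primary-only).
```

Binding dhcpd to 127.0.0.1 is what makes the tunnel mandatory rather than optional: nothing on the LAN can reach port 647 directly, so the only path to the failover state machine is through a TLS session that stunnel has already authenticated against the shared CA. A host firewall rule allowing 6470 only from the peer's address adds a second, cheap check.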

>Date: Tue, 3 Nov 2009 10:43:49 -0600
>From: David Zych <dmrz at illinois.edu>
>
>Can anyone at least confirm or deny my suspicion that ISC dhcpd does not 
>support using message digests or TLS to authenticate failover peers to 
>each other?
>
>David
>
>
>David Zych wrote:
>> Hi,
>> 
>> I'm putting together a DHCP deployment with two servers using the 
>> failover protocol.  My test setup seems to be functioning properly 
>> (leases can still be issued and renewed when one or the other server is 
>> taken down), but I am concerned about security... as far as I can tell, 
>> the usual configuration pattern laid out in tutorials like this one 
>> (http://www.madboa.com/geek/dhcp-failover/) means that anyone capable of 
>> spoofing an ip address can impersonate one failover peer to the other 
>> one and confuse it with bogus BNDUPD messages.  While I realize that 
>> DHCP itself is inherently insecure and vulnerable to other kinds of DoS 
>> attacks, it seems to me that this particular additional attack vector 
>> could potentially cause bigger headaches than the traditional ones (by 
>> being trickier to detect and recover from).
>> 
>> http://tools.ietf.org/html/draft-ietf-dhc-failover-07 discusses two 
>> possible approaches for authenticating failover peers to each other: 
>> message digests using a simple shared secret, and TLS, either of which 
>> would most likely serve my purposes admirably.  However, I cannot find 
>> any information on how to configure ISC DHCP to use either of these -- I 
>> don't see any promising-looking directives listed in the dhcpd.conf 
>> manpage, and thus far Google has not availed me either.  Have I missed 
>> something, or is this not supported by ISC DHCP?  (and if the latter, 
>> how do people using the failover protocol mitigate the risk?)
>> 
>> Thanks,
>> David
>> 
>_______________________________________________
>dhcp-users mailing list
>dhcp-users at lists.isc.org
>https://lists.isc.org/mailman/listinfo/dhcp-users