securing failover

David Zych dmrz at
Fri Oct 30 16:30:49 UTC 2009


I'm putting together a DHCP deployment with two servers using the 
failover protocol.  My test setup seems to be functioning properly 
(leases can still be issued and renewed when one or the other server is 
taken down), but I am concerned about security... as far as I can tell, 
the usual configuration pattern laid out in tutorials like this one 
( means that anyone capable of 
spoofing an ip address can impersonate one failover peer to the other 
one and confuse it with bogus BNDUPD messages.  While I realize that 
DHCP itself is inherently insecure and vulnerable to other kinds of DoS 
attacks, it seems to me that this particular additional attack vector 
could potentially cause bigger headaches than the traditional ones (by 
being trickier to detect and recover from). discusses two 
possible approaches for authenticating failover peers to each other: 
message digests using a simple shared secret, and TLS, either of which 
would most likely serve my purposes admirably.  However, I cannot find 
any information on how to configure ISC DHCP to use either of these -- I 
don't see any promising-looking directives listed in the dhcpd.conf 
manpage, and thus far Google has not availed me either.  Have I missed 
something, or is this not supported by ISC DHCP?  (and if the latter, 
how do people using the failover protocol mitigate the risk?)


More information about the dhcp-users mailing list