Applicability
DHCP is also recommended for servers whose addresses rarely change, so that if a
server needs to be readdressed (RFC 2071), changes need be made in as few
places as possible. For devices such as routers and firewalls that should not use
DHCP, it can be useful to put Trivial File Transfer Protocol (TFTP) or SSH servers
on the same host that runs DHCP, which serves to centralize administration.
Many DHCP servers can manage hosts by more than one of the above methods.
For example, the known hosts on the network can be assigned an IP address based
on their MAC address (static allocation) whereas "guest" computers (such as laptops
via WiFi) are allocated a temporary IP address out of a pool compatible with the
network to which they're attached (dynamic allocation).
Firewalls usually have to permit DHCP traffic explicitly. The DHCP client-server
protocol specification describes several cases in which packets must carry the source
address 0.0.0.0 (0x00000000) or the destination address 255.255.255.255 (0xffffffff).
Anti-spoofing rules and tight default-deny firewall policies often drop such packets.
Multi-homed DHCP servers require special consideration and more complicated
configuration.
where dhcp-ip represents any address configured on a DHCP server host and
dhcp-pool stands for the pool from which a DHCP server assigns addresses to
clients.
To give an idea of how a configuration looks in production, the following rules for a
server-side ipfw firewall allow DHCP traffic through. Here dhcpd operates on
interface rl0 and assigns addresses from 192.168.0.0/24:
The following entries are valid on a Cisco 3560 switch with the DHCP service enabled.
The ACL is applied on input to a routed interface with address 10.32.73.129; the
subnet is 10.32.73.128/26.
DHCP uses the same two IANA assigned ports as BOOTP: 67/udp for the server
side, and 68/udp for the client side.
DHCP operations fall into four basic phases. These phases are IP discovery, IP
lease offer, IP request, and IP lease acknowledgement.
After the client has obtained an IP address, it may issue an Address Resolution
Protocol (ARP) query to detect IP conflicts caused by overlapping address pools on
different DHCP servers.
The client broadcasts on the physical subnet to find available servers. Network
administrators can configure a local router to forward DHCP packets to a DHCP
server on a different subnet. The client creates a UDP packet with the broadcast
destination 255.255.255.255 or the subnet-specific broadcast address.
A client can also request its last-known IP address (in the example below,
192.168.1.100). If the client is still in a network where this IP is valid, the server
might grant the request. Otherwise, it depends on whether the server is set up as
authoritative or not. An authoritative server will deny the request, making the client
ask for a new IP immediately. A non-authoritative server simply ignores the request,
leading to an implementation-dependent timeout before the client gives up on the
request and asks for a new IP address.
The server determines the configuration, based on the client's hardware address as
specified in the CHADDR (Client Hardware Address) field. Here the server,
192.168.1.1, specifies the IP address in the YIADDR (Your IP Address) field.
A client can receive DHCP offers from multiple servers, but it will accept only one
DHCP offer and broadcast a DHCP request message. Based on the Transaction ID field
in the request, servers are informed whose offer the client has accepted. When
other DHCP servers receive this message, they withdraw any offers that they might
have made to the client and return the offered address to the pool of available
addresses.
When the DHCP server receives the DHCPREQUEST message from the client, the
configuration process enters its final phase. The acknowledgement phase
involves sending a DHCPACK packet to the client. This packet includes the lease
duration and any other configuration information that the client might have
requested. At this point, the IP configuration process is complete.
The client is expected to configure its network interface with the negotiated
parameters.
DHCPDISCOVER (UDP: Src=0.0.0.0 sPort=68, Dest=255.255.255.255 dPort=67)
  OP=0x01  HTYPE=0x01  HLEN=0x06  HOPS=0x00
  XID=0x3903F326
  SECS=0x0000  FLAGS=0x0000
  CIADDR=0x00000000
  YIADDR=0x00000000
  SIADDR=0x00000000
  GIADDR=0x00000000
  CHADDR=0x00053C04 0x8D590000 0x00000000 0x00000000
  192 octets of 0s (BOOTP legacy)
  Magic Cookie=0x63825363
  DHCP Options:
    DHCP option 53: DHCP Discover
    DHCP option 50: 192.168.1.100 requested
    DHCP option 55: Parameter Request List:
The client sends a DHCP Inform message to the DHCP server either to request more
information than the server sent with the original DHCPOFFER, or to repeat data for a
particular application; for example, browsers use DHCP Inform to obtain web proxy
settings via WPAD. Such queries do not cause the DHCP server to refresh the IP expiry
time in its database.
The client sends a request to the DHCP server to release the DHCP information and
the client deactivates its IP address. As clients usually do not know when users may
unplug them from the network, the protocol does not mandate the sending of DHCP
Release.
A DHCP server can provide optional configuration parameters to the client. RFC
2132 describes the available DHCP options, which are registered by the Internet
Assigned Numbers Authority (IANA) in its "DHCP and BOOTP Parameters" registry.
Options
Option code 0x00 (Pad) carries no meaning; it is used only for byte alignment and,
unlike every other option, is NOT followed by a length byte.
Security
Having been standardized before network security became a significant issue, the
basic DHCP protocol includes no security features and is potentially vulnerable to
two types of attacks:[1]
* Unauthorized DHCP servers: because a client cannot specify which server it wants
to use, an unauthorized server can respond to client requests and send the client
network configuration values that benefit the attacker. For example, an attacker can
hijack the DHCP process to configure clients to use a malicious DNS server or
router (see also DNS cache poisoning).
* Unauthorized DHCP clients: by masquerading as a legitimate client, an
unauthorized client can gain access to network configuration and an IP address on a
network it should not otherwise be allowed to use. Also, by flooding the DHCP server
with requests for IP addresses, an attacker can exhaust the pool of available IP
addresses, disrupting normal network activity (a denial-of-service attack).
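The message layout shown in the DHCPDISCOVER dump above (fixed header, magic cookie 0x63825363, TLV options with the length-less Pad option) and the unauthorized-server risk described in this section can be exercised together. The following Python is an added example, not part of the original article: it parses a DHCP message and then flags DHCPOFFER/DHCPACK messages whose Server Identifier (option 54) is not on an allowlist of authorized servers. The sample messages are constructed, reusing the client MAC and XID from the dump; the authorized server 192.168.1.1 (the server named in the offer description) and the unknown server 192.168.1.250 are assumed values.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"                    # marks the start of the DHCP options
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE", 8: "INFORM"}

def parse_dhcp(payload: bytes) -> dict:
    """Parse the 236-byte BOOTP header, the magic cookie and the TLV option list."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or missing magic cookie)")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = IPv4Address(payload[16:20])               # "Your IP address" offered to the client
    chaddr = payload[28:28 + hlen].hex(":")            # client MAC, e.g. 00:05:3c:04:8d:59
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:                            # option 0: alignment only, no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option %d" % code)
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype, sid = opts.get(OPT_MSG_TYPE), opts.get(OPT_SERVER_ID)
    return {"op": op, "xid": xid, "chaddr": chaddr, "yiaddr": yiaddr, "options": opts,
            "type": MSG_TYPES.get(mtype[0], "UNKNOWN") if mtype else "UNKNOWN",
            "server_id": IPv4Address(sid) if sid else None}

def build_dhcp(op: int, xid: int, mac: bytes, yiaddr: str, options: bytes) -> bytes:
    """Build a minimal DHCP message; used here only to construct sample input."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0) + b"\0" * 4 + IPv4Address(yiaddr).packed
    hdr += b"\0" * 8 + mac.ljust(16, b"\0") + b"\0" * 192   # siaddr, giaddr, chaddr, sname, file
    return hdr + MAGIC_COOKIE + options + bytes([OPT_END])

def rogue_server_alerts(messages, authorized_servers):
    """Flag OFFER/ACK messages whose Server Identifier (option 54) is not an approved server."""
    authorized = {IPv4Address(a) for a in authorized_servers}
    return [(m["type"], str(m["server_id"]), m["chaddr"], str(m["yiaddr"]))
            for m in map(parse_dhcp, messages)
            if m["type"] in ("OFFER", "ACK") and m["server_id"] not in authorized]
# Constructed sample traffic, not a capture: the page's client (MAC 00:05:3C:04:8D:59, XID
# 0x3903F326) is offered 192.168.1.100 by 192.168.1.1 and 192.168.1.77 by an unknown 192.168.1.250.
CLIENT_MAC = bytes.fromhex("00053C048D59")
SAMPLE_MESSAGES = [
    build_dhcp(1, 0x3903F326, CLIENT_MAC, "0.0.0.0", bytes([53, 1, 1, 50, 4]) + IPv4Address("192.168.1.100").packed),
    build_dhcp(2, 0x3903F326, CLIENT_MAC, "192.168.1.100", bytes([53, 1, 2, 0, 54, 4]) + IPv4Address("192.168.1.1").packed),
    build_dhcp(2, 0x3903F326, CLIENT_MAC, "192.168.1.77", bytes([53, 1, 2, 54, 4]) + IPv4Address("192.168.1.250").packed),
]
```

Running `rogue_server_alerts(SAMPLE_MESSAGES, ["192.168.1.1"])` returns only the offer from 192.168.1.250; the second sample deliberately contains a Pad byte before option 54 to show that the parser skips it without reading a length.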