
DHCP Security Features Technology White Paper

Hangzhou H3C Technologies Co., Ltd. 1/13



DHCP Security Features Technology White Paper
Keywords: DHCP, DHCP server, DHCP relay agent, DHCP client, DHCP snooping.
Abstract: This document introduces the DHCP snooping security features, including the
background, application, and implementation of the features on the low-end Ethernet
switches developed by H3C Technologies Co., Ltd (hereinafter referred to as H3C). It
also compares the security features of the DHCP relay agent and DHCP snooping to help
you understand and select products.
Acronyms:
Acronym | Full spelling
DHCP    | Dynamic Host Configuration Protocol
BOOTP   | Bootstrap Protocol
ARP     | Address Resolution Protocol

Table of Contents
1 Overview  3
2 Background  3
  2.1 Benefits  3
  2.2 Application Scenarios  4
    2.2.1 Unauthorized DHCP Server Attack  4
    2.2.2 ARP Man-in-the-Middle Attack  5
    2.2.3 IP/MAC Spoofing Attack  6
    2.2.4 DHCP Packet Flooding Attack  6
  2.3 Restrictions  7
3 Security Features  7
  3.1 Terminology  7
  3.2 Protocols and Standards  8
  3.3 DHCP Snooping Security Features  8
    3.3.1 Creating and Aging DHCP Snooping Entries  8
    3.3.2 DHCP Snooping Trusted Ports  9
    3.3.3 ARP Attack Detection  9
    3.3.4 IP Filtering  11
    3.3.5 DHCP Packet Rate Limit  11
  3.4 Comparison Between DHCP Snooping and DHCP Relay Agent Security Features  12
4 Application Scenarios  12
5 Summary and Prospects  13
6 References  13
7 Appendix  13


1 Overview
The Dynamic Host Configuration Protocol (DHCP) was developed based on the
Bootstrap Protocol (BOOTP). It is an enhancement and extension of BOOTP.

Figure 1 Network diagram for DHCP
For detailed information about the client/server communication model, the DHCP message
format, and the operation of the DHCP client, DHCP server, and DHCP relay agent, refer to
the DHCP Technology White Paper.
2 Background
Because DHCP provides no authentication mechanism between clients and servers,
network security problems may arise if multiple DHCP servers exist on a network. For
example, an unauthorized DHCP server may assign invalid IP addresses, DNS server
information, or gateway addresses to clients in order to intercept their traffic.
To solve such problems, H3C provides the DHCP relay agent and DHCP snooping
features on switches. With the DHCP relay agent enabled at the network layer or DHCP
snooping enabled at the data link layer, a switch can record clients' IP-to-MAC
bindings from DHCP messages and cooperate with other modules to enhance
network security.
2.1 Benefits
DHCP snooping runs on Layer 2 access devices. A DHCP snooping enabled device
can create and maintain DHCP snooping entries, which contain clients' IP-to-MAC
bindings obtained from valid DHCP messages. DHCP snooping can cooperate with
other modules to improve network security.
A DHCP relay agent works at the network layer and provides functions similar to those
of a DHCP snooping enabled device. It can record clients' IP-to-MAC bindings and
usually cooperates with ARP to implement security features.
2.2 Application Scenarios
The DHCP relay agent and DHCP snooping security features are mainly used on
access layer switches to prevent Layer 2 attacks.
Table 1 Security features vs. attacks
Attack                          | Security features
Unauthorized DHCP server attack | DHCP snooping, DHCP snooping trusted port features
ARP man-in-the-middle attack    | DHCP snooping, ARP detection features
IP/MAC spoofing attack          | DHCP snooping, IP filtering features
DHCP packet flooding attack     | DHCP packet rate limit features

2.2.1 Unauthorized DHCP Server Attack
Unauthorized DHCP servers, which may appear in the following ways, cause security
problems on networks.
- A user configures a DHCP server by mistake.
- A hacker exhausts the IP addresses of an authorized DHCP server and then assigns
  IP addresses and other configuration parameters to clients. For example, the server
  may assign a modified DNS server address to a client, causing the client to access a
  false financial or e-commerce website, so that the client's account and password can
  be obtained.

Figure 2 Network diagram for unauthorized DHCP server attack
To prevent such attacks, H3C low-end Ethernet switches provide the DHCP snooping
trusted port feature. DHCP responses received from trusted ports are processed,
while those received from untrusted ports are discarded, preventing DHCP clients
from obtaining IP addresses from unauthorized DHCP servers.
2.2.2 ARP Man-in-the-Middle Attack
According to the ARP design, after receiving an ARP response, a host adds the IP-to-
MAC mapping of the sender to its ARP mapping table even if the MAC address is
not the real one. This reduces ARP traffic in the network, but it also makes ARP
spoofing possible.
In Figure 3, Host A communicates with Host C through a switch. To intercept the
traffic between Host A and Host C, the hacker (Host B) sends forged ARP reply
messages to Host A and Host C respectively, causing the two hosts to update the
MAC address corresponding to the peer IP address in their ARP tables with the MAC
address of Host B. In this way, traffic between Host A and Host C passes through Host B,
which acts as a man in the middle and can modify the information. Such an attack is
called a man-in-the-middle attack.

Figure 3 Network diagram for ARP man-in-the-middle attack
To guard against man-in-the-middle attacks, H3C low-end Ethernet switches provide
the ARP detection feature, which uses dynamic and static DHCP snooping entries to
detect invalid ARP packets and discard them.
2.2.3 IP/MAC Spoofing Attack
MAC spoofing, IP spoofing, and IP/MAC spoofing attacks are common spoofing
attacks. In such an attack, a hacker sends packets with a forged source address to
access networks or to obtain privileges tied to an IP or MAC address. The same method
is also used in denial of service (DoS) attacks.
To guard against IP/MAC spoofing attacks, H3C low-end Ethernet switches provide
the IP filtering feature. With this feature enabled on a port, the switch filters packets
on the port by matching their source addresses against the dynamic and static DHCP
snooping entries, and packets that do not match are discarded. The feature can also
help avoid address conflicts.
2.2.4 DHCP Packet Flooding Attack
If an attacker sends a large number of DHCP requests to a DHCP server, all IP
addresses on the server will be assigned, and many legitimate DHCP clients will
therefore be unable to obtain IP addresses. In addition, if a DHCP snooping switch
exists between the attacker and the server, both the DHCP snooping switch and the
DHCP server may be overloaded while processing the DHCP packets.

To guard against DHCP packet flooding attacks, H3C low-end Ethernet switches
provide the DHCP packet rate limit feature, which shuts down any port that is under
such an attack.
2.3 Restrictions
- The DHCP relay agent and DHCP snooping functions are mutually exclusive. For
  example, to enable DHCP snooping on a switch, you must first disable the DHCP
  relay agent function if it is enabled.
- The port of a DHCP snooping device that is connected to an authorized DHCP
  server should be specified as a trusted port to ensure that associated DHCP
  clients can obtain valid IP addresses. The trusted port and the ports connected to
  the DHCP clients must be in the same VLAN.
- Configuring both DHCP snooping and selective QinQ on a switch is not
  recommended, because doing so may cause DHCP snooping to malfunction.
- Before configuring IP filtering, you must enable DHCP snooping and specify
  trusted ports on the switch.
- Configuring IP filtering on the ports of an aggregation group is not recommended.
- If a switch has IRF configured, configuring IP filtering on the ports of the fabric is
  not recommended.
3 Security Features
3.1 Terminology
- DHCP server: A DHCP server assigns IP addresses and other configuration
  information to DHCP clients.
- DHCP client: A DHCP client dynamically obtains an IP address through DHCP.
- DHCP relay agent: A DHCP relay agent forwards DHCP messages between a
  DHCP server and a DHCP client on different subnets.
- DHCP snooping: A DHCP snooping enabled device records clients' IP-to-MAC
  bindings from DHCP messages at Layer 2.
- DHCP security: DHCP security features manage the IP addresses of valid users.

3.2 Protocols and Standards
- RFC 951: Bootstrap Protocol (BOOTP)
- RFC 1497: BOOTP Vendor Information Extensions
- RFC 1542: Clarifications and Extensions for the Bootstrap Protocol
- RFC 2131: Dynamic Host Configuration Protocol
- RFC 2132: DHCP Options and BOOTP Vendor Extensions
- RFC 3046: DHCP Relay Agent Information Option
3.3 DHCP Snooping Security Features
3.3.1 Creating and Aging DHCP Snooping Entries
With DHCP snooping enabled, an H3C low-end Ethernet switch listens to either
DHCP-REQUEST broadcasts or DHCP-ACK unicasts, depending on the network
environment, and records the configuration information of clients in a DHCP snooping
table, including IP addresses, MAC addresses, VLAN IDs, ports, and lease times, as
shown in Figure 4.

Figure 4 DHCP-snooping table
H3C low-end switches support aging and removing DHCP snooping entries based on
their leases, to save system resources and ensure network security. When a DHCP
snooping entry is recorded, a 20-second timer is started; that is, the DHCP snooping
entry is checked every 20 seconds. The system determines whether the entry has expired
by comparing the entry's lease time with the difference between the current system time
and the time the entry was added. If the lease time of the entry is smaller than that
difference, the entry is aged out.
The disadvantage is that if an IP address has an unlimited or very long lease time,
the corresponding DHCP snooping entry cannot be aged out in a timely manner.
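As an added example (not code from this white paper or from H3C products), the following Python parses a constructed DHCP-ACK into a snooping entry and applies the lease-based aging rule described above; the port name, VLAN ID and addresses are assumed values.

```python
import struct

DHCP_ACK = 5
OPT_PAD, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_END = 0, 51, 53, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def parse_dhcp(payload):
    """Return (msg_type, yiaddr, chaddr, lease_seconds) from a raw DHCP message."""
    op, htype, hlen = struct.unpack_from("!BBB", payload, 0)
    yiaddr = ".".join(str(b) for b in payload[16:20])              # IP assigned to the client
    chaddr = ":".join("%02x" % b for b in payload[28:28 + hlen])    # client hardware (MAC) address
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    msg_type, lease, i = None, None, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == OPT_MSG_TYPE:
            msg_type = value[0]
        elif code == OPT_LEASE_TIME:
            lease = struct.unpack("!I", value)[0]
        i += 2 + length
    return msg_type, yiaddr, chaddr, lease

class SnoopingTable:
    """DHCP snooping entries keyed by (IP, VLAN), aged by lease as described in 3.3.1."""

    def __init__(self):
        self.entries = {}

    def learn(self, payload, vlan, port, now):
        """Record an entry from a DHCP-ACK received on (vlan, port); other types are ignored."""
        msg_type, ip, mac, lease = parse_dhcp(payload)
        if msg_type != DHCP_ACK or lease is None:
            return None
        entry = {"ip": ip, "mac": mac, "vlan": vlan, "port": port, "lease": lease, "added": now}
        self.entries[(ip, vlan)] = entry
        return entry

    def age(self, now):
        """Run every 20 s: an entry expires when its lease is shorter than the time since it was
        added. A lease of 0xFFFFFFFF (unlimited) therefore never ages out, the drawback noted above."""
        expired = [k for k, e in self.entries.items() if e["lease"] < now - e["added"]]
        for k in expired:
            del self.entries[k]
        return len(expired)

def build_ack(yiaddr, mac, lease):
    """Constructed DHCP-ACK (no real server involved), used only to exercise the table."""
    hdr = struct.pack("!BBBB", 2, 1, 6, 0) + b"\x00" * 12            # op=BOOTREPLY; xid, secs, flags, ciaddr = 0
    hdr += bytes(int(x) for x in yiaddr.split(".")) + b"\x00" * 8     # yiaddr, then siaddr and giaddr = 0
    hdr += bytes.fromhex(mac.replace(":", "")) + b"\x00" * 10 + b"\x00" * 192  # chaddr (16), sname, file
    opts = bytes([OPT_MSG_TYPE, 1, DHCP_ACK, OPT_LEASE_TIME, 4]) + struct.pack("!I", lease) + bytes([OPT_END])
    return hdr + MAGIC_COOKIE + opts
```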

3.3.2 DHCP Snooping Trusted Ports
You can specify a port to be a trusted port or an untrusted port on a DHCP snooping
device.
- Trusted: A trusted port is connected to an authorized DHCP server directly or
  indirectly. It forwards DHCP messages to guarantee that DHCP clients can
  obtain valid IP addresses.
- Untrusted: An untrusted port is connected to an unauthorized DHCP server.
  The DHCP-ACK or DHCP-OFFER packets received from the port are discarded,
  preventing DHCP clients from receiving invalid IP addresses.

Figure 5 Network diagram for DHCP snooping trusted port function
After DHCP snooping is enabled on a switch, all ports on the switch are untrusted by
default. DHCP-ACK, DHCP-NAK, and DHCP-OFFER messages received on an untrusted
port are neither forwarded nor delivered to the CPU. If a port is configured as a trusted
port, the DHCP-ACK, DHCP-NAK, and DHCP-OFFER messages received on this port are
delivered to the CPU for processing.
Currently, the DHCP snooping function must work with the DHCP snooping trusted
port function. If you have enabled DHCP snooping on a device, you need to specify
each port connected to an authorized DHCP server as a trusted port, and configure the
trusted port and the ports connected to DHCP clients to be in the same VLAN.
3.3.3 ARP Attack Detection
1. Mechanism of ARP attack detection
To guard against ARP man-in-the-middle attacks, H3C low-end Ethernet switches
can deliver ARP (request or reply) packets to the CPU to check the validity of the
packets against DHCP snooping entries. Upon receiving an ARP packet:
- If the source IP and MAC addresses of the ARP packet, together with the receiving
  port and its VLAN ID, match a DHCP snooping entry or a manually configured
  binding entry, the switch forwards the ARP packet.
- If not, the switch discards the ARP packet and displays the corresponding
  debugging information.

Figure 6 Network diagram for ARP attack detection
2. Configuring static bindings
A DHCP snooping table can only record information for clients that have obtained IP
addresses through DHCP. If you manually configure a fixed IP address for a host, the
IP and MAC addresses of the host will not be recorded in the DHCP snooping table.
Consequently, the host cannot pass ARP attack detection.
To solve this problem, you can configure static binding entries on the DHCP snooping
device. Such an entry should contain the IP and MAC address of a host and the port
connected to the host.
3. Configuring ARP trusted ports
The upstream ports of a DHCP snooping switch can receive ARP request or reply
packets from other devices, whose source IP and MAC addresses may not be
recorded in the DHCP snooping table or static binding table. For these ARP packets
to pass ARP attack detection, you can configure these ports as ARP trusted ports.
ARP packets received from ARP trusted ports are not checked, while ARP packets
received from other ports are checked.
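The ARP attack detection check of this section as an added example (not H3C code): it validates a raw ARP packet's sender IP and MAC, receiving port and VLAN against dynamic snooping entries and static bindings, and skips the check on ARP trusted ports. All binding values, port names and VLAN IDs are constructed for the example.

```python
import struct

# Constructed binding data for demonstration (not from a real switch): dynamic DHCP
# snooping entries and manually configured static bindings, both as
# (IP, MAC, receiving port, VLAN), plus the ARP trusted uplink port.
SNOOPING_ENTRIES = {("10.1.1.20", "00:11:22:33:44:55", "GE1/0/3", 10)}
STATIC_BINDINGS = {("10.1.1.50", "00:aa:bb:cc:dd:ee", "GE1/0/5", 10)}
ARP_TRUSTED_PORTS = {"GE1/0/24"}

def parse_arp(pkt):
    """Return (opcode, sender MAC, sender IP) from a raw Ethernet/IPv4 ARP packet."""
    htype, ptype, hlen, plen, opcode = struct.unpack_from("!HHBBH", pkt, 0)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha = ":".join("%02x" % b for b in pkt[8:14])
    spa = ".".join(str(b) for b in pkt[14:18])
    return opcode, sha, spa

def arp_detect(pkt, port, vlan):
    """Return True if the ARP packet is forwarded, False if it is discarded."""
    if port in ARP_TRUSTED_PORTS:
        return True                        # ARP trusted ports are not checked
    opcode, sha, spa = parse_arp(pkt)      # requests (1) and replies (2) are both checked
    key = (spa, sha, port, vlan)
    if key in SNOOPING_ENTRIES or key in STATIC_BINDINGS:
        return True
    # No matching entry: discard and emit the debugging information.
    print("ARP op %d from %s/%s on %s VLAN %d discarded" % (opcode, spa, sha, port, vlan))
    return False

def build_arp(opcode, sender_mac, sender_ip, target_ip):
    """Constructed ARP packet (target MAC zeroed) used only to exercise the check."""
    pkt = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    pkt += bytes.fromhex(sender_mac.replace(":", "")) + bytes(int(x) for x in sender_ip.split("."))
    pkt += b"\x00" * 6 + bytes(int(x) for x in target_ip.split("."))
    return pkt
```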
3.3.4 IP Filtering
IP filtering allows a DHCP snooping switch to filter IP packets based on the DHCP
snooping table and the IP static binding table.
After IP filtering is enabled on a port, the switch applies an ACL to discard all IP
packets except DHCP packets on the port. (If the port is not a DHCP snooping
trusted port, DHCP reply packets received on it are discarded; otherwise, DHCP
reply packets can pass.) Then, the switch applies another ACL to permit packets
whose source IP addresses match specific DHCP snooping entries or static binding
entries.
The switch can filter IP packets in the following two ways:
- Filtering the source IP address in a packet. If the source IP address and the
  receiving port match an entry in the DHCP snooping table or static binding table,
  the switch regards the packet as valid and forwards it; otherwise, the switch
  drops it directly.
- Filtering the source IP address and the source MAC address in a packet. If the
  source IP address, the source MAC address, and the receiving port match an
  entry in the DHCP snooping table or static binding table, the switch regards the
  packet as valid and forwards it; otherwise, the switch drops it directly.
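An added example (not the switch's own ACL implementation) of the two IP filtering modes described above, including the DHCP exception and the rule from 3.3.2 that DHCP replies received on an untrusted port are discarded. Packets are represented as dicts, and all bindings, port names and filtering modes are constructed for the example.

```python
# Constructed binding tables and port roles for demonstration (not from a real switch),
# as (IP, MAC, receiving port).
SNOOPING_ENTRIES = {("10.1.1.20", "00:11:22:33:44:55", "GE1/0/3"),
                    ("10.1.1.21", "00:11:22:33:44:66", "GE1/0/4")}
STATIC_BINDINGS = {("10.1.1.50", "00:aa:bb:cc:dd:ee", "GE1/0/5")}
DHCP_TRUSTED_PORTS = {"GE1/0/24"}
# Ports with IP filtering enabled and their mode: "ip" (source IP) or "ip-mac" (source IP + MAC).
IP_FILTER_PORTS = {"GE1/0/3": "ip", "GE1/0/4": "ip", "GE1/0/5": "ip-mac"}

DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68

def is_dhcp(pkt):
    """DHCP traffic is UDP to port 67 (client to server) or 68 (server to client)."""
    return pkt.get("proto") == "udp" and pkt.get("udp_dst") in (DHCP_SERVER_PORT, DHCP_CLIENT_PORT)

def ip_filter(pkt, port):
    """pkt is a constructed dict with src_ip, src_mac, proto and, for UDP, udp_src/udp_dst.
    Returns True if the switch forwards the packet, False if it drops it."""
    mode = IP_FILTER_PORTS.get(port)
    if mode is None:
        return True                           # IP filtering is not enabled on this port
    if is_dhcp(pkt):
        # First ACL: DHCP packets bypass the binding check, except that server replies
        # (to UDP 68) arriving on a DHCP snooping untrusted port are discarded.
        is_reply = pkt["udp_dst"] == DHCP_CLIENT_PORT
        return (not is_reply) or port in DHCP_TRUSTED_PORTS
    # Second ACL: permit only sources that match a snooping or static binding entry for
    # the receiving port; "ip-mac" mode additionally requires the source MAC to match.
    for ip, mac, bind_port in SNOOPING_ENTRIES | STATIC_BINDINGS:
        if bind_port == port and ip == pkt["src_ip"] and (mode == "ip" or mac == pkt["src_mac"]):
            return True
    return False
```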
3.3.5 DHCP Packet Rate Limit
To prevent DHCP packet flooding attacks, H3C low-end Ethernet switches provide
the DHCP packet rate limit function. After the function is enabled on an Ethernet port,
the switch counts the number of DHCP packets received on this port per second. If
the number of DHCP packets received per second exceeds the specified value, the
switch will shut down this port.
In addition, the switch supports port state auto-recovery. After a port is shut down, it
will be brought up automatically after a configurable period of time.
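An added example (not H3C code) of the per-port DHCP packet-per-second counter with port shutdown and timed auto-recovery described in this section; the threshold, recovery period and port names are assumed values.

```python
class DhcpRateLimiter:
    """Per-port DHCP packets-per-second counter with port shutdown and timed auto-recovery."""

    def __init__(self, max_pps, recovery_seconds):
        self.max_pps = max_pps                # assumed threshold, configured per deployment
        self.recovery = recovery_seconds      # assumed auto-recovery period
        self.counts = {}                      # port -> (second bucket, packets seen in it)
        self.down_until = {}                  # shut-down port -> time it is brought up again

    def port_is_up(self, port, now):
        """Apply auto-recovery: a port shut down earlier comes back once its period has elapsed."""
        until = self.down_until.get(port)
        if until is not None and now >= until:
            del self.down_until[port]
            self.counts.pop(port, None)
        return port not in self.down_until

    def receive(self, port, now):
        """Account one DHCP packet on port at time now; True = accepted, False = port is shut down."""
        if not self.port_is_up(port, now):
            return False
        bucket = int(now)
        sec, count = self.counts.get(port, (bucket, 0))
        if sec != bucket:
            sec, count = bucket, 0            # a new second starts a fresh count
        count += 1
        self.counts[port] = (sec, count)
        if count > self.max_pps:
            self.down_until[port] = now + self.recovery   # rate exceeded: shut the port down
            return False
        return True
```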

3.4 Comparison Between DHCP Snooping and DHCP Relay Agent Security Features
Table 2 Comparison between DHCP snooping and DHCP relay agent security features
Feature | DHCP relay agent | DHCP snooping
Unauthorized DHCP server attack prevention | Uses unauthorized DHCP server detection to help the administrator locate unauthorized DHCP servers | Discards DHCP reply messages received from DHCP snooping untrusted ports, preventing attacks from unauthorized DHCP servers
Denying network access to invalid users (or users who arbitrarily change IP addresses) | Uses DHCP relay agent security entry checking and the ARP module to prevent invalid users from accessing external networks | Uses ARP attack detection and IP filtering to prevent invalid users from accessing external networks
Entry aging mechanism | Uses a handshake mechanism to age out DHCP relay agent client address entries periodically | Ages DHCP snooping entries based on the leases of clients' IP addresses

For detailed information about the DHCP relay agent, refer to the DHCP Technology
White Paper.
4 Application Scenarios
As shown in Figure 7, DHCP clients are located in different areas and request IP
addresses from a DHCP server through a DHCP snooping device and a DHCP relay
agent. To prevent Layer 2 attacks, configure trusted ports, ARP attack detection, and
IP filtering on the DHCP snooping devices. To allow Host A and Host B, which have
fixed IP addresses, to access external networks, configure IP static binding entries on
the DHCP snooping device.

Figure 7 Network diagram for DHCP snooping
5 Summary and Prospects
With the fast expansion and growing complexity of networks, DHCP will be used in
various network environments. H3C has a series of products supporting DHCP
features, providing complete, flexible, and convenient networking schemes for
customers. In particular, the DHCP relay agent and DHCP snooping security features
enable access layer devices to guard against Layer 2 attacks. As new network
threats appear, H3C will continue to research and develop new security solutions.
6 References
Refer to DHCP Technology White Paper.
7 Appendix
Refer to DHCP Technology White Paper.