DHCP Security Features Technology White Paper (V1.00)

This document mainly introduces the DHCP security features of DHCP snooping. It also compares the security features of the DHCP relay agent and DHCP snooping to help you understand and select products.
Keywords: DHCP, DHCP server, DHCP relay agent, DHCP client, DHCP snooping.

Abstract: This document mainly introduces the DHCP security features of DHCP snooping, including the background, application, and implementation of the features on the low-end Ethernet switches developed by H3C Technologies Co., Ltd (hereinafter referred to as H3C). This document also compares the security features of the DHCP relay agent and DHCP snooping to help you understand and select products.

Acronyms:
- DHCP: Dynamic Host Configuration Protocol
- BOOTP: Bootstrap Protocol
- ARP: Address Resolution Protocol
1 Overview

The Dynamic Host Configuration Protocol (DHCP) was developed based on the Bootstrap Protocol (BOOTP). It is an enhancement and extension of BOOTP.
Figure 1 Network diagram for DHCP

For detailed information about the client/server communication model, the DHCP message format, and the operation of the DHCP client, DHCP server and DHCP relay agent, refer to the DHCP Technology White Paper.

2 Background

Because DHCP clients and DHCP servers provide no authentication mechanism, network security problems may arise if multiple DHCP servers exist on a network. For example, an unauthorized DHCP server may assign invalid IP addresses, DNS server information or gateway addresses to clients in order to intercept traffic. To solve such problems, H3C provides the DHCP relay agent and DHCP snooping features on switches. With the DHCP relay agent at the network layer or DHCP snooping at the data link layer enabled, a switch can record clients' IP-to-MAC bindings from DHCP messages and cooperate with other modules to enhance network security.

2.1 Benefits

DHCP snooping runs on Layer 2 access devices. A DHCP snooping enabled device can create and maintain DHCP snooping entries, which contain clients' IP-to-MAC bindings obtained from valid DHCP messages. DHCP snooping can cooperate with other modules to improve network security.

A DHCP relay agent works at the network layer and has functions similar to those of a DHCP snooping enabled device. It can record clients' IP-to-MAC bindings and usually cooperates with ARP to implement security features.

2.2 Application Scenarios

The DHCP relay agent and DHCP snooping security features are mainly used on access layer switches to prevent Layer 2 attacks.

Table 1 Security features vs. attacks
- Unauthorized DHCP server attack: DHCP snooping, DHCP snooping trusted port features
- ARP man-in-the-middle attack: DHCP snooping, ARP detection features
- IP/MAC spoofing attack: DHCP snooping, IP filtering features
- DHCP packet flooding attack: DHCP packet rate limit features
2.2.1 Unauthorized DHCP Server Attack

Unauthorized DHCP servers, which may be created in the following ways, bring security problems to networks:
- A user configures a DHCP server by mistake.
- A hacker exhausts the IP addresses of an authorized DHCP server and then assigns IP addresses and other configuration parameters to clients. It may assign a modified DNS server address to a client, causing the client to access a false financial or e-commerce website, so as to obtain the client's account and password.
Figure 2 Network diagram for unauthorized DHCP server attack

To prevent such attacks, H3C low-end Ethernet switches provide the DHCP snooping trusted port feature. DHCP responses received from trusted ports are processed, while those received from untrusted ports are discarded, thus preventing DHCP clients from obtaining IP addresses from unauthorized DHCP servers.

2.2.2 ARP Man-in-the-Middle Attack

According to the ARP design, after receiving an ARP response, a host adds the IP-to-MAC mapping of the sender to its ARP mapping table even if the MAC address is not the real one. This reduces ARP traffic in the network, but it also makes ARP spoofing possible.

In Figure 3, Host A communicates with Host C through a switch. To intercept the traffic between Host A and Host C, the hacker (Host B) sends forged ARP reply messages to Host A and Host C respectively, causing the two hosts to update the MAC address corresponding to the peer IP address in their ARP tables with the MAC address of Host B. In this way, traffic between Host A and Host C passes through Host B, which acts as a man in the middle and can modify the information. Such an attack is called a man-in-the-middle attack.
Figure 3 Network diagram for ARP man-in-the-middle attack

To guard against man-in-the-middle attacks, H3C low-end Ethernet switches provide the ARP detection feature, which uses dynamic and static DHCP snooping entries to detect invalid ARP packets and discard them.

2.2.3 IP/MAC Spoofing Attack

MAC spoofing, IP spoofing, and IP/MAC spoofing attacks are common spoofing attacks. In such an attack, a hacker sends a packet with a forged source address to access networks or to obtain some privilege associated with an IP or MAC address. This method is also used in denial of service (DoS) attacks.

To guard against IP/MAC spoofing attacks, H3C low-end Ethernet switches provide the IP filtering feature. With this feature enabled on a port, the switch filters packets on the port by matching their source addresses against the dynamic and static DHCP snooping entries, and discards packets that do not match. The feature also helps avoid address conflicts.

2.2.4 DHCP Packet Flooding Attack

If an attacker sends a large number of DHCP requests to a DHCP server, all IP addresses on the server are assigned, and therefore many DHCP clients cannot obtain IP addresses. In addition, if a DHCP snooping switch exists between the attacker and the server, both the DHCP snooping switch and the DHCP server may be overloaded when processing the DHCP packets.
To guard against DHCP packet flooding attacks, H3C low-end Ethernet switches provide the DHCP packet rate limit feature, which can shut down any port under such an attack.

2.3 Restrictions

- The DHCP relay agent and DHCP snooping functions are mutually exclusive. For example, to enable DHCP snooping on a switch, you need to disable the DHCP relay agent function first, if it is enabled.
- The port of a DHCP snooping device that is connected to an authorized DHCP server should be specified as a trusted port to ensure that associated DHCP clients can obtain valid IP addresses. The trusted port and the ports connected to the DHCP clients must be in the same VLAN.
- It is not recommended to configure both DHCP snooping and selective QinQ on a switch, because doing so may cause DHCP snooping to malfunction.
- Before configuring IP filtering, you need to enable DHCP snooping and specify trusted ports on the switch.
- It is not recommended to configure IP filtering on the ports of an aggregation group.
- If a switch has IRF configured, it is not recommended to configure IP filtering on the ports of the fabric.

3 Security Features

3.1 Terminology

- DHCP server: A DHCP server assigns IP addresses and other configuration information to DHCP clients.
- DHCP client: A DHCP client dynamically obtains an IP address through DHCP.
- DHCP relay agent: A DHCP relay agent forwards DHCP messages between a DHCP server and a DHCP client on different subnets.
- DHCP snooping: A DHCP snooping enabled device records clients' IP-to-MAC bindings from DHCP messages at Layer 2.
- DHCP security: DHCP security features manage the IP addresses of valid users.
3.2 Protocols and Standards

- RFC 951: Bootstrap Protocol (BOOTP)
- RFC 1497: BOOTP Vendor Information Extensions
- RFC 1542: Clarifications and Extensions for the Bootstrap Protocol
- RFC 2131: Dynamic Host Configuration Protocol
- RFC 2132: DHCP Options and BOOTP Vendor Extensions
- RFC 3046: DHCP Relay Agent Information Option

3.3 DHCP Snooping Security Features

3.3.1 Creating and Aging DHCP Snooping Entries

With DHCP snooping enabled, an H3C low-end Ethernet switch listens to either the DHCP-REQUEST broadcasts or the DHCP-ACK unicasts, according to the network environment, to record the configuration information of clients in a DHCP snooping table, including IP addresses, MAC addresses, VLAN IDs, ports, and lease time, as shown in Figure 4.
Figure 4 DHCP snooping table

H3C low-end switches support aging and removing DHCP snooping entries based on their leases, to save system resources and ensure network security. When a DHCP snooping entry is recorded, a 20-second timer is started; that is, the DHCP snooping entry is checked every 20 seconds. The system determines whether the entry has expired by comparing the entry's lease time with the difference between the current system time and the time the entry was added. If the lease time of the entry is smaller than this difference, the entry is aged out. The disadvantage is that if an IP address has an unlimited or very long lease time, the corresponding DHCP snooping entry cannot be aged out in a timely manner.
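The entry creation and lease-based aging described above, as an added example that is not H3C's code: a small snooping table that records bindings from DHCP-ACK messages and runs the 20-second aging check, including the unlimited-lease case that never ages out. Port names, addresses and lease values are constructed sample data; the DHCP-ACK is modelled as a dict carrying only the fields the table needs.

```python
from dataclasses import dataclass
from typing import Optional

AGING_CHECK_INTERVAL = 20  # seconds; the 20-second check timer described above

@dataclass
class SnoopingEntry:
    ip: str
    mac: str
    vlan: int
    port: str
    lease: Optional[int]  # seconds; None models an unlimited lease
    added_at: float       # system time when the entry was recorded

class DhcpSnoopingTable:
    """Client IP-to-MAC bindings learned from DHCP-ACK messages, aged by lease."""
    def __init__(self):
        self.entries = {}      # keyed by (vlan, ip)
        self.last_check = 0.0  # system time of the last aging pass

    def on_dhcp_ack(self, ack, port, vlan, now):
        """Record a binding from a DHCP-ACK (ack is a dict with just the fields used)."""
        # RFC 2132 option 51: a lease of 0xffffffff means infinite; modelled as None.
        lease = None if ack["lease"] == 0xFFFFFFFF else ack["lease"]
        self.entries[(vlan, ack["yiaddr"])] = SnoopingEntry(
            ack["yiaddr"], ack["chaddr"], vlan, port, lease, now)

    def age(self, now):
        """Aging pass: runs at most once per interval; an entry expires when its
        lease is smaller than (now - added_at). Returns the keys aged out."""
        if now - self.last_check < AGING_CHECK_INTERVAL:
            return []
        self.last_check = now
        expired = [k for k, e in self.entries.items()
                   if e.lease is not None and e.lease < now - e.added_at]
        for k in expired:
            del self.entries[k]
        return expired

def demo():
    """Constructed scenario: a 60-second lease and an unlimited lease, clock advanced."""
    t = DhcpSnoopingTable()
    t.on_dhcp_ack({"yiaddr": "10.0.0.5", "chaddr": "00:11:22:33:44:55", "lease": 60},
                  port="Eth1/0/1", vlan=10, now=0)
    t.on_dhcp_ack({"yiaddr": "10.0.0.6", "chaddr": "00:11:22:33:44:66", "lease": 0xFFFFFFFF},
                  port="Eth1/0/2", vlan=10, now=0)
    at_40 = t.age(now=40)    # 60 > 40 elapsed: nothing expires
    at_100 = t.age(now=100)  # 60 < 100 elapsed: 10.0.0.5 aged out; unlimited lease stays
    return at_40, at_100, sorted(ip for _, ip in t.entries)
```

The unlimited-lease entry for 10.0.0.6 survives every aging pass, which is exactly the disadvantage the text notes; on a real switch such hosts are better covered by a static binding than by a very long lease.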
3.3.2 DHCP Snooping Trusted Ports

You can specify a port to be a trusted port or an untrusted port on a DHCP snooping device.
- Trusted: A trusted port is connected to an authorized DHCP server directly or indirectly. It forwards DHCP messages to guarantee that DHCP clients can obtain valid IP addresses.
- Untrusted: An untrusted port is connected to an unauthorized DHCP server. The DHCP-ACK or DHCP-OFFER packets received from the port are discarded, preventing DHCP clients from receiving invalid IP addresses.
Figure 5 Network diagram for DHCP snooping trusted port function

After DHCP snooping is enabled on a switch, all the ports on the switch are configured as untrusted ports by default. The DHCP-ACK, DHCP-NAK, and DHCP-OFFER messages will neither be forwarded nor delivered to the CPU. If a port is configured as a trusted port, the DHCP-ACK, DHCP-NAK, and DHCP-OFFER messages received on this port are delivered to the CPU for processing.

Currently, the DHCP snooping function must work with the DHCP snooping trusted port function. If you have enabled DHCP snooping on a device, you need to specify any port connected to an authorized DHCP server as a trusted port, and configure the trusted port and the ports connected to DHCP clients to be in the same VLAN.

3.3.3 ARP Attack Detection

1. Mechanism of ARP attack detection

To guard against ARP man-in-the-middle attacks, H3C low-end Ethernet switches can deliver ARP (request or reply) packets to the CPU to check the validity of the packets based on DHCP snooping entries. Upon receiving an ARP packet:
- If the source IP and MAC addresses of the ARP packet, and the receiving port and its VLAN ID, match a DHCP snooping entry or a manually configured binding entry, the switch forwards the ARP packet.
- If not, the switch discards the ARP packet and displays the corresponding debugging information.
Figure 6 Network diagram for ARP attack detection

2. Configuring static bindings

A DHCP snooping table can only record information for clients that have obtained IP addresses through DHCP. If you manually configure a fixed IP address for a host, the IP and MAC addresses of the host are not recorded in the DHCP snooping table. Consequently, the host cannot pass ARP attack detection. To solve this problem, you can configure static binding entries on the DHCP snooping device. Such an entry should contain the IP and MAC address of a host and the port connected to the host.

3. Configuring ARP trusted ports

The upstream ports of a DHCP snooping switch can receive ARP request or reply packets from other devices, in which the source IP and MAC addresses may not be recorded in the DHCP snooping table or static binding table. In order for these ARP packets to pass ARP attack detection, you can configure these ports as ARP trusted ports. ARP packets received from ARP trusted ports are not checked, while ARP packets received from other ports are checked.

3.3.4 IP Filtering

IP filtering allows a DHCP snooping switch to filter IP packets based on the DHCP snooping table and the IP static binding table. After IP filtering is enabled on a port, the switch applies an ACL to discard all IP packets except DHCP packets on the port. (If the port is not a DHCP snooping trusted port, DHCP reply packets received on it are discarded; otherwise, DHCP reply packets can pass.) Then, the switch applies another ACL to permit packets with source IP addresses matching specific DHCP snooping entries or static binding entries.

The switch can filter IP packets in the following two ways:
- Filtering on the source IP address in a packet. If the source IP address and the receiving port match an entry in the DHCP snooping table or static binding table, the switch regards the packet as valid and forwards it; otherwise, the switch drops it directly.
- Filtering on the source IP address and the source MAC address in a packet. If the source IP address, source MAC address, and receiving port match an entry in the DHCP snooping table or static binding table, the switch regards the packet as valid and forwards it; otherwise, the switch drops it directly.

3.3.5 DHCP Packet Rate Limit

To prevent DHCP packet flooding attacks, H3C low-end Ethernet switches provide the DHCP packet rate limit function. After the function is enabled on an Ethernet port, the switch counts the number of DHCP packets received on this port per second. If the number of DHCP packets received per second exceeds the specified value, the switch shuts down this port. In addition, the switch supports port state auto-recovery: after a port is shut down, it is brought up automatically after a configurable period of time.
3.4 Comparison Between DHCP Snooping and DHCP Relay Agent Security Features

Table 2 Comparison between DHCP snooping and DHCP relay agent security features

- Unauthorized DHCP server attack prevention
  - DHCP relay agent: Uses unauthorized DHCP server detection to help the administrator locate unauthorized DHCP servers.
  - DHCP snooping: Discards DHCP reply messages received from DHCP snooping untrusted ports, preventing attacks from unauthorized DHCP servers.
- Preventing invalid users (or users who randomly change IP addresses) from accessing the network
  - DHCP relay agent: Uses DHCP relay agent security entry checking and the ARP module to prevent invalid users from accessing external networks.
  - DHCP snooping: Uses ARP attack detection and IP filtering to prevent invalid users from accessing external networks.
- Entry aging mechanism
  - DHCP relay agent: Uses a handshake mechanism to age out DHCP relay agent client address entries periodically.
  - DHCP snooping: Ages out DHCP snooping entries based on the leases of clients' IP addresses.
For detailed information about the DHCP relay agent, refer to the DHCP Technology White Paper.

4 Application Scenarios

As shown in Figure 7, DHCP clients are located in different areas and request IP addresses from a DHCP server through a DHCP snooping device and a DHCP relay agent. To prevent Layer 2 attacks, configure trusted ports, ARP attack detection, and IP filtering on the DHCP snooping devices. To ensure that Host A and Host B, which have fixed IP addresses, can access external networks, configure IP static binding entries on the DHCP snooping device.
Figure 7 Network diagram for DHCP snooping

5 Summary and Prospects

With the fast expansion and growing complexity of networks, DHCP will be used in various network environments. H3C has a series of products supporting DHCP features, providing complete, flexible and convenient networking schemes for customers. In particular, the DHCP relay agent and DHCP snooping security features enable access layer devices to guard against Layer 2 attacks. As new network threats appear, H3C will continue to research and develop new security solutions.

6 References

Refer to the DHCP Technology White Paper.

7 Appendix

Refer to the DHCP Technology White Paper.