DHCP Security Features Technology White Paper (v1.00)

Upload: bui-tran-the-anh

Post on 12-Oct-2015


    Hangzhou H3C Technologies Co., Ltd.

    DHCP Security Features Technology White Paper

    Keywords: DHCP, DHCP server, DHCP relay agent, DHCP client, DHCP snooping.

    Abstract: This document introduces the DHCP snooping security features, including
    their background, applications, and implementation on the low-end Ethernet switches
    developed by Hangzhou H3C Technologies Co., Ltd. (hereinafter referred to as H3C).
    It also compares the security features of the DHCP relay agent and of DHCP snooping
    to help you understand and select products.

    Acronyms:

    Acronym   Full spelling
    DHCP      Dynamic Host Configuration Protocol
    BOOTP     Bootstrap Protocol
    ARP       Address Resolution Protocol


    Table of Contents

    1 Overview
    2 Background
      2.1 Benefits
      2.2 Application Scenarios
        2.2.1 Unauthorized DHCP Server Attack
        2.2.2 ARP Man-in-the-Middle Attack
        2.2.3 IP/MAC Spoofing Attack
        2.2.4 DHCP Packet Flooding Attack
      2.3 Restrictions
    3 Security Features
      3.1 Terminology
      3.2 Protocols and Standards
      3.3 DHCP Snooping Security Features
        3.3.1 Creating and Aging DHCP Snooping Entries
        3.3.2 DHCP Snooping Trusted Ports
        3.3.3 ARP Attack Detection
        3.3.4 IP Filtering
        3.3.5 DHCP Packet Rate Limit
      3.4 Comparison Between DHCP Snooping and DHCP Relay Agent Security Features
    4 Application Scenarios
    5 Summary and Prospects
    6 References
    7 Appendix


    1 Overview

    The Dynamic Host Configuration Protocol (DHCP) was developed from the Bootstrap
    Protocol (BOOTP) and is an enhancement and extension of it.

    Figure 1 Network diagram for DHCP

    For detailed information about the client/server communication model, the DHCP
    message format, and the operation of the DHCP client, DHCP server and DHCP relay
    agent, refer to the DHCP Technology White Paper.

    2 Background

    Because DHCP provides no authentication mechanism between clients and servers,
    security problems arise as soon as more than one DHCP server is reachable on a
    network. For example, an unauthorized DHCP server can hand clients invalid IP
    addresses, or a DNS server address or gateway address of its choosing, and thereby
    intercept their traffic.

    To address such problems, H3C provides the DHCP relay agent and DHCP snooping
    features on its switches. With the DHCP relay agent (at the network layer) or DHCP
    snooping (at the data link layer) enabled, a switch records the clients' IP-to-MAC
    bindings from DHCP messages and cooperates with other modules to enhance network
    security.

    2.1 Benefits

    DHCP snooping runs on Layer 2 access devices. A DHCP snooping enabled device
    creates and maintains DHCP snooping entries, which contain the clients' IP-to-MAC
    bindings obtained from valid DHCP messages, and cooperates with other modules to
    improve network security.

    A DHCP relay agent works at the network layer and offers functions similar to those
    of a DHCP snooping device: it records the clients' IP-to-MAC bindings and usually
    cooperates with ARP to implement security features.

    2.2 Application Scenarios

    The DHCP relay agent and DHCP snooping security features are mainly used on

    access layer switches to prevent Layer 2 attacks.

    Table 1 Security features vs. attacks

    Attack                           Security features
    -------------------------------  ------------------------------------------
    Unauthorized DHCP server attack  DHCP snooping, DHCP snooping trusted ports
    ARP man-in-the-middle attack     DHCP snooping, ARP attack detection
    IP/MAC spoofing attack           DHCP snooping, IP filtering
    DHCP packet flooding attack      DHCP packet rate limit

    2.2.1 Unauthorized DHCP Server Attack

    Unauthorized DHCP servers, which may appear in the following ways, create security
    problems on a network:

    • A user configures a DHCP server by mistake.

    • An attacker exhausts the address pool of the authorized DHCP server and then
      answers clients with IP addresses and configuration parameters of its own. For
      example, it may hand a client a forged DNS server address so that the client is
      directed to a fake banking or e-commerce site, where the client's account name
      and password are captured.


    Figure 2 Network diagram for unauthorized DHCP server attack

    To prevent such attacks, H3C low-end Ethernet switches provide the DHCP snooping
    trusted port feature. DHCP responses received on trusted ports are processed,
    while those received on untrusted ports are discarded, which prevents DHCP
    clients from obtaining IP addresses from unauthorized DHCP servers.

    2.2.2 ARP Man-in-the-Middle Attack

    According to the ARP design, a host that receives an ARP reply adds the sender's
    IP-to-MAC mapping to its ARP table without verifying that the MAC address really
    belongs to that IP address. This keeps ARP traffic low, but it also makes ARP
    spoofing possible.

    In Figure 3, Host A communicates with Host C through a switch. To intercept the
    traffic between Host A and Host C, the attacker (Host B) sends forged ARP replies
    to Host A and to Host C, causing each of them to overwrite the MAC address of the
    peer IP address in its ARP table with the MAC address of Host B. Traffic between
    Host A and Host C then passes through Host B, which can read or modify it. Such an
    attack is called a man-in-the-middle attack.


    Figure 3 Network diagram for ARP man-in-the-middle attack

    To guard against man-in-the-middle attacks, H3C low-end Ethernet switches provide

    the ARP detection feature, which uses dynamic and static DHCP snooping entries to

    detect invalid ARP packets and discard them.

    2.2.3 IP/MAC Spoofing Attack

    MAC spoofing, IP spoofing, and combined IP/MAC spoofing are common spoofing
    attacks. In such an attack, an attacker sends packets with a forged source address
    to gain network access or to obtain privileges that are tied to a particular IP or
    MAC address. The same technique is also used in denial of service (DoS) attacks.

    To guard against IP/MAC spoofing attacks, H3C low-end Ethernet switches provide
    the IP filtering feature. With this feature enabled on a port, the switch matches
    the source addresses of packets received on the port against the dynamic and
    static DHCP snooping entries and discards packets that do not match. The feature
    also helps avoid address conflicts.

    2.2.4 DHCP Packet Flooding Attack

    If an attacker sends a large number of DHCP requests to a DHCP server, each carrying
    a different client hardware address so that the server treats every request as a
    new client, the server's address pool is exhausted and legitimate DHCP clients
    cannot obtain IP addresses. In addition, if a DHCP snooping switch sits between the
    attacker and the server, both the switch and the server may be overloaded by
    processing the DHCP packets.

    To guard against DHCP packet flooding attacks, H3C low-end Ethernet switches
    provide the DHCP packet rate limit feature, which shuts down any port under such
    an attack.

    2.3 Restrictions

    • The DHCP relay agent and DHCP snooping functions are mutually exclusive. For
      example, to enable DHCP snooping on a switch you must first disable the DHCP
      relay agent function if it is enabled.

    • The port of a DHCP snooping device that is connected to an authorized DHCP
      server must be specified as a trusted port so that the associated DHCP clients
      can obtain valid IP addresses. The trusted port and the ports connected to the
      DHCP clients must be in the same VLAN.

    • It is not recommended to configure both DHCP snooping and selective QinQ on a
      switch, because doing so may cause DHCP snooping to malfunction.

    • Before configuring IP filtering, you must enable DHCP snooping and specify the
      trusted ports on the switch.

    • It is not recommended to configure IP filtering on the ports of an aggregation
      group.

    • If a switch has IRF (Intelligent Resilient Framework) configured, it is not
      recommended to configure IP filtering on the ports of the fabric.

    3 Security Features

    3.1 Terminology

    • DHCP server: A DHCP server assigns IP addresses and other configuration
      information to DHCP clients.

    • DHCP client: A DHCP client dynamically obtains an IP address through DHCP.

    • DHCP relay agent: A DHCP relay agent forwards DHCP messages between a DHCP
      server and a DHCP client on different subnets.

    • DHCP snooping: A DHCP snooping enabled device records the clients' IP-to-MAC
      bindings from DHCP messages at Layer 2.

    • DHCP security: DHCP security features manage the IP addresses of valid users.


    3.2 Protocols and Standards

    • RFC 951: Bootstrap Protocol (BOOTP)

    • RFC 1497: BOOTP Vendor Information Extensions

    • RFC 1542: Clarifications and Extensions for the Bootstrap Protocol

    • RFC 2131: Dynamic Host Configuration Protocol

    • RFC 2132: DHCP Options and BOOTP Vendor Extensions

    • RFC 3046: DHCP Relay Agent Information Option

    3.3 DHCP Snooping Security Features

    3.3.1 Creating and Aging DHCP Snooping Entries

    With DHCP snooping enabled, an H3C low-end Ethernet switch listens to either the
    DHCP-REQUEST broadcasts or the DHCP-ACK unicasts, depending on the network
    environment, and records the clients' configuration information in a DHCP
    snooping table: IP address, MAC address, VLAN ID, port, and lease time, as shown
    in Figure 4.

    Figure 4 DHCP-snooping table

    H3C low-end switches age out and remove DHCP snooping entries based on their
    leases, both to save system resources and to keep the table trustworthy. When a
    DHCP snooping entry is recorded, a 20-second timer is started, so the entry is
    checked every 20 seconds. At each check the system compares the entry's lease time
    with the difference between the current system time and the time the entry was
    added; if the lease time is smaller than that difference, the entry is aged out.

    The disadvantage is that if an IP address has an unlimited or very long lease, the
    corresponding DHCP snooping entry cannot be aged out in a timely manner.


    3.3.2 DHCP Snooping Trusted Ports

    You can specify a port to be a trusted port or an untrusted port on a DHCP snooping

    device.

    • Trusted: A trusted port is connected, directly or indirectly, to an authorized
      DHCP server. DHCP messages received on it are forwarded, so that DHCP clients
      can obtain valid IP addresses.

    • Untrusted: An untrusted port is one on which an unauthorized DHCP server could
      appear. DHCP-OFFER, DHCP-ACK and DHCP-NAK packets received on it are discarded,
      preventing DHCP clients from receiving invalid IP addresses.

    Figure 5 Network diagram for DHCP snooping trusted port function

    After DHCP snooping is enabled on a switch, all ports on the switch are untrusted
    by default, and DHCP-ACK, DHCP-NAK and DHCP-OFFER messages received on them are
    neither forwarded nor delivered to the CPU. If a port is configured as a trusted
    port, the DHCP-ACK, DHCP-NAK and DHCP-OFFER messages received on it are delivered
    to the CPU for processing.

    Currently, the DHCP snooping function must be used together with the DHCP snooping
    trusted port function. If you enable DHCP snooping on a device, you must specify
    every port connected to an authorized DHCP server as a trusted port, and the
    trusted port and the ports connected to DHCP clients must be in the same VLAN.
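The two mechanisms of sections 3.3.1 and 3.3.2, the trusted-port filter and the lease-aged binding table, as one added example in Python. This is not code from the white paper or from H3C: it parses the DHCP fields it needs from a raw BOOTP/DHCP payload, discards server replies (OFFER/ACK/NAK) that arrive on untrusted ports, records a binding from a client's DHCP-REQUEST followed by the server's DHCP-ACK, and ages entries on the lease as the paper describes. The switch object, port names, VLAN numbers and sample messages are constructed for illustration, and the 20-second check timer is left to the caller of age().

```python
"""Added example (not H3C code): a minimal model of a DHCP snooping switch."""
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPREQUEST, DHCPACK = 3, 5
OPT_PAD, OPT_LEASE, OPT_MSG_TYPE, OPT_END = 0, 51, 53, 255
MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie
INFINITE_LEASE = 0xFFFFFFFF          # RFC 2132 section 9.2: lease of "infinity"


def build_dhcp(op, mtype, mac, yiaddr="0.0.0.0", lease=None):
    """Constructed test message: the fixed BOOTP header plus the options used here."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                      b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                      chaddr, b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, mtype])
    if lease is not None:
        opts += bytes([OPT_LEASE, 4]) + struct.pack("!I", lease)
    return hdr + MAGIC + opts + bytes([OPT_END])


def parse_dhcp(payload):
    """Return (op, yiaddr, client MAC, {option code: raw value}) from a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, hlen = payload[0], payload[2]
    yiaddr = socket.inet_ntoa(payload[16:20])
    mac = ":".join("%02x" % b for b in payload[28:28 + hlen])
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return op, yiaddr, mac, options


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # client MAC -> (port, vlan) seen on its DHCPREQUEST
        self.bindings = {}   # client MAC -> {"ip", "port", "vlan", "lease", "added"}

    def receive(self, port, vlan, payload, now):
        """Process one DHCP message; return True if the switch forwards it."""
        op, yiaddr, mac, opts = parse_dhcp(payload)
        mtype = opts.get(OPT_MSG_TYPE, b"\0")[0]
        if op == BOOTREPLY:
            # OFFER/ACK/NAK only ever come from a server: drop them on untrusted ports
            if port not in self.trusted:
                return False
            if mtype == DHCPACK and mac in self.pending:
                cport, cvlan = self.pending.pop(mac)   # the client's own port, not the uplink
                lease = struct.unpack("!I", opts.get(OPT_LEASE, b"\0\0\0\0"))[0]
                self.bindings[mac] = {"ip": yiaddr, "port": cport, "vlan": cvlan,
                                      "lease": lease, "added": now}
            return True
        if mtype == DHCPREQUEST:
            self.pending[mac] = (port, vlan)   # remember where the client is attached
        return True

    def age(self, now):
        """Lease-based aging as the paper describes: an entry whose age exceeds its
        lease is removed.  An infinite lease never expires, which is the limitation
        the paper notes.  Returns the MACs that were aged out."""
        expired = [m for m, b in self.bindings.items()
                   if b["lease"] != INFINITE_LEASE and now - b["added"] > b["lease"]]
        for m in expired:
            del self.bindings[m]
        return expired


if __name__ == "__main__":
    sw = SnoopingSwitch(trusted_ports={"Eth1/0/24"})
    client = "00:e0:fc:00:00:01"
    sw.receive("Eth1/0/1", 10, build_dhcp(BOOTREQUEST, DHCPREQUEST, client), now=0)
    rogue = build_dhcp(BOOTREPLY, DHCPACK, client, "10.0.0.200", lease=3600)
    print(sw.receive("Eth1/0/2", 10, rogue, now=1))      # False: reply on an untrusted port
    good = build_dhcp(BOOTREPLY, DHCPACK, client, "10.0.0.50", lease=3600)
    print(sw.receive("Eth1/0/24", 10, good, now=1))      # True: reply via the trusted uplink
    print(sw.bindings[client])                            # bound to Eth1/0/1, VLAN 10
    print(sw.age(now=5000))                               # ['00:e0:fc:00:00:01']
```

Run as a script it shows the rogue reply being dropped while the legitimate one creates a binding that is tied to the client's access port; age() is what the paper's 20-second timer would call, and the explicit INFINITE_LEASE check is the case the paper flags as never aging out.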

    3.3.3 ARP Attack Detection

    1. Mechanism of ARP attack detection

    To guard against ARP man-in-the-middle attacks, H3C low-end Ethernet switches can
    deliver ARP packets (requests and replies) to the CPU and check their validity
    against the DHCP snooping entries. Upon receiving an ARP packet:

    • If the source IP and MAC addresses of the ARP packet, together with the receiving
      port and its VLAN ID, match a DHCP snooping entry or a manually configured
      binding entry, the switch forwards the ARP packet.

    • Otherwise, the switch discards the ARP packet and outputs the corresponding
      debugging information.

    Figure 6 Network diagram for ARP attack detection

    2. Configuring static bindings

    A DHCP snooping table only records information for clients that obtained their IP
    addresses through DHCP. If you manually configure a fixed IP address on a host, the
    host's IP and MAC addresses are not recorded in the DHCP snooping table, and the
    host consequently cannot pass ARP attack detection.

    To solve this problem, configure static binding entries on the DHCP snooping
    device. Such an entry contains the host's IP and MAC addresses and the port
    connected to the host.

    3. Configuring ARP trusted ports

    The upstream ports of a DHCP snooping switch receive ARP requests and replies from
    other devices, whose source IP and MAC addresses may not be recorded in the DHCP
    snooping table or the static binding table. To let these ARP packets pass ARP
    attack detection, configure these ports as ARP trusted ports. ARP packets received
    on ARP trusted ports are not checked, while ARP packets received on other ports
    are checked. Because packets from an ARP trusted port bypass the check entirely,
    only uplinks to trusted network devices should be marked as such: any host
    reachable through an ARP trusted port could spoof ARP unhindered.

    3.3.4 IP Filtering

    IP filtering lets a DHCP snooping switch filter IP packets against the DHCP
    snooping table and the IP static binding table.

    After IP filtering is enabled on a port, the switch applies an ACL that discards
    all IP packets on the port except DHCP packets. (If the port is not a DHCP snooping
    trusted port, DHCP reply packets received on it are still discarded; otherwise
    they pass.) It then applies another ACL that permits packets whose source IP
    addresses match the relevant DHCP snooping entries or static binding entries.

    The switch can filter IP packets in either of two ways:

    • Filtering on the source IP address. If the source IP address and the receiving
      port match an entry in the DHCP snooping table or the static binding table, the
      switch treats the packet as valid and forwards it; otherwise it drops the packet.

    • Filtering on the source IP address and the source MAC address. If the source IP
      address, the source MAC address and the receiving port all match an entry in the
      DHCP snooping table or the static binding table, the switch treats the packet as
      valid and forwards it; otherwise it drops the packet.
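The lookups behind ARP attack detection (section 3.3.3, including static bindings and ARP trusted ports) and IP filtering in both of its modes (section 3.3.4), as one added example in Python so the two checks can be compared side by side. This is not code from the white paper or from H3C. The binding table, port names, VLAN and addresses are constructed by hand to stand in for the DHCP snooping entries and static bindings a real switch would hold, and the ARP check reads the sender hardware and protocol addresses from the ARP payload, which is an assumption about what the paper calls the packet's "source IP and MAC addresses".

```python
"""Added example (not H3C code): ARP attack detection and IP filtering over one
constructed binding table."""
import socket
import struct
from collections import namedtuple

Binding = namedtuple("Binding", "ip mac port vlan")

# Constructed table: two entries learned from DHCP and one static entry for a host
# with a fixed address (the case described under "Configuring static bindings").
BINDINGS = [
    Binding("10.0.0.50", "00:e0:fc:00:00:01", "Eth1/0/1", 10),
    Binding("10.0.0.51", "00:e0:fc:00:00:02", "Eth1/0/2", 10),
    Binding("10.0.0.10", "00:e0:fc:00:00:aa", "Eth1/0/3", 10),   # static binding
]
ARP_TRUSTED_PORTS = {"Eth1/0/24"}   # uplink towards the gateway: ARP is not checked


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_arp(smac, sip, tmac="ff:ff:ff:ff:ff:ff", tip="10.0.0.1", oper=2):
    """Constructed Ethernet II frame carrying an ARP packet (oper 2 = reply)."""
    return (mac_bytes(tmac) + mac_bytes(smac) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac_bytes(smac) + socket.inet_aton(sip)
            + mac_bytes(tmac) + socket.inet_aton(tip))


def parse_arp(frame):
    """Return (sender MAC, sender IP) from an Ethernet II frame carrying ARP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        raise ValueError("not an ARP frame")
    if frame[18] != 6 or frame[19] != 4:
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    sha, spa = frame[22:28], frame[28:32]
    return ":".join("%02x" % b for b in sha), socket.inet_ntoa(spa)


def arp_detection(frame, port, vlan):
    """ARP attack detection: pass if the port is ARP trusted, or if sender IP,
    sender MAC, receiving port and VLAN all match one binding entry."""
    if port in ARP_TRUSTED_PORTS:
        return True
    smac, sip = parse_arp(frame)
    return Binding(sip, smac, port, vlan) in BINDINGS


def ip_filter(src_ip, src_mac, port, is_dhcp=False, check_mac=False):
    """IP filtering: DHCP packets are exempt; any other IP packet passes only if
    its source IP (and, with check_mac, its source MAC) match a binding on the
    receiving port."""
    if is_dhcp:
        return True
    return any(b.ip == src_ip and b.port == port
               and (not check_mac or b.mac == src_mac) for b in BINDINGS)


if __name__ == "__main__":
    # Host B on Eth1/0/2 forges an ARP reply claiming Host A's IP: dropped.
    forged = build_arp("00:e0:fc:00:00:02", "10.0.0.50")
    print(arp_detection(forged, "Eth1/0/2", 10))                                       # False
    # Host A's genuine reply and the statically bound host both pass.
    print(arp_detection(build_arp("00:e0:fc:00:00:01", "10.0.0.50"), "Eth1/0/1", 10))  # True
    print(arp_detection(build_arp("00:e0:fc:00:00:aa", "10.0.0.10"), "Eth1/0/3", 10))  # True
    # IP spoofing: Host B sources IP packets from 10.0.0.50 on its own port.
    print(ip_filter("10.0.0.50", "00:e0:fc:00:00:02", "Eth1/0/2"))                     # False
    # Correct IP on the correct port but a cloned MAC is caught only by the IP+MAC mode.
    print(ip_filter("10.0.0.51", "00:e0:fc:00:00:99", "Eth1/0/2"))                     # True
    print(ip_filter("10.0.0.51", "00:e0:fc:00:00:99", "Eth1/0/2", check_mac=True))     # False
```

The last two calls show the practical difference between the two IP filtering modes: source-IP-only filtering ties an address to a port but not to a host, so a second host on the same port can reuse a bound IP address; adding the MAC to the match closes that gap at the cost of breaking hosts that legitimately change MAC addresses.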

    3.3.5 DHCP Packet Rate Limit

    To prevent DHCP packet flooding attacks, H3C low-end Ethernet switches provide the
    DHCP packet rate limit function. After the function is enabled on an Ethernet port,
    the switch counts the DHCP packets received on the port each second. If the count
    exceeds the configured threshold, the switch shuts down the port.

    In addition, the switch supports port state auto-recovery: a port that has been
    shut down is brought up again automatically after a configurable period of time.
    Because the response is to shut the whole port, an attacker sharing a port with
    legitimate hosts (for example behind an unmanaged switch) can take those hosts
    offline by triggering the limit, so the threshold should be set well above the
    DHCP rate normal clients on that port can produce.
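The per-port counter, shutdown and auto-recovery behaviour just described, as an added example in Python. This is not H3C code: the threshold, the recovery delay and the port names are arbitrary values chosen for the illustration, and time is passed in explicitly so the behaviour can be driven deterministically.

```python
"""Added example (not H3C code): per-port DHCP packet rate limiting with
error-down and auto-recovery, driven by an explicit clock."""


class DhcpRateLimiter:
    def __init__(self, max_pps, recovery_seconds):
        self.max_pps = max_pps              # DHCP packets allowed per second per port
        self.recovery = recovery_seconds    # how long a shut-down port stays down
        self.counts = {}                    # port -> (second, packets seen in it)
        self.shutdown = {}                  # port -> time the port was shut down

    def receive(self, port, now):
        """Account one DHCP packet on `port` at time `now` (seconds).  Returns True
        if the port accepts it, False if the port is down or gets shut down now."""
        self.recover(now)
        if port in self.shutdown:
            return False
        sec = int(now)
        last_sec, n = self.counts.get(port, (sec, 0))
        n = n + 1 if last_sec == sec else 1       # restart the count each new second
        self.counts[port] = (sec, n)
        if n > self.max_pps:
            self.shutdown[port] = now             # rate exceeded: shut the port down
            return False
        return True

    def recover(self, now):
        """Bring up ports whose recovery period has elapsed; return their names."""
        up = [p for p, t in self.shutdown.items() if now - t >= self.recovery]
        for p in up:
            del self.shutdown[p]
            self.counts.pop(p, None)
        return up

    def is_down(self, port):
        return port in self.shutdown


if __name__ == "__main__":
    lim = DhcpRateLimiter(max_pps=100, recovery_seconds=30)
    # 150 DHCP packets within one second on the same port: the 101st trips the limit
    accepted = sum(lim.receive("Eth1/0/5", i / 1000) for i in range(150))
    print(accepted, lim.is_down("Eth1/0/5"))     # 100 True
    print(lim.receive("Eth1/0/6", 0.5))          # True: other ports are unaffected
    print(lim.recover(31.0))                     # ['Eth1/0/5'] after the recovery period
```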


    3.4 Comparison Between DHCP Snooping and DHCP Relay Agent Security Features

    Table 2 Comparison between DHCP snooping and DHCP relay agent security features

    Feature: Unauthorized DHCP server attack prevention
      DHCP relay agent: Uses unauthorized DHCP server detection to help the
      administrator locate unauthorized DHCP servers.
      DHCP snooping: Discards DHCP reply messages received on DHCP snooping untrusted
      ports, preventing attacks from unauthorized DHCP servers.

    Feature: Preventing invalid users (or users who change IP addresses at will) from
    accessing the network
      DHCP relay agent: Uses DHCP relay agent security entry checking together with
      the ARP module to prevent invalid users from accessing external networks.
      DHCP snooping: Uses ARP attack detection and IP filtering to prevent invalid
      users from accessing external networks.

    Feature: Entry aging mechanism
      DHCP relay agent: Uses a handshake mechanism to age out DHCP relay agent client
      address entries periodically.
      DHCP snooping: Ages out DHCP snooping entries based on the leases of the
      clients' IP addresses.

    For detailed information about the DHCP relay agent, refer to the DHCP Technology
    White Paper.

    4 Application Scenarios

    As shown in Figure 7, DHCP clients located in different areas request IP addresses
    from a DHCP server through a DHCP snooping device and a DHCP relay agent. To
    prevent Layer 2 attacks, configure trusted ports, ARP attack detection, and IP
    filtering on the DHCP snooping devices. To allow Host A and Host B, which have
    fixed IP addresses, to access external networks, configure IP static binding
    entries on the DHCP snooping device.


    Figure 7 Network diagram for DHCP snooping

    5 Summary and Prospects

    With the fast expansion and growing complexity of networks, DHCP is used in a wide
    range of network environments. H3C offers a series of products supporting DHCP
    features, providing complete, flexible and convenient networking schemes for
    customers. In particular, the DHCP relay agent and DHCP snooping security features
    enable access layer devices to guard against Layer 2 attacks. As new network
    threats appear, H3C will continue to research and develop new security solutions.

    6 References

    Refer to the DHCP Technology White Paper.

    7 Appendix

    Refer to the DHCP Technology White Paper.
