RE: [dhcwg] Security Issue about DHCP
Richard Barr Hibbs <rbhibbs@pacbell.net> Mon, 04 February 2002 06:42 UTC
Date: Sun, 03 Feb 2002 22:36:15 -0800
From: Richard Barr Hibbs <rbhibbs@pacbell.net>
Subject: RE: [dhcwg] Security Issue about DHCP
In-reply-to: <35DE082769ACD311A9AE009027C3CBC902F76466@aints2.asiainfo.com>
To: dhcwg@ietf.org
-----Original Message-----
From: Hai Xu
Sent: Thursday, January 31, 2002 01:31

I'd like to know whether there are some mechanisms to achieve the following issues with DHCP:

1. If an illegal person sets up another DHCP server, clients will only select the DHCP server that responds quickly. How to avoid the legal DHCP from being disturbed by the illegal server?

...while it is most common for DHCP clients to select the first server that responds to a DHCPDISCOVER message, that behavior is not required by RFC 2132: the client may use any method at its disposal to determine which server to select. For example, a client could insist that a DHCP server not be on the same subnet as the client itself (useful if it is known that legitimate DHCP servers are on a separate subnet accessible through a router or relay agent).

RFC3118 specifies the client-server authentication protocol for DHCP: one of the stated purposes of this protocol is to prevent illegal DHCP servers from interfering with the operation of clients. I'll leave it to vendors to identify products that implement RFC3118.

2. In a DHCP domain, clients can also configure themselves with a static IP. Can switches refuse those clients to work?

...if I understand your question correctly, to mean can various pieces of network equipment be prevented from servicing clients who've statically configured themselves with an IP address, the answer is no: there is no means to generally distinguish whether a client has been configured by a DHCP server.

3. I've been told that DHCP could work with RADIUS to achieve authentication before allocating an IP address. Are there any mature products then?

...RADIUS could be used successfully to validate a user (its most common application) and probably validate a client as well, but I'll leave it to vendors to reply to this question.

--Barr
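Added example, not part of the original message and not code from any DHCP client: a Python sketch of the selection policy described in the reply to question 1, which refuses a DHCPOFFER whose server identifier lies on the client's own subnet. The function names, the documentation-range addresses and the extra assumption that every legitimate offer arrives through a relay agent (non-zero giaddr) are hypothetical.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"  # magic cookie that precedes the DHCP options

def parse_dhcp(pkt: bytes) -> dict:
    """Return yiaddr, giaddr and a {code: value} map of the options."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    msg = {"yiaddr": ipaddress.IPv4Address(pkt[16:20]),
           "giaddr": ipaddress.IPv4Address(pkt[24:28]), "opts": {}}
    i = 240
    while i < len(pkt) and pkt[i] != 255:      # 255 = end option
        if pkt[i] == 0:                        # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        msg["opts"][pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    return msg

def check_offer(pkt: bytes) -> tuple:
    """Apply the selection policy; returns (accepted, reason)."""
    msg = parse_dhcp(pkt)
    opts = msg["opts"]
    if opts.get(53) != b"\x02":                # option 53 = message type, 2 = OFFER
        return (False, "not a DHCPOFFER")
    if len(opts.get(54, b"")) != 4 or len(opts.get(1, b"")) != 4:
        return (False, "missing server identifier or subnet mask")
    server = ipaddress.IPv4Address(opts[54])   # option 54 = server identifier
    mask = ipaddress.IPv4Address(opts[1])      # option 1 = subnet mask
    subnet = ipaddress.ip_network(f"{msg['yiaddr']}/{mask}", strict=False)
    if server in subnet:
        return (False, f"server {server} is on the client subnet {subnet}")
    if msg["giaddr"].is_unspecified:           # assumed policy: offers must be relayed
        return (False, "offer did not pass through a relay agent")
    return (True, f"offer from {server} relayed by {msg['giaddr']}")

def build_offer(yiaddr, giaddr, server, mask="255.255.255.0") -> bytes:
    """Constructed sample DHCPOFFER payload using documentation addresses."""
    pk = lambda a: ipaddress.IPv4Address(a).packed
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0)  # op .. flags
    hdr += bytes(4) + pk(yiaddr) + bytes(4) + pk(giaddr) + bytes(208)
    opts = b"\x35\x01\x02\x36\x04" + pk(server) + b"\x01\x04" + pk(mask) + b"\xff"
    return hdr + MAGIC + opts
```

The fields checked here are not authenticated, so this is a filtering heuristic; verifying the sender is the job of the RFC3118 authentication cited in the message.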