RE: [dhcwg] Security Issue about DHCP

Richard Barr Hibbs <rbhibbs@pacbell.net> Mon, 04 February 2002 06:42 UTC

Date: Sun, 03 Feb 2002 22:36:15 -0800
From: Richard Barr Hibbs <rbhibbs@pacbell.net>
Subject: RE: [dhcwg] Security Issue about DHCP
In-reply-to: <35DE082769ACD311A9AE009027C3CBC902F76466@aints2.asiainfo.com>
To: dhcwg@ietf.org
Reply-to: rbhibbs@pacbell.net
Message-id: <JCELKJCFMDGAKJCIGGPNAEONDJAA.rbhibbs@pacbell.net>

-----Original Message-----
From: Hai Xu
Sent: Thursday, January 31, 2002 01:31

I'd like to know whether there is some mechanism to address the following
issues with DHCP:

1. If an illegal person sets up another DHCP server, clients will only select
the DHCP server that responds most quickly. How can the legal DHCP server be
kept from being disturbed by the illegal server?

...while it is most common for DHCP clients to select the first server that
responds to a DHCPDISCOVER message, that behavior is not required by RFC
2132:  the client may use any method at its disposal to determine which
server to select.  For example, a client could insist that a DHCP server not
be on the same subnet as the client itself (useful if it is known that
legitimate DHCP servers are on a separate subnet accessible through a router
or relay agent).

RFC3118 specifies the client-server authentication protocol for DHCP:  one
of the stated purposes of this protocol is to prevent illegal DHCP servers
from interfering with the operation of clients.  I'll leave it to vendors to
identify products that implement RFC3118.


2. In a DHCP domain, clients can also configure themselves with a static IP.
Can switches refuse to let those clients work?

...if I understand your question correctly, to mean can various pieces of
network equipment be prevented from servicing clients who've statically
configured themselves with an IP address, the answer is no:  there is no
means to generally distinguish whether a client has been configured by a
DHCP server.


3. I've been told that DHCP could work with RADIUS to achieve
authentication before allocating an IP address. Are there any mature products
for this?

...RADIUS could be used successfully to validate a user (its most common
application) and probably validate a client as well, but I'll leave it to
vendors to reply to this question.

--Barr
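The rogue-server defence the reply points to (RFC 3118 delayed authentication, option 90 with HMAC-MD5) is shown below as an added example; it is not code from the original message or from any vendor product. It builds a minimal DHCPOFFER (fixed BOOTREPLY header, magic cookie, options 53/54/90), signs it as RFC 3118 section 5 prescribes (HMAC over the whole message with hops, giaddr and the HMAC field zeroed, so a relay agent rewriting hops/giaddr does not break the MAC), and then has a client verify offers. The client accepts an offer only when the MAC verifies under a known secret ID and the replay counter is strictly increasing, so a faster rogue server without the shared secret, an on-path change to yiaddr, and a replayed offer are all rejected. The shared secret, secret ID, addresses and MAC addresses are constructed for the demo and are assumptions, not values from the page.

```python
import hashlib
import hmac
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"                       # DHCP magic cookie
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_AUTH, OPT_END = 53, 54, 90, 255
DHCPOFFER, HMAC_LEN = 2, 16
ip = socket.inet_aton

def fixed_header(xid, yiaddr, hops=0, giaddr="0.0.0.0", chaddr=b"\x00\x11\x22\x33\x44\x55"):
    """236-byte BOOTREPLY header (op, htype, hlen, hops, xid, secs, flags, 4 addresses, chaddr, sname, file)."""
    return struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, hops, xid, 0, 0x8000,
                       ip("0.0.0.0"), ip(yiaddr), ip("0.0.0.0"), ip(giaddr), chaddr, b"", b"")

def auth_option(secret_id, replay, mac=bytes(HMAC_LEN)):
    """Option 90 data: protocol 1 (delayed), algorithm 1 (HMAC-MD5), RDM 0 (monotonic counter),
    8-byte replay counter, 4-byte secret ID, 16-byte HMAC."""
    return struct.pack("!BBBQ4s16s", 1, 1, 0, replay, secret_id, mac)

def build_options(items):
    return b"".join(bytes([code, len(data)]) + data for code, data in items) + bytes([OPT_END])

def iter_options(msg):
    """Yield (code, data_offset, data) for each option following the magic cookie."""
    i = 240                                       # 236-byte header + 4-byte cookie
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == 0:                           # pad option
            i += 1
            continue
        length = msg[i + 1]
        yield msg[i], i + 2, msg[i + 2:i + 2 + length]
        i += 2 + length

def _patch(msg, mac, zero_relay_fields):
    """Return msg with the option-90 HMAC field replaced; optionally zero hops and giaddr too."""
    buf = bytearray(msg)
    if zero_relay_fields:
        buf[3], buf[24:28] = 0, bytes(4)
    for code, start, _ in iter_options(msg):
        if code == OPT_AUTH:
            buf[start + 15:start + 31] = mac
    return bytes(buf)

def compute_mac(msg, key):
    """RFC 3118 section 5: HMAC over the whole message with hops, giaddr and the HMAC field zeroed,
    so relay agents rewriting hops/giaddr do not invalidate the MAC."""
    return hmac.new(key, _patch(msg, bytes(HMAC_LEN), True), hashlib.md5).digest()

def sign_message(msg, key):
    return _patch(msg, compute_mac(msg, key), False)

def build_offer(xid, yiaddr, server_ip, secret_id, key, replay):
    options = build_options([(OPT_MSG_TYPE, bytes([DHCPOFFER])), (OPT_SERVER_ID, ip(server_ip)),
                             (OPT_AUTH, auth_option(secret_id, replay))])
    return sign_message(fixed_header(xid, yiaddr) + MAGIC + options, key)

class ClientVerifier:
    """Client side: accept a DHCPOFFER only if its option 90 verifies under a known secret and is fresh."""
    def __init__(self, secrets):
        self.secrets = secrets                    # secret ID -> shared key
        self.last_replay = {}                     # secret ID -> highest counter accepted

    def accept_offer(self, msg):
        opts = {code: data for code, _, data in iter_options(msg)}
        auth = opts.get(OPT_AUTH)
        if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
            return False, "not a DHCPOFFER"
        if auth is None or len(auth) != 31 or tuple(auth[:3]) != (1, 1, 0):
            return False, "missing or unsupported authentication option"
        replay, secret_id = struct.unpack("!Q", auth[3:11])[0], auth[11:15]
        key = self.secrets.get(secret_id)
        if key is None:
            return False, "unknown secret ID"
        if not hmac.compare_digest(compute_mac(msg, key), auth[15:31]):
            return False, "bad HMAC"              # rogue server or on-path tampering
        if replay <= self.last_replay.get(secret_id, -1):
            return False, "replayed"
        self.last_replay[secret_id] = replay
        return True, "ok"

def demo():
    """Constructed scenario: legitimate server behind a relay, on-path tampering, a rogue server, a replay."""
    key, sid = b"constructed-shared-secret", b"\x00\x00\x00\x01"     # constructed, not a deployment secret
    client, results = ClientVerifier({sid: key}), {}
    relayed = bytearray(build_offer(0x1234, "10.0.0.50", "10.0.1.1", sid, key, replay=1))
    relayed[3], relayed[24:28] = 1, ip("10.0.0.1")   # relay agent rewrites hops and giaddr
    results["relayed"] = client.accept_offer(bytes(relayed))
    tampered = bytearray(build_offer(0x1234, "10.0.0.50", "10.0.1.1", sid, key, replay=2))
    tampered[16:20] = ip("10.0.0.66")                # attacker changes the offered address
    results["tampered"] = client.accept_offer(bytes(tampered))
    rogue = build_offer(0x1234, "10.0.0.99", "10.0.0.7", sid, b"wrong-secret", replay=99)
    results["rogue"] = client.accept_offer(rogue)    # fast rogue server that lacks the secret
    results["replayed"] = client.accept_offer(bytes(relayed))
    results["fresh"] = client.accept_offer(build_offer(0x1234, "10.0.0.50", "10.0.1.1", sid, key, replay=3))
    return results

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:9s} accepted={ok} ({why})")
```

Two practical caveats follow from the code: the secret has to be provisioned on every client before it can reject anything, and RDM 0 requires the client to remember the highest counter it has accepted per secret ID across restarts, otherwise an old captured offer becomes acceptable again.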


_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg