RE: [dhcwg] Security Issue about DHCP

Richard Barr Hibbs <> Mon, 04 February 2002 06:42 UTC

Received: from ( [] (may be forged)) by (8.9.1a/8.9.1a) with ESMTP id BAA06778 for <>; Mon, 4 Feb 2002 01:42:33 -0500 (EST)
Received: (from daemon@localhost) by (8.9.1a/8.9.1) id BAA10011 for; Mon, 4 Feb 2002 01:42:34 -0500 (EST)
Received: from (localhost []) by (8.9.1a/8.9.1) with ESMTP id BAA09823; Mon, 4 Feb 2002 01:37:15 -0500 (EST)
Received: from (odin []) by (8.9.1a/8.9.1) with ESMTP id BAA09803 for <>; Mon, 4 Feb 2002 01:37:13 -0500 (EST)
Received: from ( []) by (8.9.1a/8.9.1a) with ESMTP id BAA06694 for <>; Mon, 4 Feb 2002 01:37:11 -0500 (EST)
Received: from BarrH63p601 ([]) by (iPlanet Messaging Server 5.1 (built May 7 2001)) with SMTP id <> for; Sun, 03 Feb 2002 22:37:13 -0800 (PST)
Date: Sun, 03 Feb 2002 22:36:15 -0800
From: Richard Barr Hibbs <>
Subject: RE: [dhcwg] Security Issue about DHCP
In-reply-to: <>
Message-id: <>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Content-type: text/plain; charset="gb2312"
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Content-Transfer-Encoding: 7bit
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: <>
Content-Transfer-Encoding: 7bit

-----Original Message-----
From: Hai Xu
Sent: Thursday, January 31, 2002 01:31

I'd like to know whether there are some mechanism to acchieve the following
issues with DHCP:

1. If illegal person set up another DHCP server. Clients will only select
the DHCP server who respond quickly. How to avoid the legal DHCP from being
disturbed by illegal server?

...while it is most common for DHCP clients to select the first server that
responds to a DHCPDISCOVER message, that behavior is not required by RFC
2132:  the client may use any method at its disposal to determine which
server to select.  For example, a client could insist that a DHCP server not
be on the same subnet as the client itself (useful if it is known that
legitimate DHCP servers are on a separate subnet accessible through a router
or relay agent).

RFC3118 specifies the client-server authentication protocol for DHCP:  one
of the stated purposes of this protocol is to prevent illegal DHCP servers
from interfering with the operation of clients.  I'll leave it to vendors to
identify products that implement RFC3118.

2. In an DHCP domain, clients can also configure themselves with static IP.
Can switches refuse those clients to work?

...if I understand your question correctly, to mean can various pieces of
network equipment be prevented from servicing clients who've statically
configured themselves with an IP address, the answer is no:  there is no
means to generally distinguish whether a client has been configured by a
DHCP server.

3. I've been told that DHCP could work with RADIUS to acchieve
authentication before allocating IP address. Are there any mature products

...RADIUS could be used successfully to validate a user (its most common
application) and probably validate a client as well, but I'll leave it to
vendors to reply to this question.


dhcwg mailing list