DHCP Security Using a DHCP Proxy Agent

Click the link to download a PDF file http://www.netmanias.com/en/?m=view&id=blog&no=6006

NETMANIAS TECH-BLOG | Please visit www.netmanias.com to view more posts

DHCP Security Using a DHCP Proxy Agent
October 1, 2013 | By Chris (tech@netmanias.com) | Netmanias Tech-Blog | www.netmanias.com

Last time, when we introduced a DHCP proxy agent in our previous blog post dated September 1, 2013, we mentioned that this DHCP proxy agent can offer the benefit of enhanced security. So, we will look into these security-related functions in more detail today.

As shown in the figure below, if there is a DHCP proxy agent in a network, all DHCP messages (used in the IP address allocation, IP address renewal and IP address release procedures) pass through (i.e. are forwarded to) the DHCP proxy agent. Because of this, the DHCP proxy agent is able to block any traffic coming from users who do not have an IP address allocated through DHCP but use a static IP address instead. The proxy agent can do so by using one of the following two methods:

First, the DHCP proxy agent function is generally enabled in the default gateway router of a DHCP client (i.e. the first router the client connects to). When the client needs to send any Internet traffic via the DHCP proxy agent (which is the default gateway router), it first sends an ARP Request packet to the default gateway router (DHCP proxy agent) to get the MAC address of the default gateway router. At this point, the DHCP proxy agent responds only to ARP Request packets whose sender IP address was allocated through the DHCP procedure, and not to those with a non-DHCP IP address (i.e. a static IP address), as illustrated in the following figure. This function comes standard in most routers.

Second, despite the foregoing function, a static IP user (malicious user) only needs to obtain the MAC address of the default gateway router by some other means to threaten the network security. So, for more enhanced security, the DHCP proxy agent needs to examine the IP address of all user data traffic as well as of ARP packets. Then it can permit the packets with a DHCP IP address and deny those with a non-DHCP IP address (i.e. a static IP address). However, such an implementation is practically impossible with most regular network equipment; only a Broadband Remote Access Server (BRAS), which is capable of managing users, can support it.

[Figure: DHCP server, DHCP proxy agent, an authorized user (DHCP client) and an unauthorized user with an illegally configured static IP, with user traffic toward the Internet. Caption: A DHCP proxy agent refers to the IP-to-MAC binding table, discards all ARP Request packets sent by a user who has not acquired its IP address through DHCP, and thereby prevents such users from accessing the Internet.]

Some of the routers of this kind introduced by KT (Korea Telecom) include the Juniper E320 and the Redback (acquired by Ericsson) SE800. Just so you know, a BRAS can process user traffic on the data plane (the layer over which user data flows), and thus it is possible to support different QoS policies per user (e.g. bandwidth control). That explains why it is so expensive compared to other routers.

Please note we only cover the DHCP proxy agent function today, and will revisit BRAS next time.

The figure below illustrates the security functions mentioned above in more detail. In the figure, when PC1 obtains an IP address (1.1.1.10) through a normal DHCP procedure, the DHCP proxy agent creates an "IP-to-MAC binding table" on the control plane (where no user traffic is delivered, and routers are controlled through functions such as routing protocols, ARP, the DHCP proxy agent, etc.). This table contains the MAC address of a user who received an IP address through the DHCP process, the IP address, the interface number of the DHCP proxy agent that the user PC connects to, the DHCP lease time and the expired time. The expired time is initially set to the same value as the IP lease time, and thereafter decreases by one (1) every second. When it eventually reaches 0, the corresponding entry is deleted from the IP-to-MAC binding table.

When PC1, with an allocated IP address, sends an ARP Request packet to the default gateway router (DHCP proxy agent), the proxy agent that receives the packet checks whether both the Sender MAC address (m1) and the Sender IP address (1.1.1.10) in the packet are registered in the IP-to-MAC binding table. If they are, the proxy agent returns its MAC address to the user PC in an ARP Reply message. However, if PC2, with a static IP address (1.1.1.20), sends an ARP Request packet to the default gateway router (DHCP proxy agent), the DHCP proxy agent does not send any ARP Reply packet, since no information about the client (MAC address m2 and IP address 1.1.1.20) is found in the IP-to-MAC binding table. So, PC2 cannot get access to the Internet.

[Figure, upper half: PC1 (MAC=m1) on the L2 network sends DHCP Discover/Request; the DHCP proxy agent (MAC=m10, IP=1.1.1.254) forwards them and relays the DHCP Offer/Ack whose payload contains {Your IP=1.1.1.10, Client MAC=m1}. PC1 then sends an ARP Request ("Who has 1.1.1.254? Tell 1.1.1.10/m1") on interface Ge1/1. The entry is matched in the binding table, the proxy agent replies "1.1.1.254 is at m10", and PC1 reaches the Internet with SIP=1.1.1.10.]

IP-to-MAC Binding Table
  MAC   IP Address   Interface   Lease Time   Expired Time
  m1    1.1.1.10     Ge1/1       3600 sec     3000 sec

[Figure, lower half: PC2 (MAC=m2) has IP address 1.1.1.20 configured illegally at the PC. It sends an ARP Request ("Who has 1.1.1.254? Tell 1.1.1.20/m2") on Ge1/1 to learn the MAC address of the default gateway (1.1.1.254). No matching entry exists in the binding table, so the proxy agent ignores (discards) the ARP Request packet and PC2 keeps waiting for a reply that never comes.]
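As an added illustration (not code from the Netmanias post or from any router vendor), the following Python model shows both checks described above on top of one IP-to-MAC binding table: the binding is learned from the relayed DHCP Ack, the expired time counts down per second, ARP Requests are answered only when sender MAC and IP both match (method 1), and user data packets are permitted or denied on the same table (method 2). The class and method names are hypothetical; the addresses reuse the figure's values.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    """One row of the IP-to-MAC binding table (fields as listed in the post)."""
    mac: str
    ip: str
    interface: str
    lease_time: int
    expired_time: int  # starts equal to lease_time, counts down once per second


class DhcpProxyAgent:
    """Hypothetical model of the gateway-side DHCP proxy agent (not vendor code)."""

    def __init__(self, gateway_ip: str, gateway_mac: str):
        self.gateway_ip = gateway_ip
        self.gateway_mac = gateway_mac
        self.table = {}  # control-plane binding table keyed by (MAC, IP)

    def on_dhcp_ack(self, client_mac: str, your_ip: str, interface: str, lease: int):
        # The DHCP Ack is relayed through the proxy, so the agent learns
        # (Client MAC, Your IP, ingress interface, lease time) from its payload.
        self.table[(client_mac, your_ip)] = Binding(client_mac, your_ip, interface, lease, lease)

    def on_dhcp_release(self, client_mac: str, client_ip: str):
        # Release messages pass through the proxy as well; drop the binding.
        self.table.pop((client_mac, client_ip), None)

    def tick(self, seconds: int = 1):
        # Expired time decreases every second; the entry is deleted when it reaches 0.
        for key, b in list(self.table.items()):
            b.expired_time -= seconds
            if b.expired_time <= 0:
                del self.table[key]

    def on_arp_request(self, sender_mac: str, sender_ip: str, target_ip: str):
        # Method 1: answer only when the sender MAC *and* sender IP are both bound.
        # Returns the ARP Reply as (target_ip, gateway_mac), or None when discarded.
        if target_ip != self.gateway_ip or (sender_mac, sender_ip) not in self.table:
            return None
        return (target_ip, self.gateway_mac)

    def permit_user_packet(self, src_mac: str, src_ip: str) -> bool:
        # Method 2 (BRAS-style data-plane check): a static-IP host that learned the
        # gateway MAC some other way still has its traffic denied.
        return (src_mac, src_ip) in self.table
```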
[Figure: Netmanias Research and Consulting Scope, 1999-2013, covering analysis, report, blog, concept design, POC, training and consulting across wireline networks (FTTH, Metro Ethernet, MPLS, IP routing, Carrier Ethernet, data center), mobile networks (Mobile WiMAX, LTE, Carrier WiFi, LTE backhaul) and services (IPTV/TPS, IMS, policy control/PCRF, CDN, transparent caching, eMBMS/Mobile IPTV, BSS/OSS).]

Visit http://www.netmanias.com to view and download more technical documents.

About NMC Consulting Group (www.netmanias.com): NMC Consulting Group is an advanced and professional network consulting company, specializing in IP network areas (e.g., FTTH, Metro Ethernet and IP/MPLS), service areas (e.g., IPTV, IMS and CDN), and wireless network areas (e.g., Mobile WiMAX, LTE and Wi-Fi) since 2002.

Copyright © 2002-2013 NMC Consulting Group. All rights reserved.