Download a PDF file: http://www.netmanias.com/en/?m=view&id=techdocs&no=6001
You can also find and download more materials from http://www.netmanias.com

Netmanias Technical Document: Understanding DHCP Proxy Agents and Security
www.nmcgroups.com

Understanding DHCP Proxy Agents and Security

Table of Contents
I. Overview
II. Introduction to DHCP Proxy Agents
III. Basic Operations of DHCP Proxy Agents
IV. Security Functions of DHCP Proxy Agents
V. Summary and Closing
Appendices
Appendix A – Format of DHCP Messages in IP Address Allocation/Lease Procedure
Appendix B – Format of DHCP Messages in IP Address Renewal Procedure
Appendix C – Format of DHCP Messages in IP Address Release Procedure

This document is the fourth in our DHCP technical document series and explains the basic operations of a DHCP proxy agent. It covers the procedures of IP address allocation/lease, IP address renewal and IP address release through a DHCP proxy agent, describes how DHCP message parameters are replaced by a DHCP proxy agent during these procedures, and introduces the DHCP security functions of a DHCP proxy agent.

November 7, 2013
www.netmanias.com
NMC Consulting Group (tech@netmanias.com)

About NMC Consulting Group
NMC Consulting Group is an advanced and professional network consulting company, specializing in IP network areas (e.g., FTTH, Metro Ethernet and IP/MPLS), service areas (e.g., IPTV, IMS and CDN), and wireless network areas (e.g., Mobile WiMAX, LTE and Wi-Fi) since 2002.
Copyright © 2002-2013 NMC Consulting Group. All rights reserved.
Abbreviations
ACK: Acknowledgement
DHCP: Dynamic Host Configuration Protocol
DSCP: Differentiated Services Code Point
IHL: Internet Header Length
IP: Internet Protocol
UDP: User Datagram Protocol
TCP: Transmission Control Protocol
TOS: Type of Service
TTL: Time To Live
I. Overview

This document provides a technical summary of how a DHCP proxy agent works: an agent that simultaneously acts as a DHCP server (towards the client) and as a DHCP client (towards the server). Chapter II explains the functions and advantages of DHCP proxy agents, and Chapter III describes the basic principles of a proxy agent's DHCP operations. Chapter IV explains the security functions of the DHCP proxy agent. Finally, the Appendices present the specific message parameters used by DHCP proxy agents in the DHCP procedures.

Before you read this document it is recommended that you refer to the following three companion documents: “Understanding the Basic Operations of DHCP” [1], “Understanding the Detailed Operations of DHCP” [2], and “Understanding DHCP Relay Agents” [3].

II. Introduction to DHCP Proxy Agents

A DHCP relay agent simply relays the broadcast DHCP packets (DHCP Discover/Request) it receives from a DHCP client on its own subnet to DHCP server(s) located in other subnets. A DHCP proxy agent, on the other hand, not only relays the DHCP packets between subnets but also acts on behalf of the DHCP server towards the client, and on behalf of the client towards the server. That is, it acts as a DHCP server to the DHCP client, and as a DHCP client to the DHCP server.

Figure 1 shows a comparison between the DHCP relay agent and the DHCP proxy agent. The DHCP relay agent relays only the broadcast packets used in the IP address allocation/lease procedure, whereas the DHCP proxy agent, performing the functions of both a DHCP server and a DHCP client, relays all the DHCP packets (broadcast or unicast) used in the IP address allocation/lease, IP address renewal and IP address release procedures.
Figure 1. Comparison between a DHCP relay agent and a DHCP proxy agent
(a) DHCP relay agent (PC – Relay – DHCP server):
    IP allocation procedure: DHCP Discover, DHCP Offer, DHCP Request and DHCP Ack pass through the relay agent.
    IP renewal procedure: DHCP Request and DHCP Ack are exchanged directly between the DHCP client and the DHCP server.
    IP release procedure: DHCP Release is sent directly from the DHCP client to the DHCP server.
(b) DHCP proxy agent (PC – Proxy – DHCP server):
    IP allocation procedure: DHCP Discover, DHCP Offer, DHCP Request and DHCP Ack pass through the proxy agent.
    IP renewal procedure: DHCP Request and DHCP Ack pass through the proxy agent.
    IP release procedure: DHCP Release passes through the proxy agent.

Using a DHCP proxy agent instead of a DHCP relay agent has the following benefits:

1) Because the IP address of the DHCP server is not visible to users (DHCP clients), the DHCP server is protected from external attacks that target the server, such as Denial of Service (DoS): DHCP clients can only see the IP address of the DHCP proxy agent.

2) Because the DHCP proxy agent sees every lease it relays, it can keep a list of all user IP addresses allocated through DHCP and build an IP-to-MAC binding table from that information. This allows the agent to block traffic from unauthorized users whose IP addresses have not been allocated through the DHCP procedure (i.e. static IP users). Refer to Chapter IV, DHCP security functions.

Netmanias has in fact applied this security function to a network operated by one of our customers (a Dutch telecom operator) while providing System Integration (SI) services.

III. Basic Operations of DHCP Proxy Agents

This chapter describes how a PC (e.g. PC1 in Figure 2) on the 1.1.1.0/24 subnet communicates with a DHCP server through a DHCP proxy agent for all DHCP operations: IP address allocation/lease, IP address renewal and IP address release.

Figure 2. Network diagram
PC1 sits in the broadcast domain 1.1.1.0/24 behind an L2 switch. The DHCP proxy agent has the downlink address 1.1.1.254/24 on that domain, a second downlink 2.1.1.254/24 on the broadcast domain 2.1.1.0/24 (also behind an L2 switch), and the uplink address 100.1.1.254/24 towards the DHCP server 100.1.1.1 and the Internet router. DHCP Discover/Request messages are broadcast by PC1 and unicast by the proxy agent to the DHCP server.

3.1 IP Address Allocation/Lease Procedure

The DHCP proxy agent is located between the PC and the DHCP server as shown in Figure 2. It receives the DHCP Discover and Request messages broadcast by the PC and unicasts them directly to the DHCP server. At this point, the DHCP proxy agent enters its own IP address (the address of the interface on which the DHCP Discover/Request message was received) into the Relay Agent IP (= Gateway IP = giaddr) field of the DHCP message (see note 1). When the DHCP server unicasts a DHCP Offer/Ack message, it puts the relay agent's IP address into the destination IP address field of the message, so the message is delivered to the DHCP proxy agent.
After checking the Broadcast Flag value of the received message, the DHCP proxy agent replaces the destination IP address with the PC's IP address (Broadcast Flag = 0) or with the broadcast IP address (Broadcast Flag = 1) [2], replaces the source IP address with its own IP address, and then forwards the modified message to the PC. Up to this point the procedure is the same as that of the DHCP relay agent described in [3]. The important difference between a DHCP proxy agent and a DHCP relay agent is that the proxy agent replaces the DHCP server's IP address in the DHCP Server Identifier (Option 54) field of the DHCP Offer/Ack message with its own IP address. Through this process, the DHCP proxy agent is recognized as the DHCP server by the PC (DHCP client).

Note 1. Both agents perform the common function of relaying messages between a DHCP client and a DHCP server, and the IETF standard requires that the IP address of the agent be stored in the Gateway IP Address (giaddr) field. In this document, “relay agent IP” refers to the address in the Gateway IP Address field.

Figure 3. IP address allocation/lease procedure using a DHCP proxy agent
Configuration: PC MAC = m1; DHCP proxy agent downlink IP = 1.1.1.254 (relay agent IP), downlink MAC = m2, uplink IP = 100.1.1.254 (server IP as seen by the client), uplink MAC = m3; DHCP server IP = 100.1.1.1, MAC = m5.
1a DHCP Discover (broadcast, PC to proxy): Ethernet {DA=FF:FF:FF:FF:FF:FF, SA=m1}, IP {SIP=0.0.0.0, DIP=255.255.255.255}, DHCP {Broadcast Flag=0 or 1, Relay Agent IP=0.0.0.0, Client MAC=m1}
1b DHCP Discover (unicast, proxy to server): Ethernet {DA=m5, SA=m3}, IP {SIP=100.1.1.254, DIP=100.1.1.1}, DHCP {Broadcast Flag=0 or 1, Relay Agent IP=1.1.1.254, Client MAC=m1}
2a DHCP Offer (unicast, server to proxy): Ethernet {DA=m3, SA=m5}, IP {SIP=100.1.1.1, DIP=1.1.1.254}, DHCP {Broadcast Flag=0 or 1, Your IP=1.1.1.10, Relay Agent IP=1.1.1.254, Client MAC=m1, DHCP Server Identifier(54)=100.1.1.1, Options}
2b DHCP Offer (unicast or broadcast, proxy to PC): Ethernet {DA=m1 or FF:FF:FF:FF:FF:FF, SA=m2}, IP {SIP=1.1.1.254, DIP=1.1.1.10 or 255.255.255.255}, DHCP {Broadcast Flag=0 or 1, Your IP=1.1.1.10, Relay Agent IP=1.1.1.254, Client MAC=m1, DHCP Server Identifier(54)=100.1.1.254, Options}
3a DHCP Request (broadcast, PC to proxy): Ethernet {DA=FF:FF:FF:FF:FF:FF, SA=m1}, IP {SIP=0.0.0.0, DIP=255.255.255.255}, DHCP {Broadcast Flag=0 or 1, Relay Agent IP=0.0.0.0, Client MAC=m1, DHCP Server Identifier(54)=100.1.1.254}
3b DHCP Request (unicast, proxy to server): Ethernet {DA=m5, SA=m3}, IP {SIP=100.1.1.254, DIP=100.1.1.1}, DHCP {Broadcast Flag=0 or 1, Relay Agent IP=1.1.1.254, Client MAC=m1, DHCP Server Identifier(54)=100.1.1.1}
4a DHCP Ack (unicast, server to proxy): Ethernet {DA=m3, SA=m5}, IP {SIP=100.1.1.1, DIP=1.1.1.254}, DHCP {Broadcast Flag=0 or 1, Your IP=1.1.1.10, Relay Agent IP=1.1.1.254, Client MAC=m1, DHCP Server Identifier(54)=100.1.1.1, Options}
4b DHCP Ack (unicast or broadcast, proxy to PC): Ethernet {DA=m1 or FF:FF:FF:FF:FF:FF, SA=m2}, IP {SIP=1.1.1.254, DIP=1.1.1.10 or 255.255.255.255}, DHCP {Broadcast Flag=0 or 1, Your IP=1.1.1.10, Relay Agent IP=1.1.1.254, Client MAC=m1, DHCP Server Identifier(54)=100.1.1.254, Options}
IP address 1.1.1.10 allocation completed; Internet access with SIP=1.1.1.10.

1. DHCP Discover

The DHCP client (PC) broadcasts a DHCP Discover message on the physical Ethernet subnet [1]. The DHCP proxy agent receives all packets whose UDP destination port is 67 (DHCP Discover/Request), replaces the values in the destination/source MAC address, destination/source IP address and Gateway IP Address (i.e. relay agent IP address) fields of the message, and then unicasts the message to the DHCP server.

One thing to note here is that, in the DHCP Discover message, the source IP address and the relay agent IP address are replaced with the uplink IP address of the DHCP proxy agent (100.1.1.254) and the downlink IP address of the DHCP proxy agent (1.1.1.254), respectively, before the message is forwarded to the DHCP server. The reasons for these substitutions are as follows. First, the source IP address is replaced because the unicast DHCP Discover message should carry the IP address of the outgoing interface (the port from which the packet is sent) as its source IP address; the source IP of the DHCP Discover message therefore becomes the uplink IP address of the DHCP proxy agent. Second, the Relay Agent IP Address field is replaced because the DHCP server refers to this field when it selects the IP pool to allocate from; the field therefore carries the downlink IP address of the DHCP proxy agent, an address on the same subnet as the DHCP client.
2. DHCP Offer

Based on the relay agent IP address (giaddr) in the DHCP Discover message, the DHCP server first selects an IP pool and then an IP address from that pool to allocate to the DHCP client. Next, it sends a DHCP Offer message with the relay agent's IP address in the destination IP field. Upon receiving the message, the DHCP proxy agent replaces the values in the destination/source MAC address, destination/source IP address and DHCP Server Identifier (Option 54) fields of the DHCP Offer message, and then unicasts or broadcasts the message to the DHCP client (PC) [2]. The DHCP Server Identifier field distinguishes DHCP servers from each other. The DHCP proxy agent replaces the IP address of the DHCP server (100.1.1.1) in this field with its uplink IP address (100.1.1.254), and is thus recognized by the DHCP client as the DHCP server.

3. DHCP Request

Upon receiving the DHCP Offer message sent by the proxy agent, the DHCP client (PC) broadcasts a DHCP Request message on the physical Ethernet subnet to request the offered network configuration, including the IP address [1]. The DHCP proxy agent, upon receiving this message, replaces the values in the destination/source MAC address, destination/source IP address, Gateway IP Address (i.e. relay agent IP address) and DHCP Server Identifier (Option 54) fields of the message, and then unicasts the modified message to the DHCP server. The source IP address and Gateway IP Address fields of the DHCP Request message are replaced in the same way as in the DHCP Discover message. As for the DHCP Server Identifier field, the DHCP server discards a DHCP Request whose Server Identifier does NOT match its own IP address, so the DHCP proxy agent replaces its uplink IP address (100.1.1.254) in this field with the DHCP server's IP address (100.1.1.1).

4. DHCP Ack

The DHCP server finally determines the IP address to allocate/lease to the DHCP client and sends a DHCP Ack message with the relay agent IP address (giaddr) of the DHCP Request message as the destination IP address. Upon receiving this message, the DHCP proxy agent replaces the values in the destination/source MAC address, destination/source IP address and DHCP Server Identifier (Option 54) fields of the message, and then unicasts or broadcasts the modified message to the DHCP client [2]. The fields replaced here are the same as for the DHCP Offer message.

Again, the important function the DHCP proxy agent performs in the IP address allocation/lease procedure is to replace the value of the DHCP Server Identifier field in every DHCP message exchanged between the DHCP client and server. Figure 4 summarizes this.
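The rewrite rules of the four steps above (and of the unicast renewal and release messages in 3.2 and 3.3, which take the same client-to-server path) can be modelled directly. The following Python is an added example written for this page, not Netmanias code or any vendor's implementation: it builds minimal RFC 2131 messages (fixed fields plus TLV options), applies the proxy's rewrite rules in both directions, and runs the Discover/Offer legs of Figure 3 through them. The IP addresses are those of Figure 3; the MAC m1, the transaction ID, the lease time and the server's reply are constructed here. Ethernet rewriting is left out, since it follows from the L3 destination.

```python
"""Header rewriting performed by a DHCP proxy agent (sections 3.1-3.3).
Added example for this page, not Netmanias code. Addresses are those of
Figure 3; MAC m1, the xid and the server's reply are constructed here.
"""
import ipaddress
import struct
from dataclasses import dataclass

MAGIC = b"\x63\x82\x53\x63"
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"      # op .. file: the 236 fixed bytes
OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PAD, OPT_END = 51, 53, 54, 0, 255
DISCOVER, OFFER, REQUEST, ACK, RELEASE = 1, 2, 3, 5, 7
BOOTREQUEST, BOOTREPLY, BCAST = 1, 2, "255.255.255.255"

def ip2b(ip: str) -> bytes: return ipaddress.IPv4Address(ip).packed
def b2ip(b: bytes) -> str: return str(ipaddress.IPv4Address(b))

@dataclass
class Dhcp:
    op: int
    xid: int
    bcast: bool          # Broadcast flag (top bit of 'flags')
    ciaddr: str
    yiaddr: str
    giaddr: str          # Relay Agent IP (Gateway IP Address)
    chaddr: bytes
    options: dict        # option code -> raw value bytes

def encode(m: Dhcp) -> bytes:
    fixed = struct.pack(FIXED, m.op, 1, 6, 0, m.xid, 0, 0x8000 if m.bcast else 0,
                        ip2b(m.ciaddr), ip2b(m.yiaddr), b"\0" * 4, ip2b(m.giaddr),
                        m.chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = b"".join(bytes([c, len(v)]) + v for c, v in m.options.items())
    return fixed + MAGIC + opts + bytes([OPT_END])

def decode(raw: bytes) -> Dhcp:
    f = struct.unpack(FIXED, raw[:236])
    if raw[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(raw) and raw[i] != OPT_END:
        if raw[i] == OPT_PAD:
            i += 1
            continue
        code, ln = raw[i], raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + ln]
        i += 2 + ln
    return Dhcp(f[0], f[4], bool(f[6] & 0x8000), b2ip(f[7]), b2ip(f[8]),
                b2ip(f[10]), f[11][:f[2]], opts)

@dataclass(frozen=True)
class L3:
    src: str
    dst: str

@dataclass(frozen=True)
class ProxyAgent:
    downlink_ip: str     # 1.1.1.254: goes into giaddr, source of replies to clients
    uplink_ip: str       # 100.1.1.254: what clients see in Option 54
    server_ip: str       # 100.1.1.1: never visible to clients

    def to_server(self, hdr: L3, raw: bytes) -> tuple[L3, bytes]:
        """Client -> server: steps 1b/3b of Figure 3, renewal Request, Release."""
        m = decode(raw)
        if m.op != BOOTREQUEST or hdr.dst not in (BCAST, self.uplink_ip):
            raise ValueError("not a client message addressed to this proxy")
        m.giaddr = self.downlink_ip                  # server picks the pool from giaddr
        if OPT_SERVER_ID in m.options:               # client named us; server must see itself
            m.options[OPT_SERVER_ID] = ip2b(self.server_ip)
        return L3(self.uplink_ip, self.server_ip), encode(m)

    def to_client(self, hdr: L3, raw: bytes) -> tuple[L3, bytes]:
        """Server -> client: steps 2b/4b of Figure 3 and the renewal Ack."""
        m = decode(raw)
        if m.op != BOOTREPLY or hdr.dst != self.downlink_ip:
            raise ValueError("not a server reply addressed to our giaddr")
        m.options[OPT_SERVER_ID] = ip2b(self.uplink_ip)   # masquerade as the DHCP server
        if m.ciaddr != "0.0.0.0":                    # renewal: client already has an address
            dst = m.ciaddr
        else:                                        # allocation: Broadcast flag decides
            dst = BCAST if m.bcast else m.yiaddr
        return L3(self.downlink_ip, dst), encode(m)

def figure3_exchange() -> dict:
    """Run steps 1 and 2 of Figure 3 through the proxy; return what each hop carries."""
    proxy = ProxyAgent("1.1.1.254", "100.1.1.254", "100.1.1.1")
    m1 = bytes.fromhex("0011223344aa")               # constructed PC MAC (m1)
    discover = encode(Dhcp(BOOTREQUEST, 0x1234, True, "0.0.0.0", "0.0.0.0", "0.0.0.0",
                           m1, {OPT_MSG_TYPE: bytes([DISCOVER])}))
    hdr_1b, disc_1b = proxy.to_server(L3("0.0.0.0", BCAST), discover)
    # constructed server reply: Offer sent to giaddr, Option 54 = the real server
    offer = encode(Dhcp(BOOTREPLY, 0x1234, True, "0.0.0.0", "1.1.1.10",
                        decode(disc_1b).giaddr, m1,
                        {OPT_MSG_TYPE: bytes([OFFER]), OPT_SERVER_ID: ip2b("100.1.1.1"),
                         OPT_LEASE: struct.pack("!I", 3600)}))
    hdr_2b, offer_2b = proxy.to_client(L3("100.1.1.1", "1.1.1.254"), offer)
    return {"1b": (hdr_1b, decode(disc_1b)), "2b": (hdr_2b, decode(offer_2b))}
```

Two details worth noting in `to_client`: a reply whose destination is not the proxy's own giaddr is refused rather than forwarded, and a reply carrying a non-zero ciaddr (the renewal Ack of Figure 5) is unicast to that address regardless of the Broadcast flag, which is what lets the renewal path of 3.2 reuse the same code as the allocation path.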
Figure 4. Replacing the value in the DHCP Server Identifier field
PC – Proxy – DHCP server. DHCP Discover passes through unchanged in this respect; in DHCP Offer, DHCP Request and DHCP Ack the DHCP Server Identifier (Option 54) equals the DHCP proxy agent IP on the PC side and the DHCP server IP on the server side.

3.2 IP Address Renewal Procedure

As described in “Understanding the Basic Operations of DHCP” [1], a DHCP client (PC) keeps the DHCP server IP address it acquired in the DHCP Server Identifier field of the DHCP Ack message during the IP address allocation procedure. When the DHCP client later needs to extend its IP address lease, it does NOT broadcast but unicasts a DHCP Request message to that DHCP server. As shown in Figure 5, the DHCP server IP address known to the DHCP client is the uplink IP address of the DHCP proxy agent, so the message is unicast to the DHCP proxy agent, which re-processes and forwards it to the DHCP server. In response, the DHCP server unicasts a DHCP Ack message towards the DHCP client. The destination IP address used at this point is the relay agent IP address (giaddr) of the DHCP Request message, so the message is delivered to the DHCP proxy agent, which re-processes and forwards it to the DHCP client.
Figure 5. IP address renewal procedure in the network with a DHCP proxy agent
Configuration: PC MAC = m1; DHCP proxy agent downlink IP = 1.1.1.254 (relay agent IP), downlink MAC = m2, uplink IP = 100.1.1.254 (server IP as seen by the client), uplink MAC = m3; DHCP server IP = 100.1.1.1, MAC = m5.
T1 timer expired at the PC (IP address renewal time).
1a DHCP Request (unicast, PC to proxy): Ethernet {DA=m2, SA=m1}, IP {SIP=1.1.1.10, DIP=100.1.1.254}, DHCP {Client IP=1.1.1.10, Relay Agent IP=0.0.0.0, Client MAC=m1}
1b DHCP Request (unicast, proxy to server): Ethernet {DA=m5, SA=m3}, IP {SIP=100.1.1.254, DIP=100.1.1.1}, DHCP {Client IP=1.1.1.10, Relay Agent IP=1.1.1.254, Client MAC=m1}
2a DHCP Ack (unicast, server to proxy): Ethernet {DA=m3, SA=m5}, IP {SIP=100.1.1.1, DIP=1.1.1.254}, DHCP {Client IP=1.1.1.10, Your IP=1.1.1.10, Relay Agent IP=1.1.1.254, Client MAC=m1, DHCP Server Identifier(54)=100.1.1.1, Options}
2b DHCP Ack (unicast, proxy to PC): Ethernet {DA=m1, SA=m2}, IP {SIP=1.1.1.254, DIP=1.1.1.10}, DHCP {Client IP=1.1.1.10, Your IP=1.1.1.10, Relay Agent IP=1.1.1.254, Client MAC=m1, DHCP Server Identifier(54)=100.1.1.254, Options}
IP address 1.1.1.10 renewal completed; Internet access with SIP=1.1.1.10.
As described in “Understanding DHCP Relay Agents” [3], a DHCP relay agent is NOT involved in this procedure, whereas a DHCP proxy agent receives and re-processes the DHCP Request/Ack messages exchanged between the client and the server.

1. DHCP Request

The DHCP client (PC) unicasts a DHCP Request message with the proxy agent's IP address as the destination IP address. Upon receiving the message, the DHCP proxy agent replaces the values in the destination/source MAC address, destination/source IP address and Gateway IP Address (i.e. relay agent IP address) fields of the message, and then unicasts the modified message to the DHCP server.

2. DHCP Ack

The DHCP server sends a DHCP Ack message with the relay agent IP address (giaddr) of the DHCP Request message as the destination IP address. Upon receiving the message, the DHCP proxy agent replaces the values in the destination/source MAC address, destination/source IP address and DHCP Server Identifier (Option 54) fields of the message, and then unicasts the modified message to the DHCP client.

3.3 IP Address Release Procedure

To release its IP address, a DHCP client (PC) unicasts a DHCP Release message to the DHCP server. As shown in Figure 6, the DHCP server IP address known to the DHCP client is the uplink IP address of the DHCP proxy agent, so the message is delivered to the DHCP proxy agent, which re-processes and forwards it to the DHCP server. As described in [3], a DHCP relay agent is NOT involved in this procedure either, whereas a DHCP proxy agent receives and re-processes the DHCP Release message sent by the client to the server.
Figure 6. IP address release procedure in the network with a DHCP proxy agent
Configuration: PC MAC = m1; DHCP proxy agent downlink IP = 1.1.1.254 (relay agent IP), downlink MAC = m2, uplink IP = 100.1.1.254 (server IP as seen by the client), uplink MAC = m3; DHCP server IP = 100.1.1.1, MAC = m5.
The PC, which has Internet access with SIP=1.1.1.10, shuts down its DHCP client (or runs “ipconfig /release”).
1a DHCP Release (unicast, PC to proxy): Ethernet {DA=m2, SA=m1}, IP {SIP=1.1.1.10, DIP=100.1.1.254}, DHCP {Client IP=1.1.1.10, Relay Agent IP=0.0.0.0, Client MAC=m1, DHCP Server Identifier(54)=100.1.1.254}
1b DHCP Release (unicast, proxy to server): Ethernet {DA=m5, SA=m3}, IP {SIP=100.1.1.254, DIP=100.1.1.1}, DHCP {Client IP=1.1.1.10, Relay Agent IP=1.1.1.254, Client MAC=m1, DHCP Server Identifier(54)=100.1.1.1}
IP address 1.1.1.10 release completed.
1. DHCP Release

The DHCP client (PC) unicasts a DHCP Release message with the DHCP proxy agent's address as the destination IP address. Upon receiving the message, the DHCP proxy agent replaces the values in the destination/source MAC address, destination/source IP address, Gateway IP Address (i.e. relay agent IP address) and DHCP Server Identifier (Option 54) fields of the message, and then unicasts the modified message to the DHCP server.

IV. Security Functions of DHCP Proxy Agents (see note 2)

As shown in the previous chapters, a DHCP proxy agent is involved in all the DHCP messages that are exchanged between a DHCP client and server. This chapter covers the security function of a DHCP proxy agent, specifically the procedure for blocking data traffic from unauthorized users whose IP addresses have not been allocated through a normal DHCP procedure. Figure 7 shows an overview of the DHCP security functions.

Figure 7. DHCP security functions of a DHCP proxy agent
An authorized user (DHCP client) and an unauthorized user (static IP configured illegally) both send user traffic towards the Internet through the DHCP proxy agent, which is connected to the DHCP server. The DHCP proxy agent:
· refers to its IP-to-MAC binding table;
· discards all ARP Request packets sent by a user who has not acquired its IP address through DHCP;
· thereby prevents such users from accessing the Internet.

4.1 Procedure for Creating an IP-to-MAC Binding Table

Figure 8 describes how the IP-to-MAC binding table of a DHCP proxy agent is created from DHCP messages.

Note 2. The security functions explained in this chapter can also be supported by a DHCP relay agent. In that case, however, the relay agent must be able to snoop all of the DHCP messages (including the unicast ones) used in the IP address allocation and release procedures.
Figure 8. Procedure for creating an IP-to-MAC binding table
(1) t = 0: IP address allocation (DHCP Discover/Offer/Request/Ack through the proxy). DHCP Ack payload {Your IP=1.1.1.10, Client MAC=m1, IP Lease Time(51)=3,600s}, received on interface Ge1/1. IP address 1.1.1.10 allocation completed and the entry is created:
    MAC m1, IP Address 1.1.1.10, Interface Ge1/1, Lease Time 3600 sec, Expired Time 3600 sec
    t = 1,800s: Expired Time has decreased to 1800 sec (it is decremented every second).
(2) T1 timer expired (IP address renewal time), t = 0 again: DHCP Request/Ack through the proxy. DHCP Ack payload {Your IP=1.1.1.10, Client MAC=m1, IP Lease Time(51)=3,600s}. IP address 1.1.1.10 renewal completed and the timer is refreshed:
    MAC m1, IP Address 1.1.1.10, Interface Ge1/1, Lease Time 3600 sec, Expired Time 3600 sec
(3) PC power-off, t = 3,600s: the entry is deleted when Expired Time = 0, or when a DHCP Release message is received.

❶ The DHCP proxy agent parses the parameters of the DHCP Ack message received in the last phase of the IP address allocation/lease procedure and stores the collected information in its IP-to-MAC binding table: the client (PC) MAC address (m1), the client IP address (1.1.1.10), the IP address lease time (3,600 sec) and the DHCP proxy agent interface (Ge1/1) to which the DHCP client is connected. In addition, the DHCP proxy agent maintains an Expired Time field. Initially this field is set to the same value as the Lease Time field, and it then decreases by one (1) every second.
❷ Once the T1 timer of the DHCP client expires (1,800 seconds after the IP address allocation), the DHCP client starts the IP address renewal procedure [2]. The DHCP proxy agent then updates the Lease Time and Expired Time fields of the IP-to-MAC binding table with the IP address lease time (3,600 seconds) included in the new DHCP Ack message.

❸ Let us assume that the DHCP client (PC) is later turned off. In this case, neither the DHCP proxy agent nor the DHCP server is aware of the situation, so the value in the Expired Time field continues to decrease by one (1) every second until it reaches 0, at which point the related entry in the IP-to-MAC binding table is deleted. The entry is of course also deleted when the DHCP client (PC) sends a DHCP Release message.

4.2 Procedure for Blocking Traffic from Users with an Abnormal IP Address

The DHCP proxy agent function is generally enabled in the default gateway router of the DHCP client (i.e. the first router the client connects to). Upon receiving an ARP Request packet sent by a DHCP client, the DHCP proxy agent looks up its IP-to-MAC binding table to check the validity of the client. Figure 9 shows the procedure in detail.

Figure 9. Blocking traffic using an IP-to-MAC binding table
DHCP proxy agent: IP = 1.1.1.254, MAC = m10, client-facing interface Ge1/1.
(1) PC1 (MAC = m1) obtains its IP address through DHCP Discover/Request and Offer/Ack via the proxy (DHCP payload {Your IP=1.1.1.10, Client MAC=m1}). PC1 then sends an ARP Request on Ge1/1: “Who has 1.1.1.254? Tell 1.1.1.10/m1”. IP-to-MAC binding table: MAC m1, IP Address 1.1.1.10, Interface Ge1/1, Lease Time 3600 sec, Expired Time 3000 sec. Matched, so the proxy sends the ARP Reply “1.1.1.254 is at m10” and PC1 accesses the Internet with SIP=1.1.1.10.
(2) PC2 (MAC = m2) configures the IP address 1.1.1.20 illegally (static) and, needing the MAC address of the default gateway (1.1.1.254) to access the Internet, sends an ARP Request on Ge1/1: “Who has 1.1.1.254? Tell 1.1.1.20/m2”. The table still holds only m1/1.1.1.10: not matched, so the proxy ignores (discards) the ARP Request and PC2 keeps waiting for a reply that never comes.

❶ As PC1 in the above figure has obtained its IP address through a normal DHCP procedure, the DHCP proxy agent has already collected the information about PC1 in its IP-to-MAC binding table.
When the DHCP proxy agent receives an ARP Request packet sent by PC1, it checks whether both the sender MAC address (m1) and the sender IP address (1.1.1.10) in the packet are registered in the IP-to-MAC binding table. If they are, the proxy agent sends an ARP Reply to PC1.

❷ As PC2 represents a client with a static IP address, there is no information (MAC address or IP address) about the client in the IP-to-MAC binding table. Thus, when the DHCP proxy agent receives an ARP Request packet sent by PC2, it does not send an ARP Reply, since no entry matching the client's MAC address (m2) and IP address (1.1.1.20) is found in the table. PC2 therefore cannot acquire the MAC address of the DHCP proxy agent (i.e. the default gateway router), and fails to access the Internet.
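The binding-table life cycle of 4.1 and the ARP gate of 4.2 together, as an added Python example written for this page (not Netmanias code): the table is fed with the parameters the proxy already parses from the DHCP Ack and DHCP Release, counts down the Expired Time, drops entries on Release or expiry, and the ARP responder answers a gateway ARP Request only for a sender (MAC, IP) pair that was learned on the same interface. The MACs, addresses and the interface name Ge1/1 are constructed to match Figures 8 and 9; the clock is injected as a parameter so the countdown can be exercised without waiting.

```python
"""IP-to-MAC binding table and ARP gate of a DHCP proxy agent (sections 4.1-4.2).
Added example for this page, not Netmanias code. ARP frames are raw 28-byte
Ethernet/IPv4 ARP payloads; 'now' is an injected clock in seconds.
"""
import ipaddress
import struct
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_HDR = "!HHBBH"                       # htype, ptype, hlen, plen, oper

def mac_str(b: bytes) -> str: return ":".join(f"{x:02x}" for x in b)
def mac_bytes(s: str) -> bytes: return bytes.fromhex(s.replace(":", ""))

@dataclass
class Binding:
    mac: str
    ip: str
    iface: str
    lease_time: int      # IP Lease Time (Option 51) from the DHCP Ack
    expires_at: float    # absolute; Figure 8's "Expired Time" is expires_at - now

class BindingTable:
    def __init__(self):
        self._by_ip: dict[str, Binding] = {}

    def on_ack(self, mac, ip, iface, lease_time, now):
        """Step 1: create the entry on the first Ack; step 2: a renewal Ack refreshes it."""
        self._by_ip[ip] = Binding(mac, ip, iface, lease_time, now + lease_time)

    def on_release(self, mac, ip):
        """Step 3: delete on DHCP Release; only the MAC holding the lease may release it."""
        b = self._by_ip.get(ip)
        if b is not None and b.mac == mac:
            del self._by_ip[ip]

    def expire(self, now):
        """Step 3: delete entries whose Expired Time reached 0 (e.g. PC powered off)."""
        for ip, b in list(self._by_ip.items()):
            if b.expires_at <= now:
                del self._by_ip[ip]

    def expired_time(self, ip, now):
        b = self._by_ip.get(ip)
        return None if b is None else max(0, int(b.expires_at - now))

    def is_bound(self, mac, ip, iface, now) -> bool:
        """Figure 9 check: sender MAC, sender IP and ingress interface must all match."""
        self.expire(now)
        b = self._by_ip.get(ip)
        return b is not None and b.mac == mac and b.iface == iface

def parse_arp(pkt: bytes):
    """Return (oper, sender_mac, sender_ip, target_ip) of an Ethernet/IPv4 ARP packet."""
    htype, ptype, hlen, plen, oper = struct.unpack(ARP_HDR, pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or len(pkt) < 28:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return (oper, mac_str(pkt[8:14]), str(ipaddress.IPv4Address(pkt[14:18])),
            str(ipaddress.IPv4Address(pkt[24:28])))

def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    return (struct.pack(ARP_HDR, 1, 0x0800, 6, 4, oper)
            + mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
            + mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed)

class ArpGate:
    """The proxy's ARP responder: answers only for bound (MAC, IP) pairs (Figure 9)."""
    def __init__(self, table: BindingTable, gw_ip: str, gw_mac: str):
        self.table, self.gw_ip, self.gw_mac = table, gw_ip, gw_mac

    def handle(self, pkt: bytes, iface: str, now: float):
        """Return the ARP Reply bytes, or None when the request is silently discarded."""
        oper, smac, sip, tip = parse_arp(pkt)
        if oper != ARP_REQUEST or tip != self.gw_ip:
            return None
        if not self.table.is_bound(smac, sip, iface, now):
            return None                              # (2) not matched: discard
        return build_arp(ARP_REPLY, self.gw_mac, self.gw_ip, smac, sip)   # (1) matched

def figure9_scenario() -> dict:
    """PC1 leased via DHCP, PC2 static; then PC1 renews once and later goes silent."""
    m1, m2, m10 = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:10"
    table = BindingTable()
    gate = ArpGate(table, "1.1.1.254", m10)
    table.on_ack(m1, "1.1.1.10", "Ge1/1", 3600, now=0)            # DHCP Ack for PC1
    pc1 = build_arp(ARP_REQUEST, m1, "1.1.1.10", "00:00:00:00:00:00", "1.1.1.254")
    pc2 = build_arp(ARP_REQUEST, m2, "1.1.1.20", "00:00:00:00:00:00", "1.1.1.254")
    r = {"pc1_t600": gate.handle(pc1, "Ge1/1", 600),
         "pc2_t600": gate.handle(pc2, "Ge1/1", 600),
         "pc1_other_port": gate.handle(pc1, "Ge1/2", 600),
         "expired_at_600": table.expired_time("1.1.1.10", 600)}
    table.on_ack(m1, "1.1.1.10", "Ge1/1", 3600, now=1800)         # renewal Ack refreshes timer
    r["expired_after_renew"] = table.expired_time("1.1.1.10", 1800)
    r["pc1_t5400"] = gate.handle(pc1, "Ge1/1", 5400)                # 3600 s later, no renewal
    return r
```

The interface check in `is_bound` is the one detail the figure's table implies but the prose does not spell out: a bound (MAC, IP) pair replayed on another port of the proxy is not answered. As the next paragraph notes, this gate only acts when a host has to resolve the gateway's MAC address, so it does not by itself inspect the data traffic of a host that already holds that address.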
Having these security functions enabled means that users' attempts to access the network (e.g. the Internet) are controlled through the responses to their ARP Requests. Note that this does not mean that all of the data traffic coming from users is examined: the check happens only when a host has to resolve the gateway's MAC address. If an attacker already knows the MAC address of the default gateway (the DHCP proxy agent), which is not difficult to learn, a static ARP entry for it removes the need to send an ARP Request at all, and the security feature of the DHCP proxy agent is bypassed. To make up for this weakness, some network operators have adopted a more robust system, the BRAS (Broadband Remote Access Server), which can monitor and inspect all uplink and downlink user traffic. BRAS products deployed by Korean domestic network operators include the Juniper E320 and the Redback (acquired by Ericsson) SE800.

V. Summary and Closing

In this document we have reviewed the procedures of IP address allocation/lease, IP address renewal and IP address release performed by a DHCP proxy agent, and examined its security functions. Table 1 summarizes our findings, comparing a DHCP relay agent with a DHCP proxy agent.

Table 1. Comparison between a DHCP relay agent and a DHCP proxy agent

Basic concept
- DHCP relay agent: relays DHCP messages between a DHCP client and server that reside on different subnets.
- DHCP proxy agent: intercepts and re-processes all DHCP messages between a DHCP client and server, acting as a DHCP server to the DHCP client and as a DHCP client to the DHCP server.

DHCP server address known by the user
- DHCP relay agent: DHCP server IP address.
- DHCP proxy agent: DHCP proxy agent IP address.

IP address allocation/lease
- DHCP relay agent: re-processes all DHCP messages on the way to the client or server.
- DHCP proxy agent: re-processes all DHCP messages on the way to the client or server.

IP address renewal
- DHCP relay agent: does NOT re-process any DHCP messages on the way to the client or server.
- DHCP proxy agent: re-processes all DHCP messages on the way to the client or server.

IP address release
- DHCP relay agent: does NOT re-process any DHCP messages on the way to the client or server.
- DHCP proxy agent: re-processes all DHCP messages on the way to the client or server.

References
[1] Netmanias Technical Document, “Understanding the Basic Operations of DHCP”, November 2013
[2] Netmanias Technical Document, “Understanding the Detailed Operations of DHCP”, October 2013
[3] Netmanias Technical Document, “Understanding DHCP Relay Agents”, October 2013
Appendix A - Format of DHCP Messages in IP Address Allocation/Lease Procedure

Appendix A provides detailed examples of the DHCP message parameters that a DHCP proxy agent replaces during the IP address allocation/lease procedure. Topology used in Figures 10 to 16: a PC (MAC m1) on the L2 network; a DHCP proxy agent with downlink IP 1.1.1.254 / MAC m2 and uplink IP 100.1.1.254 / MAC m3; a DHCP server with IP 100.1.1.1 / MAC m5. Header fields that the figures show without example values (TOS, Identification, Flags, Fragment Offset, TTL, lengths, checksums, hops, secs, sname, file) are omitted from the tables.

DHCP Discover Message

Figure 10. IP address allocation/lease procedure: DHCP Discover message

| Field | PC to DHCP proxy agent | DHCP proxy agent to DHCP server |
| --- | --- | --- |
| Ethernet destination MAC | FF:FF:FF:FF:FF:FF (broadcast) | DHCP server MAC (m5) |
| Ethernet source MAC | PC MAC (m1) | proxy agent uplink MAC (m3) |
| EtherType | 0x0800 (IP) | 0x0800 (IP) |
| IP version / IHL / protocol | 4 / 5 / 17 (UDP) | 4 / 5 / 17 (UDP) |
| Source IP address | 0.0.0.0 | proxy agent uplink IP (100.1.1.254) |
| Destination IP address | 255.255.255.255 (broadcast) | DHCP server IP (100.1.1.1) |
| UDP source / destination port | 68 (bootpc) / 67 (bootps) | 68 (bootpc) / 67 (bootps) |
| op / htype / hlen | 1 (request) / Ethernet / 6 | 1 (request) / Ethernet / 6 |
| Broadcast flag | 1 | 1 |
| ciaddr | 0.0.0.0 | 0.0.0.0 |
| yiaddr | 0.0.0.0 | 0.0.0.0 |
| siaddr | 0.0.0.0 | 0.0.0.0 |
| giaddr | 0.0.0.0 | proxy agent downlink IP (1.1.1.254) |
| chaddr (16 B) | PC MAC (m1) | PC MAC (m1) |
| Option 53 (DHCP Message Type) | 1 (DHCP Discover) | 1 (DHCP Discover) |
| Option 61 (Client Identifier) | PC MAC (m1) | PC MAC (m1) |
| Option 55 (Parameter Request List) | 1, 3, 6, ... | 1, 3, 6, ... |

Ethernet header
- Destination MAC address: the broadcast MAC address (FF:FF:FF:FF:FF:FF) is replaced with the MAC address of the DHCP server (m5).
- Source MAC address: the PC MAC address (m1) is replaced with the uplink MAC address of the DHCP proxy agent (m3).

IP header
- Source IP address: 0.0.0.0 is replaced with the uplink IP address of the DHCP proxy agent (100.1.1.254).
- Destination IP address: the broadcast address 255.255.255.255 is replaced with the IP address of the DHCP server (100.1.1.1).

DHCP message payload
- Gateway IP address (giaddr): 0.0.0.0 is replaced with the downlink IP address of the DHCP proxy agent (1.1.1.254), the interface on which the DHCP Discover message from the PC was received.
DHCP Offer Message

Figure 11. IP address allocation/lease procedure: DHCP Offer message

| Field | DHCP server to DHCP proxy agent | DHCP proxy agent to PC |
| --- | --- | --- |
| Ethernet destination MAC | proxy agent uplink MAC (m3) | FF:FF:FF:FF:FF:FF (broadcast) |
| Ethernet source MAC | DHCP server MAC (m5) | proxy agent downlink MAC (m2) |
| EtherType | 0x0800 (IP) | 0x0800 (IP) |
| IP version / IHL / protocol | 4 / 5 / 17 (UDP) | 4 / 5 / 17 (UDP) |
| Source IP address | DHCP server IP (100.1.1.1) | proxy agent downlink IP (1.1.1.254) |
| Destination IP address | proxy agent downlink IP (1.1.1.254) | 255.255.255.255 (broadcast) |
| UDP source / destination port | 67 (bootps) / 68 (bootpc) | 67 (bootps) / 68 (bootpc) |
| op / htype / hlen | 2 (reply) / Ethernet / 6 | 2 (reply) / Ethernet / 6 |
| Broadcast flag | 1 | 1 |
| ciaddr | 0.0.0.0 | 0.0.0.0 |
| yiaddr | 1.1.1.10 | 1.1.1.10 |
| siaddr | 0.0.0.0 | 0.0.0.0 |
| giaddr | proxy agent downlink IP (1.1.1.254) | proxy agent downlink IP (1.1.1.254) |
| chaddr (16 B) | PC MAC (m1) | PC MAC (m1) |
| Option 53 (DHCP Message Type) | 2 (DHCP Offer) | 2 (DHCP Offer) |
| Option 1 (Subnet Mask) | 255.255.255.0 (/24) | 255.255.255.0 (/24) |
| Option 3 (Router) | 1.1.1.254 | 1.1.1.254 |
| Option 6 (Domain Name Server) | 10.1.1.1, 10.1.1.2 | 10.1.1.1, 10.1.1.2 |
| Option 51 (IP Address Lease Time) | 3,600 seconds (1 hour) | 3,600 seconds (1 hour) |
| Option 54 (DHCP Server Identifier) | DHCP server IP (100.1.1.1) | proxy agent uplink IP (100.1.1.254) |

Ethernet header
- Destination MAC address: the uplink MAC address of the proxy agent (m3) is replaced with the broadcast MAC address (FF:FF:FF:FF:FF:FF). Note: in this example the Broadcast Flag is assumed to be set to 1, so the proxy agent broadcasts the message.
- Source MAC address: the DHCP server MAC address (m5) is replaced with the downlink MAC address of the DHCP proxy agent (m2).

IP header
- Source IP address: the IP address of the DHCP server (100.1.1.1) is replaced with the downlink IP address of the DHCP proxy agent (1.1.1.254).
- Destination IP address: the downlink IP address of the DHCP proxy agent (giaddr = 1.1.1.254) is replaced with the broadcast address 255.255.255.255, again because the Broadcast Flag is set to 1.

DHCP message payload
- DHCP Server Identifier (Option 54): the DHCP server IP address (100.1.1.1) is replaced with the uplink IP address of the DHCP proxy agent (100.1.1.254).
DHCP Request Message

Figure 12. IP address allocation/lease procedure: DHCP Request message

| Field | PC to DHCP proxy agent | DHCP proxy agent to DHCP server |
| --- | --- | --- |
| Ethernet destination MAC | FF:FF:FF:FF:FF:FF (broadcast) | DHCP server MAC (m5) |
| Ethernet source MAC | PC MAC (m1) | proxy agent uplink MAC (m3) |
| EtherType | 0x0800 (IP) | 0x0800 (IP) |
| IP version / IHL / protocol | 4 / 5 / 17 (UDP) | 4 / 5 / 17 (UDP) |
| Source IP address | 0.0.0.0 | proxy agent uplink IP (100.1.1.254) |
| Destination IP address | 255.255.255.255 (broadcast) | DHCP server IP (100.1.1.1) |
| UDP source / destination port | 68 (bootpc) / 67 (bootps) | 68 (bootpc) / 67 (bootps) |
| op / htype / hlen | 1 (request) / Ethernet / 6 | 1 (request) / Ethernet / 6 |
| Broadcast flag | 1 | 1 |
| ciaddr | 0.0.0.0 | 0.0.0.0 |
| yiaddr | 0.0.0.0 | 0.0.0.0 |
| siaddr | 0.0.0.0 | 0.0.0.0 |
| giaddr | 0.0.0.0 | proxy agent downlink IP (1.1.1.254) |
| chaddr (16 B) | PC MAC (m1) | PC MAC (m1) |
| Option 53 (DHCP Message Type) | 3 (DHCP Request) | 3 (DHCP Request) |
| Option 61 (Client Identifier) | PC MAC (m1) | PC MAC (m1) |
| Option 50 (Requested IP Address) | 1.1.1.10 | 1.1.1.10 |
| Option 54 (DHCP Server Identifier) | proxy agent uplink IP (100.1.1.254) | DHCP server IP (100.1.1.1) |
| Option 55 (Parameter Request List) | 1, 3, 6, ... | 1, 3, 6, ... |

Ethernet header
- Destination MAC address: the broadcast MAC address (FF:FF:FF:FF:FF:FF) is replaced with the MAC address of the DHCP server (m5).
- Source MAC address: the PC MAC address (m1) is replaced with the uplink MAC address of the DHCP proxy agent (m3).

IP header
- Source IP address: 0.0.0.0 is replaced with the uplink IP address of the DHCP proxy agent (100.1.1.254).
- Destination IP address: the broadcast address 255.255.255.255 is replaced with the IP address of the DHCP server (100.1.1.1).

DHCP message payload
- Gateway IP address (giaddr): 0.0.0.0 is replaced with the downlink IP address of the DHCP proxy agent (1.1.1.254), the interface on which the DHCP Request message from the PC was received.
- DHCP Server Identifier (Option 54): the uplink IP address of the DHCP proxy agent (100.1.1.254), which is the only server address the PC knows, is replaced with the IP address of the DHCP server (100.1.1.1).
DHCP Ack Message

Figure 13. IP address allocation/lease procedure: DHCP Ack message

| Field | DHCP server to DHCP proxy agent | DHCP proxy agent to PC |
| --- | --- | --- |
| Ethernet destination MAC | proxy agent uplink MAC (m3) | FF:FF:FF:FF:FF:FF (broadcast) |
| Ethernet source MAC | DHCP server MAC (m5) | proxy agent downlink MAC (m2) |
| EtherType | 0x0800 (IP) | 0x0800 (IP) |
| IP version / IHL / protocol | 4 / 5 / 17 (UDP) | 4 / 5 / 17 (UDP) |
| Source IP address | DHCP server IP (100.1.1.1) | proxy agent downlink IP (1.1.1.254) |
| Destination IP address | proxy agent downlink IP (1.1.1.254) | 255.255.255.255 (broadcast) |
| UDP source / destination port | 67 (bootps) / 68 (bootpc) | 67 (bootps) / 68 (bootpc) |
| op / htype / hlen | 2 (reply) / Ethernet / 6 | 2 (reply) / Ethernet / 6 |
| Broadcast flag | 1 | 1 |
| ciaddr | 0.0.0.0 | 0.0.0.0 |
| yiaddr | 1.1.1.10 | 1.1.1.10 |
| siaddr | 0.0.0.0 | 0.0.0.0 |
| giaddr | proxy agent downlink IP (1.1.1.254) | proxy agent downlink IP (1.1.1.254) |
| chaddr (16 B) | PC MAC (m1) | PC MAC (m1) |
| Option 53 (DHCP Message Type) | 5 (DHCP Ack) | 5 (DHCP Ack) |
| Option 1 (Subnet Mask) | 255.255.255.0 (/24) | 255.255.255.0 (/24) |
| Option 3 (Router) | 1.1.1.254 | 1.1.1.254 |
| Option 6 (Domain Name Server) | 10.1.1.1, 10.1.1.2 | 10.1.1.1, 10.1.1.2 |
| Option 51 (IP Address Lease Time) | 3,600 seconds (1 hour) | 3,600 seconds (1 hour) |
| Option 54 (DHCP Server Identifier) | DHCP server IP (100.1.1.1) | proxy agent uplink IP (100.1.1.254) |

Ethernet header
- Destination MAC address: the uplink MAC address of the proxy agent (m3) is replaced with the broadcast MAC address (FF:FF:FF:FF:FF:FF). Note: in this example the Broadcast Flag is assumed to be set to 1, so the proxy agent broadcasts the message.
- Source MAC address: the DHCP server MAC address (m5) is replaced with the downlink MAC address of the DHCP proxy agent (m2).

IP header
- Source IP address: the IP address of the DHCP server (100.1.1.1) is replaced with the downlink IP address of the DHCP proxy agent (1.1.1.254).
- Destination IP address: the downlink IP address of the DHCP proxy agent (giaddr = 1.1.1.254) is replaced with the broadcast address 255.255.255.255, again because the Broadcast Flag is set to 1.

DHCP message payload
- DHCP Server Identifier (Option 54): the DHCP server IP address (100.1.1.1) is replaced with the uplink IP address of the DHCP proxy agent (100.1.1.254).
Appendix B - Format of DHCP Messages in IP Address Renewal Procedure

Appendix B provides detailed examples of the DHCP message parameters that a DHCP proxy agent replaces during the IP address renewal procedure. The topology is the same as in Appendix A: PC (MAC m1); DHCP proxy agent with downlink IP 1.1.1.254 / MAC m2 and uplink IP 100.1.1.254 / MAC m3; DHCP server with IP 100.1.1.1 / MAC m5. The PC holds the lease for 1.1.1.10 obtained in Appendix A.

DHCP Request Message

Figure 14. IP address renewal procedure: DHCP Request message

| Field | PC to DHCP proxy agent | DHCP proxy agent to DHCP server |
| --- | --- | --- |
| Ethernet destination MAC | proxy agent downlink MAC (m2) | DHCP server MAC (m5) |
| Ethernet source MAC | PC MAC (m1) | proxy agent uplink MAC (m3) |
| EtherType | 0x0800 (IP) | 0x0800 (IP) |
| IP version / IHL / protocol | 4 / 5 / 17 (UDP) | 4 / 5 / 17 (UDP) |
| Source IP address | PC IP (1.1.1.10) | proxy agent uplink IP (100.1.1.254) |
| Destination IP address | proxy agent uplink IP (100.1.1.254) | DHCP server IP (100.1.1.1) |
| UDP source / destination port | 68 (bootpc) / 67 (bootps) | 68 (bootpc) / 67 (bootps) |
| op / htype / hlen | 1 (request) / Ethernet / 6 | 1 (request) / Ethernet / 6 |
| Broadcast flag | 1 | 1 |
| ciaddr | 1.1.1.10 | 0.0.0.0 (as drawn in the original figure; see note) |
| yiaddr | 0.0.0.0 | 0.0.0.0 |
| siaddr | 0.0.0.0 | 0.0.0.0 |
| giaddr | 0.0.0.0 | proxy agent downlink IP (1.1.1.254) |
| chaddr (16 B) | PC MAC (m1) | PC MAC (m1) |
| Option 53 (DHCP Message Type) | 3 (DHCP Request) | 3 (DHCP Request) |
| Option 61 (Client Identifier) | PC MAC (m1) | PC MAC (m1) |
| Option 55 (Parameter Request List) | 1, 3, 6, ... | 1, 3, 6, ... |

Note: the original figure draws ciaddr as 1.1.1.10 in the message from the PC and as 0.0.0.0 in the message to the server, although the list of replaced fields below does not mention ciaddr. RFC 2131 requires a renewing client to carry its current address in ciaddr, and the server uses it to identify the lease being renewed, so verify this field in a capture from your own equipment rather than relying on the figure.

Ethernet header
- Destination MAC address: the downlink MAC address of the DHCP proxy agent (m2), which the PC unicasts to because the proxy agent is the only DHCP server it knows, is replaced with the DHCP server MAC address (m5).
- Source MAC address: the PC MAC address (m1) is replaced with the uplink MAC address of the DHCP proxy agent (m3).

IP header
- Source IP address: the PC IP address (1.1.1.10) is replaced with the uplink IP address of the DHCP proxy agent (100.1.1.254).
- Destination IP address: the uplink IP address of the DHCP proxy agent (100.1.1.254) is replaced with the DHCP server IP address (100.1.1.1).

DHCP message payload
- Gateway IP address (giaddr): 0.0.0.0 is replaced with the downlink IP address of the DHCP proxy agent (1.1.1.254), the interface on which the DHCP Request message from the PC was received.
DHCP Ack Message

Figure 15. IP address renewal procedure: DHCP Ack message

| Field | DHCP server to DHCP proxy agent | DHCP proxy agent to PC |
| --- | --- | --- |
| Ethernet destination MAC | proxy agent uplink MAC (m3) | PC MAC (m1) |
| Ethernet source MAC | DHCP server MAC (m5) | proxy agent downlink MAC (m2) |
| EtherType | 0x0800 (IP) | 0x0800 (IP) |
| IP version / IHL / protocol | 4 / 5 / 17 (UDP) | 4 / 5 / 17 (UDP) |
| Source IP address | DHCP server IP (100.1.1.1) | proxy agent downlink IP (1.1.1.254) |
| Destination IP address | proxy agent downlink IP (1.1.1.254) | PC IP (1.1.1.10) |
| UDP source / destination port | 67 (bootps) / 68 (bootpc) | 67 (bootps) / 68 (bootpc) |
| op / htype / hlen | 2 (reply) / Ethernet / 6 | 2 (reply) / Ethernet / 6 |
| Broadcast flag | 1 | 1 |
| ciaddr | 0.0.0.0 | 0.0.0.0 |
| yiaddr | 1.1.1.10 | 1.1.1.10 |
| siaddr | 0.0.0.0 | 0.0.0.0 |
| giaddr | proxy agent downlink IP (1.1.1.254) | proxy agent downlink IP (1.1.1.254) |
| chaddr (16 B) | PC MAC (m1) | PC MAC (m1) |
| Option 53 (DHCP Message Type) | 5 (DHCP Ack) | 5 (DHCP Ack) |
| Option 1 (Subnet Mask) | 255.255.255.0 (/24) | 255.255.255.0 (/24) |
| Option 3 (Router) | 1.1.1.254 | 1.1.1.254 |
| Option 6 (Domain Name Server) | 10.1.1.1, 10.1.1.2 | 10.1.1.1, 10.1.1.2 |
| Option 51 (IP Address Lease Time) | 3,600 seconds (1 hour) | 3,600 seconds (1 hour) |
| Option 54 (DHCP Server Identifier) | DHCP server IP (100.1.1.1) | proxy agent uplink IP (100.1.1.254) |

Ethernet header
- Destination MAC address: the uplink MAC address of the proxy agent (m3) is replaced with the PC MAC address (m1). Unlike the allocation procedure, the PC already has an IP address, so the proxy agent unicasts the Ack to it.
- Source MAC address: the DHCP server MAC address (m5) is replaced with the downlink MAC address of the DHCP proxy agent (m2).

IP header
- Source IP address: the IP address of the DHCP server (100.1.1.1) is replaced with the downlink IP address of the DHCP proxy agent (1.1.1.254).
- Destination IP address: the downlink IP address of the DHCP proxy agent (giaddr = 1.1.1.254) is replaced with the PC IP address (1.1.1.10).

DHCP message payload
- DHCP Server Identifier (Option 54): the DHCP server IP address (100.1.1.1) is replaced with the uplink IP address of the DHCP proxy agent (100.1.1.254).
Appendix C - Format of DHCP Messages in IP Address Release Procedure

Appendix C provides detailed examples of the DHCP message parameters that a DHCP proxy agent replaces during the IP address release procedure. The topology is the same as in Appendix A: PC (MAC m1) holding the lease for 1.1.1.10; DHCP proxy agent with downlink IP 1.1.1.254 / MAC m2 and uplink IP 100.1.1.254 / MAC m3; DHCP server with IP 100.1.1.1 / MAC m5.

DHCP Release Message

Figure 16. IP address release procedure: DHCP Release message

| Field | PC to DHCP proxy agent | DHCP proxy agent to DHCP server |
| --- | --- | --- |
| Ethernet destination MAC | proxy agent downlink MAC (m2) | DHCP server MAC (m5) |
| Ethernet source MAC | PC MAC (m1) | proxy agent uplink MAC (m3) |
| EtherType | 0x0800 (IP) | 0x0800 (IP) |
| IP version / IHL / protocol | 4 / 5 / 17 (UDP) | 4 / 5 / 17 (UDP) |
| Source IP address | PC IP (1.1.1.10) | proxy agent uplink IP (100.1.1.254) |
| Destination IP address | proxy agent uplink IP (100.1.1.254) | DHCP server IP (100.1.1.1) |
| UDP source / destination port | 68 (bootpc) / 67 (bootps) | 68 (bootpc) / 67 (bootps) |
| op / htype / hlen | 1 (request) / Ethernet / 6 | 1 (request) / Ethernet / 6 |
| Broadcast flag | 1 | 1 |
| ciaddr | 1.1.1.10 | 0.0.0.0 (as drawn in the original figure; see note) |
| yiaddr | 0.0.0.0 | 0.0.0.0 |
| siaddr | 0.0.0.0 | 0.0.0.0 |
| giaddr | 0.0.0.0 | proxy agent downlink IP (1.1.1.254) |
| chaddr (16 B) | PC MAC (m1) | PC MAC (m1) |
| Option 53 (DHCP Message Type) | 7 (DHCP Release) | 7 (DHCP Release) |
| Option 61 (Client Identifier) | PC MAC (m1) | PC MAC (m1) |
| Option 54 (DHCP Server Identifier) | proxy agent uplink IP (100.1.1.254) | DHCP server IP (100.1.1.1) |

Note: as in Figure 14, the original figure draws ciaddr as 1.1.1.10 from the PC and 0.0.0.0 toward the server while the list of replaced fields below does not mention it. RFC 2131 has the client put the address being released in ciaddr, so verify this field in a capture from your own equipment.

Ethernet header
- Destination MAC address: the downlink MAC address of the DHCP proxy agent (m2) is replaced with the DHCP server MAC address (m5).
- Source MAC address: the PC MAC address (m1) is replaced with the uplink MAC address of the DHCP proxy agent (m3).

IP header
- Source IP address: the PC IP address (1.1.1.10) is replaced with the uplink IP address of the DHCP proxy agent (100.1.1.254).
- Destination IP address: the uplink IP address of the DHCP proxy agent (100.1.1.254) is replaced with the DHCP server IP address (100.1.1.1).

DHCP message payload
- Gateway IP address (giaddr): 0.0.0.0 is replaced with the downlink IP address of the DHCP proxy agent (1.1.1.254), the interface on which the DHCP Release message from the PC was received.
- DHCP Server Identifier (Option 54): the uplink IP address of the DHCP proxy agent (100.1.1.254) is replaced with the DHCP server IP address (100.1.1.1).
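The field rewrites tabulated in Appendices A to C, as an added example that is not part of the original document or of any vendor's implementation: a Python model of the proxy agent that parses and rebuilds DHCP messages, sets giaddr on the way up, swaps Option 54 in both directions, and chooses between broadcast delivery (Figures 11 and 13) and unicast delivery to the client (Figure 15). The IP addresses are the ones used in the figures; the MAC addresses, the stand-in server, and the rule that a reply for a transaction ID the proxy never forwarded is dropped are assumptions of the example.

```python
"""Added example, not from the Netmanias document or any vendor's code: a minimal
model of the field rewrites tabulated in Appendices A to C. IP addresses follow the
document's figures; the MAC addresses are made-up stand-ins for m1/m2/m3/m5."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, Tuple

MAGIC = b"\x63\x82\x53\x63"                    # DHCP magic cookie after the BOOTP header
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"           # BOOTP fixed header, 236 bytes
BROADCAST_FLAG = 0x8000
OPT_REQUESTED_IP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_CLIENT_ID = 50, 51, 53, 54, 61
DISCOVER, OFFER, REQUEST, ACK, RELEASE = 1, 2, 3, 5, 7
CLIENT_MAC = bytes.fromhex("000000000001")     # stands in for the PC MAC m1

def ip2b(s: str) -> bytes: return IPv4Address(s).packed
def b2ip(b: bytes) -> str: return str(IPv4Address(b))
def mac2s(b: bytes) -> str: return ":".join(f"{x:02x}" for x in b)

@dataclass
class Dhcp:
    op: int; xid: int; flags: int
    ciaddr: str; yiaddr: str; siaddr: str; giaddr: str
    chaddr: bytes
    options: Dict[int, bytes]

def build(m: Dhcp) -> bytes:
    head = struct.pack(FIXED, m.op, 1, 6, 0, m.xid, 0, m.flags, ip2b(m.ciaddr), ip2b(m.yiaddr),
                       ip2b(m.siaddr), ip2b(m.giaddr), m.chaddr.ljust(16, b"\0"), b"", b"")
    opts = b"".join(bytes([code, len(val)]) + val for code, val in m.options.items())
    return head + MAGIC + opts + b"\xff"           # 0xFF = End option

def parse(raw: bytes) -> Dhcp:
    op, _, hlen, _, xid, _, flags, ci, yi, si, gi, ch, _, _ = struct.unpack(FIXED, raw[:236])
    if raw[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(raw) and raw[i] != 0xFF:
        if raw[i] == 0:                          # Pad option: one byte, no length field
            i += 1
            continue
        code, ln = raw[i], raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + ln]
        i += 2 + ln
    return Dhcp(op, xid, flags, b2ip(ci), b2ip(yi), b2ip(si), b2ip(gi), ch[:hlen], opts)

@dataclass
class Proxy:
    downlink_ip: str = "1.1.1.254"; downlink_mac: str = "00:00:00:00:00:02"   # m2
    uplink_ip: str = "100.1.1.254"; uplink_mac: str = "00:00:00:00:00:03"    # m3
    server_ip: str = "100.1.1.1";   server_mac: str = "00:00:00:00:00:05"    # m5
    pending: Dict[int, str] = field(default_factory=dict)    # xid -> ciaddr the client sent

    def to_server(self, payload: bytes) -> dict:
        """Client -> proxy -> server (Figures 10, 12, 14, 16)."""
        m = parse(payload)
        self.pending[m.xid] = m.ciaddr
        if m.giaddr == "0.0.0.0":                # received on the downlink: pool selector for the server
            m.giaddr = self.downlink_ip
        if m.options.get(OPT_SERVER_ID) == ip2b(self.uplink_ip):
            m.options[OPT_SERVER_ID] = ip2b(self.server_ip)    # the client only knows the proxy
        return {"src_mac": self.uplink_mac, "dst_mac": self.server_mac,
                "src_ip": self.uplink_ip, "dst_ip": self.server_ip, "payload": build(m)}

    def to_client(self, payload: bytes) -> dict:
        """Server -> proxy -> client (Figures 11, 13, 15)."""
        m = parse(payload)
        if m.xid not in self.pending:            # reply nobody asked for: do not relay it (assumption)
            raise ValueError(f"reply for unknown xid {m.xid:#x}")
        client_ip = self.pending.pop(m.xid)
        if m.options.get(OPT_SERVER_ID) == ip2b(self.server_ip):
            m.options[OPT_SERVER_ID] = ip2b(self.uplink_ip)    # hide the real server from the client
        if client_ip != "0.0.0.0":                             # renewal: unicast to the client (Figure 15)
            dst_mac, dst_ip = mac2s(m.chaddr), client_ip
        elif m.flags & BROADCAST_FLAG:                         # allocation, Broadcast Flag set (Figures 11, 13)
            dst_mac, dst_ip = "ff:ff:ff:ff:ff:ff", "255.255.255.255"
        else:
            dst_mac, dst_ip = mac2s(m.chaddr), m.yiaddr
        return {"src_mac": self.downlink_mac, "dst_mac": dst_mac,
                "src_ip": self.downlink_ip, "dst_ip": dst_ip, "payload": build(m)}

def fake_server(payload: bytes) -> bytes:
    """Constructed stand-in for the DHCP server: leases 1.1.1.10 from the pool selected by giaddr."""
    m = parse(payload)
    kind = OFFER if m.options[OPT_MSG_TYPE] == bytes([DISCOVER]) else ACK
    return build(Dhcp(2, m.xid, m.flags, "0.0.0.0", "1.1.1.10", "0.0.0.0", m.giaddr, m.chaddr,
                      {OPT_MSG_TYPE: bytes([kind]), OPT_LEASE: struct.pack("!I", 3600),
                       OPT_SERVER_ID: ip2b("100.1.1.1")}))

def client_message(kind: int, xid: int, ciaddr: str = "0.0.0.0", extra: Dict[int, bytes] = None) -> Dhcp:
    opts = {OPT_MSG_TYPE: bytes([kind]), OPT_CLIENT_ID: b"\x01" + CLIENT_MAC}   # type 1 = Ethernet
    opts.update(extra or {})
    return Dhcp(1, xid, BROADCAST_FLAG, ciaddr, "0.0.0.0", "0.0.0.0", "0.0.0.0", CLIENT_MAC, opts)

def round_trip(proxy: Proxy, msg: Dhcp) -> Tuple[Dhcp, dict, dict]:
    up = proxy.to_server(build(msg))                      # frame toward the server
    down = proxy.to_client(fake_server(up["payload"]))    # frame toward the PC
    return parse(up["payload"]), up, down
```

round_trip() returns the message as the server saw it (giaddr and Option 54 rewritten), the uplink frame, and the downlink frame; a Discover with the Broadcast Flag set comes back as a broadcast Offer from 1.1.1.254, while a renewal Request carrying ciaddr is answered with a unicast Ack to that address. Run it with a reply whose xid was never forwarded to see the proxy refuse to relay it.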
Visit http://www.netmanias.com to view and download more technical documents.

About NMC Consulting Group
NMC Consulting Group is an advanced and professional network consulting company, specializing in IP network areas (e.g., FTTH, Metro Ethernet and IP/MPLS), service areas (e.g., IPTV, IMS and CDN), and wireless network areas (e.g., Mobile WiMAX, LTE and Wi-Fi) since 2002.

Copyright © 2002-2013 NMC Consulting Group. All rights reserved.
