The Dynamic Host Configuration
Protocol (DHCP) is a standardized network protocol used on Internet Protocol
(IP) networks for dynamically distributing network configuration parameters,
such as IP addresses for interfaces and services. With DHCP, computers request
IP addresses and networking parameters automatically from a DHCP server,
reducing the need for a network administrator or a user to configure these
settings manually.
Figure: DHCP (Dynamic Host Configuration Protocol)
Depending on the implementation, the DHCP server may use one of three methods of allocating IP addresses:
- Dynamic Allocation: A network administrator reserves a range of IP addresses for DHCP, and each client computer on the LAN is configured to request an IP address from the DHCP server during network initialization. The request-and-grant process uses a lease concept with a controllable time period, allowing the DHCP server to reclaim (and then reallocate) IP addresses that are not renewed.
- Automatic Allocation: The DHCP server permanently assigns an IP address to a requesting client from the range defined by the administrator. This is like dynamic allocation, but the DHCP server keeps a table of past IP address assignments, so that it can preferentially assign to a client the same IP address that the client previously had.
- Static Allocation: The DHCP server allocates an IP address based on a preconfigured mapping to each client's MAC address. This feature is variously called static DHCP assignment by DD-WRT, fixed-address by the dhcpd documentation, address reservation by Netgear, DHCP reservation or static DHCP by Cisco and Linksys, and IP address reservation or MAC/IP address binding by various other router manufacturers.
DHCP is used for Internet Protocol version 4 (IPv4) as well as IPv6. While both versions serve the same purpose, the details of the protocol for IPv4 and IPv6 are sufficiently different that they may be considered separate protocols.[2] For IPv6 operation, devices may alternatively use stateless address autoconfiguration. IPv4 hosts may also use link-local addressing to achieve operation restricted to the local network link.
In practice, DHCP is implemented as a collection of software that covers all aspects of the DHCP (Dynamic Host Configuration Protocol) suite. It includes:
- DHCP Server, which receives clients’ requests and replies to them.
- DHCP Client, which can be bundled with the operating system of a client computer or other IP capable device and which sends configuration requests to the server. Most devices and operating systems already have DHCP clients included.
- DHCP Relay Agent, which passes DHCP requests from one LAN to another so that there need not be a DHCP server on every LAN.
The DHCP server, client and relay
agent are provided both as reference implementations of the protocol and as
working, fully-featured sample implementations.
History
In 1984, the Reverse Address
Resolution Protocol (RARP), defined in RFC 903, was introduced to allow simple
devices such as diskless workstations to dynamically obtain a suitable IP
address. However, because it acted at the data link layer it made
implementation difficult on many server platforms, and also required that a
server be present on each individual network link. Soon afterwards it was
superseded by the "Bootstrap Protocol" (BOOTP) defined in RFC 951.
This introduced the concept of a relay agent, which allowed the forwarding of
BOOTP packets across networks, allowing one central BOOTP server to serve hosts
on many IP subnets.
DHCP is based on BOOTP but can dynamically allocate IP addresses from a pool and reclaim them when they are no longer in use. It can also be used to deliver a wide range of extra configuration parameters to IP clients, including platform-specific parameters. It was first defined in RFC 1531 in October 1993, but due to errors in the editorial process it was almost immediately reissued as RFC 1541.
Four years later the DHCPINFORM message type and other small changes were added by RFC 2131, which as of 2014 remains the standard for IPv4 networks.
DHCPv6 was initially described by RFC 3315 in 2003, but this has been updated by many subsequent RFCs. RFC 3633 added a DHCPv6 mechanism for prefix delegation, and stateless address autoconfiguration was added by RFC 3736.
Why use DHCP?
Every device on a TCP/IP-based
network must have a unique unicast IP address to access the network and its
resources. Without DHCP, IP addresses for new computers or computers that are
moved from one subnet to another must be configured manually; IP addresses for
computers that are removed from the network must be manually reclaimed.
With DHCP, this entire process is
automated and managed centrally. The DHCP server maintains a pool of IP
addresses and leases an address to any DHCP-enabled client when it starts up on
the network. Because the IP addresses are dynamic (leased) rather than static
(permanently assigned), addresses no longer in use are automatically returned
to the pool for reallocation.
How DHCP works?
Before going through the process of IP address assignment, it is important to know some key technical terms that are used in the context of the DHCP server.
- DHCP Address Pool
The DHCP address pool is a virtual container holding all the IP addresses that have been configured in the DHCP range and made available to client computers. As soon as an IP address from the pool is assigned to a client computer, the address is temporarily removed from the pool.
- DHCP Lease
When the DHCP server assigns an IP address to a DHCP client computer, the address is assigned for a specific time duration. The time duration for which an IP address is assigned to a DHCP client computer by the DHCP server is technically called the DHCP lease. When the DHCP lease expires, the IP address is revoked from the DHCP client computer and is sent back to the DHCP address pool.
- IP Assignment Operation (DORA)
The DHCP protocol employs a
connectionless service model, using the User Datagram Protocol (UDP). It is
implemented with two UDP port numbers for its operations which are the same as
for the BOOTP protocol. UDP port number 67 is the destination port of a server,
and UDP port number 68 is used by the client.
Figure: DHCP DORA Process
DHCP operations fall into four
phases: server discovery, IP lease offer, IP request, and IP lease
acknowledgment. These stages are often abbreviated as DORA for discovery,
offer, request, and acknowledgment.
Figure: DHCP DORA Packet Interchange
1. DHCP Discovery
D in the term DORA stands for the DHCP Discover packet. The DHCP Discover packet is broadcast by the DHCP client computer in order to find the available DHCP server(s) in the network. Since the DHCP client computer sends the DHCP Discover packet as a broadcast, all the DHCP servers that are present in the network receive the packet and respond accordingly.
Figure: DHCPDISCOVER Message
2. DHCP Offer
O in the term DORA stands for the DHCP Offer packet. The DHCP Offer is a unicast packet that is sent by the DHCP server that receives the DHCP Discover packet from the DHCP client computer. The DHCP Offer packet contains the available IP address that the DHCP server offers to the client computer.
The server determines the
configuration based on the client's hardware address as specified in the CHADDR
(client hardware address) field. Here the server, 192.168.1.1, specifies the
client's IP address in the YIADDR (your IP address) field.
Figure: DHCPOFFER Message
3. DHCP Request
R in the term DORA stands for the DHCP Request packet. In response to the DHCP Offer, the client replies with a DHCP Request, sent as a broadcast, requesting the offered address. A client can receive DHCP Offers from multiple servers, but it will accept only one. Because the request carries the required Server Identifier option and is broadcast, all servers are informed whose offer the client has accepted. When the other DHCP servers receive this message, they withdraw any offers that they might have made to the client and return the offered address to the pool of available addresses.
Figure: DHCPREQUEST Message
4. DHCP Acknowledgement
A in the term DORA stands for the
DHCP Acknowledge packet. When the DHCP server receives the DHCPREQUEST message
from the client, the configuration process enters its final phase. The
acknowledgement phase involves sending a DHCPACK packet to the client. This
packet includes the lease duration and any other configuration information that
the client might have requested. At this point, the IP configuration process is
completed.
Figure: DHCPACK Message
The protocol expects the DHCP client
to configure its network interface with the negotiated parameters.
After the client obtains an IP address, it should probe the newly received address (e.g. with ARP, the Address Resolution Protocol) to prevent address conflicts caused by overlapping address pools of DHCP servers.
- DHCP Relaying
In small networks, where only one IP
subnet is being managed, DHCP clients communicate directly with DHCP servers.
However, DHCP servers can also provide IP addresses for multiple subnets. In
this case, a DHCP client that has not yet acquired an IP address cannot
communicate directly with the DHCP server using IP routing, because it does not
have a routable IP address, nor does it know the IP address of a router.
In order to allow DHCP clients on
subnets not directly served by DHCP servers to communicate with DHCP servers,
DHCP relay agents can be installed on these subnets. The DHCP client broadcasts
on the local link; the relay agent receives the broadcast and transmits it to
one or more DHCP servers using unicast. The relay agent stores its own IP
address in the GIADDR field of the DHCP packet. The DHCP server uses the GIADDR
to determine the subnet on which the relay agent received the broadcast, and
allocates an IP address on that subnet. When the DHCP server replies to the
client, it sends the reply to the GIADDR address, again using unicast. The
relay agent then retransmits the response on the local network.
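The DORA exchange and the relay agent's use of GIADDR, as an added runnable example that is not part of the original post: it assembles and parses DHCP messages using the header fields named above (XID, CHADDR, YIADDR, GIADDR) and the Server Identifier and lease time options, stamps GIADDR the way a relay does, and runs a minimal server that selects its pool from GIADDR and unicasts the Offer back to the relay instead of broadcasting it. The pools, the server address 192.168.1.1 and all function names are assumptions constructed for the example.

```python
import struct
from ipaddress import IPv4Address, IPv4Network
MAGIC = b"\x63\x82\x53\x63"                 # option magic cookie (RFC 2131)
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5  # option 53 message types
HDR = "!BBBBIHHIIII16s64s128s"              # fixed BOOTP header, 236 bytes

def build(op, xid, mac, msgtype, yiaddr="0.0.0.0", giaddr="0.0.0.0", opts=()):
    """Assemble a DHCP message: fixed header, magic cookie, then TLV options."""
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000, 0,       # flags: broadcast
                      int(IPv4Address(yiaddr)), 0, int(IPv4Address(giaddr)),
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([53, 1, msgtype])
    for code, val in opts:
        body += bytes([code, len(val)]) + val
    return hdr + MAGIC + body + b"\xff"     # option 255 = end of options

def parse(pkt):
    """Decode the header fields a server or relay acts on, plus the options."""
    f = struct.unpack(HDR, pkt[:236])
    assert pkt[236:240] == MAGIC, "missing magic cookie"
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0: i += 1; continue    # pad option has no length byte
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "xid": f[4], "yiaddr": str(IPv4Address(f[8])),
            "giaddr": str(IPv4Address(f[10])), "chaddr": f[11][:f[2]],
            "msgtype": opts[53][0], "opts": opts}

def relay_stamp(pkt, relay_ip):
    """Relay agent step from the text: store its own address in GIADDR before forwarding."""
    return pkt[:24] + IPv4Address(relay_ip).packed + pkt[28:]   # GIADDR is bytes 24..27

# Constructed pools keyed by subnet; the server picks the one GIADDR falls in
# (or its own directly attached subnet when GIADDR is still 0.0.0.0).
SERVER_ID = "192.168.1.1"
POOLS = {IPv4Network("192.168.1.0/24"): ["192.168.1.50", "192.168.1.51"],
         IPv4Network("10.0.2.0/24"): ["10.0.2.50"]}

def server_offer(discover):
    """Answer a DISCOVER with an OFFER; return (packet, address to send it to)."""
    d = parse(discover)
    relayed = d["giaddr"] != "0.0.0.0"
    locate = IPv4Address(d["giaddr"] if relayed else SERVER_ID)
    pool = next(p for net, p in POOLS.items() if locate in net)
    offer = build(2, d["xid"], d["chaddr"], OFFER, yiaddr=pool.pop(0), giaddr=d["giaddr"],
                  opts=[(54, IPv4Address(SERVER_ID).packed),       # server identifier
                        (51, struct.pack("!I", 86400))])           # lease time, seconds
    return offer, (d["giaddr"] if relayed else "255.255.255.255")
```

A relayed Discover yields an Offer addressed to the relay's GIADDR and drawn from that subnet's pool, while a directly attached client gets a broadcast Offer from the server's own subnet.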
Advantages of DHCP
- Its capability to automatically allocate IP addresses to clients booting on the TCP/IP network for the first time.
- Using DHCP reduces the labour involved in managing the network.
- Because the DHCP server automatically dispenses IP addresses and other configuration information, the process of connecting a new computer to the network is much simpler.
- DHCP is very flexible and allows the network administrator to set up the server one time to serve many thousands of clients.
Disadvantages of DHCP
- A client's query to the DHCP server (DHCP Discover) is a UDP broadcast, which consumes more bandwidth. When the DHCP server is unavailable, clients are unable to access the enterprise network.
- Your machine name does not change when you get a new IP address.
- Unauthorized DHCP Servers providing false information to clients.
- Unauthorized Clients gaining access to resources.
- Resource exhaustion attacks from malicious DHCP clients.
DHCP Security Issues?
Not only does DHCP run over IP and UDP, which are inherently insecure, but the DHCP protocol itself has in fact no security provisions whatsoever. This is a fairly serious issue in modern networks because of the sheer power of DHCP: the protocol deals with critical configuration information.
There are two different classes of potential security problems related to DHCP:
- Unauthorized DHCP Servers: If a malicious person plants a “rogue” DHCP server, it is possible that this device could respond to client requests and supply them with spurious configuration information. This could be used to make clients unusable on the network, or worse, set them up for further abuse later on. For example, a hacker could exploit a bogus DHCP server to direct a DHCP client to use a router under the hacker's control, rather than the one the client is supposed to use.
- Unauthorized DHCP Clients: A client could be set up that masquerades as a legitimate DHCP client and thereby obtain configuration information intended for that client; this could then be used to compromise the network later on. Alternatively, a “bad guy” could use software to generate lots of bogus DHCP client requests to use up all the IP addresses in a DHCP server's pool. More simply, this could be used by a thief to steal an IP address from an organization for his own use.
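Detecting the two problem classes above from the monitoring side, as an added example that is not part of the original post: server-sourced messages (OFFER/ACK/NAK) whose Server Identifier is not on an allow-list reveal a rogue server, and a single ingress port emitting DISCOVERs for an implausible number of distinct client MACs reveals pool exhaustion. The event tuples, the trusted server 192.168.1.1, the port names and the threshold are all constructed for the example.

```python
from collections import defaultdict

# Allow-list of legitimate server identifiers (DHCP option 54); constructed for this example.
TRUSTED_SERVERS = {"192.168.1.1"}
# Starvation threshold: distinct client MACs seen in DISCOVERs from one switch port.
MAX_CLIENTS_PER_PORT = 5

# Constructed sample of what a DHCP-snooping style monitor would record on the LAN:
# (message type, server identifier or None, client hardware address, ingress switch port).
EVENTS = [
    ("DISCOVER", None, "aa:bb:cc:00:00:01", "Gi1/0/1"),
    ("OFFER", "192.168.1.1", "aa:bb:cc:00:00:01", "Gi1/0/24"),
    ("OFFER", "192.168.1.254", "aa:bb:cc:00:00:01", "Gi1/0/7"),   # not on the allow-list
    ("REQUEST", "192.168.1.254", "aa:bb:cc:00:00:01", "Gi1/0/1"),
    ("ACK", "192.168.1.254", "aa:bb:cc:00:00:01", "Gi1/0/7"),
] + [("DISCOVER", None, f"de:ad:be:ef:00:{i:02x}", "Gi1/0/9") for i in range(12)]

def find_rogue_servers(events, trusted=TRUSTED_SERVERS):
    """Map each untrusted server identifier to the switch ports its replies arrived on."""
    rogues = defaultdict(set)
    for msgtype, server_id, _, port in events:
        if msgtype in ("OFFER", "ACK", "NAK") and server_id not in trusted:
            rogues[server_id].add(port)
    return dict(rogues)

def find_starvation(events, limit=MAX_CLIENTS_PER_PORT):
    """Ports whose DISCOVERs carry more distinct client MACs than one host plausibly has."""
    per_port = defaultdict(set)
    for msgtype, _, chaddr, port in events:
        if msgtype == "DISCOVER":
            per_port[port].add(chaddr)
    return {p: len(macs) for p, macs in per_port.items() if len(macs) > limit}

def clients_at_risk(events, rogues):
    """Clients that completed a lease (ACK) from a rogue server and should be re-addressed."""
    return sorted({chaddr for m, sid, chaddr, _ in events if m == "ACK" and sid in rogues})
```

The rogue-server port set is what an operator would disable or mark untrusted for DHCP server traffic, and the starvation port is where a per-port client limit belongs.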
Adding Security to DHCP
These are obviously serious concerns.
The normal recommended solutions to these risks generally involve providing
security at lower layers. For example, one of the most important techniques for
preventing unauthorized servers and clients is careful control over physical
access to the network: layer one security. Security techniques implemented at
layer two may also be of use, for example, in the case of wireless LANs. Since
DHCP runs over UDP and IP, one could use IPSec at layer three to provide
authentication.
DHCP Authentication
To try to address some of the more
specific security concerns within DHCP itself, in June 2001 the IETF published
RFC 3118, Authentication for DHCP Messages. This standard describes an
enhancement that replaces the normal DHCP messages with authenticated ones.
Clients and servers check the authentication information and reject messages
that come from invalid sources. The technology involves the use of a new DHCP
option type, the Authentication option, and operating changes to several of the
leasing processes to use this option.
Unfortunately, 2001 was pretty late
in the DHCP game, and there are millions of DHCP clients and servers around
that don't support this new standard. Both client and server must be programmed
to use authentication for this method to have value. A DHCP server that
supports authentication could use it for clients that support the feature and
skip it for those that do not. However, the fact that this option is not
universal means that it is not widely deployed, and most networks must rely on
more conventional security measures.
(For more, read RFC 2131.)
----
@NetwaxLab