Hello everyone,
Today I will share the information on DHCP in HCNP.
DHCP is an extension of BOOTP.
DHCP is based on the Client-Server model.
DHCP assigns an IP address in this order:
1. A manually configured (static) IP address for the client, if there is one.
2. The IP address previously assigned to the same client.
3. The first free IP address found.
4. If none is free, an address whose lease has timed out, then a conflicting address; if none is found, an error is reported.
Remember that since the DHCP Discover is sent by broadcast, the source MAC address of the client reaches the DHCP server. When the server answers by unicast, the destination MAC address is that of the host, which is how the host knows the packet is for it.
DHCP Working Procedure
As shown above: Discover, Offer, Request, and Ack.
Just remember that when a client logs into the network again it doesn't need to send a DHCPDISCOVER; instead it sends a DHCPREQUEST containing the last IP address allocated to it, to check with the DHCP server whether it can use the same one. If the IP address is not free, the DHCP server answers with a DHCPNAK and the host starts the process from the beginning.
Configuring a DHCP server in each segment of a network is uneconomical. The DHCP Relay function solves this issue.
Through a DHCP relay agent, a client can apply to the DHCP server on another network. This allows centralized management.
DHCP packets are generally broadcast, and broadcast packets aren't forwarded by routers.
To make this possible, relay agents are needed.
A DHCP relay agent must listen to all UDP packets whose destination port is 67.
In the DHCP packet there is a field called giaddr, which indicates the IP address of the first DHCP relay agent. When a client broadcasts a packet this field is 0; the relay agent fills it with its own IP address before forwarding the packet to the DHCP server.
If the packet is a response from the DHCP server, the relay agent broadcasts or unicasts it to the DHCP client depending on the broadcast flag.
DHCP Snooping
DHCP snooping ensures that DHCP clients obtain IP addresses from authorized DHCP servers and records mappings between IP addresses and MAC addresses of DHCP clients, preventing DHCP attacks on the network.
DHCP snooping acts as a firewall between DHCP clients and a DHCP server to prevent DHCP attacks on the network, ensuring security in communication services.
A DHCP security feature intercepts and analyzes DHCP messages transmitted between DHCP clients and a DHCP relay agent.
DHCP snooping creates and maintains a DHCP snooping binding table, and filters untrusted DHCP messages according to the table.
The table contains MAC address, IP address, Lease time, VLAN ID, and interface information.
DHCP snooping creates a firewall between clients and the DHCP server by maintaining this binding table.
DHCP snooping protects DHCP-enabled devices against DoS attacks and bogus DHCP server attacks.
Trusted Interface
Snooping provides the trusted interface to ensure that the client obtains an IP address from an authorized server.
The interfaces that lead to the DHCP servers are trusted interfaces; the other ones are untrusted. If an untrusted interface receives a packet whose giaddr is different from 0, the packet is not analyzed (it is dropped).
You can set a physical interface or a VLAN as trusted or untrusted.
DHCP messages received from untrusted interfaces are directly discarded.
It is the same idea as STP Guard. If a port should not send DHCP packets with a giaddr field different from 0, this means no relay agent should be connected to that port, so such packets are not analyzed and are dropped. This avoids a DoS attack in which someone connects a DHCP relay agent and overloads the network with DHCP Discover packets.
ip dhcp snooping trust -> Cisco command to mark an interface as trusted for DHCP packets.
DHCP snooping records a DHCP binding table that contains the client's IP and MAC addresses, the port number, and the VLAN ID of the interface that received the client's request. When a client connects, an entry is created; when the client goes offline, the entry is deleted.
Once the binding table is generated, DHCP snooping checks DHCP packets and compares the fields in each packet with the binding table; if something does not match, the packet is discarded.
DHCP snooping is used to prevent:
- Denial of Service (DoS)
- Bogus DHCP server attacks: a false DHCP server answers with a wrong IP, DNS and gateway.
- ARP man-in-the-middle attacks: the MITM disguises itself as the DHCP server for the clients' requests and obtains the interaction information between them.
- IP/MAC spoofing attacks
DHCP snooping can be applied to both layer 2 and layer 3 devices.
The DHCP snooping binding table contains dynamic and static binding entries.
Static entries: they are manually configured on the inbound interface.
Dynamic entries: they are generated on the inbound interface according to the DHCP packets received.
Static Binding:
If static IP addresses are allocated to clients you can configure static binding entries for these allocated IP addresses to prevent certain users from stealing these static IP addresses.
Dynamic Binding:
Dynamic entries in the DHCP snooping binding table do not need to be configured.
They are automatically generated when DHCP snooping is enabled.
DHCP Snooping Option 82:
When this option is enabled, the DHCP relay agent inserts Option 82 into the DHCP packets originated by clients before forwarding them to the DHCP server.
Servers recognizing the Option may use the information to implement IP address or other parameter assignment policies.
Users with a static IP address have no matching DHCP snooping binding entry on the switch, because they did not obtain the IP address through DHCP, so ARP or IP packets sent by such a user are discarded. To allow users with statically allocated IP addresses to access the network, you must configure static DHCP snooping binding entries. This prevents someone else from configuring a static IP address and using the network when they shouldn't.
So every packet needs a matching snooping binding entry, which records which IP address and which MAC address this host should have. If the MAC address is different from the one recorded, the packets are discarded.
Application of DHCP Snooping
DHCP exhaustion attack: the attacker changes his MAC address and requests several IP addresses until the pool is exhausted.
Solution: the MAC address limiting function can prevent this attack. The port security feature limits the MAC addresses learned on a port.
ARP attacks: the system is overloaded with ARP requests.
In Cisco, the command is "ip arp inspection trust".
This needs to be enabled on all ports that connect to another switch, just like "ip dhcp snooping trust".
DHCP Structure Packets
The DHCP packet has a Hops field; it is set to 0 by the client and each relay agent the packet passes through adds 1.
The maximum number of relay agents allowed is 4. At the fifth relay agent the packet is discarded.
Client IP Address (ciaddr): used in the renew or rebinding process. At the beginning it is 0.0.0.0 because the client doesn't have an IP address yet.
Your IP Address (yiaddr): the IP address allocated by the DHCP server.
Server IP Address (siaddr): the IP address of the server.
Gateway IP Address (giaddr): the IP address of the first relay agent.
Client Hardware Address (chaddr): the MAC address of the client.
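To tie the packet fields above to the DHCP snooping rules from the earlier sections, here is an added example (my own illustration, not code from the HCNP material): it decodes the fixed DHCP header (op, hops, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr) and applies the trusted-port, giaddr, hop-count and binding-table checks to a packet. The binding table shape (MAC -> IP), the sample addresses and the fixed transaction id are constructed for the demo.

```python
import struct
from ipaddress import IPv4Address

BOOTREQUEST, BOOTREPLY = 1, 2   # op field: client request vs server reply
MAX_HOPS = 4                    # notes above: 4 relay agents allowed, the 5th discards
HEADER_LEN = 236                # fixed BOOTP/DHCP header length before the options

def parse_dhcp_header(data: bytes) -> dict:
    """Decode the fixed DHCP header fields discussed above (RFC 2131 layout)."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short for a DHCP header")
    op, _htype, hlen, hops, _xid, _secs, flags = struct.unpack("!BBBBIHH", data[:12])
    ciaddr, yiaddr, siaddr, giaddr = (str(IPv4Address(data[i:i + 4])) for i in range(12, 28, 4))
    chaddr = data[28:28 + hlen].hex(":")       # client hardware (MAC) address
    return {"op": op, "hops": hops, "broadcast": bool(flags & 0x8000),
            "ciaddr": ciaddr, "yiaddr": yiaddr, "siaddr": siaddr,
            "giaddr": giaddr, "chaddr": chaddr}

def build_dhcp_header(op, hops, ciaddr, yiaddr, siaddr, giaddr, mac, broadcast=False) -> bytes:
    """Construct a sample header for testing (xid is a fixed dummy value)."""
    flags = 0x8000 if broadcast else 0
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    return (struct.pack("!BBBBIHH", op, 1, 6, hops, 0x3903F326, 0, flags)
            + b"".join(IPv4Address(a).packed for a in (ciaddr, yiaddr, siaddr, giaddr))
            + chaddr + bytes(64) + bytes(128))   # sname and file fields left empty

def snooping_verdict(pkt: dict, port_trusted: bool, bindings: dict) -> str:
    """Apply the DHCP snooping rules from the notes; bindings maps MAC -> bound IP."""
    if not port_trusted:
        if pkt["op"] == BOOTREPLY:
            return "drop: server reply on untrusted port (bogus DHCP server)"
        if pkt["giaddr"] != "0.0.0.0":
            return "drop: giaddr set on untrusted port (no relay agent expected)"
    if pkt["hops"] > MAX_HOPS:
        return "drop: relayed through too many agents"
    # a client that already holds an address (renew/rebind) must match the binding table
    if pkt["op"] == BOOTREQUEST and pkt["ciaddr"] != "0.0.0.0":
        if bindings.get(pkt["chaddr"]) != pkt["ciaddr"]:
            return "drop: IP/MAC pair not in the snooping binding table"
    return "forward"

# constructed sample binding table: one client learned on an access port
BINDINGS = {"aa:bb:cc:dd:ee:01": "192.0.2.10"}
```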
That is all I want to share with you! Thank you!
