Dynamic host control protocol

The Dynamic Host Control Protocol


The dynamic host control protocol is a popular and effective networking design. In this day and age, it is difficult to find a network-capable gadget that does not include DHCP capability. Computers, smart phones, printers, and a variety of other devices obtain a dynamic IP address using DHCP, and networking capability is being built into an increasing number of traditional products such as household appliances, automobiles, and others. The dynamic host control protocol has become the industry standard for the majority of current local area networks. However, as with many other networking protocols designed for public usage, security was not a top priority throughout the creation of DHCP. Hackers are fully aware of this fact, and consequently many strategies have been developed to exploit the weaknesses of the dynamic host control protocol. Man-in-the-middle attacks, address spoofing, and denial of service attacks are commonly used methods for breaching networks built on DHCP (Ornaghi & Valleri, 2003). A number of countermeasures have been developed to address the weaknesses of DHCP. Of these, port security is arguably the most widely used.


Port Security


Port security gives the switch administrator the ability to specify the maximum number of MAC addresses that may appear on any particular LAN port. This limit can be set manually, or the switch can be instructed to lock down on the first dynamically learned MAC address. Port security is a highly effective response to MAC flooding attacks, and that is the main reason it remains in use. Sadly, port security alone is not sufficient to prevent address exhaustion on DHCP servers. Since a DHCP lease typically lasts several days while the port security timers last only a few minutes, an intelligent hacker could exploit this gap by changing his MAC address slowly enough to get past the port security feature and obtain a lease from the server. In this context, port security is of only limited value in the fight against dynamic host control protocol exhaustion (Press, 2008).


DHCP Snooping


It was for this reason that DHCP snooping was developed and introduced by CISCO as the new standard in the fight against unauthorized access to DHCP networks. In this paper, it is argued that DHCP snooping is a viable and effective countermeasure against any attempt to compromise the integrity, confidentiality, and availability of information on any DHCP based network. This argument is supported by the results from a review of peer-reviewed research on the subject.


What is DHCP Snooping?


In networking, DHCP snooping refers to the various techniques employed to safeguard information relayed through dynamic host control protocol infrastructure. As DHCP servers assign IP addresses to clients on a local area network, snooping can be set up on the LAN switches in order to prevent the transmission of abnormal or malicious data (Skoudis & Liston, 2005). DHCP snooping allows the switching device, which may be either a router or a switch, to monitor messages coming from unverified devices that are connected to the switching infrastructure. When this service is started on a virtual local area network, the system inspects the DHCP traffic sent from unverified hosts known to be part of that virtual LAN. The system studies the DHCP messages received from the unverified hosts and records their lease information and IP addresses. This information can be used by other verification or security services. Other services may make use of the dynamic host control protocol database to ascertain the integrity of IP addresses in a Layer 2 switched domain. When combined with a source lockdown or source guard, this information gives the network the ability to make certain that hosts are restricted to the IP addresses that have been allocated to them; when combined with SNMP or AAA accounting, the information allows the physical location of IP addresses to be tracked (Sankaran et al., 2011). The information can also give a network the ability to sanitize ARP requests when used in combination with ARP inspection. Only the hosts that can be trusted on the basis of this database are allowed access to network resources.


How Does DHCP Snooping Work?


DHCP assigns IP addresses dynamically; in other words, the addresses are only lent out to the devices. Consequently, an address can be re-assigned when the device it was allocated to no longer needs it. End devices and hosts that need IP addresses assigned through the dynamic host control protocol must interact with a DHCP server across the local area network. DHCP snooping works as a regulatory mechanism that keeps the network secure by closely monitoring the authentic IP address allocated to a low-end network device by a verified DHCP server, which is connected to a trusted network port. By default, all trunk ports on a switch are trusted and all access ports are untrusted for dynamic host control protocol snooping. The instant snooping is enabled, the lease information provided by the server is used to build a DHCP binding table, also referred to as the DHCP snooping database. The table displays the existing MAC-IP bindings, the time each IP address was leased, the names of the connected virtual LANs, the interfaces and the binding type. Snooping is not active in the factory switch configuration. The service may be started automatically by the operating system while the user is configuring any port security feature at the hierarchy level. For some switch operating systems, snooping for DHCP or DHCPv6 can be enabled without activating any other port security feature. For snooping alone to be enabled, the service should be allowed per virtual LAN, not per port or interface.


Activation and Configuration of DHCP Snooping


Snooping for DHCP and DHCP version 6 is turned off in the original switch configuration. However, no separate activation step is required for snooping in DHCP or DHCPv6: once any other port security feature is configured for a virtual LAN at the hierarchy level, snooping for DHCP and DHCPv6 is automatically enabled for that specific virtual local area network. IPv6 neighbor discovery inspection, DAI, IPv6 source guard, IP source guard, DHCPv6 options and DHCP option 82 must be set up for each virtual local area network. The virtual LAN must be configured before the DHCP port security features can be configured. The port security features specified for the virtual LAN apply to all the interfaces added to that particular VLAN. However, different attributes can be assigned to an access interface or a collection of access interfaces within the virtual LAN. The access interface or group of interfaces should be configured collectively through the use of the group statement at the hierarchy level. Configuring a group of access interfaces on a virtual LAN automatically starts snooping on that particular virtual LAN. Each group should contain at least one interface. Attributes such as which interface should have a fixed MAC-IP address, which interface should not transmit DHCPv6 or DHCP option 82, and which access interface should act as a trusted interface for the dynamic host control protocol can be configured for access interfaces.


The DHCP Snooping Process


The DHCP snooping process occurs in about six steps. First, the network device generates a DHCPDISCOVER packet, which is used to request an IP address. The switch forwards the packet to the dynamic host control protocol server; the server then replies with a DHCPOFFER packet offering an address to the network device. The switch registers a placeholder MAC-IP binding in the snooping registry. At this stage, the record is still treated as a placeholder because the DHCPACK packet has not yet been received from the server; before the switch receives this packet, the IP address may still be allocated to another host. The server sends a DHCPACK packet to fully assign the IP address; if the server denies the IP address request, a DHCPNAK packet is sent instead. The switch then updates the data in the registry to reflect the outcome of the request for the IP address; if the switch received a DHCPACK packet, the lease information in the registry is updated for the MAC-IP pair in the table (Press, 2008).
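The six-step exchange above, together with the trusted/untrusted port rule and the source-guard use of the binding table described in the earlier sections, as an added Python simulation that is not part of this essay or of any vendor's implementation. The port names, VLAN number, MAC addresses, IP addresses and lease time are constructed sample values, and IP source guard is modelled as a plain lookup against the confirmed bindings.

```python
from dataclasses import dataclass, field

@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    lease: int = 0
    state: str = "placeholder"  # "bound" once the DHCPACK has been seen

@dataclass
class SnoopingSwitch:
    trusted_ports: set
    bindings: dict = field(default_factory=dict)     # (vlan, mac) -> Binding
    client_port: dict = field(default_factory=dict)  # (vlan, mac) -> access port

    def process(self, port, vlan, msg, mac, ip=None, lease=0):
        """Inspect one DHCP message seen on a port; return 'forward' or 'drop'."""
        key = (vlan, mac)
        if msg in ("DHCPDISCOVER", "DHCPREQUEST"):
            self.client_port[key] = port  # remember the client's access port
            return "forward"
        if msg not in ("DHCPOFFER", "DHCPACK", "DHCPNAK") or port not in self.trusted_ports:
            return "drop"  # server replies are accepted only from trusted ports
        client = self.client_port.get(key, "?")
        if msg == "DHCPOFFER":
            # Placeholder only: the server may still give this IP to another host.
            self.bindings[key] = Binding(mac, ip, vlan, client)
        elif msg == "DHCPACK":
            b = self.bindings.setdefault(key, Binding(mac, ip, vlan, client))
            b.ip, b.lease, b.state = ip, lease, "bound"
        else:  # DHCPNAK: the request was denied, discard the placeholder
            self.bindings.pop(key, None)
        return "forward"

    def source_guard_allows(self, port, vlan, mac, ip):
        """IP source guard: only traffic matching a confirmed binding passes."""
        b = self.bindings.get((vlan, mac))
        return b is not None and b.state == "bound" and b.ip == ip and b.port == port

def demo():
    """Constructed exchange: a legitimate lease, then a rogue offer on an access port."""
    sw, mac = SnoopingSwitch(trusted_ports={"Gi1/0/24"}), "00:11:22:33:44:55"
    sw.process("Gi1/0/1", 10, "DHCPDISCOVER", mac)                 # client on access port
    sw.process("Gi1/0/24", 10, "DHCPOFFER", mac, ip="10.0.10.50")  # via the trusted uplink
    sw.process("Gi1/0/1", 10, "DHCPREQUEST", mac)
    sw.process("Gi1/0/24", 10, "DHCPACK", mac, ip="10.0.10.50", lease=86400)
    return sw, sw.process("Gi1/0/2", 10, "DHCPOFFER", "aa:bb:cc:dd:ee:ff", ip="10.0.10.99")
```

`demo()` returns the switch with one confirmed binding and the verdict "drop" for the offer that arrived on an untrusted access port.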

References


Ornaghi, A., & Valleri, M. (2003). Man in the middle attacks. In Black Hat Europe.


Sankaran, G. C., Swaminathan, V., Simaria, N., & Veerapandian, K. (2011). U.S. Patent No. 8,006,282. Washington, DC: U.S. Patent and Trademark Office.


Skoudis, E., & Liston, T. (2005). Counter hack reloaded: a step-by-step guide to computer attacks and effective defenses. Prentice Hall Press.


Press, C. (2008). LAN Switch Security.


Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., & Carney, M. (2003). Dynamic host configuration protocol for IPv6 (DHCPv6). RFC 3315.
