
Introduction and practice of working principle of DHCP, DHCP Snooping and DHCP relay

2025-03-29 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Preface: DHCP services are relatively simple; the purpose of this article is to discuss some DHCP security technologies.

1. DHCP Foundation

DHCP, short for Dynamic Host Configuration Protocol, is used to automatically assign IP addresses to terminal devices such as PCs, iPads and mobile phones.

The working process is simple, efficient and easy to master. First, the basic working principle of DHCP is introduced through a diagram:

As the figure shows, the process by which a client obtains an IP address and other information through DHCP can be divided into four steps:

1.1 Discovery phase: the DHCP client discovers DHCP servers.

The DHCP client sends a DHCP DISCOVER message to find DHCP servers. Because the client does not yet know the IP address of any DHCP server, it broadcasts the DISCOVER message (destination IP address 255.255.255.255, source IP address 0.0.0.0), so every DHCP server on the same network segment receives it.

1.2 Offer phase: the DHCP server offers an IP address.

After receiving the DHCP DISCOVER message, the server selects the address pool on the same network segment as the IP address of the interface that received the message, picks an available IP address from that pool, and sends it to the client in a DHCP OFFER message. The OFFER contains the IP address the server intends to assign to the client with the specified MAC address (the yiaddr field of the DHCP message), the lease period and other configuration parameters.

1.3 Selection phase: the DHCP client selects an IP address.

Because the DHCP DISCOVER message is broadcast, if there are several DHCP servers on the same network segment, every server that receives the DISCOVER responds with a DHCP OFFER. If several servers send OFFER messages to the client, the client generally accepts only the first OFFER it receives.

The client then broadcasts a DHCP REQUEST message to inform all DHCP servers which server's offered IP address it has selected, so that the other servers can return the addresses they offered to their pools and assign them to other clients.

1.4 Confirmation phase: the DHCP server confirms the assigned IP address.

When the DHCP server receives the DHCP REQUEST message from the client, it responds with a DHCP ACK message, confirming that the IP address requested in the REQUEST has been assigned to the client.

Summary: the four steps of the DHCP process involve four kinds of packets: DISCOVER, OFFER, REQUEST and ACK.
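To make the four steps concrete, here is an added example (not code from the original article) that encodes and decodes the four messages at the byte level following the RFC 2131 layout: fixed BOOTP header, magic cookie, then TLV options. It shows where the yiaddr field sits, how the message type is carried in option 53, and the 0.0.0.0 / 255.255.255.255 envelope described above. The MAC address, server address, offered address and transaction id in exchange() are constructed sample values.

```python
"""Build and parse the four DHCP messages: DISCOVER, OFFER, REQUEST, ACK.

Added example, not code from the original article. The packet layout follows
RFC 2131 (fixed BOOTP header, magic cookie, then TLV options from RFC 2132);
the MAC address, server address, offered address and transaction id used in
exchange() are constructed sample values.
"""
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2          # op field: client -> server, server -> client
DHCP_DISCOVER, DHCP_OFFER, DHCP_REQUEST, DHCP_ACK = 1, 2, 3, 5
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236 bytes before the cookie


def build(op, msg_type, xid, mac, yiaddr="0.0.0.0", options=()):
    """Encode one DHCP message; options is an iterable of (code, raw bytes)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(
        HEADER_FMT,
        op, 1, 6, 0,                       # op, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,                    # xid, secs, flags (broadcast bit set)
        socket.inet_aton("0.0.0.0"),       # ciaddr: client has no address yet
        socket.inet_aton(yiaddr),          # yiaddr: "your" address, set by the server
        socket.inet_aton("0.0.0.0"),       # siaddr
        socket.inet_aton("0.0.0.0"),       # giaddr: filled in by a relay (section 3)
        chaddr, b"\x00" * 64, b"\x00" * 128)
    body = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + body + bytes([OPT_END])


def parse(packet):
    """Decode the header fields and options of one DHCP message into a dict."""
    fields = struct.unpack(HEADER_FMT, packet[:236])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": fields[0], "xid": fields[4],
            "yiaddr": socket.inet_ntoa(fields[8]),
            "giaddr": socket.inet_ntoa(fields[10]),
            "mac": fields[11][:6].hex(":"),
            "msg_type": opts[OPT_MSG_TYPE][0], "options": opts}


def wire_addresses(msg):
    """IP/UDP envelope used on the client's own segment (no relay in between)."""
    if msg["op"] == BOOTREQUEST:
        return ("0.0.0.0", 68, "255.255.255.255", 67)   # client has no IP yet
    server_ip = socket.inet_ntoa(msg["options"][OPT_SERVER_ID])
    return (server_ip, 67, "255.255.255.255", 68)      # broadcast flag was set above


def exchange(client_mac, server_ip, offered_ip, lease_seconds=86400):
    """Walk the four steps and return the parsed messages in order."""
    xid = 0x3903F326                                   # constructed transaction id
    srv = [(OPT_SERVER_ID, socket.inet_aton(server_ip)),
           (OPT_LEASE_TIME, struct.pack("!I", lease_seconds))]
    discover = build(BOOTREQUEST, DHCP_DISCOVER, xid, client_mac)
    offer = build(BOOTREPLY, DHCP_OFFER, xid, client_mac, yiaddr=offered_ip, options=srv)
    # The client names the chosen server and address so the other servers can release theirs
    request = build(BOOTREQUEST, DHCP_REQUEST, xid, client_mac,
                    options=[(OPT_REQUESTED_IP, socket.inet_aton(offered_ip)), srv[0]])
    ack = build(BOOTREPLY, DHCP_ACK, xid, client_mac, yiaddr=offered_ip, options=srv)
    return [parse(p) for p in (discover, offer, request, ack)]


if __name__ == "__main__":
    for m in exchange("aa:bb:cc:dd:ee:01", "192.168.10.1", "192.168.10.50"):
        print(m["msg_type"], m["yiaddr"], wire_addresses(m))
```

Running the module prints one line per step; the message type goes 1, 2, 3, 5, yiaddr is 0.0.0.0 in both client messages and the offered address in both server messages, and only the server replies carry a real source IP.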

2. DHCP Snooping

In real enterprise networks it often happens that a computer obtains a wrong IP address and cannot access the Internet normally. The cause is a DHCP server that has been connected to the network without authorization (the most common rogue DHCP server is a TP-Link home router).

In this case, the DHCP Snooping function must be configured on the network switch to prevent rogue DHCP servers from assigning IP addresses to clients.

DHCP Snooping is simple in both configuration and working principle, so again a diagram illustrates it:

When DHCP Snooping is enabled on a layer 2 access device (i.e. a switch), the interface directly connected to the legitimate DHCP server is set as a trusted interface (such as if1 in the figure above), and the other interfaces are untrusted (such as if2 in the figure above). A switch with DHCP Snooping enabled inspects the DHCP packets received on each interface and discards the packets a DHCP server would send (OFFER and ACK) when they arrive on an untrusted interface, so that DHCP replies are only accepted and forwarded from the trusted interface. This ensures that DHCP clients can only obtain IP addresses from the legitimate DHCP server, and a privately set-up rogue DHCP server cannot assign addresses to clients.

Summary: enable DHCP Snooping on the switch and set the interface connected to the legitimate server as trusted; all other interfaces are untrusted by default.

3. DHCP Relay

In the scenarios above, the DHCP client and server are on the same network segment, which suits home networks and small business networks. Medium and large enterprise networks, however, have many network segments, and deploying a DHCP server in each of them is neither economical nor easy to manage.

In large networks, a single high-performance server is usually used as the DHCP server, and it sits in only one network segment. Because DHCP depends heavily on broadcasts, and broadcast packets cannot cross network segments, clients in the other segments would normally be unable to obtain IP addresses.

DHCP Relay was introduced to solve this problem, again illustrated with a diagram:

The four steps are the same ones described above, but this time there is an additional DHCP relay device between the client and the server. The DHCP relay is usually the gateway device of each network segment (that is, a layer 3 switch with DHCP Relay enabled).

The DHCP relay converts the broadcast message received from the client into a unicast message so that it can be forwarded across network segments. A unicast message needs a definite, unique destination IP address, so the IP address of the DHCP server must be configured explicitly on every device that enables DHCP Relay.

With DHCP Relay, no matter how many IP network segments the enterprise network has, the DHCP server only needs to be deployed in one segment; the gateway devices of the other segments enable the relay function, and the whole network can obtain IP addresses from that DHCP server.

Summary: by enabling DHCP Relay on the layer 3 switch of each network segment and manually specifying the IP address of the DHCP server, the whole network can share a single DHCP server.

4. Some thoughts on DHCP Snooping and DHCP Relay

On which devices should DHCP Snooping be enabled in a network where DHCP Relay is deployed?

As shown in the figure:

There are three departments, i.e. three network segments, and the DHCP server is a router that does not belong to any of these segments.

In this network, DHCP Snooping should be enabled in every layer 2 network that contains DHCP clients, while a layer 2 network that contains only servers does not need DHCP Snooping.

Note: it is easy to see why the client layer 2 networks need DHCP Snooping; the reason the server layer 2 network does not is slightly more involved. When DHCP Relay is deployed, the DHCP messages the server receives are always unicast messages converted by the relay device, and a unicast message has a definite, unique destination IP, so the problem of an impersonated DHCP server does not arise there.

In fact, even if DHCP Snooping is enabled on the switch in the server's layer 2 network, normal DHCP operation is not affected: the relay device rewrites the UDP source port of the unicast DHCP messages it sends to UDP 67 (the original client message uses UDP 68). Once the switch detects this change, it ignores the message and forwards all kinds of DHCP messages normally, without any additional DHCP Snooping processing.
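The following added example (not code from the article, nor any switch vendor's implementation) puts sections 2, 3 and 4 together in one small simulation: an access switch with DHCP Snooping that accepts server replies only on its trusted uplink, a layer 3 gateway with DHCP Relay that rewrites the client's broadcast into a unicast to the configured server (stamping its own address into giaddr and using UDP source port 67), and a server that picks the address pool from giaddr because, with a relay in between, the receiving interface no longer tells it which segment the client is on. The topology (client segment behind gateway 10.1.0.1, server at 10.0.0.2), the port names if1/if2/if3 and all addresses are constructed.

```python
"""Simulate DHCP Snooping on an access switch and DHCP Relay on a gateway.

Added example, not code from the article or from any switch vendor. The
topology (one department segment behind gateway 10.1.0.1, the DHCP server
at 10.0.0.2), the port names if1/if2/if3 and all addresses are constructed.
"""
from dataclasses import dataclass, replace

DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}    # only a DHCP server originates these
CLIENT_MESSAGES = {DISCOVER, REQUEST}


@dataclass(frozen=True)
class DhcpMsg:
    msg_type: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    giaddr: str = "0.0.0.0"   # relay agent address; 0.0.0.0 when not relayed
    yiaddr: str = "0.0.0.0"   # address offered/assigned by the server


class SnoopingSwitch:
    """Layer 2 switch with DHCP Snooping: server replies are accepted only on
    trusted ports; client messages are forwarded from any port."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.dropped = []

    def ingress(self, port, msg):
        if msg.msg_type in SERVER_MESSAGES and port not in self.trusted:
            self.dropped.append((port, msg))   # reply from a rogue server: discard
            return None
        return msg                              # forward as usual


class RelayGateway:
    """Layer 3 gateway with DHCP Relay: rewrites the client's broadcast into a
    unicast to the configured server, stamping its own address into giaddr."""

    def __init__(self, interface_ip, server_ip):
        self.interface_ip = interface_ip   # gateway address of the client segment
        self.server_ip = server_ip         # must be configured explicitly

    def to_server(self, msg):
        if msg.msg_type not in CLIENT_MESSAGES or msg.dst_ip != "255.255.255.255":
            return msg
        # The relayed copy is sent from UDP 67 to UDP 67, not 68 to 67 as the client did
        return replace(msg, src_ip=self.interface_ip, dst_ip=self.server_ip,
                       src_port=67, dst_port=67, giaddr=self.interface_ip)

    def to_client(self, msg):
        # The server replied unicast to giaddr; rebroadcast onto the client segment
        return replace(msg, src_ip=self.interface_ip, dst_ip="255.255.255.255",
                       src_port=67, dst_port=68)


class DhcpServer:
    """Minimal server: with a relay in the path, the pool is chosen by giaddr
    rather than by the receiving interface, since giaddr names the client's segment."""

    def __init__(self, ip, pools):
        self.ip = ip
        self.pools = pools   # {gateway_ip: next free address on that segment}

    def handle(self, msg):
        if msg.msg_type != DISCOVER or msg.giaddr not in self.pools:
            return None
        return DhcpMsg(OFFER, self.ip, msg.giaddr, 67, 67,
                       giaddr=msg.giaddr, yiaddr=self.pools[msg.giaddr])


def scenario():
    """One department: clients on if2/if3 (untrusted), uplink to the gateway on if1."""
    access = SnoopingSwitch(trusted_ports={"if1"})
    gateway = RelayGateway("10.1.0.1", "10.0.0.2")
    server = DhcpServer("10.0.0.2", {"10.1.0.1": "10.1.0.100"})

    # Legitimate path: the client broadcast passes the untrusted port, is relayed,
    # answered by the real server, and the reply re-enters on the trusted uplink.
    discover = DhcpMsg(DISCOVER, "0.0.0.0", "255.255.255.255", 68, 67)
    relayed = gateway.to_server(access.ingress("if2", discover))
    offer = server.handle(relayed)
    delivered = access.ingress("if1", gateway.to_client(offer))

    # Rogue path: a home router on if3 answers with its own OFFER; snooping drops it.
    rogue = DhcpMsg(OFFER, "192.168.0.1", "255.255.255.255", 67, 68, yiaddr="192.168.0.50")
    rogue_delivered = access.ingress("if3", rogue)

    return {"relayed": relayed, "offer": offer, "delivered": delivered,
            "rogue_delivered": rogue_delivered, "dropped": len(access.dropped)}


if __name__ == "__main__":
    for name, value in scenario().items():
        print(name, value)
```

The scenario keeps the two checks separate: the DISCOVER on the untrusted port if2 is forwarded unchanged (client messages are never the problem), while the OFFER from the home router on if3 is dropped and recorded in `access.dropped`, which is the event a network team would want logged and alerted on. The relayed DISCOVER leaves the gateway with destination 10.0.0.2, giaddr 10.1.0.1 and UDP ports 67 to 67, matching the port rewrite the note above describes.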
