ch1.pdf

Transcript

JTO Phase-II IT DHCP

1 DYNAMIC HOST CONFIGURATION PROTOCOL
(DHCP)

1.1 INTRODUCTION
DHCP (Dynamic Host Configuration Protocol) is a network
management protocol used to dynamically assign an Internet Protocol (IP) address to
any device, or node, on a network so they can communicate using IP. DHCP automates
and centrally manages these configurations rather than requiring network administrators
to manually assign IP addresses to all network devices. DHCP can be implemented on
small local networks as well as large enterprise networks.

1.2 HOW DHCP WORKS?

Figure 1:

1.3 SCHEMA OF A TYPICAL DHCP SESSION

DHCP uses the same two IANA assigned ports as BOOTP: 67/udp for the server side,
and 68/udp for the client side.
DHCP operations fall into four basic phases. These phases are IP lease request, IP lease
offer, IP lease selection, and IP lease acknowledgement.
After the client obtained an IP address, the client may start an address resolution query
to prevent IP conflicts caused by address poll overlapping of DHCP servers.

JTO Phase –II DNIT Version 1.0 Sep 2021 Page 2 of 167
For Restricted Circulation
JTO Phase-II IT DHCP

DHCP discovery
The client broadcasts on the local physical subnet to find available servers. Network
administrators can configure a local router to forward DHCP packets to a DHCP server
on a different subnet. This client-implementation creates a UDP packet with the
broadcast destination of 255.255.255.255 or subnet broadcast address.
A client can also request its last-known IP address (in the example below,
192.168.1.100). If the client is still in a network where this IP is valid, the server might
grant the request. Otherwise, it depends whether the server is set up as authoritative or
not. An authoritative server will deny the request, making the client ask for a new IP
immediately. A non-authoritative server simply ignores the request, leading to an
implementation dependent time out for the client to give up on the request and ask for a
new IP.

DHCP offers
When a DHCP server receives an IP lease request from a client, it extends an IP lease
offer. This is done by reserving an IP address for the client and sending a DHCPOFFER
message across the network to the client. This message contains the client's MAC
address, followed by the IP address that the server is offering, the subnet mask, the lease
duration, and the IP address of the DHCP server making the offer.
The server determines the configuration, based on the client's hardware address as
specified in the CHADDR field. Here the server, 192.168.1.1, specifies the IP address in
the YIADDR field.

DHCP requests
When the client PC receives an IP lease offer, it must tell all the other DHCP servers
that it has accepted an offer. To do this, the client broadcasts a DHCPREQUEST
message containing the IP address of the server that made the offer. When the other
DHCP servers receive this message, they withdraw any offers that they might have
made to the client. They then return the address that they had reserved for the client
back to the pool of valid addresses that they can offer to another computer. Any number
of DHCP servers can respond to an IP lease request, but the client can only accept one
offer per network interface card.

DHCP acknowledgement
When the DHCP server receives the DHCPREQUEST message from the client, it
initiates the final phase of the configuration process. This acknowledgement phase
involves sending a DHCPACK packet to the client. This packet includes the lease
duration and any other configuration information that the client might have requested.
At this point, the TCP/IP configuration process is complete.
The server acknowledges the request and sends the acknowledgement to the client. The
system as a whole expects the client to configure its network interface with the supplied
options.

JTO Phase –II DNIT Version 1.0 Sep 2021 Page 3 of 167
For Restricted Circulation
JTO Phase-II IT DHCP

1.4 DHCP GOALS

Compatibility
The DHCP protocol must be compatible with existing interface and protocols; For
example it should be compatible with all the types of clients, each one can have a
different configuration of communication parameters. As mentioned in "Protocol
introduction", the DHCP protocol should have compatibility with the BOOTP protocol
which was used before.

Local control
Although the DHCP protocol is an external mechanism for allocating a web address and
communication parameters, the administrator of the client must have the capability to
control these parameters.
Communication parameters preserving:
The DHCP server has to give a specific client the same communication parameters in as
many sequential requests as possible, so if a client was disconnected from the web and
requests its address/communication parameters again, it would receive the same
communication parameters as before. (if nothing has changed since the disconnection).
The same is for the DHCP server, which should have the capability to give the same
client the same communication parameters even if it was disconnected from the web.
Unique clients
A main goal of the DHCP protocol is to give each client its unique address. A situation
in which two or more clients are allocated with the same web address must not occur in
any circumstances, to prevent a situation of client send a message to the wrong client.
Automatic Configuration
Usually, a single client should have to be configured automatically by the DHCP server
and not manually by the administrator of that client. A situation in which the
configuration of the communication parameters is done manually by the client's
administrator should occur seldom. But when it happens, the DHCP server must be
compatible with the manual configuration as mentioned before.
Saving hardware
There should not be a DHCP server for each and every link interface. There should be a
wide use of relay-agents to transmit a DHCP messages. If less DHCP servers are used,
it's more financialy agreeable because we'll use the relay-agents which are simpler. The
hardware saving will lead to more economically worthwhile network and will save
money as mentioned in "protocol introduction".

JTO Phase –II DNIT Version 1.0 Sep 2021 Page 4 of 167
For Restricted Circulation
JTO Phase-II IT DHCP

1.5 HISTORICAL BACKGROUND
At first, most TCP/IP networks were relatively small and static. Manual IP address
management techniques were sufficient for them. Each station kept its own IP address
somewhere in its secondary storage. Once the address had to be changed, it required
manual administrator action, usually at the machine console, and in most cases involved
a reboot.
Soon afterwards, as more complex networks were established, as more and more
underlying network hardware was used for TCP/IP communication networks and as
cheap client workstations without secondary storage came in use, a need for central
administration of the hardware to P addresses bindings became obvious. A special
protocol (RARP) for such bindings was designed. It allowed a machine on a network
segment to learn its own IP address and then to begin normal TCP/IP operation.
Another protocol, BOOTP, was also developed to allow diskless stations retrieve all the
TCP/IP configuration parameters and other operating system data, needed to start
functioning normally after a startup. It allowed configuration over broader networks as
it was not limited to a single segment. For that purpose BOOTP defined the concept of a
BOOTP relay agent which specified how BOOTP traffic is forwarded between multiple
segments.
BOOTP was designed to be easily extended by the BOOTP extension mechanism. This
mechanism uses the last field in the frame for more (vendor) specific data and message
options.
The next attempt to extend BOOTP provided the Dynamic Host Configuration Protocol,
DHCP. DHCP was designed to be backward compatible with BOOTP in order to
support BOOTP clients and BOOTP relay agents, yet there are two primary differences
between DHCP and BOOTP:
1. DHCP defines a mechanism through which a client can be assigned a network
address for a finite lease, allowing for a serial reuse the same network address by
different clients.
2. DHCP provides a mechanism for a client to request and acquire all the IP
configuration parameters that it needs in order to operate, and only them.
DHCP comes with a predefined set of DHCP options, which it inherits from the BOOTP
vendor extensions mechanism, and it is open for further extension, inheriting the
openness from BOOTP.

1.6 MAIN DIFFERENCES BETWEEN BOOTP AND DHCP:
The DHCP is an extension of the previous BOOTP protocol, thus it must be compatible
with BOOTP messages, but there are some differences between BOOTP and DHCP.
One difference is that DHCP is designed to allocate a web address to a client
temporarily so the client can disconnect allowing another client to get this web address,
or renew the lease of the web address, a capability which the BOOTP protocol does not
have.

JTO Phase –II DNIT Version 1.0 Sep 2021 Page 5 of 167
For Restricted Circulation
JTO Phase-II IT DHCP

Another difference is that the DHCP can configure a client with all the IP parameters
that the client needs in order to establish communication. One BOOTP transfer only
some of these parameters.
Moreover, the BOOTP protocol had a field named 'vendor extentions', to specify the
requested parameters and other options, which were replaced with the field 'options' in
the DHCP protocol.
In addition, the BOOTP protocol had a field named "chaddr" in order to specify the
address of the client which has requested the communication parameters. In DHCP
protocol, there is the field "client identifier". This field can have the physical address of
the client as in "chaddr" of the BOOTP protocol, or it can have another identifier like
DNS name, or another types. New types of identifier can be registered in IANA.
DHCP is currently the most advanced host configuration mechanism for TCP/IP,
although it still has its problems, giving researchers things to work on, for an even better
configuration protocol in the future.

1.7 PROTOCOL INTRODUCTION
General
The Dynamic Host Configuration Protocol (DHCP) provides configuration parameters
to Internet hosts in a client-server model. DHCP server hosts allocate network addresses
and deliver configuration parameters to other (client) hosts.
DHCP consists of two components: a protocol for delivering host-specific configuration
parameters from a server to a host and a mechanism for allocation of network addresses
to hosts.
IP Address Allocation
DHCP supports three mechanisms for IP address allocation.
1. Automatic allocation -- in which a permanent IP address is assigned to the client.
2. Dynamic allocation -- in which the address is assigned for a limited period of
time (a "lease").
3. Manual allocation -- in which the address is assigned manually by the network
administrator.

1.8 CONFIGURATION PARAMETERS DELIVERY
The client sends a message to request configuration parameters and the server responds
with a message carrying the desired parameters back to the client.
BOOTP Compatibility
The format of DHCP messages is based on the format of BOOTP messages due to the
following reasons:

JTO Phase –II DNIT Version 1.0 Sep 2021 Page 6 of 167
For Restricted Circulation
JTO Phase-II IT DHCP

1. From the client's point of view, is an extension of the BOOTP mechanism. This
behavior allows existing BOOTP clients to interoperate with DHCP servers
without requiring any change to the clients' initialization software.
2. DHCP supports the BOOTP relay agent behavior.

Use of Relay Agents
DHCP does not require a server on each subnet. To allow for scale and economy, DHCP
can work across routers or through the intervention of BOOTP relay agents. A relay
agent listens to DHCP messages and forwards them on (and onto other network
segments). This eliminates the necessity of having a DHCP server on each physical
network.
Allocation of network addresses
DHCP supports three mechanisms for IP address allocation. The DHCP server can use
any one or more of the of these mechanisms:
1. Automatic allocation: The DHCP server assigns a permanent IP address to a
client without any manual interference. Automatic allocation is best suited for in
cases where hosts are permanently connected to a network and the network does
not suffer from an address shortage.
2. Manual allocation: The client's IP address is assigned manually by the network
administrator. The DHCP server simply retrieves it from its storage and delivers
it to the client. Manual allocation is best suited for giving IP addresses to servers
of any kind. As servers are the ones to be addressed, rather than to initiate a
conversation, their location should be permanent and known in the network.
Manual allocation would guarantee that (although a clever use of Automatic
allocation can accomplish that too).
3. Dynamic allocation: The DHCP server assigns a temporary IP address to a client
without any manual interference.
Dynamic allocation is the most interesting method of the three, because it involves not
only the assigning of a network address but also reclaiming and reusing of the same
address by another client. Therefore, using Dynamic allocation allows for an efficient
managing of a pool of network addresses and is particularly useful in cases where:
1. There is a limited amount of network addresses on the net.
2. The network has computers which temporarily connect and disconnect to it (e.g.
portable computers) and so the network is changing frequently.
The basic mechanism for the dynamic allocation of network addresses is simple: the
client requests the use of an address for a limited period of time (which is called a
lease). The DHCP server allocates an address for the client, marks it as 'used' and
notifies the client about the address and the lease time approved. The client, in his turn,
can:
1. Extend its lease with subsequent requests.
2. Ask for a permanent assignment by asking for an infinite lease.

JTO Phase –II DNIT Version 1.0 Sep 2021 Page 7 of 167
For Restricted Circulation
JTO Phase-II IT DHCP

3. Release the address back to the server before the lease expires, in case it doesn't
need it.

Renewing and acquiring addresses
The client holds two times in its memory ? time1, and time2.
The first time is the time in which the client starts to ask its server for renewing the lease
of its address ? RENEWING state in the states diagram of the protocol.
The second time is the time in which the client starts to ask other servers for address ?
REBINDING state in the states diagram of the DHCP protocol.
When the first time arrives, the client sends the DHCPREQUEST message to the server
with unique ID to this request. If the renew is approved, the server will send an answer
in DHCPACK message with this ID. Then the client returns to normal functioning. The
new time1 will be the sum of the time in the server's answer and the time which has
passed from the start of the request to the answer.
If no answer has arrived until time2 has passed, the client will enter the REBINDING
state in the states diagram of the DHCP protocol, and will send a multicast message to
all the servers available to acquire new address.
These times can be changed by servers in the 'option' field, and have default values. The
default of time1 is half of the lease time of the current address, and the default of time2
is 0.875x(lease time).
In both cases ? time1 and time2, if the client has not got an answer from the DHCP
servers, it should wait half of the time which is left before sending DHCPREQUEST
again. The shortest waiting time is one minute.
If the client has got its previous address, it continues to work normally. If the client
didn't get its previous address but got a new one, he should continue working, but not
with the current web parameters, and must inform the users about this. If the client
didn't manage to get an address at all, it should stop its work and go back to INIT state
in the states diagram of the DHCP protocol.

1.9 CONFIGURATION PARAMETERS DELIVERY
The DHCP server is designed to supply DHCP clients with the configuration parameters
defined in the Host Requirements RFCs (1122 and 1123). Most of those parameters are
related to the TCP/IP protocol stack but DHCP allows the configuration of non-related
parameters too.
The server provides a permanent storage of network parameters for network clients. The
DHCP storage model is a set of key-value pairs for each client, where the key is some
unique identifier and the value contains the configuration parameters for the client. In
other words, the storage model is a per-host list of entries of the form:
key = value

JTO Phase –II DNIT Version 1.0 Sep 2021 Page 8 of 167
For Restricted Circulation
JTO Phase-II IT DHCP

The client addresses the server with a request message to retrieve its configuration
parameters. The server answer with a response message carrying the configuration
parameters in the (later discussed) options field.
Not all clients require initialization of all possible parameters. Two techniques are used
to reduce the number of parameters delivered from the server to the client:
1. Most of the parameters have defaults defined in the Host Requirements RFCs
(1122 and 1123). If the client receives no parameters from the server that
override the defaults, a client uses those default values.
2. A client and server may negotiate for the delivery of only those parameters
required by the client. In a case like that the client includes the parameter request
list option in the requested message and fills it with the list of parameters it
needs.

1.10 MESSAGE FORMAT
As mentioned earlier, the format of the DHCP messages is based on the format of
BOOTP messages in order to keep compatible with BOOTP relay agents and BOOTP
clients.
Here is the DHCP message format. The numbers in parentheses indicate the size of each
Field in Bytes.

Figure 2: Description of Fields in a DHCP message

Field Bytes Description

Message op code / message type.
op 1
1 = BOOTREQUEST, 2 = BOOTREPLY

htype 1 Hardware address type (e.g., '1' = 10Mb Ethernet)

JTO Phase –II DNIT Version 1.0 Sep 2021 Page 9 of 167
For Restricted Circulation
JTO Phase-II IT DHCP

hlen 1 Hardware address length (e.g. '6' for 10Mb Ethernet)

Client sets to zero, optionally used by relay agents when booting via a
hops 1
relay agent.

Transaction ID.
xid 4 A random number chosen by the client, used by the client and server to
associate the request message with its response.

Seconds passed since client began the request process.
secs 2
Filled in by client.

flags 2 Flags

Client IP address.
ciaddr 4 Filled in by client if it knows its IP address (from previous requests or
from manual configurations) and can respond to ARP requests.

yiaddr 4 'your' (client) IP address. Server's response to client.

Server IP address. Address of sending server or of the next server to
siaddr 4
use in the next bootstrap process step.

giaddr 4 Relay agent IP address, used in booting via a relay agent.

chaddr 16 Client hardware address.

sname 64 Optional server host name. Null terminated string.

Boot file name.
file 128 Null terminated string; "generic" name or null in request, fully
qualified directory-path name in reply.

Field to hold the optional parameters.
options variable
(See next section).

Table 1. The 'options' Field in a DHCP message
Apart from the small amount of the Fields imported from the BOOTP frame format
there came a need for a lot more Fields, some of them changing from one message to
another, others from one subnet to another etc.

JTO Phase –II DNIT Version 1.0 Sep 2021 Page 10 of 167
For Restricted Circulation
JTO Phase-II IT DHCP

That need came first after defining the BOOTP protocol which led to the BOOTP
extension mechanism, where the last Field in the frame format, the 'vendor extensions'
filed was of variable length and could contain the extra information. DHCP improved
this mechanism, changing the Field name to 'options' and adding more options.
One way to categorize those options would be to split them into two groups:
1. Configuration parameters.
2. Message control information.
All options begin with a tag octet, which uniquely identifies the option. The next octet is
the option length specifier, its value does not include the two Bytes specifying the tag
and length. The length octet is followed by length Bytes of data.
All these options/vendor extensions are defined in RFC 2132, where they are split to the
following groups:
1. RFC 1497 Vendor Extensions.
2. IP Layer Parameters per Host.
3. IP Layer Parameters per Interface.
4. Link Layer Parameters per Interface.
5. TCP Parameters.
6. Application and Service Parameters.
7. DHCP Extensions.

1.11 SOME IMPORTANT DHCP OPTIONS:

Message Type (a DHCP control):
Specifies the type of the DHCP message in order to be more specific than the originally
BOOTP Field 'op'. Different message types are used at different stages of the
client/server interaction. Appears in every DHCP message (therefore the 'options' Field
is never empty):
Renewal Time Value (a DHCP control):
Specifies the time interval from address assignment until the client attempts to contact
the server that originally issued the client's network address before the lease expire.
Parameter Request List (a DHCP control):
A list of valid DHCP option codes. Used by a DHCP client to request values for
specified configuration parameters.
Subnet Mask (a Configuration parameter):
Specifies the client's subnet mask.
DNS Option (a Configuration parameter):

JTO Phase –II DNIT Version 1.0 Sep 2021 Page 11 of 167
For Restricted Circulation
JTO Phase-II IT DHCP

Specifies a list of DNS name servers available to the client.
Message Format in IPv6
Every message in DHCP protocol of IPv6 has a constant length header and variable
length data. This data is located in the "options" Field, and composed from Bytes, in
network byte format (least significant byte first. This is the format of a message which
sent from client directly to the server:

Figure 3:

Field Bytes Description

This is the type of the message chosen from the 11 types of direct
msg-type 1 messages from client to server (an exact list in "Message Types
Summary").

transaction-
3 The ID for this message transport.
id

options variable The options for this message.

This is the format of a message from relay-agent to another relay-agent or a server:

JTO Phase –II DNIT Version 1.0 Sep 2021 Page 12 of 167
For Restricted Circulation
JTO Phase-II IT DHCP

JTO Phase –II DNIT Version 1.0 Sep 2021 Page 13 of 167
For Restricted Circulation
JTO Phase-II IT DHCP

Figure 4:

Field Bytes Description

msg-type 1 The code of the message, RELAY-FORW or RELAY-REPL.

hop-count 1 Counts the relay-agents which the message has passed until now.

link- Used by the server to identify the link of the client in RELAY-
12
address FORW message or in RELAY-REPL message.

peer- The address of the relay-agent or the client from which the message
12
address was received ? the current hop.

Options for the message. Here the message has to have "Relay
options variable
Message option" among the other options.

Table 2.

The options are in this format:

JTO Phase –II DNIT Version 1.0 Sep 2021 Page 14 of 167
For Restricted Circulation
JTO Phase-II IT DHCP

Figure 5:

Field Bytes Description

option- The number of option according to "types of
2
code options".

option-len 2 The length of the option-data in bytes.

option- the value in "option-len" in
The data of the options.
data bytes

Table 3.

1.12 CLIENT/SERVER MODEL
The client and the server negotiate in a series of messages in order for the client to get
the parameters it needs.
The following diagram shows the messages exchanged between the DHCP client and
servers when allocating a new network address. Next is a detailed explanation of all the
various messages and a description of the communication steps.
This process can involve more than one server but only one server is selected by the
client. In the figure, the selected server is marked 'selected' and the other, 'not selected'
server stands for all the possible not selected servers.

1.13 STEPS OF COMMUNICATION :
1. The client broadcasts a DHCPDISCOVER.
2. Each server may responds with a DHCPOFFER message.
3. The client receives one or more DHCPOFFER messages from one or more
servers and chooses one server from which to request configuration parameters.
4. The client broadcasts a DHCPREQUEST message.

JTO Phase –II DNIT Version 1.0 Sep 2021 Page 15 of 167
For Restricted Circulation
JTO Phase-II IT DHCP

5. Those servers not selected by the DHCPREQUEST message use the message as
notification that the client has declined that server's offer.
6. The server selected in the DHCPREQUEST message commits the responds with
a DHCPACK message containing the configuration parameters for the
requesting client.
7. The client receives the DHCPACK message with configuration parameters. At
this point, the client is configured.
8. If the client receives a DHCPNAK message, the client restarts the configuration
process.
9. The client may choose to relinquish its lease on a network address by sending a
DHCPRELEASE message to the server (e.g. on shutdown).
10. The server receives the DHCPRELEASE message and marks the lease as free.

Variations on the timeline diagram. There are two main variations on the
presented client/server interaction scenario:

1. Reuse of a previously allocated network address: If a client remembers (in its
cache) and wishes to reuse a previously allocated network address, a client may
choose to omit some of the steps taken in case of a new allocation. In the first
DHCPREQUEST the client includes its network address in the 'requested IP
address' option. The server that has the knowledge of the client's configuration
respond with a DHCPACK message and from then on the diagram continues
from step (5).
2. Obtaining parameters with externally configured network address:
If a client has obtained a network address through some other means (e.g.,
manual configuration), it may use a DHCPINFORM request message to obtain
other local configuration parameters. Servers receiving a DHCPINFORM
message construct a DHCPACK message with any local configuration
parameters appropriate for the client without allocating a new address.

1.14 MESSAGE TYPES
Message Use

DHCPDISCOVER Client broadcast to locate available servers.

DHCPOFFER Server to client in response to DHCPDISCOVER with offer
of configuration parameters.

DHCPREQUEST Client message to servers either (a) requesting offered
parameters from one server and implicitly declining offers
from all others, (b) confirming correctness of previously
allocated address after, e.g., system reboot, or (c) extending

JTO Phase –II DNIT Version 1.0 Sep 2021 Page 16 of 167
For Restricted Circulation
JTO Phase-II IT DHCP

the lease on a particular network address.

DHCPACK Server to client with configuration parameters, including
committed network address.

DHCPNAK Server to client indicating client's notion of network address
is incorrect (e.g., client has moved to new subnet) or client's
lease as expired

DHCPDECLINE Client to server indicating network address is already in use.

DHCPRELEASE Client to server relinquishing network address and canceling
remaining lease.

DHCPINFORM Client to server, asking only for local configuration
parameters; client already has externally configured network
address.

1.15 MESSAGE TYPES IN IPV6
Message Use

SOLICIT This message is sent by a node to discover new DHCP servers

ADVERTISE This message is sent by the DHCP server in response to a
"SOLICIT" message. It means that this DHCP server is available to
serve the client.

REQUEST A request of an address and communication parameters after a node
has found a DHCP server.

CONFIRM A multicast message to all DHCP servers which are available, to
confirm, that its address is still appropriate to its link.

RENEW A request to renew address lifetime or updating communication
parameters. The message is sent to a specific DHCP server which has
sent its address/communication parameters beforehand.

REBIND A multi Broadcast message to all the servers available with the request to
renew addraddreess or updating its communication parameter. This
message is sent sentafter a "RENEW" request didn't get any response
from the node‟s DHDHCPPrver.

JTO Phase –II DNIT Version 1.0 Sep 2021 Page 17 of 167
For Restricted Circulation
JTO Phase-II IT DHCP

REPLY A message that is sent to a node by a DHCP server.
Address/communication parameters are sent in response to a
"SOLICIT", "REQUEST", "RENEW" or "REBIND" messages from
a node. Additionally it is used to confirm or reject an address in
response to a "CONFIRM" message, or it simply used as an ack
message in response to a "RELEASE" or "DECLINE" message from
a node.

RELEASE A message from a node to the DHCP server which granted it an
address. It is sent when the node no longer needs that adress. This
message is mean to let the DHCP server know that this address is
free to use by other nodes.

DECLINE A message to the DHCP server which means that a node declines the
address which is already taken, and the node requests another
address. It can happen when a node discovers that an address which
the DHCP server has gaven it is used by another node in the link.

RECONFIGURE A message sent by the DHCP server when it wants to update a node's
communication parameters. The node response should be a
"RENEW" message back to the DHCP server.

INFORMATION- This message is sent to a DHCP server when a node wants to get
REQUEST communication parameters without an address.

RELAY-FORW A message which is sent from relay-agent to a DHCP server or
another relay-agent, and encapsulates the innitial message from a
node to the DHCP server.

RELAY-REPL A message which is sent from DHCP server or another relay-agent to
a certain relay-agent, and encapsulates the innitial message from a
DHCP server to the node.

1.16 SECURITY IN DHCP
Security is a significant subject in when considering DHCP, this is because the main
goal is to get communication parameters/IP address from an external source. This can
give an opportunity do damage the host from outside of the system.
There numerous threats to a host which using DHCP. For example: Deploying fake
DHCP servers that will always deny service. Another way is by sending incorrect
communication parameters and wrong DHCP server information either because of
flawed server, or deliberately.

JTO Phase –II DNIT Version 1.0 Sep 2021 Page 18 of 167
For Restricted Circulation
 JTO Phase-II IT DHCP

These threats require authentication of the DHCP server or/and the communication
parameters to ensure that we are dealing with real DHCP server which sends valid
parameters.
In order to achieve higher safety, the following two rules must be obeyed:
1. The protocol cannot be changed. (i.e. its structure, msg types etc. must remain
intact.)
2. Interact with the DHCP server as little as possible ? minimize the number of
stages of the communication with the DHCP server.
Main way to authenticate a DHCP message is to include an authentication field in the
"option" field of the DHCP message.

Figure 6: This is the format of DHCP client/server message with "authentication
option?:

Description of Fields in a DHCP message

Code Bytes Description

op 1 The code of an authentication message is 90.

Length 1 The length of the information data.

The name of the protocol used for authentication (there are
Protocol 1
number of techniques).

The name of the algorithm used by the protocol in the "protocol"
Algorithm 1
field.

JTO Phase –II DNIT Version 1.0 Sep 2021 Page 19 of 167
For Restricted Circulation
JTO Phase-II IT DHCP

RDM stands for "Replay Detection Method" ? the method used for
RDM 4
replay detection.

Replay This is a sequence of authentication. If the RDM field is 0x00, the
8
Detection sequence must be a monotonic increasing counter.

1.17 SUMMARY
In addition to the method of adding "options", like in IPv4, there is also use of the IPsec
mechanisms for communication between relay-agents or relay-agent - server in IPv6.
IPSec is mechanism of security on the IP level. It provides services such as reply
detection, access control etc.
The servers and relay-agents are configured manually. Each relay-agent or server has to
hold a list of pairs of servers and relay-agents to know which one will get the message.
Servers and relay agents can accept messages only from DHCP sources which are on the
list in their configuration.
In addition to this tool, one can use also the general security tools of IPv6 for DHCP
security. There are many sources to these tools in the web, and a partial list can be found
in this Link.

JTO Phase –II DNIT Version 1.0 Sep 2021 Page 20 of 167
For Restricted Circulation