Be familiar with the security threats faced by DHCP and the mechanisms that protect it

  • For a network to operate normally, every host in it must know some important network parameters, such as its IP address, subnet mask, gateway address, DNS server address, network printer address, and so on. Manually configuring these parameters on every host is obviously very difficult, if not impossible.
  • To this end, the IETF released the Dynamic Host Configuration Protocol (DHCP) in 1993. DHCP automates the configuration of network parameters. So how is DHCP implemented? How does DHCP cope with the growth of network scale? And how does DHCP protect against attacks on the network?

Problems with manually configuring network parameters

 

  • High demands on personnel: host users need to know how to configure network parameters, which is difficult to achieve in practice.
  • Error-prone: human mistakes easily occur during manual configuration.
  • Poor flexibility: when network parameters change, reconfiguration is required. For example, if a host moves to another location in the network, its gateway address may also change and must then be reconfigured.
  • Low utilization of IP address resources: IP addresses cannot be reused.
  • Heavy workload: the configuration workload grows with the number of hosts.

The introduction of the DHCP concept

  • As the number of users grows and their locations become less fixed, traditional static manual configuration can no longer meet the need. To let the network allocate IP addresses to hosts dynamically and sensibly, the Dynamic Host Configuration Protocol (DHCP) is needed.
  • DHCP has the following advantages over static manual configuration:
  1. High efficiency
  2. High flexibility
  3. Easy management

DHCP basic working process (1)

 

  • DHCP adopts the Client/Server model: the DHCP Client obtains its network configuration parameters from the DHCP Server by exchanging DHCP messages with it. DHCP messages are encapsulated in UDP packets; the DHCP Server receives DHCP messages on port 67 and the DHCP Client receives them on port 68. In this course we are mainly concerned with how the DHCP Client obtains its own IP address.
  • The figure shows the basic process by which a DHCP Client obtains its own IP address through DHCP. This process includes four stages:
  • Discovery phase:
  • In the discovery phase the DHCP Client on the PC searches for a DHCP Server. After the DHCP Client on the PC starts running, it sends a DHCP Discover message by broadcast.
  • Note that in the Layer 2 broadcast domain shown in the figure, besides the DHCP Server running on router R, other devices may also be running a DHCP Server. If so, all of these DHCP Servers receive the DHCP Discover message sent by the PC, and all of them respond to it.
  • Offer phase:
  • In the offer phase the DHCP Server offers an IP address to the DHCP Client. Each DHCP Server that received the DHCP Discover message (including the one running on router R) selects an appropriate IP address from the address pool it maintains and sends it to the DHCP Client in a DHCP Offer message. The DHCP Server sends the DHCP Offer message in unicast mode.
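To make the Discover/Offer exchange concrete, here is an added example (written for this page, not code from the original course or from any vendor) that encodes and decodes the two messages at the byte level: the 236-byte BOOTP fixed header with the CHADDR field at offset 28, the magic cookie, and the TLV options for message type, server identifier, lease time, mask, gateway and DNS. The port numbers 67/68, the 3-day lease and the 192.168.1.x addresses come from the page; the transaction id and MAC addresses are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

DHCP_SERVER_PORT = 67      # the server receives DHCP messages on UDP port 67
DHCP_CLIENT_PORT = 68      # the client receives DHCP messages on UDP port 68
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte BOOTP fixed header

# Values of option 53 (DHCP Message Type)
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5


def build_dhcp(op, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Encode one DHCP message: fixed header, magic cookie, TLV options, END (0xff)."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    fixed = struct.pack(
        HEADER,
        op, 1, 6, 0,                  # op, htype=1 (Ethernet), hlen=6, hops
        xid, 0, 0x8000,               # transaction id, secs, flags (broadcast bit set)
        b"\0" * 4,                    # ciaddr: the client has no address yet
        IPv4Address(yiaddr).packed,   # yiaddr: the address the server offers/assigns
        b"\0" * 4, b"\0" * 4,         # siaddr, giaddr (giaddr is filled in by a DHCP Relay)
        mac.ljust(16, b"\0"),         # CHADDR, padded to 16 bytes
        b"\0" * 64, b"\0" * 128,      # sname, file (unused here)
    )
    tlv = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return fixed + MAGIC_COOKIE + tlv + b"\xff"


def parse_dhcp(data):
    """Decode the fields this page talks about: op, xid, yiaddr, CHADDR and the options."""
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    f = struct.unpack(HEADER, data[:236])
    hlen = f[2]
    options = {}
    i = 240
    while i < len(data) and data[i] != 0xFF:   # 0xff = END option
        if data[i] == 0:                        # 0 = PAD option, has no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": str(IPv4Address(f[8])),
            "chaddr": f[11][:hlen].hex(":"), "options": options}


def discover(xid, chaddr):
    """DHCP Discover as the client broadcasts it: op=1, only the message-type option."""
    return build_dhcp(1, xid, chaddr, options=[(53, bytes([DISCOVER]))])


def offer(xid, chaddr, yiaddr, server_ip, lease_seconds, mask, gateway, dns):
    """DHCP Offer as a server answers it: op=2, yiaddr plus the pool's parameters."""
    opts = [
        (53, bytes([OFFER])),
        (54, IPv4Address(server_ip).packed),      # server identifier
        (51, struct.pack("!I", lease_seconds)),   # IP address lease time
        (1, IPv4Address(mask).packed),            # subnet mask
        (3, IPv4Address(gateway).packed),         # router (gateway-list)
        (6, IPv4Address(dns).packed),             # DNS server (dns-list)
    ]
    return build_dhcp(2, xid, chaddr, yiaddr, opts)


def offered_parameters(packet):
    """What a client learns from an Offer: its address and the pool's parameters."""
    msg = parse_dhcp(packet)
    o = msg["options"]
    return {"ip": msg["yiaddr"], "server": str(IPv4Address(o[54])),
            "lease": struct.unpack("!I", o[51])[0], "mask": str(IPv4Address(o[1])),
            "gateway": str(IPv4Address(o[3])), "dns": str(IPv4Address(o[6]))}
```

Nothing in the Discover authenticates the client, and nothing in the Offer authenticates the server; the CHADDR field and the server identifier option are exactly the values the starvation and counterfeit-server attacks later on this page abuse, which is why the switch-side checks key on them.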

DHCP basic working process (2) 

  • Each time the DHCP Server assigns an IP address to a DHCP Client, it only establishes a lease (Lease) on that IP address with the DHCP Client. Each lease has a lease period (Duration of Lease). The DHCP protocol stipulates that the default lease period shall not be less than 1 hour; in actual deployments, however, the default lease period is usually 24 hours. During the lease period the DHCP Client may use the corresponding IP address; once the lease period expires it may no longer use it. Before the lease period expires, the DHCP Client can apply to renew the IP address. The process is as shown in the figure.
  • The DHCP protocol stipulates that, by default, time T1 in the figure is the point at which half of the lease period has elapsed, and time T2 the point at which 87.5% of it has elapsed. At time T1 the DHCP Client on the PC sends a DHCP Request message to the DHCP Server on R in unicast mode, requesting renewal of the IP address (that is, requesting that the lease period be restarted). If the DHCP Client on the PC receives the corresponding DHCP Ack message before time T2, the renewal has succeeded. If it has not received a DHCP Ack message by time T2, then at time T2 it sends a DHCP Request message in broadcast mode to keep requesting renewal. If it receives a DHCP Ack message before the lease period expires, the renewal has succeeded. If it has still not received a DHCP Ack message when the lease period expires, the PC must stop using the original IP address; in other words, the PC can only apply for an IP address again, starting from the discovery phase.
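The renewal timeline above is a small state machine, and the added example below (not from the original course) walks through it: T1 and T2 are computed from the lease period, a unicast Request goes out at T1, a broadcast Request at T2 if no Ack has arrived, and the address is given up at expiry. The `ack_at` parameter, the time at which the server's Ack arrives, is a modelling assumption used to drive the three outcomes; the 24-hour lease in the usage is the page's typical default.

```python
from dataclasses import dataclass, field
from typing import Optional


def renewal_times(lease_seconds):
    """DHCP defaults: T1 when half the lease has elapsed, T2 at 87.5% of the lease."""
    return lease_seconds * 0.5, lease_seconds * 0.875


@dataclass
class LeaseRenewal:
    lease: int                      # lease period in seconds
    ack_at: Optional[float] = None  # seconds after lease start at which a DHCP Ack arrives; None = never
    events: list = field(default_factory=list)

    def run(self):
        """Walk the renewal timeline and return 'renewed' or 'expired'."""
        t1, t2 = renewal_times(self.lease)
        # T1: unicast DHCP Request to the server that granted the lease.
        # (An Ack earlier than T1 cannot exist: no Request has been sent yet.)
        self.events.append((t1, "unicast DHCP Request"))
        if self.ack_at is not None and t1 <= self.ack_at < t2:
            self.events.append((self.ack_at, "DHCP Ack received, lease restarted"))
            return "renewed"
        # T2 with no Ack: broadcast the DHCP Request so that any server may answer
        self.events.append((t2, "broadcast DHCP Request"))
        if self.ack_at is not None and t2 <= self.ack_at < self.lease:
            self.events.append((self.ack_at, "DHCP Ack received, lease restarted"))
            return "renewed"
        # Lease expired without an Ack: stop using the address, start again with Discover
        self.events.append((self.lease, "lease expired, restart from discovery phase"))
        return "expired"


def renewal_outcome(lease, ack_at):
    """Convenience wrapper returning (result, ordered list of event names)."""
    r = LeaseRenewal(lease, ack_at)
    return r.run(), [name for _, name in r.events]


if __name__ == "__main__":
    for ack in (43201, 80000, None):       # renewed at T1, renewed after T2, never renewed
        print(ack, renewal_outcome(86400, ack))
```

The broadcast at T2 is the point worth noticing from a security angle: a client that the legitimate server has stopped answering will accept a renewal from any server in the broadcast domain, which is one more reason the Offer/Ack filtering on untrusted ports described later on this page matters.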

 DHCP configuration implementation

 

  • If the DHCP Server is configured to allocate addresses per interface, it responds only to DHCP requests received on that interface; if it is configured to allocate from a global address pool, it can respond to DHCP requests received on all ports.
  • dhcp enable // Enable DHCP. This command must be executed first; only then can the other DHCP functions be configured and take effect.
  • ip pool HW // Create a global address pool named HW
      gateway-list 192.168.1.1 // Gateway address handed out to clients
      network 192.168.1.0 mask 255.255.255.0 // Network segment from which addresses are assigned
      excluded-ip-address 192.168.1.2 // Addresses that are not automatically allocated
      lease day 3 hour 0 minute 0 // Lease period of the addresses in this pool; the default is 1 day
      dns-list 192.168.1.2 // DNS server address handed out to clients
  • interface GigabitEthernet0/0/0
      ip address 192.168.1.1 255.255.255.0
      dhcp select global // Use the global address pool on this interface

Why is DHCP Relay needed ? 

  • As can be seen from the description so far, the DHCP Client and the DHCP Server must be in the same Layer 2 broadcast domain to receive each other's DHCP messages; DHCP messages cannot cross a Layer 2 broadcast domain boundary.
  • A real IP network usually contains many Layer 2 broadcast domains. To deploy DHCP in it, there are two methods:
  • Method 1: Deploy a DHCP Server in every Layer 2 broadcast domain (too costly; generally not recommended in practice).
  • Method 2: Deploy one DHCP Server that serves DHCP Clients in multiple Layer 2 broadcast domains at the same time. This requires the introduction of DHCP Relay.

Basic working principle of DHCP Relay 

  • The basic function of DHCP Relay is to forward DHCP messages between the DHCP Client and the DHCP Server.
  • As shown in the figure, when a DHCP Client obtains its IP address and other configuration parameters from the DHCP Server through a DHCP Relay, the DHCP Relay must be in the same Layer 2 broadcast domain as the DHCP Client, while the DHCP Server may be in the same Layer 2 broadcast domain as the DHCP Relay or in a different one. DHCP messages between the DHCP Client and the DHCP Relay are exchanged by broadcast, but DHCP messages between the DHCP Relay and the DHCP Server are exchanged by unicast (which means the DHCP Relay must know the IP address of the DHCP Server in advance).

DHCP Relay configuration implementation 

  • Configure the DHCP Server: // The DHCP server can allocate from a global address pool or per interface. Here the global address pool is used as the example.
      dhcp enable
      ip pool DHCP-relay // "DHCP-relay" is just the name of the DHCP address pool
      ip route-static 192.168.1.0 24 10.1.1.2 // The relayed DHCP messages are unicast packets with source address 192.168.1.1, so the server needs a return route. For simplicity a static route is used here; in a real network an IGP would be configured so that the addresses are reachable
  • Configure the DHCP Relay (GW):
      dhcp server group DHCP // Create a DHCP server group named DHCP
      dhcp-server 10.1.1.1 // Set the DHCP server address
      dhcp enable // The relay device must also enable DHCP; otherwise the DHCP commands under the interface cannot be configured
      interface g0/0/1 // Enter the interface that connects to the clients
      ip address 192.168.1.1 24
      dhcp select relay // Enable the DHCP Relay function
      dhcp relay server-select DHCP // Select the server group used by DHCP Relay

Security threats facing DHCP

  • Network attacks are everywhere, and attacks against DHCP are no exception. For example, a company suddenly finds that a large number of its users cannot access the Internet. Investigation shows that the user terminals have not obtained IP addresses and that all addresses in the DHCP Server's address pool have been allocated. This situation is very likely the result of a DHCP starvation attack.
  • The design of DHCP did not take security fully into account, leaving many security holes that make DHCP vulnerable to attack. In real networks there are three main types of attack against DHCP:
  1. DHCP starvation attack
  2. Counterfeit DHCP Server attack
  3. DHCP man-in-the-middle attack

DHCP starvation attack

  • A DHCP starvation attack is carried out by an attacker who keeps applying to the DHCP Server for a large number of IP addresses. Its purpose is to exhaust the IP addresses in the DHCP Server's address pool, so that the DHCP Server has no IP addresses left to allocate to normal users. A DHCP message contains a field called CHADDR (Client Hardware Address). This field is filled in by the DHCP client and holds the client's hardware address (that is, its MAC address). The DHCP Server allocates IP addresses according to CHADDR: different CHADDRs receive different IP addresses, and the DHCP Server cannot tell a legitimate CHADDR from an illegitimate one. Exploiting this weakness, the attacker puts a different value in the CHADDR field every time he applies for an IP address, thereby pretending that a different user is applying.

Fake DHCP Server attack 

  • After an attacker privately installs and runs a DHCP Server program, he can pose as a legitimate DHCP Server; this is the so-called counterfeit DHCP Server. A counterfeit DHCP Server works exactly like a legitimate one. The difference is that the counterfeit DHCP Server assigns the client a wrong IP address and hands out a wrong gateway address and other parameters, so that the client cannot access the network normally.
  • We know that after the client broadcasts a DHCP Discover message, both the counterfeit DHCP Server and the legitimate DHCP Server receive it, and both respond with a DHCP Offer message. If the first DHCP Offer message the client receives comes from the counterfeit DHCP Server, the client will go on to request its IP address and other parameters from the counterfeit DHCP Server (instead of the legitimate one), and the counterfeit DHCP Server takes this opportunity to assign the client a wrong IP address and to provide a wrong gateway address and other parameters.

DHCP man-in-the-middle attack

  • As shown in the figure, the attacker uses the ARP mechanism to make PC-A learn a mapping between IP-S and MAC-B, and to make the Server learn a mapping between IP-A and MAC-B. When PC-A sends an IP packet to the DHCP Server, the destination IP address is IP-S and the source IP address is IP-A; the frame carrying this IP packet has destination MAC address MAC-B and source MAC address MAC-A, so the frame first reaches the attacker, PC-B. After receiving the frame, the attacker changes its destination MAC address to MAC-S and its source MAC address to MAC-B, and then sends the frame on to the Server. The Server therefore notices nothing wrong. In the other direction, when the DHCP Server sends an IP packet to PC-A, the destination IP address is IP-A and the source IP address is IP-S; the frame carrying this IP packet has destination MAC address MAC-B and source MAC address MAC-S, so this frame also reaches the attacker, PC-B, first. After receiving it, the attacker changes its destination MAC address to MAC-A and its source MAC address to MAC-B, and then sends the frame on to PC-A. Likewise, PC-A notices nothing wrong.
  • Since the IP packets between PC-A and the DHCP Server all pass through the attacker (the man in the middle), the attacker can easily steal information from these IP packets and use it for further malicious behaviour. The attacker can also easily tamper with the DHCP messages between PC-A and the DHCP Server (these messages are encapsulated in UDP packets, which in turn are encapsulated in IP packets), thereby attacking DHCP directly.

The emergence of DHCP Snooping technology

DHCP Snooping is used to prevent DHCP starvation attacks 

 

  • As described earlier, a DHCP starvation attack exploits the fact that the DHCP Server allocates IP addresses according to the CHADDR field and cannot tell a legitimate CHADDR from a forged one: the attacker fills in a different CHADDR in every request, pretending that a different user is applying each time, until the address pool is exhausted.
  • To close this loophole and prevent starvation attacks, DHCP Snooping supports a consistency check, on a port, between the source MAC address of a DHCP Request message and its CHADDR: if the two are the same, the message is forwarded; if they differ, it is discarded. To check the consistency of the source MAC address and CHADDR on a port, use the command dhcp snooping check dhcp-chaddr enable in that port's view.
  • There may also be a starvation attack in which the attacker keeps changing the MAC address and the CHADDR at the same time, so that after every change the CHADDR and the MAC address are still identical. Such an attack evades the source MAC / CHADDR consistency check described above.
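The following added example (written for this page; not the course's or any vendor's code) ties together the starvation attack, the address-pool semantics from the configuration section, the CHADDR consistency check, and the caveat just stated. It models a global pool like `ip pool HW` (network 192.168.1.0/24, gateway 192.168.1.1, 192.168.1.2 excluded), allocates addresses keyed on CHADDR the way the text says a server does, and then runs the same constructed request stream through the check. Everything runs in memory on constructed data; the attacker MAC, the CHADDR pattern and the legitimate client's MAC are made-up sample values.

```python
from ipaddress import IPv4Address, IPv4Network


class AddressPool:
    """Global address pool modelled on the 'ip pool HW' configuration in the text:
    network + mask, gateway-list, excluded-ip-address and lease time."""

    def __init__(self, network, gateway, excluded=(), lease_seconds=86400):
        reserved = {IPv4Address(gateway), *(IPv4Address(ip) for ip in excluded)}
        # hosts() skips the network and broadcast addresses; also skip gateway and excluded ones
        self.free = [ip for ip in IPv4Network(network).hosts() if ip not in reserved]
        self.lease_seconds = lease_seconds
        self.leases = {}   # CHADDR -> IPv4Address

    def allocate(self, chaddr):
        """Allocation is keyed on CHADDR alone: a known CHADDR gets its existing address,
        any new CHADDR gets a fresh one, and the server cannot tell real from forged."""
        if chaddr in self.leases:
            return self.leases[chaddr]
        if not self.free:
            return None        # pool exhausted: the starvation condition
        ip = self.free.pop(0)
        self.leases[chaddr] = ip
        return ip


def chaddr_consistent(src_mac, chaddr):
    """The port check turned on by 'dhcp snooping check dhcp-chaddr enable':
    forward the DHCP Request only if the frame's source MAC equals its CHADDR."""
    return src_mac.lower() == chaddr.lower()


def serve(pool, requests, snooping_check=False):
    """Feed (source MAC, CHADDR) requests to the pool, optionally through the check.
    Returns (addresses granted, requests dropped by the check)."""
    granted = dropped = 0
    for src_mac, chaddr in requests:
        if snooping_check and not chaddr_consistent(src_mac, chaddr):
            dropped += 1
            continue
        if pool.allocate(chaddr) is not None:
            granted += 1
    return granted, dropped


def forged_requests(count, vary_src_mac=False):
    """Constructed input modelling the attack the text describes: `count` requests, each
    with a different CHADDR. With vary_src_mac=False the sending NIC keeps its own MAC
    (the simple attack); with True the source MAC is changed to match the CHADDR."""
    reqs = []
    for i in range(count):
        chaddr = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        reqs.append((chaddr if vary_src_mac else "aa:bb:cc:dd:ee:01", chaddr))
    return reqs


NETWORK, GATEWAY, EXCLUDED = "192.168.1.0/24", "192.168.1.1", ["192.168.1.2"]
LEGIT_MAC = "00:11:22:33:44:55"     # constructed: a legitimate client arriving afterwards


def without_check():
    """Simple attack, no snooping check: pool drained, legitimate client starved."""
    pool = AddressPool(NETWORK, GATEWAY, EXCLUDED)
    granted, _ = serve(pool, forged_requests(300))
    return granted, pool.allocate(LEGIT_MAC)                 # (252, None)


def with_check():
    """Same attack behind the CHADDR check: every forged request dropped, client served."""
    pool = AddressPool(NETWORK, GATEWAY, EXCLUDED)
    granted, dropped = serve(pool, forged_requests(300), snooping_check=True)
    return granted, dropped, str(pool.allocate(LEGIT_MAC))   # (0, 300, '192.168.1.3')


def check_evaded():
    """Limit of the check: when source MAC and CHADDR change together they always match,
    so the check passes the requests and the pool is drained again."""
    pool = AddressPool(NETWORK, GATEWAY, EXCLUDED)
    granted, dropped = serve(pool, forged_requests(300, vary_src_mac=True), snooping_check=True)
    return granted, dropped, pool.allocate(LEGIT_MAC)        # (252, 0, None)
```

Two defender-side observations fall out of the numbers: the pool has only 252 usable addresses once the gateway and the excluded address are removed, so pool utilisation jumping to 100% is the symptom the page's opening scenario describes, and the CHADDR check alone is a per-request sanity test, not a rate limit, which is exactly why the text's last bullet says it can be evaded.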

DHCP Snooping is used to prevent counterfeit DHCP Server attacks

  • DHCP Snooping divides the ports of a switch into two types, trusted ports (Trusted) and untrusted ports (Untrusted). The ports connected to the legitimate DHCP Server should be configured as Trusted ports, and all other ports as Untrusted ports.
  • When the switch receives DHCP response messages (such as DHCP Offer and DHCP Ack messages) on a Trusted port, it forwards them, ensuring that the legitimate DHCP Server can allocate IP addresses and provide other network parameters normally. When the switch receives DHCP response messages (such as DHCP Offer and DHCP Ack messages) on an Untrusted port, it discards them, preventing a counterfeit DHCP Server from allocating IP addresses and providing other network parameters.
  • Key configuration commands: switch ports are Untrusted by default. To configure a switch port as a Trusted port, use the dhcp snooping trusted command in the port view; to restore a Trusted port to Untrusted, use the undo dhcp snooping trusted command in the port view.

DHCP Snooping is used to prevent DHCP man-in-the-middle attacks

  • We already know that the DHCP man-in-the-middle attack is essentially an IP/MAC spoofing attack. To prevent DHCP man-in-the-middle attacks, we therefore need to prevent IP/MAC spoofing attacks.
  • A switch running DHCP Snooping "listens in" (snoops) on the DHCP messages between users and the DHCP Server and collects the user's MAC address (here the value of the CHADDR field in the DHCP message), the user's IP address (here the IP address the DHCP Server assigned to that CHADDR) and other information. This information is stored in a database called the DHCP Snooping binding table. A switch running DHCP Snooping builds and dynamically maintains this binding table. Besides the user's MAC address and IP address, the binding table also holds the IP address lease period, the VLAN ID and other information.
  • As shown in the figure, suppose the DHCP Server assigns IP address IP-A to PC-A and IP address IP-B to PC-B. Then IP-A is bound to MAC-A and IP-B is bound to MAC-B, and these bindings are stored in the DHCP Snooping binding table. To make the Server learn a mapping between IP-A and MAC-B, the attacker sends an ARP request message whose source IP address is IP-A and whose source MAC address is MAC-B. On receiving this ARP request, the switch checks its source IP address and source MAC address, finds that the IP/MAC pair (IP-A/MAC-B) matches no entry in the DHCP Snooping binding table, and discards the ARP request, thus effectively preventing the IP/MAC spoofing attack.
  • To prevent IP/MAC spoofing attacks (and thereby man-in-the-middle attacks) in the way described above, execute the configuration command arp dhcp-snooping-detect enable in the system view of the switch.

Linkage between DHCP Snooping and IPSG technology

  • Attacks that spoof the source IP address are common on networks; for example, an attacker forges a legitimate user's IP address to send IP packets to a server. The corresponding prevention technology is called IPSG (IP Source Guard).
  • Once IPSG is enabled on the switch, it checks the validity of packets entering a switch port and filters them (legitimate packets are forwarded; illegitimate ones are discarded).
  • DHCP Snooping can be linked with IPSG: packets entering a switch port are matched against the DHCP Snooping binding table. If the information in the packet is consistent with the binding table, the packet is allowed through; otherwise it is discarded.
  • The items checked in a packet can be any of several combinations of source IP address, source MAC address, VLAN and physical port number. For example, in the port view the switch supports checks such as IP+MAC, IP+VLAN and IP+MAC+VLAN, and in the VLAN view it supports checks such as IP+MAC, IP+physical port number and IP+MAC+physical port number.
  • Key configuration command: execute the configuration command ip source check user-bind enable in the port view or VLAN view of the switch.
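The three DHCP Snooping behaviours described in the last three sections (dropping server replies on untrusted ports, building the binding table from the snooped exchange, and using that table for both the ARP check and the IPSG check) share one data structure, so here they are in a single added example written for this page (not the course's or any vendor's code). DHCP messages are represented as already-parsed records rather than bytes; the port names, VLAN id, MAC addresses and IP-A are constructed sample values, and "remember the client's port from its own Request, attach it to the binding when the Ack arrives" is an assumption about how the binding's port is learned.

```python
from dataclasses import dataclass

# Values of the DHCP Message Type option (53)
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_REPLIES = {OFFER, ACK}      # messages that only a DHCP Server should send


@dataclass(frozen=True)
class DhcpMsg:
    msg_type: int
    chaddr: str              # client MAC, as carried in the CHADDR field
    yiaddr: str = "0.0.0.0"  # address assigned by the server (Offer/Ack only)
    lease: int = 0           # lease time in seconds (Ack only)


@dataclass
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str
    lease: int


class SnoopingSwitch:
    def __init__(self, trusted_ports=()):
        self.trusted = set(trusted_ports)   # ports given 'dhcp snooping trusted'; all others untrusted
        self.pending = {}                   # CHADDR -> (port, vlan) where the client's request arrived
        self.bindings = {}                  # ip -> Binding: the DHCP Snooping binding table

    def process_dhcp(self, port, vlan, msg):
        """Return 'forward' or 'drop' for a DHCP message and maintain the binding table."""
        if msg.msg_type in SERVER_REPLIES and port not in self.trusted:
            return "drop"     # Offer/Ack arriving on an untrusted port: counterfeit DHCP Server
        if msg.msg_type in (DISCOVER, REQUEST):
            self.pending[msg.chaddr] = (port, vlan)   # remember where this client sits
        elif msg.msg_type == ACK:
            client_port, client_vlan = self.pending.get(msg.chaddr, (None, vlan))
            self.bindings[msg.yiaddr] = Binding(msg.yiaddr, msg.chaddr, client_vlan, client_port, msg.lease)
        return "forward"

    def arp_allowed(self, sender_ip, sender_mac):
        """'arp dhcp-snooping-detect enable': the ARP sender IP/MAC pair must match a binding."""
        b = self.bindings.get(sender_ip)
        return b is not None and b.mac == sender_mac

    def ipsg_allowed(self, port, vlan, src_ip, src_mac, items=("ip", "mac")):
        """'ip source check user-bind enable': compare the chosen items with the binding."""
        b = self.bindings.get(src_ip)
        if b is None:
            return False
        match = {"ip": True, "mac": b.mac == src_mac, "vlan": b.vlan == vlan, "port": b.port == port}
        return all(match[item] for item in items)


MAC_A, MAC_B, IP_A = "00:11:22:33:44:aa", "00:11:22:33:44:bb", "192.168.1.10"   # constructed


def demo():
    sw = SnoopingSwitch(trusted_ports=["G0/0/24"])        # the real server hangs off G0/0/24
    # A counterfeit server on untrusted G0/0/7 answers a Discover: its Offer is dropped
    rogue_offer = sw.process_dhcp("G0/0/7", 10, DhcpMsg(OFFER, MAC_A, "10.9.9.9"))
    # Legitimate exchange: PC-A requests on G0/0/1, the real server acks on the trusted port
    sw.process_dhcp("G0/0/1", 10, DhcpMsg(REQUEST, MAC_A))
    legit_ack = sw.process_dhcp("G0/0/24", 10, DhcpMsg(ACK, MAC_A, IP_A, 86400))
    # PC-B (MAC-B) sends an ARP request claiming IP-A: no IP-A/MAC-B binding, so it is dropped
    spoofed_arp = sw.arp_allowed(IP_A, MAC_B)
    genuine_arp = sw.arp_allowed(IP_A, MAC_A)
    # IPSG with IP+MAC+port: a packet with IP-A from PC-B's port and MAC fails, PC-A's passes
    spoofed_pkt = sw.ipsg_allowed("G0/0/2", 10, IP_A, MAC_B, ("ip", "mac", "port"))
    genuine_pkt = sw.ipsg_allowed("G0/0/1", 10, IP_A, MAC_A, ("ip", "mac", "port"))
    return rogue_offer, legit_ack, spoofed_arp, genuine_arp, spoofed_pkt, genuine_pkt
```

The binding table is only as good as the exchange it was learned from, which is why the trusted-port rule comes first: if a counterfeit server's Ack were accepted, the attacker could populate the table with whatever IP/MAC pairs the later ARP and IPSG checks would then approve.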

Thinking questions

1. What kind of message will the DHCP client send when renewing the lease to the DHCP Server ? (C)

A. DHCP Discover

B. DHCP Offer

C. DHCP Request

D. DHCP Ack

Answer: C.

2. What are the common attacks on DHCP? ( )

Answer: DHCP starvation attack, counterfeit DHCP Server attack, DHCP man-in-the-middle attack.


Reprinted from: blog.csdn.net/yy123cisco/article/details/135222061