Security Basics mailing list archives
Re: DHCP Snooping
From: "Dmitry Cherkasov" <doctorchd () gmail com>
Date: Thu, 8 Jun 2006 14:21:19 +0300
2006/6/7, Sven Édouard <sven_edouard () fastmail co uk>:
DHCP Security is ultimately a tricky proposition, keep in mind that these communications are sent over UDP, which can be spoofed, therefore, what you would need to do is force everyone's configuration to be a static one in order to avoid a spoofed respose condition.
Port-based VLANs solve this problem. No traffic between clients is sent past the router.
Also, there is the risk that someone on your network is using the same MAC address as another user, and therefore could see all of the traffic intended for that user. I think you could cover these cases by deploying VLANS but just wanted to bring up these potential issues.
DHCP-authorized ARP solves this issue. The MAC is present in the ARP table of the router only when a corresponding client obtained his settings from DHCP server. Additional security may be gained if you setup proper MAC filters on access ports of your switches.
Sven On 6 Jun 2006 19:52:59 -0000, timpacalypse () yahoo com said: > I'm looking at deploying DHCP Snooping in our environment. I just want > to make sure I've got this straight. > > We only have 1 DHCP server. So the only port that I need to say is > trusted is the one the DHCP Server is connected to, right? I don't want > anyone to be able to deploy any rogue DHCP Servers in the network. We > are using VLANS, but I don't need to set the trunk ports as trusted do I? -- Sven Édouard sven_edouard () fastmail co uk -- http://www.fastmail.fm - One of many happy users: http://www.fastmail.fm/docs/quotes.html
-- Dmitry Cherkasov
Current thread:
- DHCP Snooping timpacalypse (Jun 06)
- Re: DHCP Snooping Sven Édouard (Jun 07)
- Re: DHCP Snooping Dmitry Cherkasov (Jun 09)
- Message not available
- Re: DHCP Snooping Ivan . (Jun 09)
- Re: DHCP Snooping Sven Édouard (Jun 07)
- Re: DHCP Snooping Dmitry Cherkasov (Jun 07)
- Re: DHCP Snooping Kenton Smith (Jun 09)
- <Possible follow-ups>
- Re: DHCP Snooping s (Jun 07)
- DHCP Snooping Juan Munera (Jun 26)