Security Basics mailing list archives
DHCP Snooping
From: "Juan Munera" <jmunera () avborne aero>
Date: Mon, 26 Jun 2006 08:38:19 -0400
Ports that should be trusted are the DHCP server as well as the gateway/router. All client ports should be untrusted. They will only be able to forward DHCP requests. In the case that any client sends out a DHCP acknowledgement, that port is shut down.

-----Original Message-----
From: Dmitry Cherkasov [mailto:doctorchd () gmail com]
Sent: Thursday, June 08, 2006 7:21 AM
To: Sven Édouard
Cc: security-basics () securityfocus com
Subject: Re: DHCP Snooping

2006/6/7, Sven Édouard <sven_edouard () fastmail co uk>:
> DHCP security is ultimately a tricky proposition. Keep in mind that these communications are sent over UDP, which can be spoofed; therefore, what you would need to do is force everyone's configuration to be a static one in order to avoid a spoofed response condition.
Port-based VLANs solve this problem. No traffic between clients is sent past the router.
> Also, there is the risk that someone on your network is using the same MAC address as another user, and therefore could see all of the traffic intended for that user. I think you could cover these cases by deploying VLANs, but I just wanted to bring up these potential issues.
DHCP-authorized ARP solves this issue. The MAC is present in the ARP table of the router only when the corresponding client has obtained its settings from the DHCP server. Additional security may be gained if you set up proper MAC filters on the access ports of your switches.
> Sven
>
> On 6 Jun 2006 19:52:59 -0000, timpacalypse () yahoo com said:
> > I'm looking at deploying DHCP Snooping in our environment. I just want to make sure I've got this straight. We only have 1 DHCP server. So the only port that I need to say is trusted is the one the DHCP Server is connected to, right? I don't want anyone to be able to deploy any rogue DHCP Servers in the network. We are using VLANs, but I don't need to set the trunk ports as trusted, do I?
>
> --
> Sven Édouard
> sven_edouard () fastmail co uk
> -- http://www.fastmail.fm - One of many happy users: http://www.fastmail.fm/docs/quotes.html
--
Dmitry Cherkasov
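The thread describes three switch behaviours without showing them working together: DHCP snooping forwards client requests from untrusted ports and shuts a port down when a server-type message appears on it (Juan's message), the snooping binding table is built from server replies on the trusted port, and DHCP-authorized ARP (dynamic ARP inspection) only accepts ARP from an untrusted port when the sender's MAC/IP matches that binding (Dmitry's reply, covering the duplicate-MAC case Sven raised). The model below is an added example written for this page; it is not code from any poster and not a vendor's implementation. The port names (Gi1/0/1, Gi1/0/48), MAC addresses, IP addresses and the DHCP payloads it builds are all constructed for the demonstration; it parses real DHCP framing (236-byte BOOTP header, magic cookie, option 53) so it can be pointed at captured payloads too.

```python
# Added example (not code from the thread): a small model of the decisions a
# switch makes with DHCP snooping and DHCP-authorized ARP (dynamic ARP
# inspection) enabled. Port names, MACs and addresses are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# DHCP message types carried in option 53 (RFC 2132).
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = 1, 2, 3, 4, 5, 6, 7, 8
CLIENT_MSGS = {DISCOVER, REQUEST, DECLINE, RELEASE, INFORM}  # may arrive on any port
SERVER_MSGS = {OFFER, ACK, NAK}                              # legitimate only from trusted ports
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def dhcp_message_type(payload: bytes) -> Optional[int]:
    """Return the option-53 message type of a DHCP payload, or None if malformed."""
    # BOOTP fixed header is 236 bytes, followed by the 4-byte magic cookie.
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload):
        opt = payload[i]
        if opt == 0:            # pad option, single byte
            i += 1
            continue
        if opt == 255:          # end of options
            break
        if i + 1 >= len(payload):
            return None         # truncated option header
        length = payload[i + 1]
        if opt == 53 and length == 1 and i + 2 < len(payload):
            return payload[i + 2]
        i += 2 + length
    return None


def client_mac(payload: bytes) -> str:
    return ":".join(f"{b:02x}" for b in payload[28:34])   # chaddr (Ethernet, 6 bytes)


def yiaddr(payload: bytes) -> str:
    return ".".join(str(b) for b in payload[16:20])       # "your" (assigned) address


def build_dhcp(mtype: int, mac: bytes, assigned: bytes = b"\x00\x00\x00\x00") -> bytes:
    """Construct a minimal DHCP payload (constructed sample data for the demo)."""
    hdr = bytearray(236)
    hdr[0] = 1 if mtype in CLIENT_MSGS else 2   # op: BOOTREQUEST / BOOTREPLY
    hdr[1], hdr[2] = 1, 6                       # htype Ethernet, hlen 6
    hdr[16:20] = assigned
    hdr[28:34] = mac
    return bytes(hdr) + MAGIC_COOKIE + bytes([53, 1, mtype, 255])


@dataclass
class SnoopingSwitch:
    trusted: Set[str]                                   # ports facing the DHCP server / router
    pending: Dict[str, str] = field(default_factory=dict)               # client MAC -> access port
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # MAC -> (IP, port)
    errdisabled: Set[str] = field(default_factory=set)

    def handle_dhcp(self, port: str, payload: bytes) -> str:
        """Decide what to do with a DHCP packet seen on `port`."""
        if port in self.errdisabled:
            return "drop"
        mtype = dhcp_message_type(payload)
        if mtype is None:
            return "drop"
        if port in self.trusted:
            # A server ACK on a trusted port creates a binding, keyed to the
            # access port where the client's own request was seen.
            if mtype == ACK:
                client_port = self.pending.pop(client_mac(payload), None)
                if client_port is not None:
                    self.bindings[client_mac(payload)] = (yiaddr(payload), client_port)
            return "forward"
        # Untrusted port: a server-type message here means a rogue DHCP server.
        if mtype in SERVER_MSGS:
            self.errdisabled.add(port)
            return "errdisable"
        if mtype in (DISCOVER, REQUEST):
            self.pending[client_mac(payload)] = port
        return "forward"

    def handle_arp(self, port: str, sender_mac: str, sender_ip: str) -> str:
        """DHCP-authorized ARP: on untrusted ports the sender must match a binding."""
        if port in self.trusted:
            return "forward"
        if self.bindings.get(sender_mac) == (sender_ip, port):
            return "forward"
        return "drop"


def run_demo() -> Dict[str, str]:
    """Walk through the scenarios discussed in the thread; returns each decision."""
    mac_a = bytes.fromhex("aabbcc000001")      # legitimate client on Gi1/0/1 (constructed)
    mac_b = bytes.fromhex("aabbcc000002")      # rogue server on Gi1/0/2 (constructed)
    sw = SnoopingSwitch(trusted={"Gi1/0/48"})  # uplink to the DHCP server and gateway
    out: Dict[str, str] = {}
    out["client_discover"] = sw.handle_dhcp("Gi1/0/1", build_dhcp(DISCOVER, mac_a))
    out["server_ack"] = sw.handle_dhcp("Gi1/0/48", build_dhcp(ACK, mac_a, bytes([10, 0, 0, 20])))
    out["rogue_offer"] = sw.handle_dhcp("Gi1/0/2", build_dhcp(OFFER, mac_b, bytes([10, 0, 0, 99])))
    out["rogue_after"] = sw.handle_dhcp("Gi1/0/2", build_dhcp(DISCOVER, mac_b))
    out["arp_ok"] = sw.handle_arp("Gi1/0/1", "aa:bb:cc:00:00:01", "10.0.0.20")
    out["arp_cloned_mac"] = sw.handle_arp("Gi1/0/3", "aa:bb:cc:00:00:01", "10.0.0.20")
    out["arp_wrong_ip"] = sw.handle_arp("Gi1/0/1", "aa:bb:cc:00:00:01", "10.0.0.21")
    return out


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:16} {decision}")
```

The binding is keyed to the access port where the client's request was seen, not to the port the ACK arrived on, which is why the cloned-MAC host on Gi1/0/3 is dropped even though its MAC and IP match a valid lease. Trunk ports carrying the VLAN toward the real server need to be in the trusted set, otherwise the server's replies are treated exactly like the rogue OFFER here.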