DHCP (original) (raw)
27. DHCP
27.1. Cheat sheet
- Layer: 2-3 (see below)
- Purpose: Get configurations when first connecting to a network
- Vulnerability: On-path attackers can see requests and send spoofed malicious responses
- Defense: Accept as a fact of life and rely on higher layers
27.2. Protocol: DHCP
DHCP (Dynamic Host Configuration Protocol) is responsible for setting up configurations when a computer first joins a local network. These settings enable communication over LANs and the Internet, so it is sometimes considered a layer 2-3 protocol. The Internet layers are defined primarily for communication, so setup protocols like DHCP don’t fit cleanly into the abstraction barriers in the layering model.
In order to connect to a network, you need a few things:
- An IP address, so other people can contact you
- The IP address of the DNS server, so you can translate a site name like www.google.com into an IP address (DNS is covered in more detail later)
- The IP address of the router (also called the gateway), so you can contact others on the Internet
The DHCP handshake follows four steps, between you (the client) and the server (who can give you the needed IP addresses)
- Client Discover: The client broadcasts a request for a configuration.
- Server Offer: Any server able to offer IP addresses responds with some configuration settings. (In practice, usually only one server replies here.)
- Client Request: The client broadcasts which configuration it has chosen.
- Server Acknowledge: The chosen server confirms that its configuration has been chosen.
The configuration information provided in step 2 (server offer) is sometimes called a DHCP lease. The offer may include a lease time. After the time expires, the client must ask to renew the lease to keep using that configuration, or else the DHCP server will free up those settings for other devices that request leases later.
Notice that both client messages are broadcast. Step 3 (client request) must be broadcast so that if multiple servers made offers in step 2, all the servers know which one has been chosen. Sanity check: why must client discover be broadcast?1
27.3. Networking background: NAT
Because there are more computers than IPv4 addresses on the modern Internet, and not all networks support IPv6 (expanded address space) yet, DHCP supports NAT (Network Address Translation), which allows multiple computers on a local network to share an IP address. When a computer requests a configuration through DHCP, the router (DHCP server) assigns that computer a placeholder IP address. This address usually comes from a reserved block of private IP addresses that are invalid on the Internet, but can be used as placeholders in the local network.
When a computer sends a packet to the Internet, the packet passes through the router first. The router stores a record mapping the internal (source) IP address to the remote (destination) IP address, for processing potential replies. Then the router replaces the placeholder IP address with a valid IP address, and sends the packet to the remote sever on the Internet. Sanity check: does this replacement happen for the source or destination IP address?2 When the router sees an incoming packet, it checks the stored mappings, converts the destination IP address back to the correct placeholder address, and forwards the message to the original computer on the local network. With NAT, the router could potentially use a single valid IP address to send packets on behalf of every computer on the local network.
27.4. Attack
The attack on DHCP is almost identical to ARP spoofing. At the server offer step, an attacker can send a forged configuration, which the client will accept if it arrives before the legitimate configuration reply. The attacker could offer its own IP address as the gateway address, which makes the attacker a man-in-the-middle. Packets intended for the network would be sent to the attacker, who can modify them before forwarding them to the real gateway. The attacker can also become a man-in-the-middle by manipulating the DNS server address, which lets the attacker supply malicious translations between human-readable host names (www.google.com) and IP addresses (6.6.6.6).
27.5. Defenses
In reality, many networks just accept DHCP spoofing as a fact of life and rely on the higher layers to defend against attackers (the general idea: if the message sent is properly encrypted, the man-in-the-middle can’t do anything anyway).
Defending against low-layer attacks like DHCP spoofing is hard, because there is no trusted party to rely on when we’re first connecting to the network.