TECH-BLOG
In our previous blog post, dated September 1, 2013, we introduced the DHCP proxy agent and mentioned that it can offer the benefit of enhanced security. Today we will look into these security-related functions in more detail.
As shown in the figure below, if there is a DHCP proxy agent in a network, all DHCP messages (those used in the IP address allocation, renewal and release procedures) pass through (i.e. are forwarded to) the DHCP proxy agent. Because of this arrangement, the DHCP proxy agent is able to block any traffic coming from users who do not have an IP address allocated through DHCP but instead use a static IP address. The proxy agent can do so by using one of the following two methods:
First, the DHCP proxy agent function is generally enabled in the default gateway router of a DHCP client (i.e. the first router the client connects to). When the client needs to send any Internet traffic via the DHCP proxy agent (which is the default gateway router), it first sends an ARP Request packet to the default gateway router (DHCP proxy agent) to learn the router's MAC address. At this point, the DHCP proxy agent responds only to ARP Request packets whose sender IP address was allocated through the DHCP procedure, and not to those carrying a non-DHCP IP address (i.e. a static IP address), as illustrated in the following figure. This function comes standard in most routers.
Second, despite the foregoing function, a static IP user (a malicious user) only needs the MAC address of the default gateway router to threaten the network's security. So, for more enhanced security, the DHCP proxy agent needs to examine the source IP address of all user data traffic, not just ARP packets. It can then permit packets with a DHCP-allocated IP address and deny those with a non-DHCP IP address (i.e. a static IP address). However, such an implementation is practically impossible with most regular network equipment; only a Broadband Remote Access Server (BRAS), which is capable of managing users, can support it.
[Figure: DHCP Server; DHCP Proxy Agent; Authorized User (DHCP Client) whose user traffic reaches the Internet; Unauthorized User with an illegally configured static IP whose user traffic is blocked]
Examples of such routers deployed by KT (Korea Telecom) include the Juniper E320 and the Redback (acquired by Ericsson) SE800. Just so you know, a BRAS can process user traffic on the data plane (the layers over which user data flows), and thus it can support different QoS policies per user (e.g. bandwidth control). That explains why it is so expensive compared to other routers.
Please note we only cover the DHCP proxy agent function today, and will revisit BRAS next time. The figure
below illustrates the security functions mentioned above in more detail.
In the figure, when PC1 obtains an IP address (1.1.1.10) through a normal DHCP procedure, the DHCP proxy agent creates an IP-to-MAC binding table entry on the control plane (where no user traffic is delivered, and routers are controlled through functions such as routing protocols, ARP, the DHCP proxy agent, etc.). This table contains the MAC address of a user who received an IP address through the DHCP process, that IP address, the interface number of the DHCP proxy agent that the user PC connects to, the DHCP lease time and the expiry time. The expiry time is initially set equal to the IP lease time, and thereafter decreases by one (1) every second. When it eventually reaches 0, the relevant entry is deleted from the IP-to-MAC binding table.
When PC1, with an allocated IP address, sends an ARP Request packet to the default gateway router (DHCP proxy agent), the proxy agent that receives the packet checks whether or not both the Sender MAC address (m1) and the Sender IP address (1.1.1.10) in the packet are registered in the IP-to-MAC binding table. If they are, the proxy agent returns its MAC address to the user PC in an ARP Reply message.
However, if PC2, with a static IP address (1.1.1.20), sends an ARP Request packet to the default gateway router (DHCP proxy agent), the DHCP proxy agent does not send any ARP Reply packet, since no information about the client (MAC address m2 and IP address 1.1.1.20) is found in the IP-to-MAC binding table. So PC2 cannot access the Internet.
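To make the binding-table checks concrete, here is an added example (not code from the original post or from any router vendor) that models the IP-to-MAC binding table, its per-second expiry countdown, the ARP filtering of the first method and the per-packet source-IP check of the second method; the class and method names are assumptions chosen for this illustration.

```python
# Added example: a minimal model of the DHCP proxy agent's IP-to-MAC binding
# table and the two checks described above (ARP filtering and per-packet
# source-IP filtering). Not the page's or any vendor's code; the class and
# method names are assumptions chosen for this illustration.
from dataclasses import dataclass


@dataclass
class Binding:
    mac: str
    ip: str
    interface: str      # proxy agent interface the client is connected to
    lease_time: int     # seconds, as granted in the DHCP Ack
    expire_time: int    # starts equal to lease_time, decremented every second


class DhcpProxyAgent:
    def __init__(self, mac: str, ip: str):
        self.mac = mac              # router (default gateway) MAC, e.g. m10
        self.ip = ip                # router IP, e.g. 1.1.1.254
        self.bindings: dict[tuple[str, str], Binding] = {}

    def on_dhcp_ack(self, mac: str, ip: str, interface: str, lease: int) -> None:
        """Control plane: a DHCP Ack forwarded through the proxy creates a binding."""
        self.bindings[(mac, ip)] = Binding(mac, ip, interface, lease, lease)

    def tick(self, seconds: int = 1) -> None:
        """Age every entry; an entry whose expire_time reaches 0 is removed."""
        for key in list(self.bindings):
            b = self.bindings[key]
            b.expire_time = max(0, b.expire_time - seconds)
            if b.expire_time == 0:
                del self.bindings[key]

    def is_bound(self, mac: str, ip: str) -> bool:
        return (mac, ip) in self.bindings

    def on_arp_request(self, sender_mac: str, sender_ip: str, target_ip: str):
        """Method 1: reply only when sender MAC *and* IP are in the binding table."""
        if target_ip != self.ip or not self.is_bound(sender_mac, sender_ip):
            return None                       # ignore (discard) the ARP Request
        return {"sender_mac": self.mac, "sender_ip": self.ip,
                "target_mac": sender_mac, "target_ip": sender_ip}

    def filter_user_packet(self, src_mac: str, src_ip: str) -> str:
        """Method 2 (BRAS-style): inspect every data packet, not just ARP."""
        return "permit" if self.is_bound(src_mac, src_ip) else "deny"
```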
[Figure: PC1 (MAC=m1) on an L2 network exchanges DHCP Discover/Request and DHCP Offer/Ack through the DHCP proxy agent (MAC=m10, IP=1.1.1.254, interface Ge1/1) with the DHCP server. Case 1, Matched: PC1's ARP Request (SIP=1.1.1.10) is answered with an ARP Reply and PC1 gets Internet access. PC2 (MAC=m2) has IP address 1.1.1.20 configured illegally. Case 2, Not Matched: the proxy agent ignores (discards) its ARP Request for 1.1.1.254.]