
NETMANIAS

TECH-BLOG

Please visit www.netmanias.com to view more posts

DHCP Security Using a DHCP Proxy Agent


October 1, 2013 | By Chris (tech@netmanias.com) | Netmanias Tech-Blog | www.netmanias.com

In our previous blog post, dated September 1, 2013, we introduced the DHCP proxy agent and mentioned that it
can offer the benefit of enhanced security. Today we will look into these security-related functions in more
detail.
As shown in the figure below, if there is a DHCP proxy agent in a network, all DHCP messages (used in the IP
address allocation, renewal and release procedures) pass through (i.e. are forwarded to) the DHCP proxy agent.
Because of this, the DHCP proxy agent is able to block any traffic coming from users who do not have an IP
address allocated through DHCP but use a static IP address instead. The proxy agent can do so by using one of
the following two methods:

First, the DHCP proxy agent function is generally enabled in the default gateway router of the DHCP client (i.e.
the first router the client connects to). When the client needs to send any Internet traffic via the DHCP proxy
agent (which is the default gateway router), it first sends an ARP Request packet to the default gateway router
(DHCP proxy agent) to learn the MAC address of the default gateway router.
The DHCP proxy agent responds only to ARP Request packets whose sender IP address was allocated through
the DHCP procedure, and not to those carrying a non-DHCP IP address (i.e. a static IP address), as illustrated
in the following figure. This function comes standard in most routers.

Second, despite the foregoing function, all a static IP user (a malicious user) needs in order to threaten the
network's security is the MAC address of the default gateway router. So, for stronger security, the DHCP proxy
agent needs to examine the source IP address of all user data traffic as well as of ARP packets. It can then
permit packets with a DHCP-allocated IP address and deny those with a non-DHCP IP address (i.e. a static IP
address). However, such an implementation is practically impossible with most regular network equipment;
only a Broadband Remote Access Server (BRAS), which is capable of managing users, can support it.
[Figure: DHCP proxy agent blocking an unauthorized user. A DHCP client (authorized user) and an
unauthorized user with an illegally configured static IP both connect to the DHCP proxy agent, which sits in
front of the DHCP server and the Internet; only the authorized user's traffic reaches the Internet.]

A DHCP proxy agent:
 - Refers to the IP-to-MAC binding table
 - Discards all ARP Request packets sent by a user who has not acquired its IP address through DHCP
 - Prevents such users from accessing the Internet

Some of the routers of this kind introduced by KT (Korea Telecom) include the Juniper E320 and the Redback
(acquired by Ericsson) SE800. Just so you know, a BRAS can process user traffic on the data plane (the layers
over which user data flows), and thus it is possible to support different QoS policies per user (e.g. bandwidth
control). That explains why it is so expensive compared to other routers.


Please note that we only cover the DHCP proxy agent function today, and will revisit BRAS next time. The figure
below illustrates the security functions mentioned above in more detail.
In the figure, when PC1 obtains an IP address (1.1.1.10) through a normal DHCP procedure, the DHCP proxy
agent creates an entry in its IP-to-MAC binding table on the control plane (where no user traffic is delivered,
and the router is controlled through functions such as routing protocols, ARP, the DHCP proxy agent, etc.).
For each user who received an IP address through DHCP, this table contains the user's MAC address, IP
address, the interface of the DHCP proxy agent that the user PC connects to, the DHCP lease time and the
expired time. The expired time is initially set equal to the IP lease time, and thereafter decreases by one (1)
every second. When it eventually reaches 0, the relevant entry is deleted from the IP-to-MAC binding table.
When PC1, with an allocated IP address, sends an ARP Request packet to the default gateway router (DHCP
proxy agent), the proxy agent checks whether both the Sender MAC address (m1) and the Sender IP address
(1.1.1.10) in the packet are registered in the IP-to-MAC binding table. If they are, the proxy agent returns its
own MAC address to the user PC in an ARP Reply message.
However, if PC2, with a static IP address (1.1.1.20), sends an ARP Request packet to the default gateway router
(DHCP proxy agent), the DHCP proxy agent does not send any ARP Reply, since no information about the
client (MAC address m2 and IP address 1.1.1.20) is found in the IP-to-MAC binding table. So, PC2 cannot
access the Internet.
[Figure: DHCP proxy agent security functions in detail]
 - PC1 (MAC=m1) and PC2 (MAC=m2) sit on an L2 network behind the DHCP proxy agent (MAC=m10,
   IP=1.1.1.254), which they reach via interface Ge1/1; the DHCP server is beyond the proxy agent.
 - PC1's DHCP Discover/Request is relayed to the DHCP server, and the DHCP Offer/Ack is relayed back with
   payload {Your IP=1.1.1.10, Client MAC=m1}.
 - IP-to-MAC binding table built by the proxy agent:

     MAC   IP Address   Interface   Lease Time   Expired Time
     m1    1.1.1.10     Ge1/1       3600 sec     3000 sec

 - (1) PC1 sends ARP Request "Who has 1.1.1.254? Tell 1.1.1.10/m1" ("Please let us know your MAC address").
   Matched in the table, so the proxy agent sends ARP Reply "1.1.1.254 is at m10" ("My MAC address is m10"),
   and PC1's Internet traffic (SIP=1.1.1.10) is forwarded via Ge1/1.
 - (2) PC2, with IP address 1.1.1.20 configured illegally at the PC, sends ARP Request "Who has 1.1.1.254? Tell
   1.1.1.20/m2" because it needs the MAC address of the default gateway (1.1.1.254) to access the Internet.
   Not matched in the table, so the ARP Request packet is ignored (discarded) and PC2 is left waiting
   ("What's taking so long?").
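As an added illustration (not code from the Netmanias post or from any router vendor), the following Python model implements the binding table and both filtering methods described above: the control-plane entry learned from the DHCP Ack with its expired-time countdown, the ARP Request check on the sender MAC+IP pair (method 1), and the BRAS-style data-plane source check (method 2). The class and method names and the sample values (m1, m2, m10, 1.1.1.x, Ge1/1) are constructed to match the figure.

```python
from dataclasses import dataclass

@dataclass
class Binding:
    mac: str
    ip: str
    interface: str
    lease_time: int    # seconds granted in the DHCP Ack
    expired_time: int  # countdown copy of lease_time; entry removed at 0

class DhcpProxyAgent:
    def __init__(self, gw_ip, gw_mac):
        self.gw_ip, self.gw_mac = gw_ip, gw_mac
        self.table = {}  # (mac, ip) -> Binding, kept on the control plane

    def learn_dhcp_ack(self, client_mac, your_ip, interface, lease):
        # Entry created from the relayed DHCP Ack {Your IP, Client MAC}.
        self.table[(client_mac, your_ip)] = Binding(client_mac, your_ip, interface, lease, lease)

    def tick(self, seconds=1):
        # Expired time decreases every second; at 0 the entry is deleted.
        for key, b in list(self.table.items()):
            b.expired_time -= seconds
            if b.expired_time <= 0:
                del self.table[key]

    def handle_arp_request(self, sender_mac, sender_ip, target_ip):
        # Method 1: reply only if the sender MAC+IP pair is a DHCP binding;
        # otherwise silently discard, so the sender never learns the gateway MAC.
        if target_ip != self.gw_ip or (sender_mac, sender_ip) not in self.table:
            return None
        return f"{self.gw_ip} is at {self.gw_mac}"

    def permit_user_packet(self, src_mac, src_ip):
        # Method 2 (BRAS-class data-plane check): forward only DHCP-bound sources.
        return (src_mac, src_ip) in self.table

def demo():
    # Constructed scenario matching the figure: PC1 (m1) via DHCP, PC2 (m2) static.
    agent = DhcpProxyAgent("1.1.1.254", "m10")
    agent.learn_dhcp_ack("m1", "1.1.1.10", "Ge1/1", 3600)
    agent.tick(600)  # 600 s into the lease: expired time is now 3000 sec
    return {
        "pc1_arp": agent.handle_arp_request("m1", "1.1.1.10", "1.1.1.254"),
        "pc2_arp": agent.handle_arp_request("m2", "1.1.1.20", "1.1.1.254"),
        "pc1_data": agent.permit_user_packet("m1", "1.1.1.10"),
        "pc2_data": agent.permit_user_packet("m2", "1.1.1.20"),
        "expired": agent.table[("m1", "1.1.1.10")].expired_time,
    }
```

Because the lookup key is the (MAC, IP) pair, a host that keeps a DHCP-allocated address after its lease entry has expired is treated exactly like PC2 and loses gateway reachability until it renews.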


Visit http://www.netmanias.com to view and download more technical documents.


About NMC Consulting Group (www.netmanias.com)


NMC Consulting Group is an advanced and professional network consulting company, specializing in IP network
areas (e.g., FTTH, Metro Ethernet and IP/MPLS), service areas (e.g., IPTV, IMS and CDN), and wireless network
areas (e.g., Mobile WiMAX, LTE and Wi-Fi) since 2002.
Copyright 2002-2013 NMC Consulting Group. All rights reserved.
