When we introduced the DHCP proxy agent in our previous blog post, dated September 1, 2013, we mentioned that it can offer the benefit of enhanced security. Today we look into these security-related functions in more detail.
As shown in the figure below, if there is a DHCP proxy agent in a network, all DHCP messages (used in the IP address allocation, renewal and release procedures) pass through (i.e. are forwarded to) the DHCP proxy agent. Because of this arrangement, the DHCP proxy agent is able to block any traffic coming from users who do not have an IP address allocated through DHCP but instead use a static IP address. The proxy agent can do so by one of the following two methods:
First, the DHCP proxy agent function is generally enabled in the default gateway router of a DHCP client (i.e. the first router the client connects to). When the client needs to send any Internet traffic via the DHCP proxy agent (the default gateway router), it first sends an ARP Request packet to the default gateway router (DHCP proxy agent) to learn the MAC address of that router.
In this case, the DHCP proxy agent responds only to ARP Request packets whose sender IP address was allocated through the DHCP procedure, and not to those with a non-DHCP IP address (i.e. a static IP address), as illustrated in the following figure. This function comes standard in most routers.
Second, despite the foregoing function, a static IP user (a malicious user) who obtains the MAC address of the default gateway router by some other means can still threaten network security. So, for more enhanced security, the DHCP proxy agent needs to examine the IP address of all user data traffic as well as of ARP packets. It can then permit packets with a DHCP-allocated IP address and deny those with a non-DHCP IP address (i.e. a static IP address). However, such an implementation is practically impossible with most regular network equipment; only a Broadband Remote Access Server (BRAS), which is capable of managing individual users, can support it.
Examples of such routers deployed by KT (Korea Telecom) include the Juniper E320 and the Redback (acquired by Ericsson) SE800. Just so you know, a BRAS can process user traffic on the data plane (the layer over which user data flows), and thus it is possible to support different "QoS policies per user (e.g. bandwidth control)". That explains why it is so expensive compared to other routers.
Please note we only cover the DHCP proxy agent function today, and will revisit BRAS next time. The figure below illustrates the security functions mentioned above in more detail.
In the figure, when PC1 obtains an IP address (1.1.1.0) through a normal DHCP procedure, the DHCP proxy agent creates an entry in an "IP-to-MAC binding table" on the control plane (where no user traffic is delivered, and where the router is controlled through functions such as routing protocols, ARP, the DHCP proxy agent, etc.). Each entry contains the MAC address of the user who received an IP address through DHCP, the IP address, the interface number of the DHCP proxy agent that the user PC connects to, the DHCP lease time and the expiry time. The expiry time is initially set equal to the IP lease time, and thereafter decreases by one (1) every second. When it eventually reaches 0, the corresponding entry is deleted from the IP-to-MAC binding table.
When PC1, which has a DHCP-allocated IP address, sends an ARP Request packet to the default gateway router (DHCP proxy agent), the proxy agent checks whether both the Sender MAC address (m1) and the Sender IP address (1.1.1.10) in the packet are registered in the IP-to-MAC binding table. If they are, the proxy agent returns its own MAC address to the user PC in an ARP Reply message.
However, if PC2 with a static IP address (1.1.1.20) sends an ARP Request packet to the default gateway router (DHCP proxy agent), the DHCP proxy agent does not send any ARP Reply, since no matching information (MAC address (m2) and IP address (1.1.1.20)) about the client is found in the IP-to-MAC binding table. So, PC2 cannot access the Internet.
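The following toy model replays the scenario above end to end: the IP-to-MAC binding table populated from DHCP on the control plane, the countdown of the expiry time, the ARP Request check of method 1, and the per-packet data-plane check of method 2 that only a BRAS would perform. It is an added example and not code from the original post or from any router vendor; the class and method names, the gateway addresses (gw-mac, 1.1.1.1), the interface numbers and the lease lengths are assumptions, while PC1 (m1, 1.1.1.10 via DHCP) and PC2 (m2, 1.1.1.20 static) follow the post's figure.

```python
# Toy model of the DHCP proxy agent behaviour described in the post.
# Added illustration only; not code from the original post or any vendor.
# Assumed: class/method names, gateway "gw-mac"/1.1.1.1, interface numbers,
# lease lengths. PC1 = m1/1.1.1.10 (DHCP), PC2 = m2/1.1.1.20 (static) as in
# the post's figure.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Binding:
    """One row of the IP-to-MAC binding table."""
    mac: str
    ip: str
    interface: int
    lease_time: int    # seconds granted in the DHCP ACK
    expiry_time: int   # starts equal to lease_time, counts down each second


class DhcpProxyAgent:
    def __init__(self, gateway_mac: str, gateway_ip: str) -> None:
        self.gateway_mac = gateway_mac
        self.gateway_ip = gateway_ip
        # keyed on the (MAC, IP) pair, because both must match
        self.table: Dict[Tuple[str, str], Binding] = {}

    # --- control plane: the proxy sees every DHCP message ---------------
    def on_dhcp_ack(self, mac: str, ip: str, interface: int, lease: int) -> None:
        """Allocation or renewal: (re)create the entry with a full lease."""
        self.table[(mac, ip)] = Binding(mac, ip, interface, lease, lease)

    def on_dhcp_release(self, mac: str, ip: str) -> None:
        """Release: the client gave the address back, so drop the entry."""
        self.table.pop((mac, ip), None)

    def tick(self, seconds: int = 1) -> None:
        """Advance the clock; entries whose expiry time reaches 0 are removed."""
        for key in list(self.table):
            entry = self.table[key]
            entry.expiry_time -= seconds
            if entry.expiry_time <= 0:
                del self.table[key]

    def is_bound(self, mac: str, ip: str) -> bool:
        return (mac, ip) in self.table

    # --- method 1: answer ARP only for DHCP-bound senders ---------------
    def handle_arp_request(self, sender_mac: str, sender_ip: str) -> Optional[dict]:
        """Return the ARP Reply the gateway would send, or None (no reply)."""
        if not self.is_bound(sender_mac, sender_ip):
            return None
        return {
            "op": "reply",
            "sender_mac": self.gateway_mac,   # what the client wanted to learn
            "sender_ip": self.gateway_ip,
            "target_mac": sender_mac,
            "target_ip": sender_ip,
        }

    # --- method 2: check the source of every data packet (BRAS-style) ---
    def filter_data_packet(self, src_mac: str, src_ip: str) -> str:
        """'permit' for a DHCP-bound source, 'deny' for anything else."""
        return "permit" if self.is_bound(src_mac, src_ip) else "deny"


def walkthrough() -> dict:
    """Replays the post's scenario and returns the observable results."""
    gw = DhcpProxyAgent(gateway_mac="gw-mac", gateway_ip="1.1.1.1")

    # PC1 completes DHCP on interface 1 with a 3600 s lease (constructed values)
    gw.on_dhcp_ack("m1", "1.1.1.10", interface=1, lease=3600)
    # PC2 configured 1.1.1.20 statically: the proxy never saw a DHCP ACK for it

    results = {
        "pc1_arp": gw.handle_arp_request("m1", "1.1.1.10"),
        "pc2_arp": gw.handle_arp_request("m2", "1.1.1.20"),
        "pc1_data": gw.filter_data_packet("m1", "1.1.1.10"),
        "pc2_data": gw.filter_data_packet("m2", "1.1.1.20"),
        # a bound IP paired with a different MAC is not a match either
        "mismatch_data": gw.filter_data_packet("m2", "1.1.1.10"),
    }

    # half the lease elapses, PC1 renews, then a full lease length passes
    gw.tick(1800)
    results["expiry_after_1800s"] = gw.table[("m1", "1.1.1.10")].expiry_time
    gw.on_dhcp_ack("m1", "1.1.1.10", interface=1, lease=3600)
    results["expiry_after_renewal"] = gw.table[("m1", "1.1.1.10")].expiry_time
    gw.tick(3600)
    results["pc1_arp_after_expiry"] = gw.handle_arp_request("m1", "1.1.1.10")
    return results


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

Two design points are worth noting. The table is keyed on the (MAC, IP) pair, so a packet whose IP is bound but whose MAC is not (or vice versa) is treated exactly like PC2; this is the check L9 describes when it says both the Sender MAC and Sender IP must be registered. Renewal simply rewrites the entry with a fresh lease, which is why the expiry time jumps back to the full lease length, and once the countdown reaches 0 the entry disappears and PC1 is refused an ARP Reply until it runs DHCP again.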