Table of Contents
I. Overview
II. Introduction to DHCP Proxy Agents
III. Basic Operations of DHCP Proxy Agents
IV. Security Functions of DHCP Proxy Agents
V. Summary and Closing
Appendix A - Format of DHCP Messages in IP Address Allocation/Lease Procedure
Appendix B - Format of DHCP Messages in IP Address Renewal Procedure
Appendix C - Format of DHCP Messages in IP Address Release Procedure
I. Overview
This document provides a technical summary of a DHCP proxy agent, a device that simultaneously acts as a DHCP server and as a DHCP client. Chapter II explains the functions and advantages of DHCP proxy agents, and Chapter III describes the basic principles of a proxy agent's DHCP operations. Chapter IV explains the security functions of the DHCP proxy agent. Finally, the Appendices present the specific message parameters used by DHCP proxy agents in the DHCP procedures.
Before you read this document it is recommended that you refer to the following three companion documents “Understanding the Basic Operations of DHCP” [1], “Understanding the Detailed Operations of DHCP”[2], and “Understanding DHCP Relay Agents” [3].
II. Introduction to DHCP Proxy Agents
A DHCP relay agent simply relays broadcast DHCP packets (DHCP Discover/Request) to DHCP server(s) located in other subnets whenever it receives packets from a DHCP client residing in that same subnet. On the other hand, a DHCP proxy agent not only relays the DHCP packets between subnets, but also acts on behalf of a DHCP server, while also acting as a DHCP client. That is, it acts as a DHCP server to the DHCP client, but as a DHCP client to the DHCP server.
Figure 1 shows a comparison between the DHCP relay agent and the DHCP proxy agent. As you can see, the DHCP relay agent simply relays only the broadcast packets used in IP address allocation/lease procedures while the DHCP proxy agent, performing the functions of both a DHCP server and client, relays from one to the other all the DHCP packets (Broadcast or Unicast) used in IP address allocation/lease, IP address renewal and IP address release procedures.
Figure 1. Comparison between a DHCP relay agent and a DHCP proxy agent
Using a DHCP proxy agent instead of a DHCP relay agent has the following benefits:
III. Basic Operations of DHCP Proxy Agents
This chapter describes how a PC (e.g. PC1 in Figure 2) on the 1.1.1.0/24 subnet communicates with a DHCP server using a DHCP proxy agent for all DHCP operations, such as IP address allocation/lease, IP address renewal and IP address release.
Figure 2. Network diagram
3.1 IP Address Allocation/Lease Procedure
The DHCP proxy agent is located between a PC and the DHCP server as shown in Figure 2. The DHCP proxy agent receives the DHCP Discover and Request messages broadcast by the PC and then unicasts them directly to the DHCP server. At this point, the DHCP proxy agent enters its own IP address (the address of the interface on which the DHCP Discover/Request messages are received) into the “Relay Agent IP (=Gateway IP=giaddr)” field of the DHCP message (see footnote 1).
When the DHCP server unicasts a DHCP Offer/Ack message, it includes the relay agent’s IP address in the “destination IP address field” of the message, and then it sends the message on to the DHCP proxy agent. After checking the “Broadcast Flag” value of the received message, the DHCP proxy agent replaces the destination IP address with the PC IP address (Broadcast Flag=0) or the broadcast IP address (Broadcast Flag=1) depending on the value of the Broadcast Flag field [2], and the source IP with the DHCP proxy agent IP address. Finally, it forwards the modified message on to the PC.
Up to this point, the procedure is similar to that of the DHCP relay agent described in [3]. The important difference between a DHCP proxy agent and a DHCP relay agent is that the former replaces a DHCP server IP with the IP address of the concerned DHCP proxy agent in the DHCP Server Identifier (Option 54) field included in the DHCP Offer/Ack message. Through this process, the DHCP proxy agent is recognized as a DHCP server by the PC (DHCP client).
Figure 3. IP address allocation/lease procedure using a DHCP proxy agent
1. DHCP Discover
The DHCP client (PC) broadcasts a DHCP Discover message on the physical Ethernet subnet [1]. The DHCP proxy agent receives all packets whose UDP destination port is 67 (DHCP Discover/Request) and replaces the values in the Destination/Source MAC Address, Destination/Source IP Address and Gateway IP Address (i.e. relay agent IP address) fields of the message. Then, it unicasts the message to a DHCP server.
One thing to note here is that, in the DHCP Discover message, the source IP address and the relay agent IP address are replaced with the uplink IP address of the DHCP proxy agent (100.1.1.254) and the downlink IP address of the DHCP proxy agent (1.1.1.254), respectively. This occurs before the message is forwarded to the DHCP server.
The reasons for these substitutions are as follows. First, the source IP address is replaced because a DHCP Discover message should carry the IP address of the outgoing interface (the port from which the packet is sent) as its source IP address; thus the source IP of the DHCP Discover message becomes the uplink IP address of the DHCP proxy agent. Second, the address in the Relay Agent IP Address field is replaced because the DHCP server refers to this field when it selects an IP pool from which to allocate. Therefore, the field now holds the downlink IP address of the DHCP proxy agent, an IP address on the same subnet as the DHCP client.
2. DHCP Offer
Based on the relay agent IP address (giaddr) of the DHCP Discover message, the DHCP server first selects an IP pool and then selects an IP address from that pool to allocate to the DHCP client. Next, it sends a DHCP Offer message with the relay agent's IP address inserted into the Destination IP field of the message. Upon receiving the message, the DHCP proxy agent replaces the values in the Destination/Source MAC Address, Destination/Source IP Address and DHCP Server Identifier (Option 54) fields of the DHCP Offer message, and then unicasts or broadcasts the message to the DHCP client (PC) [2].
A DHCP Server Identifier field distinguishes DHCP servers from each other. The DHCP proxy agent replaces the IP address of the DHCP server (100.1.1.1) with its uplink IP address (100.1.1.254). The DHCP proxy agent is thus recognized by the DHCP client as the DHCP server.
3. DHCP Request
Upon receiving the DHCP Offer message sent by the proxy agent, the DHCP client (PC) broadcasts a DHCP Request message on the physical Ethernet subnet to query network information data including IP address [1]. The DHCP proxy agent, upon receiving this message, replaces the values in the Destination/Source MAC address, the Destination/Source IP address, the Gateway IP Address (i.e. the relay agent IP address) and the DHCP Server Identifier (Option 54) fields of the message. Then, it unicasts the modified message to the DHCP server.
The values in the Source IP Address and Gateway IP Address (i.e. the relay agent IP address) fields of a DHCP Request message are replaced in the same way as in the DHCP Discover message. In case of the DHCP Server Identifier field, the DHCP server discards the DHCP message if the IP address of this field does NOT match its own IP address. So, the DHCP proxy agent replaces its uplink IP address (100.1.1.254) with the DHCP server IP address (100.1.1.1).
4. DHCP Ack
The DHCP server finally determines an IP address to allocate/lease to the DHCP client. And the server sends a DHCP Ack message with the relay agent IP address (giaddr) in the DHCP Request message inserted into the destination IP address. Upon receiving this message, the DHCP proxy agent replaces the values in the Destination/Source MAC Address, Destination/Source IP Address and DHCP Server Identifier (Option 54) fields of the message. Next it unicasts or broadcasts the modified message to the DHCP client [2]. The message fields replaced here are the same as in the DHCP Offer message.
Again, an important function the DHCP proxy agent performs in the IP address allocation/lease procedure is to replace the value in the DHCP Server Identifier field in the DHCP message that is exchanged between the DHCP client and server. Figure 4 summarizes and illustrates said function and procedure.
Figure 4. Replacing the value in the DHCP Server Identifier field
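The four message rewrites described above, together with the renewal Request of 3.2 and the Release of 3.3 (which take the same client-to-server path), as an added example. This is a constructed Python model written for this page; it is neither the document's code nor any vendor's implementation. It assumes the Figure 2 addresses (1.1.1.254 downlink, 100.1.1.254 uplink, 100.1.1.1 server), models only the fields the text names (IP source/destination, giaddr, the Broadcast Flag and Option 54), and leaves out the Ethernet and UDP layers; all function and constant names are assumptions.

```python
"""Constructed model of a DHCP proxy agent's field rewrites (example code, not the
document's or any product's). Addresses follow Figure 2 of the document."""
import struct
from dataclasses import dataclass

MAGIC = b"\x63\x82\x53\x63"                    # DHCP magic cookie
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
FLAG_BROADCAST = 0x8000
PROXY_DOWNLINK = "1.1.1.254"     # client-side interface; written into giaddr
PROXY_UPLINK = "100.1.1.254"     # server-side interface; what the client sees as "server"
DHCP_SERVER = "100.1.1.1"

def ip2b(s): return bytes(int(x) for x in s.split("."))
def b2ip(b): return ".".join(str(x) for x in b)

@dataclass
class IpEnvelope:            # the IP-header fields the proxy rewrites
    src: str
    dst: str
    payload: bytes           # BOOTP/DHCP message

def parse_options(data):
    """TLV options after the magic cookie -> {code: value}; stops at END (255)."""
    opts, i = {}, 0
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0: i += 1; continue                  # pad octet
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def build_options(opts):
    return b"".join(bytes([c, len(v)]) + v for c, v in opts.items()) + bytes([OPT_END])

def build_dhcp(op, msg_type, chaddr, flags=0, giaddr="0.0.0.0", yiaddr="0.0.0.0", extra=None):
    """236-byte fixed header (RFC 2131 layout) + cookie + options. xid is a constructed value."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x3903F326, 0, flags,
                        ip2b("0.0.0.0"), ip2b(yiaddr), ip2b("0.0.0.0"), ip2b(giaddr),
                        chaddr, b"", b"")
    return fixed + MAGIC + build_options({OPT_MSG_TYPE: bytes([msg_type]), **(extra or {})})

# Fixed-header accessors: flags at offset 10, yiaddr at 16, giaddr at 24, options at 240
def get_flags(pkt): return struct.unpack("!H", pkt[10:12])[0]
def get_yiaddr(pkt): return b2ip(pkt[16:20])
def get_giaddr(pkt): return b2ip(pkt[24:28])
def set_giaddr(pkt, ip): return pkt[:24] + ip2b(ip) + pkt[28:]
def options(pkt): return parse_options(pkt[240:])
def set_option(pkt, code, value): return pkt[:240] + build_options({**options(pkt), code: value})

def proxy_to_server(env):
    """Client -> server (Discover, Request, Release): giaddr = downlink address, source IP =
    uplink address, and Option 54, when present, restored to the real server's address."""
    pkt = set_giaddr(env.payload, PROXY_DOWNLINK)
    if OPT_SERVER_ID in options(pkt):
        pkt = set_option(pkt, OPT_SERVER_ID, ip2b(DHCP_SERVER))
    return IpEnvelope(PROXY_UPLINK, DHCP_SERVER, pkt)

def proxy_to_client(env):
    """Server -> client (Offer, Ack): accept only replies the server addressed to our giaddr;
    rewrite Option 54 so the client records the proxy as its server; honour the Broadcast Flag."""
    if env.dst != PROXY_DOWNLINK:
        raise ValueError("reply not addressed to this agent's giaddr")
    pkt = set_option(env.payload, OPT_SERVER_ID, ip2b(PROXY_UPLINK))
    dst = "255.255.255.255" if get_flags(pkt) & FLAG_BROADCAST else get_yiaddr(pkt)
    return IpEnvelope(PROXY_DOWNLINK, dst, pkt)

def run_lease_exchange():
    """Walk Discover/Offer/Request/Ack through the proxy and record what each side sees."""
    mac, seen = bytes.fromhex("0011223344aa"), {}            # constructed client MAC
    # 1. Discover: client broadcasts with the Broadcast Flag set; proxy unicasts it upstream
    up = proxy_to_server(IpEnvelope("0.0.0.0", "255.255.255.255",
                                    build_dhcp(1, DISCOVER, mac, flags=FLAG_BROADCAST)))
    seen["discover"] = (up.src, up.dst, get_giaddr(up.payload))
    # 2. Offer: server picks the pool from giaddr, replies to giaddr, names itself in Option 54
    offer = IpEnvelope(DHCP_SERVER, get_giaddr(up.payload),
                       build_dhcp(2, OFFER, mac, flags=get_flags(up.payload), giaddr=get_giaddr(up.payload),
                                  yiaddr="1.1.1.10", extra={OPT_SERVER_ID: ip2b(DHCP_SERVER)}))
    down = proxy_to_client(offer)
    seen["offer"] = (down.src, down.dst, b2ip(options(down.payload)[OPT_SERVER_ID]))
    # 3. Request: the client names the server it believes in, i.e. the proxy's uplink address
    up = proxy_to_server(IpEnvelope("0.0.0.0", "255.255.255.255",
                                    build_dhcp(1, REQUEST, mac, flags=FLAG_BROADCAST,
                                               extra={OPT_SERVER_ID: ip2b(PROXY_UPLINK)})))
    seen["request"] = (up.src, up.dst, get_giaddr(up.payload), b2ip(options(up.payload)[OPT_SERVER_ID]))
    # 4. Ack: same rewrite as the Offer
    ack = IpEnvelope(DHCP_SERVER, get_giaddr(up.payload),
                     build_dhcp(2, ACK, mac, flags=get_flags(up.payload), giaddr=get_giaddr(up.payload),
                                yiaddr="1.1.1.10", extra={OPT_SERVER_ID: ip2b(DHCP_SERVER)}))
    down = proxy_to_client(ack)
    seen["ack"] = (down.src, down.dst, b2ip(options(down.payload)[OPT_SERVER_ID]))
    return seen

if __name__ == "__main__":
    for step, fields in run_lease_exchange().items():
        print(step, fields)
```

The giaddr check in proxy_to_client is the one sanity check worth keeping in a real agent: an Offer or Ack that the server did not address to the agent's own downlink interface is not this agent's to rewrite, and silently forwarding it would hand a client a Server Identifier that the server never chose. Everything else follows the section directly: Option 54 is swapped in both directions, and the Broadcast Flag, not the agent's preference, decides whether the reply goes to yiaddr or to 255.255.255.255.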
3.2 IP Address Renewal Procedure
According to the reference “Understanding the Basic Operations of DHCP” [1], a DHCP client (PC) stores the DHCP server IP address acquired through the DHCP Ack message (in the DHCP Server Identifier field) during the IP address allocation procedure. Then, when the DHCP client needs to extend its IP address lease time, it does NOT broadcast, but unicasts a DHCP Request message to that DHCP server. As shown in Figure 5, the DHCP server IP address known to the DHCP client is the uplink IP address of the DHCP proxy agent. So the message is unicast to the DHCP proxy agent, which re-processes it and forwards it to the DHCP server.
In response to the message, the DHCP server unicasts a DHCP Ack message to the DHCP client. The destination IP address used at this point is the relay agent IP address (giaddr) of the DHCP Request message. So this message is forwarded to the DHCP proxy agent, which re-processes it and forwards it to the DHCP client.
Figure 5. IP address renewal procedure in the network with a DHCP proxy agent
As described in the reference “Understanding DHCP Relay Agents” [3], a DHCP relay agent is NOT involved in this procedure, but a DHCP proxy agent receives and re-processes a DHCP Request/Ack message in communication between a client and a server.
1. DHCP Request
The DHCP client (PC) unicasts a DHCP Request message with the proxy agent’s IP address inserted into the Destination IP field of the message. Upon receiving the message, the DHCP proxy agent replaces the values in the Destination/Source MAC Address, the Destination/Source IP Address and the Gateway IP Address (i.e. the relay agent IP address) fields of the message. Next, it unicasts the modified message to the DHCP server.
2. DHCP Ack
The DHCP server sends a DHCP Ack message with the relay agent IP address (giaddr) of the DHCP Request message inserted into the Destination IP address field of the message. Upon receiving the message, the DHCP proxy agent replaces the values in the Destination/Source MAC Address, the Destination/Source IP Address and the DHCP Server Identifier (Option 54) fields of the message. Next, it unicasts the modified message to the DHCP client.
3.3 IP Address Release Procedure
In case of IP address release, a DHCP client (PC) unicasts a DHCP Release message to a DHCP server. As shown in Figure 6, the DHCP server IP address known to the DHCP client is the uplink IP address of a DHCP proxy agent. So the message is forwarded to the DHCP proxy agent, which re-processes and forwards the message to the DHCP server.
As described in the reference “Understanding DHCP Relay Agents” [3], a DHCP relay agent is NOT involved in this procedure, but a DHCP proxy agent receives and re-processes a DHCP Release message in communication between a client and a server.
Figure 6. IP address release procedure in the network with a DHCP proxy agent
1. DHCP Release
The DHCP client (PC) unicasts a DHCP Release message with the DHCP proxy agent address inserted into the Destination IP address field. Upon receiving the message, the DHCP proxy agent replaces the values in the Destination/Source MAC Address, Destination/Source IP Address, Gateway IP Address (i.e. the relay agent IP address) and DHCP Server Identifier (Option 54) message fields. Next it unicasts the modified message to the DHCP server.
IV. Security Functions of DHCP Proxy Agents (see footnote 2)
As studied in the previous chapters, a DHCP proxy agent is involved in all the DHCP messages exchanged between a DHCP client and server. This chapter covers the security function of a DHCP proxy agent, specifically the procedure for blocking any data traffic from unauthorized users whose IP addresses have not been allocated through a normal DHCP procedure. Figure 7 shows an overview of the DHCP security functions.
Figure 7. DHCP security functions of a DHCP proxy agent
4.1 Procedure for Creating an IP-to-MAC Binding Table
Figure 8 describes how an IP-to-MAC binding table is created for a DHCP proxy agent through DHCP messages.
Figure 8. Procedure for creating an IP-to-MAC binding table
❶ The DHCP proxy agent parses the parameters of a DHCP Ack message received in the last phase of the IP address allocation/lease procedure. Then in an IP-to-MAC binding table, it stores the collected information - a client (PC) MAC address (m1), a client (PC) IP address (1.1.1.10), IP address lease time (3,600 sec.) and the interface information (Ge1/1) of the DHCP proxy agent connected to a DHCP client. In addition, the DHCP proxy agent maintains the Expired Time field. Initially the value in this field is set to the same value as in the IP address Lease Time field and then it decreases by one (1) every second over time.
❷ Once the T1 timer of the DHCP client expires (1,800 seconds after the IP address allocation), the DHCP client starts the IP address renewal procedure [2]. The DHCP proxy agent then updates the Lease Time and Expired Time fields of the IP-to-MAC binding table with the IP address Lease Time (3,600 seconds) included in the DHCP Ack message.
❸ Let us assume that the DHCP client (PC) is turned off later. In this case, neither the DHCP proxy agent nor the DHCP server is aware of the situation. So, the value in the Expired Time field continues to decrease by one (1) every second until it reaches “0”, at which point the related entry in the IP-to-MAC binding table is deleted. Obviously, the entry related to the DHCP client is also deleted when a DHCP Release message is sent by the DHCP client (PC).
4.2 Procedure for Blocking Traffic from Users with an Abnormal IP Address
The DHCP proxy agent function is generally enabled in the default gateway router of a DHCP client (i.e. the first router the client connects to). Upon receiving ARP Request packets sent by a DHCP client, the DHCP proxy agent examines its own IP-to-MAC table, checking the validity of the DHCP client. Figure 9 shows the procedure in detail.
Figure 9. Blocking traffic using an IP-to-MAC binding table
❶ As PC1 in the above figure has obtained its IP address through a normal DHCP procedure, the DHCP proxy agent has already collected the information about PC1 in its IP-to-MAC binding table. When the DHCP proxy agent receives an ARP Request packet sent by PC1, it checks whether both the sender MAC address (m1) and IP address (1.1.1.10) in the packet are registered in the IP-to-MAC binding table. If they are, the proxy agent sends an ARP Reply message to PC1.
❷ As PC2 represents a client with a static IP address, there is no information (MAC address or IP address) about the client in the IP-to-MAC binding table. Thus, when the DHCP proxy agent receives an ARP Request packet sent by PC2, it does not send an ARP Reply packet since no information (MAC address (m2) and IP address (1.1.1.20)) about the client is found in the table. PC2 therefore cannot acquire the MAC address of the DHCP proxy agent (i.e. default gateway router), and will eventually fail to access the Internet.
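The table lifecycle of Figure 8 and the ARP gating of Figure 9, as an added Python model written for this page; it is not the document's code or any product's implementation. The entry fields (MAC, IP, lease time, expired time, interface) and the values (m1, 1.1.1.10, 3,600 s, Ge1/1, T1 at 1,800 s, PC2 with m2/1.1.1.20) come from the text; the class and method names, and the use of a tick counter in place of a real clock, are assumptions.

```python
"""Constructed model of the DHCP proxy agent's IP-to-MAC binding table and ARP gate
(example code, not the document's). Time is advanced explicitly with tick()."""
from dataclasses import dataclass

@dataclass
class Binding:
    mac: str
    ip: str
    iface: str          # proxy-agent interface facing the client, e.g. Ge1/1
    lease_time: int     # seconds granted in the DHCP Ack
    expired_time: int   # countdown; the entry is removed when it reaches 0

class BindingTable:
    def __init__(self):
        self._by_ip = {}                          # ip -> Binding

    def learn_from_ack(self, mac, ip, lease_time, iface):
        """Steps 1 and 2: an initial or renewal DHCP Ack creates or refreshes the entry,
        resetting Expired Time to the granted lease."""
        self._by_ip[ip] = Binding(mac, ip, iface, lease_time, lease_time)

    def release(self, mac, ip):
        """Step 3: a DHCP Release from the bound client deletes its entry."""
        b = self._by_ip.get(ip)
        if b is not None and b.mac == mac:
            del self._by_ip[ip]

    def tick(self, seconds=1):
        """Step 3: Expired Time counts down once per second; entries at 0 are dropped."""
        for ip, b in list(self._by_ip.items()):
            b.expired_time = max(0, b.expired_time - seconds)
            if b.expired_time == 0:
                del self._by_ip[ip]

    def is_bound(self, mac, ip, iface):
        b = self._by_ip.get(ip)
        return b is not None and b.mac == mac and b.iface == iface

    def answer_arp_request(self, sender_mac, sender_ip, iface):
        """Figure 9: reply to the client's ARP Request only if sender MAC and IP are bound
        on the interface the request arrived on. Return True for 'send ARP Reply'."""
        return self.is_bound(sender_mac, sender_ip, iface)

    def expired_time(self, ip):
        b = self._by_ip.get(ip)
        return b.expired_time if b is not None else None

def run_scenario():
    """Replays Figures 8 and 9 and returns the observable results at each step."""
    t, out = BindingTable(), {}
    t.learn_from_ack("m1", "1.1.1.10", 3600, "Ge1/1")       # Ack closes the lease procedure
    out["after_ack"] = t.expired_time("1.1.1.10")            # 3600
    t.tick(1800)                                             # T1 fires; client renews
    out["at_t1"] = t.expired_time("1.1.1.10")                # 1800
    t.learn_from_ack("m1", "1.1.1.10", 3600, "Ge1/1")       # renewal Ack refreshes the entry
    out["after_renewal"] = t.expired_time("1.1.1.10")        # 3600
    out["arp_pc1"] = t.answer_arp_request("m1", "1.1.1.10", "Ge1/1")          # True
    out["arp_pc2_static"] = t.answer_arp_request("m2", "1.1.1.20", "Ge1/1")   # False: unknown
    out["arp_wrong_mac"] = t.answer_arp_request("m2", "1.1.1.10", "Ge1/1")    # False: IP bound to m1
    out["arp_wrong_iface"] = t.answer_arp_request("m1", "1.1.1.10", "Ge1/2")  # False: learned on Ge1/1
    t.tick(3600)                                             # PC1 switched off; nobody renews
    out["after_expiry"] = t.expired_time("1.1.1.10")         # None: entry aged out
    out["arp_pc1_expired"] = t.answer_arp_request("m1", "1.1.1.10", "Ge1/1")  # False
    t.learn_from_ack("m1", "1.1.1.10", 3600, "Ge1/1")       # PC1 comes back, then releases
    t.release("m1", "1.1.1.10")
    out["arp_pc1_released"] = t.answer_arp_request("m1", "1.1.1.10", "Ge1/1")  # False
    return out

if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:18s} {result}")
```

The interface check in is_bound is the one addition beyond the text's MAC-plus-IP comparison: the table already records the interface (Ge1/1), so a request for a bound pair arriving on a different port can be refused at no extra cost. Note what the gate decides: only whether to answer ARP. As the section goes on to say, data packets themselves are not inspected; the same lookup applied to the source MAC and IP of every forwarded packet would be the per-packet inspection that a BRAS provides and that the proxy agent, as described here, does not.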
Having these security functions enabled means that users' attempts to access the network (e.g. the Internet) are managed through the responses to ARP Request packets. Note that this does not mean all data traffic coming from users is examined. If a hacker knows the MAC address of the default gateway (the DHCP proxy agent), which is not difficult to learn, the security features of a DHCP proxy agent can be disarmed. To make up for this weakness, some network operators have adopted a more robust security network system, called BRAS (Broadband Remote Access Server). A BRAS system can monitor and inspect all uplink and downlink user traffic. BRAS products introduced by Korean domestic network operators include the Juniper E320 and the Redback (acquired by Ericsson) SE800.
V. Summary and Closing
In this document, we have reviewed all the procedures of IP address allocation/lease, IP address renewal and IP address release performed by a DHCP proxy agent. We have also examined its security functions. Table 1 summarizes our findings, comparing a DHCP relay agent to a DHCP proxy agent.
Table 1. Comparison between a DHCP relay agent and a DHCP proxy agent
References
[1] Netmanias Technical Document, “Understanding the Basic Operations of DHCP”, November 2013
[2] Netmanias Technical Document, “Understanding the Detailed Operations of DHCP”, October 2013
[3] Netmanias Technical Document, “Understanding DHCP Relay Agents”, October 2013
Footnotes
1 Both agents perform one common function of relaying messages between a DHCP client and a DHCP server, and the IETF standards require that the IP address of the agent be stored in the Gateway IP Address (giaddr) field. In this document, a relay agent IP refers to the address in the Gateway IP Address field.
2 The security functions explained in this chapter are also supported by a DHCP relay agent. However, in such a case, the DHCP relay agent must be able to snoop all DHCP messages (including unicast ones) used in the IP address allocation and release procedures.
Appendix A - Format of DHCP Messages in IP Address Allocation/Lease Procedure
Appendix A provides detailed examples of DHCP message parameters that are replaced by a DHCP proxy agent during the IP address allocation procedure.
DHCP Discover Message
Figure 10. IP address allocation/lease procedure: DHCP Discover message
Figure 10 panels: Ethernet Header, IP Header, DHCP Message Payload.
DHCP Offer Message
Figure 11. IP address allocation/lease procedure: DHCP Offer message
Figure 11 panels: Ethernet Header, IP Header, DHCP Message Payload.
Note: In this example, as we assumed that the “Broadcast Flag” value is set to 1, the proxy agent broadcasts the message.
DHCP Request Message
Figure 12. IP address allocation/lease procedure: DHCP Request message
Figure 12 panels: Ethernet Header, IP Header, DHCP Message Payload.
DHCP Ack Message
Figure 13. IP address allocation/lease procedure: DHCP Ack message
Figure 13 panels: Ethernet Header, IP Header, DHCP Message Payload.
Note: In this example, as we assumed that the “Broadcast Flag” is set to 1, the proxy agent broadcasts the message.
Appendix B - Format of DHCP Messages in IP Address Renewal Procedure
Appendix B provides detailed examples of DHCP message parameters that are replaced by a DHCP proxy agent during the IP address renewal procedure.
DHCP Request Message
Figure 14. IP address renewal procedure: DHCP Request message
Figure 14 panels: Ethernet Header, IP Header, DHCP Message Payload.
DHCP Ack Message
Figure 15. IP address renewal procedure: DHCP Ack message
Figure 15 panels: Ethernet Header, IP Header, DHCP Message Payload.
Appendix C - Format of DHCP Messages in IP Address Release Procedure
Appendix C provides detailed examples of DHCP message parameters that are replaced by a DHCP proxy agent during the IP address release procedure.
DHCP Release Message
Figure 16. IP address release procedure: DHCP Release message
Figure 16 panels: Ethernet Header, IP Header, DHCP Message Payload.