DHCP Security Using a DHCP Proxy Agent
October 01, 2013 | By Chris Yoo (tech@netmanias.com)

In our previous blog post of September 1, 2013, which introduced the DHCP proxy agent, we mentioned that a DHCP proxy agent also offers the benefit of enhanced security. Today we will look at these security-related functions in more detail.

 

As shown in the figure below, if there is a DHCP proxy agent in a network, all DHCP messages (used in the IP address allocation, renewal and release procedures) pass through (i.e. are forwarded to) the DHCP proxy agent. Because of this, the DHCP proxy agent is able to block any traffic from users who did not obtain their IP address through DHCP but instead use a static IP address. The proxy agent can do so using one of the following two methods:

 

First, the DHCP proxy agent function is generally enabled on the default gateway router of the DHCP client (i.e. the first router the client connects to). When the client needs to send Internet traffic via that router, it first sends an ARP Request packet to the default gateway router (DHCP proxy agent) to learn the router's MAC address.

 

At this time, the DHCP proxy agent responds only to ARP Request packets whose sender IP address was allocated through the DHCP procedure, and not to those with a non-DHCP IP address (i.e. a static IP address), as illustrated in the following figure. This function comes standard in most routers.

 

Second, even with the foregoing function in place, a static IP user (malicious user) only needs the MAC address of the default gateway router to threaten network security. So, for more enhanced security, the DHCP proxy agent needs to examine the source IP address of all user data traffic as well as ARP packets, permitting packets with a DHCP-allocated IP address and denying those with a non-DHCP IP address (i.e. a static IP address). However, such an implementation is practically impossible with most regular network equipment; only a Broadband Remote Access Server (BRAS), which is capable of managing individual users, can support it.

 

Examples of such routers deployed by KT (Korea Telecom) include the Juniper E320 and the Redback (acquired by Ericsson) SE800. Just so you know, a BRAS can process user traffic on the data plane (the layers over which user data flows), and thus it can support different "QoS policies per user (e.g. bandwidth control)". That explains why it is so expensive compared to other routers.

 

 

Please note that we only cover the DHCP proxy agent function today, and will revisit BRAS next time. The figure below illustrates the security functions mentioned above in more detail.

 

In the figure, when PC1 obtains an IP address (1.1.1.0) through a normal DHCP procedure, the DHCP proxy agent creates an entry in its "IP-to-MAC binding table" on the control plane (where no user traffic is delivered, and where the router is controlled by functions such as routing protocols, ARP and the DHCP proxy agent). This table contains, for each user who received an IP address through DHCP, the user's MAC address, the IP address, the interface number of the DHCP proxy agent that the user PC connects to, the DHCP lease time and the expiry time. The expiry time is initially set to the same value as the IP lease time and thereafter decreases by one (1) every second. When it eventually reaches 0, the corresponding entry is deleted from the IP-to-MAC binding table.

 

When PC1, with its allocated IP address, sends an ARP Request packet to the default gateway router (DHCP proxy agent), the router checks whether both the Sender MAC address (m1) and the Sender IP address (1.1.1.10) in the packet are registered in the IP-to-MAC binding table. If they are, the proxy agent returns its MAC address to the user PC in an ARP Reply message.

 

However, if PC2, with a static IP address (1.1.1.20), sends an ARP Request packet to the default gateway router (DHCP proxy agent), the DHCP proxy agent does not send an ARP Reply, since no entry for the client (MAC address m2 and IP address 1.1.1.20) is found in the IP-to-MAC binding table. So, PC2 cannot access the Internet.
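To tie the pieces together, here is a small simulation (added for this post, not code from any router vendor or from Netmanias) of the control-plane IP-to-MAC binding table with its one-per-second expiry counter, the ARP Request check of method one, and the per-packet source check of method two that only a BRAS-class device can perform. Host names, MAC strings and the `on_*` method names are made up for illustration.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    mac: str
    ip: str
    iface: int     # proxy agent interface the user PC connects to
    lease: int     # DHCP lease time in seconds
    expiry: int    # remaining seconds; entry is deleted when it reaches 0


class DhcpProxyAgent:
    """Toy model of the IP-to-MAC binding table a DHCP proxy agent keeps."""

    def __init__(self, own_mac):
        self.own_mac = own_mac          # gateway router's own MAC address
        self.table = {}                 # (mac, ip) -> Binding

    def on_dhcp_ack(self, mac, ip, iface, lease):
        # A completed DHCP allocation (or renewal) creates/refreshes the entry;
        # expiry starts equal to the lease time.
        self.table[(mac, ip)] = Binding(mac, ip, iface, lease, lease)

    def on_dhcp_release(self, mac, ip):
        self.table.pop((mac, ip), None)

    def tick(self, seconds=1):
        # Expiry decreases every second; entries that hit 0 are removed.
        for key in list(self.table):
            entry = self.table[key]
            entry.expiry -= seconds
            if entry.expiry <= 0:
                del self.table[key]

    def is_bound(self, mac, ip):
        # Both the MAC and the IP must match one DHCP-created entry.
        return (mac, ip) in self.table

    def on_arp_request(self, sender_mac, sender_ip):
        # Method 1: answer only ARP Requests from a bound (MAC, IP) pair;
        # a static-IP host gets no reply and never learns the gateway MAC.
        if self.is_bound(sender_mac, sender_ip):
            return {"op": "reply", "gateway_mac": self.own_mac}
        return None

    def on_data_packet(self, src_mac, src_ip):
        # Method 2 (BRAS-style): check the source of every user data packet,
        # which also catches a host that learned the gateway MAC elsewhere.
        return "permit" if self.is_bound(src_mac, src_ip) else "deny"
```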
