Dynamic Host Configuration Protocol

This requires an agent on every host that is to be protected. In this case, a DHCP client that has not yet acquired an IP address cannot communicate directly with the DHCP server using IP routing, because it has neither a routable IP address nor knowledge of the IP address of a router.

Some switch vendors have devised a defense against this form of attack that imposes very strict control over what ARP packets are allowed into the network. For example, browsers use DHCP Inform to obtain web proxy settings via WPAD.

When DHCP servers are allocating IP addresses to the clients on the LAN, DHCP snooping can be configured on LAN switches to harden the security on the LAN so that only clients with specific IP/MAC addresses have access to the network. Alternatively, IPv6 hosts may use stateless address autoconfiguration to generate an IP address. A DHCP client may request more information than the server sent with the original DHCPOFFER. The server specifies the offered IP address in the YIADDR (Your IP Address) field.

In addition to IP addresses, DHCP also provides other configuration information, particularly the IP addresses of local caching DNS resolvers. In computer networking DHCP snooping is a series of techniques applied to ensure the security of an existing DHCP infrastructure. While both versions bear the same name and perform much the same purpose, the details of the protocol for IPv4 and IPv6 are sufficiently different that they can be considered separate protocols. Computers that are connected to IP networks must be configured before they can communicate with other computers on the network. DHCP allows a computer to be configured automatically, eliminating the need for intervention by a network administrator. The DHCP server manages a pool of IP addresses and information about client configuration parameters such as default gateway, domain name, the name servers, other servers such as time servers, and so forth. However, DHCP servers can also provide IP addresses for multiple subnets. This message contains the client's MAC address, the IP address that the server is offering, the subnet mask, the lease duration, and the IP address of the DHCP server making the offer. It is a portable ARP handler which detects and blocks all Man In The Middle attacks through ARP poisoning and spoofing attacks with a static ARP inspection (SARPI) and dynamic ARP inspection (DARPI) approach on switched or hubbed LANs with or without DHCP. Such queries do not cause the DHCP server to refresh the IP expiry time in its database. When a DHCP server receives an IP lease request from a client, it reserves an IP address for the client and extends an IP lease offer by sending a DHCPOFFER message to the client. The query is typically initiated immediately after booting, and must complete before the client can initiate IP-based communication with other hosts. Dynamic Host Configuration Protocol automates network-parameter assignment to network devices from one or more DHCP servers. 
It also provides a central database for keeping track of computers that have been connected to the network. The Dynamic Host Configuration Protocol (DHCP) is an auto configuration protocol used on IP networks.

DHCP Host - There are two versions of DHCP, one for IPv4 and one for IPv6. Even in small networks, DHCP is useful because it makes it easy to add new machines to the network. Hosts that do not use DHCP for address configuration may still use it to obtain other configuration information. The relay agent stores its own IP address in the GIADDR field of the DHCP packet. The DHCP client broadcasts on the local link; the relay agent receives the broadcast and transmits it to one or more DHCP servers using unicast.

An open source solution is ArpON "Arp handler inspectiON". In small networks, where only one IP subnet is being managed, DHCP clients communicate directly with DHCP servers. On receiving a valid request, the server assigns the computer an IP address, a lease (length of time the allocation is valid), and other IP configuration parameters, such as the subnet mask and the default gateway.

In the absence of DHCP, hosts may be manually configured with an IP address. ARP security checks the IP address in the Source Protocol Address field of ARP packets.

If that IP address is not an address that DHCP snooping has recorded as being in use by a host connected to the ingress port of the ARP, then the ARP packet is dropped. This prevents two computers from accidentally being configured with the same IP address.[2] The client may also request repeat data for a particular application. The DHCP server uses the GIADDR to determine the subnet on which the relay agent received the broadcast, and allocates an IP address on that subnet. In order to allow DHCP clients on subnets not directly served by DHCP servers to communicate with DHCP servers, DHCP relay agents can be installed on these subnets.

When a DHCP-configured client (a computer or any other network-aware device) connects to a network, the DHCP client sends a broadcast query requesting necessary information from a DHCP server. ARP spoofing is a common method of attacking a network by stealing the IP address of a network server and sniffing the traffic passed to it. IPv4 hosts may use link-local addressing to achieve limited local connectivity.

ARP security can guard against this poisoning by its strict control of what ARP packets are allowed to be forwarded.

The server determines the configuration based on the client's hardware address as specified in the CHADDR (Client Hardware Address) field. The relay agent then retransmits the response on the local network. When the DHCP server replies to the client, it sends the reply to the GIADDR address, again using unicast.
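The fields named above (CHADDR, YIADDR, GIADDR) sit in the fixed BOOTP header that every DHCPv4 message begins with, followed by the magic cookie and the TLV option list. The following parser is an added example written for this page, not code from the original post or from any DHCP implementation; the sample DHCPACK it decodes is constructed inline (addresses, MAC and transaction id are made up), and `DhcpMessage`, `parse_dhcp` and `build_dhcp` are hypothetical names. Because option lengths come from the wire, the parser rejects an option whose declared length runs past the end of the packet instead of silently reading short.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# Fixed-length BOOTP header every DHCPv4 message starts with (RFC 2131, section 2).
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 236 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"         # separates the header from the options

MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}


@dataclass
class DhcpMessage:
    op: int
    xid: int
    ciaddr: str
    yiaddr: str            # "Your IP address": the address the server offers or assigns
    siaddr: str
    giaddr: str            # relay agent address; 0.0.0.0 when the client spoke directly
    chaddr: str            # client hardware (MAC) address, formatted from the first hlen bytes
    options: dict = field(default_factory=dict)

    @property
    def message_type(self) -> str:
        raw = self.options.get(53)
        return MESSAGE_TYPES.get(raw[0], "unknown") if raw else "unknown"

    @property
    def relayed(self) -> bool:
        return self.giaddr != "0.0.0.0"

    @property
    def lease_seconds(self):
        raw = self.options.get(51)
        return struct.unpack("!I", raw)[0] if raw and len(raw) == 4 else None


def parse_options(data: bytes) -> dict:
    """Parse code/length/value options; refuse a length that runs past the packet end."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:              # pad byte
            i += 1
            continue
        if code == 255:            # end of options
            break
        if i + 1 >= len(data):
            raise ValueError("option %d has no length byte" % code)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        options[code] = value
        i += 2 + length
    return options


def parse_dhcp(data: bytes) -> DhcpMessage:
    if len(data) < HEADER_LEN + 4:
        raise ValueError("packet shorter than BOOTP header plus cookie")
    (op, _htype, hlen, _hops, xid, _secs, _flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, _sname, _file) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if data[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    if hlen > 16:
        raise ValueError("hardware address length exceeds CHADDR field")
    mac = ":".join("%02x" % b for b in chaddr[:hlen])
    return DhcpMessage(op, xid, str(IPv4Address(ciaddr)), str(IPv4Address(yiaddr)),
                       str(IPv4Address(siaddr)), str(IPv4Address(giaddr)), mac,
                       parse_options(data[HEADER_LEN + 4:]))


def build_dhcp(op, xid, yiaddr, giaddr, mac, options) -> bytes:
    """Construct a packet for the demo (not a real server's output)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    zero = IPv4Address("0.0.0.0").packed
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0, zero, IPv4Address(yiaddr).packed,
                         zero, IPv4Address(giaddr).packed, chaddr, b"\x00" * 64, b"\x00" * 128)
    body = b"".join(bytes([code, len(v)]) + v for code, v in options.items())
    return header + MAGIC_COOKIE + body + b"\xff"


# Constructed sample: a DHCPACK that came back through a relay agent at 10.1.2.1.
SAMPLE_ACK = build_dhcp(2, 0x3903F326, "10.1.2.50", "10.1.2.1", "00:11:22:33:44:55", {
    53: b"\x05",                               # message type: DHCPACK
    54: IPv4Address("10.0.0.5").packed,        # server identifier
    51: struct.pack("!I", 86400),              # lease time, one day
    1: IPv4Address("255.255.255.0").packed,    # subnet mask
    3: IPv4Address("10.1.2.1").packed,         # default router
})

if __name__ == "__main__":
    m = parse_dhcp(SAMPLE_ACK)
    print(m.message_type, m.chadd<br>r if False else m.chaddr, m.yiaddr, "via relay", m.giaddr, "lease", m.lease_seconds)
```

The `relayed` property is what a server uses to pick the subnet: a non-zero GIADDR means the broadcast was picked up by a relay agent on that subnet, so the address in YIADDR is allocated there and the reply is unicast back to the GIADDR.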

ARP security, correctly implemented, makes it impossible for a host to poison the ARP cache of other hosts, as network switches will only allow through ARP packets that have genuine, authenticated information in the Source Protocol Address field of ARP packets. Allied Telesis switches have a sub-feature of DHCP Snooping, known as ARP Security[1], while the equivalent feature on Cisco devices is called Dynamic ARP Inspection.
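The check described above and in the earlier paragraph on dropped ARP packets can be modelled directly: DHCP snooping records which IP address was handed to which MAC address on which switch port, and ARP security then forwards an ARP packet from an untrusted port only when its Source Protocol Address matches that record. The code below is an added example for this page, not code from the original post or from any vendor's implementation; `SnoopingSwitch`, its port names and all addresses are constructed for the demo, and the lease-expiry and rogue-server handling are assumptions about how such a feature behaves rather than claims about a particular product.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    port: str          # switch port the client sent its DHCP request from
    expires: int       # absolute time (seconds) at which the lease ends


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    sender_mac: str    # Source Hardware Address
    sender_ip: str     # Source Protocol Address, the field ARP security checks
    target_ip: str


class SnoopingSwitch:
    """Hypothetical switch model: DHCP snooping builds bindings, ARP security enforces them."""
    SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # ports facing the DHCP server / uplink
        self.pending = {}                   # client MAC -> untrusted port its request came from
        self.bindings = {}                  # assigned IP -> Binding
        self.events = []                    # decisions, as a detection log

    def observe_dhcp(self, port, msg_type, client_mac, yiaddr="0.0.0.0", lease=0, now=0):
        """Return True if the DHCP message is forwarded, False if dropped."""
        if msg_type in self.SERVER_MSGS:
            if port not in self.trusted:
                # Server replies are only valid from trusted ports: a rogue server on an
                # access port cannot plant bindings or hand out addresses.
                self.events.append("drop rogue %s on %s" % (msg_type, port))
                return False
            if msg_type == "DHCPACK" and client_mac in self.pending:
                client_port = self.pending.pop(client_mac)
                self.bindings[yiaddr] = Binding(client_mac, yiaddr, client_port, now + lease)
                self.events.append("bind %s -> %s on %s" % (yiaddr, client_mac, client_port))
            return True
        if port not in self.trusted:
            # Client DISCOVER/REQUEST: remember which access port this MAC is behind.
            self.pending[client_mac] = port
        return True

    def inspect_arp(self, pkt: ArpPacket, now=0) -> bool:
        """ARP security: forward only if the SPA is bound to this MAC on this ingress port."""
        if pkt.ingress_port in self.trusted:
            return True
        b = self.bindings.get(pkt.sender_ip)
        if (b is None or b.port != pkt.ingress_port
                or b.mac != pkt.sender_mac or now > b.expires):
            self.events.append("drop ARP on %s: %s claims %s"
                               % (pkt.ingress_port, pkt.sender_mac, pkt.sender_ip))
            return False
        return True


def run_demo():
    """Constructed scenario: one legitimate client, one host on another port that lies."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/24"})
    client = "00:11:22:33:44:55"
    sw.observe_dhcp("Gi1/0/1", "DHCPDISCOVER", client)
    sw.observe_dhcp("Gi1/0/24", "DHCPOFFER", client, "10.1.2.50")
    sw.observe_dhcp("Gi1/0/1", "DHCPREQUEST", client)
    sw.observe_dhcp("Gi1/0/24", "DHCPACK", client, "10.1.2.50", lease=86400, now=1000)
    other = "de:ad:be:ef:00:01"
    results = {
        # the real client answering ARP for its own leased address
        "legit": sw.inspect_arp(ArpPacket("Gi1/0/1", client, "10.1.2.50", "10.1.2.1"), now=1500),
        # a host on Gi1/0/2 claiming the gateway's address: no binding, dropped
        "gateway_claim": sw.inspect_arp(ArpPacket("Gi1/0/2", other, "10.1.2.1", "10.1.2.50"), now=1500),
        # the same host claiming the client's address: binding is on another port, dropped
        "stolen_ip": sw.inspect_arp(ArpPacket("Gi1/0/2", other, "10.1.2.50", "10.1.2.1"), now=1500),
        # a DHCPOFFER arriving on an access port: rogue server, dropped
        "rogue_server": sw.observe_dhcp("Gi1/0/2", "DHCPOFFER", client, "10.1.2.99"),
        # the client after its lease ran out without renewing: binding expired, dropped
        "expired": sw.inspect_arp(ArpPacket("Gi1/0/1", client, "10.1.2.50", "10.1.2.1"), now=1000 + 86400 + 1),
    }
    return sw, results


if __name__ == "__main__":
    switch, outcome = run_demo()
    for name, forwarded in outcome.items():
        print("%-14s %s" % (name, "forward" if forwarded else "drop"))
    print("\n".join(switch.events))
```

Two deployment consequences fall out of the model: the gateway and any statically addressed server never appear in the snooping table, so they must sit on a trusted port or be given a static binding, or their ARP traffic is dropped like the `gateway_claim` case; and every drop event is worth forwarding to the SIEM, because a burst of them from one access port is the signature of the ARP poisoning the feature exists to stop.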
