DHCP defined and how it works
The ability to network devices quickly and easily is critical in a hyper-connected world, and although it has been around for decades, DHCP remains an essential method to ensure that devices are able to join networks and are configured correctly.

DHCP greatly reduces the errors that are made when IP addresses are assigned manually, and can stretch a limited supply of IP addresses by limiting how long a device can keep an individual IP address.

DHCP stands for Dynamic Host Configuration Protocol and is a network protocol used on IP networks where a DHCP server automatically assigns an IP address and other information to each host on the network so they can communicate efficiently with other endpoints.

In addition to the IP address, DHCP also assigns the subnet mask, default gateway address, domain name server (DNS) address and other pertinent configuration parameters. Request for Comments (RFC) 2131 and 2132 define DHCP as an Internet Engineering Task Force (IETF)-defined standard based on the BOOTP protocol.
DHCP simplifies IP address management

The primary reason DHCP is needed is to simplify the management of IP addresses on networks. No two hosts can have the same IP address, and configuring them manually will likely lead to errors. Even on small networks, manually assigning IP addresses can be confusing, particularly with mobile devices that require IP addresses on a non-permanent basis. Also, most users aren't technically proficient enough to locate the IP address information on a computer and assign it. Automating this process makes life easier for users and the network administrator.
Components of DHCP

When working with DHCP, it's important to understand all of the components. Below is a list of them and what they do:

· DHCP server: A networked device running the DHCP service that holds IP addresses and related configuration information. This is most typically a server or a router but could be anything that acts as a host, such as an SD-WAN appliance.
· DHCP client: The endpoint that receives configuration information from a DHCP server. This can be a computer, mobile device, IoT endpoint or anything else that requires connectivity to the network. Most are configured to receive DHCP information by default.
· IP address pool: The range of addresses that are available to DHCP clients. Addresses are typically handed out sequentially from lowest to highest.
· Subnet: IP networks can be partitioned into segments known as subnets. Subnets help keep networks manageable.
· Lease: The length of time for which a DHCP client holds the IP address information. When a lease expires, the client must renew it.
· DHCP relay: A router or host that listens for client messages being broadcast on that network and then forwards them to a configured server. The server then sends responses back to the relay agent, which passes them along to the client. This can be used to centralize DHCP servers instead of having a server on each subnet.
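The pool, subnet and lease mechanics from the list above, as an added example (Python written for this page, not code from the original article): a hypothetical LeasePool that hands addresses out sequentially from a range inside one subnet, renews the same address when a client asks again before expiry, reclaims expired leases, and returns the subnet mask, default gateway and DNS parameters alongside the address. The subnet, address range, router and DNS values are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Lease:
    client_id: str                   # client hardware (MAC) address, as a string
    ip: ipaddress.IPv4Address
    expires_at: int                  # simulated clock value in seconds


class LeasePool:
    """Hypothetical minimal DHCP address pool (added example, not a real server).

    Addresses are handed out sequentially from the lowest free address in
    [first, last], which must lie inside `subnet`. Each lease lasts
    `lease_seconds`; a client that asks again before expiry renews the same
    address, and expired leases are reclaimed before every allocation.
    """

    def __init__(self, subnet, first, last, lease_seconds, router, dns):
        self.subnet = ipaddress.ip_network(subnet)
        self.first = ipaddress.ip_address(first)
        self.last = ipaddress.ip_address(last)
        if self.first not in self.subnet or self.last not in self.subnet:
            raise ValueError("pool range must lie inside the subnet")
        self.lease_seconds = lease_seconds
        self.router = router
        self.dns = list(dns)
        self.leases = {}                 # IPv4Address -> Lease

    def _reclaim_expired(self, now):
        expired = [ip for ip, lease in self.leases.items() if lease.expires_at <= now]
        for ip in expired:
            del self.leases[ip]

    def request(self, client_id, now):
        """Lease an address to client_id. Returns the IPv4Address, or None when
        every address in the pool is held by an unexpired lease."""
        self._reclaim_expired(now)
        # Renewal: the same client keeps the address it already holds.
        for lease in self.leases.values():
            if lease.client_id == client_id:
                lease.expires_at = now + self.lease_seconds
                return lease.ip
        # Fresh allocation: lowest address not currently leased.
        ip = self.first
        while ip <= self.last:
            if ip not in self.leases:
                self.leases[ip] = Lease(client_id, ip, now + self.lease_seconds)
                return ip
            ip += 1
        return None                      # pool exhausted

    def release(self, client_id):
        """Client gives its address back before the lease expires."""
        for ip, lease in list(self.leases.items()):
            if lease.client_id == client_id:
                del self.leases[ip]
                return True
        return False

    def configuration(self, client_id, now):
        """The full parameter set a DHCP server hands a client: address plus
        subnet mask, default gateway, DNS and lease time. None when exhausted."""
        ip = self.request(client_id, now)
        if ip is None:
            return None
        return {
            "ip": str(ip),
            "subnet_mask": str(self.subnet.netmask),
            "router": self.router,
            "dns": self.dns,
            "lease_seconds": self.lease_seconds,
        }


if __name__ == "__main__":
    # Constructed values: a /24 with a three-address pool and a one-hour lease.
    pool = LeasePool("192.168.159.0/24", "192.168.159.10", "192.168.159.12",
                     3600, router="192.168.159.1", dns=["192.168.159.2"])
    print(pool.configuration("aa:bb:cc:00:00:01", now=0))
    for n in range(2, 5):
        print(pool.request(f"aa:bb:cc:00:00:0{n}", now=0))   # fourth client gets None
```

A real server keeps this state on disk and also checks the address is not already in use on the wire before offering it; the point here is that the pool, the subnet boundary and the lease clock are what make "each address used only once" hold.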
Benefits of DHCP servers

In addition to simplified management, the use of a DHCP server provides other benefits. These include:

· Accurate IP configuration: The IP address configuration parameters must be exact, and when dealing with inputs such as "192.168.159.3", it's easy to make a mistake. Typographical errors are typically very difficult to troubleshoot, and the use of a DHCP server minimizes that risk.
· Reduced IP address conflicts: Each connected device must have an IP address. However, each address can only be used once, and a duplicate address will result in a conflict where one or both of the devices cannot be connected. This can happen when addresses are assigned manually, particularly when there are a large number of endpoints that only connect periodically, such as mobile devices. The use of DHCP ensures that each address is only used once.
· Automation of IP address administration: Without DHCP, network administrators would need to assign and revoke addresses manually. Keeping track of which device has what address can be an exercise in futility, as it's nearly impossible to know when devices require access to the network and when they leave. DHCP allows this to be automated and centralized so network professionals can manage all locations from a single point.
· Efficient change management: The use of DHCP makes it very simple to change addresses, scopes or endpoints. For example, an organization may want to change its IP addressing scheme from one range to another. The DHCP server is configured with the new information, and that information is propagated to the endpoints. Similarly, if a network device is upgraded and replaced, no network configuration is required.
DHCP poses security risks

The DHCP protocol requires no authentication, so any client can join a network quickly. Because of this, it opens up a number of security risks, including unauthorized servers handing out bad information to clients, unauthorized clients being given IP addresses, and IP address depletion from unauthorized or malicious clients.

Since the client has no way of validating the authenticity of a DHCP server, rogue ones can be used to provide incorrect network information. This can cause denial-of-service attacks or man-in-the-middle attacks where a fake server intercepts data that can be used for malicious purposes. Conversely, because the DHCP server has no way of authenticating a client, it will hand out IP address information to any device that makes a request. A threat actor could configure a client to continually change its credentials and quickly exhaust all available IP addresses in the scope, preventing company endpoints from accessing the network.
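The two risks described above, a rogue server and pool exhaustion, as detection logic in an added example (Python written for this page, not from the original article). It runs over a constructed list of DHCP events in the shape (seconds, message type, client MAC, server identifier) rather than real captures; the authorized server address, the MACs and the timings are made up. A rogue offer is any OFFER or ACK whose server identifier is not on the allowlist, and a starvation burst is an unusually high number of distinct client hardware addresses sending DISCOVER inside a short window.

```python
from collections import Counter

# Constructed sample events, not real captures. Each record is
# (seconds, message type, client MAC, server identifier from option 54 or None).
AUTHORIZED_SERVERS = {"192.168.159.2"}          # the one legitimate DHCP server (assumed)

NORMAL_EVENTS = [
    (0.0, "DISCOVER", "aa:bb:cc:00:00:01", None),
    (0.1, "OFFER",    "aa:bb:cc:00:00:01", "192.168.159.2"),
    (0.2, "REQUEST",  "aa:bb:cc:00:00:01", "192.168.159.2"),
    (0.3, "ACK",      "aa:bb:cc:00:00:01", "192.168.159.2"),
    (3.0, "DISCOVER", "aa:bb:cc:00:00:02", None),
    (3.1, "OFFER",    "aa:bb:cc:00:00:02", "192.168.159.2"),
    (6.0, "DISCOVER", "aa:bb:cc:00:00:03", None),
    (6.1, "OFFER",    "aa:bb:cc:00:00:03", "192.168.159.2"),
]

# A second, unexpected server answering the same client: the rogue-server pattern.
ROGUE_EVENTS = [
    (3.05, "OFFER", "aa:bb:cc:00:00:02", "192.168.159.77"),
]

# Twenty different hardware addresses asking within one second: the exhaustion pattern.
BURST_EVENTS = [
    (100.0 + i * 0.05, "DISCOVER", f"de:ad:be:ef:00:{i:02x}", None) for i in range(20)
]

SAMPLE_EVENTS = NORMAL_EVENTS + ROGUE_EVENTS + BURST_EVENTS


def find_rogue_offers(events, authorized=AUTHORIZED_SERVERS):
    """OFFER/ACK messages whose server identifier is not an authorized server.
    Clients cannot tell these apart, so this check belongs on a monitoring point
    that sees the traffic (a SPAN port, the relay, or the DHCP server's own logs)."""
    return [e for e in events
            if e[1] in ("OFFER", "ACK") and e[3] not in authorized]


def peak_distinct_discover_clients(events, window_seconds):
    """Largest number of distinct client MACs that sent DISCOVER inside any
    sliding window of window_seconds. Two-pointer scan over time-sorted records."""
    discovers = sorted((t, mac) for t, kind, mac, _ in events if kind == "DISCOVER")
    in_window = Counter()
    peak = 0
    oldest = 0
    for t, mac in discovers:
        in_window[mac] += 1
        # Evict records that fell out of the window ending at t.
        while discovers[oldest][0] < t - window_seconds:
            old_mac = discovers[oldest][1]
            in_window[old_mac] -= 1
            if in_window[old_mac] == 0:
                del in_window[old_mac]
            oldest += 1
        peak = max(peak, len(in_window))
    return peak


def starvation_suspected(events, window_seconds=1.0, threshold=10):
    """True when more than `threshold` distinct clients asked for addresses in one window.
    Tune the threshold to the segment: a handful per second is normal after a power cycle."""
    return peak_distinct_discover_clients(events, window_seconds) > threshold


if __name__ == "__main__":
    for t, kind, mac, server in find_rogue_offers(SAMPLE_EVENTS):
        print(f"rogue {kind} from {server} to {mac} at t={t}")
    print("starvation suspected:", starvation_suspected(SAMPLE_EVENTS))
```

On a switch that supports it, the same two conditions are what DHCP snooping enforces at the port: offers are dropped on untrusted ports and DISCOVER rates are limited per port, so this logic is a useful cross-check from the server or a capture point rather than the only control.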
The DHCP specification does address some of these issues. There is a Relay Agent Information Option that enables engineers to tag DHCP messages as they arrive on the network. This tag can be used to control access to the network. There is also a provision to authenticate DHCP messages, but key management can be complicated and has held back adoption. The use of 802.1X authentication, otherwise known as network access control (NAC), can be used to secure DHCP. Most of the leading network vendors support NAC, and it has become significantly simpler to deploy.
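The Relay Agent Information Option tagging described above, as an added example (Python written for this page, not from the original article). It builds a minimal DHCPDISCOVER with the RFC 2131 fixed header, shows what a relay agent does before forwarding it (fills giaddr, bumps hops, appends option 82, whose circuit-id and remote-id sub-options are codes 1 and 2 from RFC 3046), and then applies a hypothetical server-side policy that only answers requests carrying a circuit-id the administrator has approved. The relay address and the circuit and remote identifier strings are constructed.

```python
import ipaddress
import struct

MAGIC_COOKIE = bytes([99, 130, 83, 99])      # RFC 2131: marks the start of the options field
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2         # RFC 3046 relay agent sub-options
DHCPDISCOVER = 1
FIXED_HEADER_LEN = 236                       # op..file, before the magic cookie
GIADDR_OFFSET = 24                           # after op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr


def build_discover(xid, mac):
    """Minimal DHCPDISCOVER as a client would broadcast it: fixed header plus
    the message-type option. `mac` is the 6-byte hardware address."""
    zero4 = b"\x00" * 4
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1,                          # op: BOOTREQUEST
                         1, 6, 0,                    # htype Ethernet, hlen 6, hops 0
                         xid, 0, 0x8000,             # transaction id, secs, broadcast flag
                         zero4, zero4, zero4, zero4, # ciaddr, yiaddr, siaddr, giaddr
                         mac, b"", b"")              # chaddr, sname, file (struct zero-pads)
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])
    return header + MAGIC_COOKIE + options


def relay_tag(packet, relay_ip, circuit_id, remote_id):
    """What a relay agent does before forwarding a client broadcast to the
    server: increment hops, put its own address in giaddr so the reply comes
    back to it, and append option 82 identifying the port (circuit-id) and
    the relay (remote-id) the request arrived on."""
    hops = packet[3] + 1
    giaddr = ipaddress.IPv4Address(relay_ip).packed
    header = (packet[:3] + bytes([hops]) + packet[4:GIADDR_OFFSET]
              + giaddr + packet[GIADDR_OFFSET + 4:FIXED_HEADER_LEN])
    options = packet[FIXED_HEADER_LEN + 4:]
    if not options.endswith(bytes([OPT_END])):
        raise ValueError("options field must be terminated by END")
    sub_options = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
                   + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    option82 = bytes([OPT_RELAY_AGENT, len(sub_options)]) + sub_options
    # Option 82 goes in before the END marker.
    return header + MAGIC_COOKIE + options[:-1] + option82 + bytes([OPT_END])


def parse_options(packet):
    """Decode the TLV options after the magic cookie into {code: value}."""
    if packet[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, FIXED_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                 # PAD option has no length byte
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return options


def parse_relay_info(value):
    """Split the option 82 value into its {sub-option code: value} pairs."""
    subs, i = {}, 0
    while i + 1 < len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def server_admits(packet, authorized_circuits):
    """Hypothetical server-side policy: answer only requests that came through
    a relay and carry a circuit-id the administrator has approved. A request
    with no relay tag, or from an unknown port, is left unanswered."""
    options = parse_options(packet)
    giaddr = packet[GIADDR_OFFSET:GIADDR_OFFSET + 4]
    if giaddr == b"\x00" * 4 or OPT_RELAY_AGENT not in options:
        return False
    subs = parse_relay_info(options[OPT_RELAY_AGENT])
    return subs.get(SUB_CIRCUIT_ID) in authorized_circuits


if __name__ == "__main__":
    # Constructed identifiers: one approved switch port on one relay.
    approved = {b"switch1-port7"}
    discover = build_discover(0x1234ABCD, bytes.fromhex("aabbcc000001"))
    print("direct broadcast admitted:", server_admits(discover, approved))
    tagged = relay_tag(discover, "192.168.159.1", b"switch1-port7", b"switch1")
    print("relayed, known port admitted:", server_admits(tagged, approved))
    other = relay_tag(discover, "192.168.159.1", b"switch1-port9", b"switch1")
    print("relayed, unknown port admitted:", server_admits(other, approved))
```

The tag is only as trustworthy as the path it travels: the relay must be the device that actually owns the port, and the server should ignore option 82 on packets that did not arrive from a relay it trusts, which is why the policy above also insists on a non-zero giaddr.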