Downloads |
Table Of Contents
DHCP Secured IP Address Assignment
Prerequisites for DHCP Secured IP Address Assignment
Restrictions for DHCP Secured IP Address Assignment
Information About DHCP Secured IP Address Assignment
DHCP Operation in Public Wireless LANs
Security Vulnerabilities in Public Wireless LANs
DHCP Secure IP Address Assignment
Configuring Database Agents to Store DHCP Secured IP Addresses
Configuring DHCP Accounting and DHCP Secured IP Address Assignment
How to Configure DHCP Secured IP Address Assignment
Securing ARP Table Entries to DHCP Leases
Securing Insecure ARP Table Entries
Verifying that ARP Table Entries Have Been Secured
Securing Insecure ARP Table Entries
Configuration Examples for DHCP Secured IP Address Assignment
Securing an ARP Table Entry to an DHCP Lease Example
Verifying Secured ARP Table Entries Example
show ip dhcp server statistics
DHCP Secured IP Address Assignment
The DHCP Secure IP Address Assignment feature introduces the capability to secure ARP table entries to Dynamic Host Configuration Protocol (DHCP) leases in the DHCP database. This feature secures and synchronizes the MAC address of the client to the DHCP binding, preventing unauthorized clients or hackers from spoofing the DHCP server and taking over a DHCP lease of an authorized client. When this feature is enabled and the DHCP server assigns an IP address to the DHCP client, the DHCP server adds a secure ARP entry to the ARP table with the assigned IP address and the MAC address of the client. This ARP entry cannot be updated by any other dynamic ARP packets, and this ARP entry will exist in the ARP table for the configured lease time or as long as the lease is active. The secured ARP entry can be deleted only by an explicit termination message from the DHCP client or by the DHCP server when the DHCP binding expires. This feature can be configured for a new DHCP network or used to upgrade the security of an existing network. The configuration of this feature does not interrupt service and is not visible to the DHCP client.
Feature Specifications for the DHCP Secured IP Address Assignment feature
12.2(15)T
This feature was introduced.
For platforms supported in Cisco IOS Release 12.2(15)T, use Cisco Feature Navigator as described below.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Prerequisites for DHCP Secured IP Address Assignment
•
•
•
•
Prerequisites for DHCP Secured IP Address Assignment
This document assumes that your network is configured to run DHCP. You will also need to complete the following tasks before you can configure this feature:
•
•
Restrictions for DHCP Secured IP Address Assignment
The following restrictions apply to the DHCP Secured IP Address Assignment feature:
•
•
Information About DHCP Secured IP Address Assignment
To configure this feature, you must understand the following concepts
•
•
•
•
•
•
DHCP Operation in Public Wireless LANs
The configuration of DHCP in a public wireless LAN (PWLAN) simplifies the configuration of wireless clients and reduces the overhead necessary to maintain the network. DHCP clients are leased IP addresses by the DHCP server and then authenticated by the Service Selection Gateway (SSG), which allows the clients to access network services. The DHCP server and client exchange DHCP messages for IP address assignments. When a DHCP server assigns an IP address to a client, a DHCP binding is created. The IP address is leased to the client until the client explicitly releases the IP address and disconnects from the network. When the client explicitly disconnects from the network, the DHCP lease is terminated by the DHCP server, and the IP address is returned to the DHCP pool.
Security Vulnerabilities in Public Wireless LANs
If the DHCP lease is not explicitly terminated by the client, the SSG will terminate the lease only when the ping-idle timer expires. This type of termination typically occurs in a PWLAN when an authenticated client moves out of range of the access point. This type of disconnection can expose a security vulnerability during the period of time it takes for the ping-idle timer to expire. By design, DHCP will maintain this lease if it receives an acknowledgement from the client. However, DHCP ARP table entries are dynamic and DHCP alone does not have the capability to secure the transmission and storage of the DHCP binding or verify the integrity of the information that is sent from the client. This exposes the PWLAN to the following security risks:
•
•
A hacker can exploit this vulnerability by snooping for leases that have been dropped by the client but have not expired in the DHCP database. Once the hacker detects the unexpired lease, he or she can quickly reconfigure a laptop to use the unexpired lease. Because DHCP ARP entries are dynamic, a hacker can take control of the unexpired lease and access the network, posing as the authenticated client.
ARP Entries and DHCP Bindings
ARP table entries are dynamic by design. Request and reply ARP packets are sent and received by all the networking devices in a network. In a DHCP network, the DHCP server stores the leased IP address to the MAC address or the client-identifier of the client in the DHCP binding. But as ARP entries are learned dynamically, an unauthorized client can spoof the IP address given by the DHCP server and start using that IP address. The MAC address of this unauthorized client will replace the MAC address of the authorized client in the ARP table and this will allow the unauthorized client to freely use the spoofed IP address.
DHCP Secure IP Address Assignment
The DHCP Secure IP Address Assignment feature introduces the capability to add an ARP entry binding the MAC address of the client to the DHCP offered IP address. The ARP table entry and DHCP binding can only be deleted by the DHCP server when a DHCP lease expires or is terminated by the client. The ARP table entry will not be overwritten if the DHCP server receives any unsolicited ARP request messages. When the DHCP lease expires or the client terminates the lease, the DHCP server will destroy the DHCP binding and the leased IP address is returned to the DHCP address pool. The secure ARP entry will be removed from the ARP table.
Note
When the DHCP Secured IP Address feature is enabled, the ARP table entries and corresponding DHCP leases are secured automatically for all new leases and DHCP bindings. However, existing active leases are not secured. These leases are still insecure until they are renewed. When the lease is renewed, it is treated as a new lease and will be secured automatically. If this feature is disabled on the DHCP server, all existing secured ARP table entries will automatically change to dynamic ARP entries.
Configuring Database Agents to Store DHCP Secured IP Addresses
The DHCP Secured IP Address feature also supports the configuration of DHCP database agents. Database agents are used to configure an IOS DHCP server to store DHCP binding information for recovery after a router is reloaded. When this feature is enabled, secure ARP table entries can also be saved to a file, like DHCP bindings, by a DHCP database agent for recovery. These files are transferred using the File Transfer Protocol (FTP), Trivial File Transport Protocol (TFTP), or remote copy protocol (rcp). If a DHCP database agent is configured, the secured lease information is saved in a remote file system. See the following sample output:
!IP address Type Hardware address Interface-indexarp 10.0.0.1 1 0060.837b.964c 0 0The "arp" keyword that precedes the IP address indicates that the secure ARP entry will be saved before the router reloads. When a router is reloaded, the DHCP bindings are added to the DHCP database and secured ARP entries are added to the ARP table.
The ip dhcp database command is used to configure a database agent on an IOS DHCP server. The database agent will automatically store secure ARP table entries when this feature is configured. No new task are introduced by this feature. For more information about configuring database agents, refer to the "Configuring DHCP" chapter of the Cisco IOS IP Configuration Guide, Release 12.2:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfdhcp.htm
Configuring DHCP Accounting and DHCP Secured IP Address Assignment
For an additional layer of security, the DHCP Accounting feature can be configured with the DHCP Secured IP Address Assignment feature. The DHCP Accounting feature introduces authentication, authorization, and accounting (AAA) and Remote Authentication Dial-In User Service (RADIUS) support for DHCP configuration. The introduction of AAA and RADIUS support improves PWLAN security by sending secure START and STOP accounting messages. The configuration of this feature adds a layer of security to prevent unauthorized clients or hackers from gaining illegal entry to the network by spoofing authorized DHCP leases. The configuration of these two features greatly improves the security of DHCP operation and can be used to protect PWLANs by preventing unauthorized clients or hackers from gaining illegal entry to the network by spoofing authorized DHCP leases. For more information about the DHCP Accounting feature, see the following document:
How to Configure DHCP Secured IP Address Assignment
This section contains the following procedures for configuring the DHCP Secured IP Address Assignment feature:
•
•
Securing ARP Table Entries to DHCP Leases
Use the following steps to enable the DHCP Secured IP Address Assignment feature:
Securing Insecure ARP Table Entries
When the DHCP Secured IP Address feature is enabled, ARP table entries and their corresponding DHCP leases are secured automatically for all new leases and DHCP bindings. However, existing active leases are not secured. These leases are still insecure until they are renewed. When the lease is renewed, it is treated as a new lease and will be secured automatically. If this feature is disabled on the DHCP server, all existing secured ARP table entries will automatically change to dynamic ARP entries.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Troubleshooting Tips
The clear ip dhcp binding command can be used to clear DHCP bindings and secured ARP table entries.
What to Do Next
The DHCP Accounting feature can be configured to provide an additional layer of security. When this feature is configured, the SSG will use secure START and STOP accounting messages to control DHCP lease assignment and termination. For more information about the DHCP Accounting feature, refer to the following document:
The ip dhcp database command can be used to configure a database agent on an IOS DHCP server. The database agent will automatically store secure ARP table entries when this feature is configured. No new task are introduced by this feature. For more information about configuring database agents, refer to the "Configuring DHCP" chapter of the Cisco IOS IP Configuration Guide, Release 12.2:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfdhcp.htm
Verifying that ARP Table Entries Have Been Secured
Use the following steps to verify that ARP table entries have been secured to their corresponding DHCP leases:
Securing Insecure ARP Table Entries
The show ip dhcp server statistics command has been enhanced for this feature to show how many secure ARP entries have been added by the DHCP server.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Configuration Examples for DHCP Secured IP Address Assignment
•
•
Securing an ARP Table Entry to an DHCP Lease Example
The following example configures the Cisco IOS DHCP server to secure ARP table entries to their corresponding DHCP leases within the DHCP pool named WIRELESS-POOL:
Router(config)# ip dhcp pool WIRELESS-POOLRouter(dhcp-config)# update arpRouter(dhcp-config)# exit
Note
Verifying Secured ARP Table Entries Example
To verify that the ARP table entries have been secured to their corresponding DHCP leases, use the show ip dhcp server statistics command. The output from this command displays the number of secure ARP table entries on the last line in the first section of the output. The following output shows that 1 secured ARP table entry exists:
Router# show ip dhcp server statisticsMemory usage 13745Address pools 1Database agents 0Automatic bindings 1Manual bindings 0Expired bindings 0Malformed messages 0Secure arp entries 1Message ReceivedBOOTREQUEST 2DHCPDISCOVER 2DHCPREQUEST 2DHCPDECLINE 0DHCPRELEASE 1DHCPINFORM 0Message SentBOOTREPLY 0DHCPOFFER 0DHCPACK 2DHCPNAK 0Where to Go Next
For information about configuring the DHCP Accounting feature, refer to the following document:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ftdhcpac.htm
Additional References
For additional information related to DHCP Secured IP Address Assignment, refer to the following references:
Related Documents
DHCP commands
Cisco IOS IP Command Reference, Volume1 of 3: Addressing and Services, Release 12.2
DHCP configuration tasks, including the configuration of DHCP database agents
Cisco IOS IP Configuration Guide, Release 12.2
DHCP accounting for the transmission of secure START and STOP messages.
DHCP Accounting, Release 12.2(15)T
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ftdhcpac.htm
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
1 Not all supported standards are listed.
MIBs
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
1 Not all supported MIBs are listed.
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
RFC 2131
Dynamic Host Configuration Protocol
RFC 2132
DHCP Options and BOOTP Vendor Extensions
1 Not all supported RFCs are listed.
Technical Assistance
Command Reference
This section documents new and modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications.
New Commands
Modified Commands
•
update arp
To secure dynamic ARP table entries to their corresponding DHCP bindings, use the update arp command in DHCP pool configuration mode. To disable this command and change secure ARP entries to dynamic ARP entries, use the no form of this command.
update arp
no update arp
Syntax Description
This command has no keywords or arguments.
Defaults
No default behavior or values.
Command Modes
DHCP pool configuration
Command History
Usage Guidelines
The update arp dhcp pool configuration command is used to secure ARP table entries and their corresponding DHCP leases. However, existing active leases are not secured. These leases are will remain insecure until they are renewed. When the lease is renewed, it is treated as a new lease and will be secured automatically. If this feature is disabled on the DHCP server, all existing secured ARP table entries will automatically change to dynamic ARP entries.
This command can be configured only under the following conditions:
•
•
The configuration of this command is not visible to the client. When this command is configured, secured ARP table entries that are created by a DHCP server cannot be removed from the ARP table by the clear arp-cache command. This is designed behavior. If a secure ARP entry created by the DHCP server has to be removed, the clear ip dhcp binding command can be used. This command will clear the DHCP binding and secured ARP table entry.
Note
Examples
The following example configures the IOS DHCP server to secure ARP table entries to their corresponding DHCP leases within the DHCP pool named WIRELESS-POOL:
Router(config)# ip dhcp pool WIRELESS-POOLRouter(dhcp-config)# update arpRouter(dhcp-config)# exitRelated Commands
show ip dhcp server statistics
To display Cisco IOS Dynamic Host Configuration Protocol (DHCP) Server statistics, use the show ip dhcp server statistics EXEC command.
show ip dhcp server statistics
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
12.0(1)T
This command was introduced.
12.2(15)T
Support for secure ARP entries was added Cisco IOS Release 12.2(15)T.
Examples
The following example displays DHCP Server statistics. Table 1 lists descriptions for each field in the example.
Router> show ip dhcp server statisticsMemory usage 40392Address pools 3Database agents 1Automatic bindings 190Manual bindings 1Expired bindings 3Malformed messages 0Secure arp entries 1Message ReceivedBOOTREQUEST 12DHCPDISCOVER 200DHCPREQUEST 178DHCPDECLINE 0DHCPRELEASE 0DHCPINFORM 0Message SentBOOTREPLY 12DHCPOFFER 190DHCPACK 172DHCPNAK 6
Related Commands
