Dynamic Host Configuration Protocol
Encyclopedia
The Dynamic Host Configuration Protocol (DHCP) is a network configuration protocol for hosts on Internet Protocol
(IP) networks. Computers that are connected to IP networks must be configured before they can communicate with other hosts. The most essential information needed is an IP address
, and a default route and routing prefix. DHCP eliminates the manual task by a network administrator. It also provides a central database of devices that are connected to the network and eliminates duplicate resource assignments.
In addition to IP addresses, DHCP also provides other configuration information, particularly the IP addresses of local caching DNS resolvers, network boot servers, or other service hosts.
DHCP is used for IPv4
as well as IPv6
. While both versions perform much the same purpose, the details of the protocol for IPv4 and IPv6 are sufficiently different that they may be considered separate protocols.
Hosts that do not use DHCP for address configuration may still use it to obtain other configuration information.
Alternatively, IPv6
hosts may use stateless address autoconfiguration. IPv4 hosts may use link-local addressing to achieve limited local connectivity.
Many worked to clarify the protocol as it gained popularity, and in 1997 RFC 2131 was released, and remains the standard for IPv4 networks. DHCPv6
is documented in RFC 3315. RFC 3633 added a DHCPv6 mechanism for prefix delegation
. DHCPv6 was further extended to provide configuration information to clients configured using stateless address autoconfiguration in RFC 3736.
The BOOTP protocol itself was first defined in RFC 951 as a replacement for the Reverse Address Resolution Protocol RARP. The primary motivation for replacing RARP with BOOTP was that RARP was a data link layer
protocol. This made implementation difficult on many server platforms, and required that a server be present on each individual network link. BOOTP introduced the innovation of a relay agent, which allowed the forwarding of BOOTP packets off the local network using standard IP routing, thus one central BOOTP server could serve hosts on many IP subnets.
When a DHCP-configured client (a computer or any other network-aware device) connects to a network, the DHCP client sends a broadcast query requesting necessary information from a DHCP server. The DHCP server manages a pool of IP addresses and information about client configuration parameters such as default gateway
, domain name
, the name server
s, other servers such as time servers, and so forth. On receiving a valid request, the server assigns the computer an IP address, a lease (length of time the allocation is valid), and other IP configuration parameters, such as the subnet mask and the default gateway
. The query is typically initiated immediately after booting
, and must complete before the client can initiate IP
-based communication with other hosts.
Depending on implementation, the DHCP server may have three methods of allocating IP-addresses:
for BOOTP
: destination UDP port 67 for sending data to the server, and UDP port 68 for data to the client. DHCP communications are connectionless in nature.
DHCP operations fall into four basic phases: IP discovery, IP lease offer, IP request, and IP lease acknowledgement.
DHCP clients and servers on the same subnet communicate via UDP broadcasts, initially. If the client and server are on different subnets, a DHCP Helper or DHCP Relay Agent may be used. Clients requesting renewal of an existing lease may communicate directly via UDP unicast
, since the client already has an established IP address at that point.
(UDP) packet with the broadcast destination of 255.255.255.255 or the specific subnet broadcast address.
A DHCP client can also request its last-known IP address (in the example below, 192.168.1.100). If the client remains connected to a network for which this IP is valid, the server may grant the request. Otherwise, it depends whether the server is set up as authoritative or not. An authoritative server will deny the request, making the client ask for a new IP address immediately. A non-authoritative server simply ignores the request, leading to an implementation-dependent timeout for the client to give up on the request and ask for a new IP address.
The server determines the configuration based on the client's hardware address as specified in the CHADDR (Client Hardware Address) field. Here the server, 192.168.1.1, specifies the IP address in the YIADDR (Your IP Address) field.
The protocol expects the DHCP client to configure its network interface with the negotiated parameters.
After the client obtains an IP address, the client may use the Address Resolution Protocol
(ARP) to prevent IP conflicts caused by overlapping address pools of DHCP servers.
. Such queries do not cause the DHCP server to refresh the IP expiry time in its database.
(IANA) - DHCP and BOOTP PARAMETERS.
A DHCP client can select, manipulate and overwrite parameters provided by a DHCP server.
. The relay agent stores its own IP address in the GIADDR field of the DHCP packet. The DHCP server uses the GIADDR to determine the subnet on which the relay agent received the broadcast, and allocates an IP address on that subnet. When the DHCP server replies to the client, it sends the reply to the GIADDR address, again using unicast. The relay agent then retransmits the response on the local network.
If the DHCP server is unreachable for an extended period of time, the DHCP client will attempt to rebind, by broadcasting its DHCPREQUEST rather than unicasting it. Because it is broadcast, the DHCPREQUEST message will reach all available DHCP servers. If some other DHCP server is able to renew the lease, it will do so at this time.
In order for rebinding to work, when the client successfully contacts a backup DHCP server, that server must have accurate information about the client's binding. Maintaining accurate binding information between two servers is a complicated problem; if both servers are able to update the same lease database, there must be a mechanism to avoid conflicts between updates on the independent servers. A standard for implementing fault-tolerant
DHCP servers was developed at the Internet Engineering Task Force.The IETF proposal provided a mechanism whereby two servers could remain loosely in sync with each other in such a way that even in the event of a total failure of one server, the other server could recover the lease database and continue operating. Due to the length and complexity of the specification, it was never published as a standard; however, the techniques described in the specification are in wide use, with one open source implementation in the ISC DHCP server as well as several commercial implementations.
If rebinding fails, the lease will eventually expire. When the lease expires, the client must stop using the IP address granted to it in its lease. At that time, it will restart the DHCP process from the beginning by broadcasting a DHCPDISCOVER message. Since its lease has expired, it will accept any IP address offered to it. Once it has a new IP address, presumably from a different DHCP server, it will once again be able to use the network. However, since its IP address has changed, any ongoing connections will be broken.
Because the client has no way to validate the identity of a DHCP server, unauthorized DHCP servers
can be operated on networks, providing incorrect information to DHCP clients. This can serve either as a denial-of-service attack, preventing the client from gaining access to network connectivity, or as a man-in-the-middle attack
. Because the DHCP server provides the DHCP client with server IP addresses, such as the IP address of one or more DNS servers, an attacker can convince a DHCP client to do its DNS lookups through its own DNS server, and can therefore provide its own answers to DNS queries from the client. This in turn allows the attacker to redirect network traffic through itself, allowing it to eavesdrop on connections between the client and network servers it contacts, or to simply replace those network servers with its own.
Because the DHCP server has no secure mechanism for authenticating the client, clients can gain unauthorized access to IP addresses by presenting credentials, such as client identifiers, that belong to other DHCP clients. This also allows DHCP clients to exhaust the DHCP server's store of IP addresses—by presenting new credentials each time it asks for an address, the client can consume all the available IP addresses on a particular network link, preventing other DHCP clients from getting service.
DHCP does provide some mechanisms for mitigating these problems. The Relay Agent Information Option protocol extension (RFC 3046) allows network operators to attach tags to DHCP messages as these messages arrive on the network operator's trusted network. This tag is then used as an authorization token to control the client's access to network resources. Because the client has no access to the network upstream of the relay agent, the lack of authentication does not prevent the DHCP server operator from relying on the authorization token.
Another extension, Authentication for DHCP Messages (RFC 3118), provides a mechanism for authenticating DHCP messages. Unfortunately RFC 3118 has not seen widespread adoption because of the problems of managing keys for large numbers of DHCP clients.
Internet Protocol
The Internet Protocol is the principal communications protocol used for relaying datagrams across an internetwork using the Internet Protocol Suite...
(IP) networks. Computers that are connected to IP networks must be configured before they can communicate with other hosts. The most essential information needed is an IP address
IP address
An Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing...
, and a default route and routing prefix. DHCP eliminates the manual task by a network administrator. It also provides a central database of devices that are connected to the network and eliminates duplicate resource assignments.
In addition to IP addresses, DHCP also provides other configuration information, particularly the IP addresses of local caching DNS resolvers, network boot servers, or other service hosts.
DHCP is used for IPv4
IPv4
Internet Protocol version 4 is the fourth revision in the development of the Internet Protocol and the first version of the protocol to be widely deployed. Together with IPv6, it is at the core of standards-based internetworking methods of the Internet...
as well as IPv6
IPv6
Internet Protocol version 6 is a version of the Internet Protocol . It is designed to succeed the Internet Protocol version 4...
. While both versions perform much the same purpose, the details of the protocol for IPv4 and IPv6 are sufficiently different that they may be considered separate protocols.
Hosts that do not use DHCP for address configuration may still use it to obtain other configuration information.
Alternatively, IPv6
IPv6
Internet Protocol version 6 is a version of the Internet Protocol . It is designed to succeed the Internet Protocol version 4...
hosts may use stateless address autoconfiguration. IPv4 hosts may use link-local addressing to achieve limited local connectivity.
History
DHCP was first defined as a standards track protocol in RFC 1531 in October 1993, as an extension to the Bootstrap Protocol (BOOTP). The motivation for extending BOOTP was that BOOTP required manual intervention to add configuration information for each client, and did not provide a mechanism for reclaiming disused IP addresses.Many worked to clarify the protocol as it gained popularity, and in 1997 RFC 2131 was released, and remains the standard for IPv4 networks. DHCPv6
DHCPv6
DHCPv6 is the Dynamic Host Configuration Protocol for IPv6. Although IPv6's stateless address autoconfiguration can also be used to acquire IPv6 access, DHCPv6 may be a more suitable solution to assign addresses, nameservers and other configuration information as being done today with DHCP for IPv4...
is documented in RFC 3315. RFC 3633 added a DHCPv6 mechanism for prefix delegation
Prefix delegation
In IPv6 networking, prefix delegation is used to assign a network address prefix to a user site, configuring the user's router with the prefix to be used for each LAN. This is one of the methods for delegating IPv6 address prefixes to an IPv6 subscriber's network...
. DHCPv6 was further extended to provide configuration information to clients configured using stateless address autoconfiguration in RFC 3736.
The BOOTP protocol itself was first defined in RFC 951 as a replacement for the Reverse Address Resolution Protocol RARP. The primary motivation for replacing RARP with BOOTP was that RARP was a data link layer
Data link layer
The data link layer is layer 2 of the seven-layer OSI model of computer networking. It corresponds to, or is part of the link layer of the TCP/IP reference model....
protocol. This made implementation difficult on many server platforms, and required that a server be present on each individual network link. BOOTP introduced the innovation of a relay agent, which allowed the forwarding of BOOTP packets off the local network using standard IP routing, thus one central BOOTP server could serve hosts on many IP subnets.
Technical overview
Dynamic Host Configuration Protocol automates network-parameter assignment to network devices from one or more DHCP servers. Even in small networks, DHCP is useful because it makes it easy to add new machines to the network.When a DHCP-configured client (a computer or any other network-aware device) connects to a network, the DHCP client sends a broadcast query requesting necessary information from a DHCP server. The DHCP server manages a pool of IP addresses and information about client configuration parameters such as default gateway
Default gateway
In computer networking, a gateway is a node on a TCP/IP network that serves as an access point to another network. A default gateway is the node on the computer network that the network software uses when an IP address does not match any other routes in the routing table.In home computing...
, domain name
Domain name
A domain name is an identification string that defines a realm of administrative autonomy, authority, or control in the Internet. Domain names are formed by the rules and procedures of the Domain Name System ....
, the name server
Name server
In computing, a name server is a program or computer server that implements a name-service protocol. It maps a human-recognizable identifier to a system-internal, often numeric, identification or addressing component....
s, other servers such as time servers, and so forth. On receiving a valid request, the server assigns the computer an IP address, a lease (length of time the allocation is valid), and other IP configuration parameters, such as the subnet mask and the default gateway
Default gateway
In computer networking, a gateway is a node on a TCP/IP network that serves as an access point to another network. A default gateway is the node on the computer network that the network software uses when an IP address does not match any other routes in the routing table.In home computing...
. The query is typically initiated immediately after booting
Booting
In computing, booting is a process that begins when a user turns on a computer system and prepares the computer to perform its normal operations. On modern computers, this typically involves loading and starting an operating system. The boot sequence is the initial set of operations that the...
, and must complete before the client can initiate IP
Internet Protocol
The Internet Protocol is the principal communications protocol used for relaying datagrams across an internetwork using the Internet Protocol Suite...
-based communication with other hosts.
Depending on implementation, the DHCP server may have three methods of allocating IP-addresses:
- dynamic allocation: A network administratorNetwork administratorA network administrator, network analyst or network engineer is a person responsible for the maintenance of computer hardware and software that comprises a computer network...
assigns a range of IP addresses to DHCP, and each client computer on the LAN is configured to request an IP address from the DHCP serverServer (computing)In the context of client-server architecture, a server is a computer program running to serve the requests of other programs, the "clients". Thus, the "server" performs some computational task on behalf of "clients"...
during network initialization. The request-and-grant process uses a lease concept with a controllable time period, allowing the DHCP server to reclaim (and then reallocate) IP addresses that are not renewed. - automatic allocation: The DHCP server permanently assigns a free IP address to a requesting client from the range defined by the administrator. This is like dynamic allocation, but the DHCP server keeps a table of past IP address assignments, so that it can preferentially assign to a client the same IP address that the client previously had.
- static allocation: The DHCP server allocates an IP address based on a table with MAC addressMAC addressA Media Access Control address is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used for numerous network technologies and most IEEE 802 network technologies, including Ethernet...
/IP addressIP addressAn Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing...
pairs, which are manually filled in (perhaps by a network administratorNetwork administratorA network administrator, network analyst or network engineer is a person responsible for the maintenance of computer hardware and software that comprises a computer network...
). Only requesting clients with a MAC address listed in this table will be allocated an IP address. This feature (which is not supported by all DHCP servers) is variously called Static DHCP Assignment (by DD-WRTDD-WRTDD-WRT is a Linux-based firmware for several wireless routers, most notably the Linksys WRT54G . Like other similar projects, DD-WRT is third-party firmware designed to replace the firmware that ships pre-installed on many commercial routers...
), fixed-address (by the dhcpd documentation), Address Reservation (by Netgear), DHCP reservation or Static DHCP (by Cisco/LinksysLinksysLinksys by Cisco, commonly known as Linksys, is a brand of home and small office networking products now produced by Cisco Systems, though once a separate company founded in 1995 before being acquired by Cisco in 2003...
), and IP reservation or MAC/IP binding (by various other router manufacturers).
Technical details
DHCP uses the same two ports assigned by IANAInternet Assigned Numbers Authority
The Internet Assigned Numbers Authority is the entity that oversees global IP address allocation, autonomous system number allocation, root zone management in the Domain Name System , media types, and other Internet Protocol-related symbols and numbers...
for BOOTP
BOOTP
In computer networking, the Bootstrap Protocol, or BOOTP, is a network protocol used by a network client to obtain an IP address from a configuration server. The BOOTP protocol was originally defined in RFC 951....
: destination UDP port 67 for sending data to the server, and UDP port 68 for data to the client. DHCP communications are connectionless in nature.
DHCP operations fall into four basic phases: IP discovery, IP lease offer, IP request, and IP lease acknowledgement.
DHCP clients and servers on the same subnet communicate via UDP broadcasts, initially. If the client and server are on different subnets, a DHCP Helper or DHCP Relay Agent may be used. Clients requesting renewal of an existing lease may communicate directly via UDP unicast
Unicast
right|200pxIn computer networking, unicast transmission is the sending of messages to a single network destination identified by a unique address.-Addressing methodologies:...
, since the client already has an established IP address at that point.
DHCP discovery
The client broadcasts messages on the physical subnet to discover available DHCP servers. Network administrators can configure a local router to forward DHCP packets to a DHCP server from a different subnet. This client-implementation creates a User Datagram ProtocolUser Datagram Protocol
The User Datagram Protocol is one of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol network without requiring...
(UDP) packet with the broadcast destination of 255.255.255.255 or the specific subnet broadcast address.
A DHCP client can also request its last-known IP address (in the example below, 192.168.1.100). If the client remains connected to a network for which this IP is valid, the server may grant the request. Otherwise, it depends whether the server is set up as authoritative or not. An authoritative server will deny the request, making the client ask for a new IP address immediately. A non-authoritative server simply ignores the request, leading to an implementation-dependent timeout for the client to give up on the request and ask for a new IP address.
UDP User Datagram Protocol The User Datagram Protocol is one of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol network without requiring... Src=0.0.0.0 sPort=68 Dest=255.255.255.255 dPort=67 | |||
OP | HTYPE | HLEN | HOPS |
---|---|---|---|
0x01 | 0x01 | 0x06 | 0x00 |
XID | |||
0x3903F326 | |||
SECS | FLAGS | ||
0x0000 | 0x0000 | ||
CIADDR (Client IP Address) | |||
0x00000000 | |||
YIADDR (Your IP Address) | |||
0x00000000 | |||
SIADDR (Server IP Address) | |||
0x00000000 | |||
GIADDR (Gateway IP Address) | |||
0x00000000 | |||
CHADDR (Client Hardware Address) | |||
0x00053C04 | |||
0x8D590000 | |||
0x00000000 | |||
0x00000000 | |||
192 octets of 0s. BOOTP BOOTP In computer networking, the Bootstrap Protocol, or BOOTP, is a network protocol used by a network client to obtain an IP address from a configuration server. The BOOTP protocol was originally defined in RFC 951.... legacy | |||
Magic Cookie | |||
0x63825363 | |||
DHCP Options | |||
DHCP option 53: DHCP Discover | |||
DHCP option 50: 192.168.1.100 requested | |||
DHCP option 55: Parameter Request List: Request Subnet Mask (1), Router (3), Domain Name (15), Domain Name Server (6) |
DHCP offer
When a DHCP server receives an IP lease request from a client, it reserves an IP address for the client and extends an IP lease offer by sending a DHCPOFFER message to the client. This message contains the client's MAC address, the IP address that the server is offering, the subnet mask, the lease duration, and the IP address of the DHCP server making the offer.The server determines the configuration based on the client's hardware address as specified in the CHADDR (Client Hardware Address) field. Here the server, 192.168.1.1, specifies the IP address in the YIADDR (Your IP Address) field.
UDP Src=192.168.1.1 sPort=67 Dest=255.255.255.255 dPort=68 | ||||
OP | HTYPE | HLEN | HOPS | |
---|---|---|---|---|
0x02 | 0x01 | 0x06 | 0x00 | |
XID | ||||
0x3903F326 | ||||
SECS | FLAGS | |||
0x0000 | 0x0000 | |||
CIADDR (Client IP Address) | ||||
0x00000000 | ||||
YIADDR (Your IP Address) | ||||
0xC0A80164 | ||||
SIADDR (Server IP Address) | ||||
0xC0A80101 | ||||
GIADDR (Gateway IP Address) | ||||
0x00000000 | ||||
CHADDR (Client Hardware Address) | ||||
0x00053C04 | ||||
0x8D590000 | ||||
0x00000000 | ||||
0x00000000 | ||||
192 octets of 0s. BOOTP BOOTP In computer networking, the Bootstrap Protocol, or BOOTP, is a network protocol used by a network client to obtain an IP address from a configuration server. The BOOTP protocol was originally defined in RFC 951.... legacy | ||||
Magic Cookie | ||||
0x63825363 | ||||
DHCP Options | ||||
DHCP option 53: DHCP Offer | ||||
DHCP option 1: 255.255.255.0 subnet mask | ||||
DHCP option 3: 192.168.1.1 router | ||||
DHCP option 51: 86400s (1 day) IP lease time | ||||
DHCP option 54: 192.168.1.1 DHCP server | ||||
DHCP option 6: DNS servers 9.7.10.15, 9.7.10.16, 9.7.10.18 |
DHCP request
A client can receive DHCP offers from multiple servers, but it will accept only one DHCP offer and broadcast a DHCP request message. Based on the Transaction ID field in the request, servers are informed whose offer the client has accepted. When other DHCP servers receive this message, they withdraw any offers that they might have made to the client and return the offered address to the pool of available addresses. The DHCP request message is broadcast, instead of being unicast to a particular DHCP server, because the DHCP client has still not received an IP address. Also, this way one message can let all other DHCP servers know that another server will be supplying the IP address without missing any of the servers with a series of unicast messages.UDP Src=0.0.0.0 sPort=68 Dest=255.255.255.255 dPort=67 | ||||
OP | HTYPE | HLEN | HOPS | |
---|---|---|---|---|
0x01 | 0x01 | 0x06 | 0x00 | |
XID | ||||
0x3903F326 | ||||
SECS | FLAGS | |||
0x0000 | 0x0000 | |||
CIADDR (Client IP Address) | ||||
0x00000000 | ||||
YIADDR (Your IP Address) | ||||
0x00000000 | ||||
SIADDR (Server IP Address) | ||||
0xC0A80101 | ||||
GIADDR (Gateway IP Address) | ||||
0x00000000 | ||||
CHADDR (Client Hardware Address) | ||||
0x00053C04 | ||||
0x8D590000 | ||||
0x00000000 | ||||
0x00000000 | ||||
192 octets of 0s. BOOTP BOOTP In computer networking, the Bootstrap Protocol, or BOOTP, is a network protocol used by a network client to obtain an IP address from a configuration server. The BOOTP protocol was originally defined in RFC 951.... legacy | ||||
Magic Cookie | ||||
0x63825363 | ||||
DHCP Options | ||||
DHCP option 53: DHCP Request | ||||
DHCP option 50: 192.168.1.100 requested | ||||
DHCP option 54: 192.168.1.1 DHCP server. |
DHCP acknowledgement
When the DHCP server receives the DHCPREQUEST message from the client, the configuration process enters its final phase. The acknowledgement phase involves sending a DHCPACK packet to the client. This packet includes the lease duration and any other configuration information that the client might have requested. At this point, the IP configuration process is completed.The protocol expects the DHCP client to configure its network interface with the negotiated parameters.
UDP Src=192.168.1.1 sPort=67 Dest=255.255.255.255 dPort=68 | ||||
OP | HTYPE | HLEN | HOPS | |
---|---|---|---|---|
0x02 | 0x01 | 0x06 | 0x00 | |
XID | ||||
0x3903F326 | ||||
SECS | FLAGS | |||
0x0000 | 0x0000 | |||
CIADDR (Client IP Address) | ||||
0x00000000 | ||||
YIADDR (Your IP Address) | ||||
0xC0A80164 | ||||
SIADDR (Server IP Address) | ||||
0xC0A80101 | ||||
GIADDR (Gateway IP Address switched by relay) | ||||
0x00000000 | ||||
CHADDR (Client Hardware Address) | ||||
0x00053C04 | ||||
0x8D590000 | ||||
0x00000000 | ||||
0x00000000 | ||||
192 octets of 0s. BOOTP BOOTP In computer networking, the Bootstrap Protocol, or BOOTP, is a network protocol used by a network client to obtain an IP address from a configuration server. The BOOTP protocol was originally defined in RFC 951.... legacy | ||||
Magic Cookie | ||||
0x63825363 | ||||
DHCP Options | ||||
DHCP option 53: DHCP ACK | ||||
DHCP option 1: 255.255.255.0 subnet mask | ||||
DHCP option 3: 192.168.1.1 router | ||||
DHCP option 51: 86400s (1 day) IP lease time | ||||
DHCP option 54: 192.168.1.1 DHCP server | ||||
DHCP option 6: DNS servers 9.7.10.15, 9.7.10.16, 9.7.10.18 |
After the client obtains an IP address, the client may use the Address Resolution Protocol
Address Resolution Protocol
Address Resolution Protocol is a telecommunications protocol used for resolution of network layer addresses into link layer addresses, a critical function in multiple-access networks. ARP was defined by RFC 826 in 1982. It is Internet Standard STD 37...
(ARP) to prevent IP conflicts caused by overlapping address pools of DHCP servers.
DHCP information
A DHCP client may request more information than the server sent with the original DHCPOFFER. The client may also request repeat data for a particular application. For example, browsers use DHCP Inform to obtain web proxy settings via WPADWeb Proxy Autodiscovery Protocol
The Web Proxy Auto-Discovery Protocol is a method used by clients to locate a URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete it can be executed to determine the proxy for a specified URL...
. Such queries do not cause the DHCP server to refresh the IP expiry time in its database.
DHCP releasing
The client sends a request to the DHCP server to release the DHCP information and the client deactivates its IP address. As client devices usually do not know when users may unplug them from the network, the protocol does not mandate the sending of DHCP Release.Client configuration parameters in DHCP
A DHCP server can provide optional configuration parameters to the client. RFC 2132 describes the available DHCP options defined by Internet Assigned Numbers AuthorityInternet Assigned Numbers Authority
The Internet Assigned Numbers Authority is the entity that oversees global IP address allocation, autonomous system number allocation, root zone management in the Domain Name System , media types, and other Internet Protocol-related symbols and numbers...
(IANA) - DHCP and BOOTP PARAMETERS.
A DHCP client can select, manipulate and overwrite parameters provided by a DHCP server.
Options
An option exists to identify the vendor and functionality of a DHCP client. The information is a variable-length string of characters or octets which has a meaning specified by the vendor of the DHCP client. One method that a DHCP client can utilize to communicate to the server that it is using a certain type of hardware or firmware is to set a value in its DHCP requests called the Vendor Class Identifier (VCI) (Option 60). This method allows a DHCP server to differentiate between the two kinds of client machines and process the requests from the two types of modems appropriately. Some types of set-top boxes also set the VCI (Option 60) to inform the DHCP server about the hardware type and functionality of the device. The value that this option is set to gives the DHCP server a hint about any required extra information that this client needs in a DHCP response.DHCP Relaying
In small networks, where only one IP subnet is being managed, DHCP clients communicate directly with DHCP servers. However, DHCP servers can also provide IP addresses for multiple subnets. In this case, a DHCP client that has not yet acquired an IP address cannot communicate directly with the DHCP server using IP routing, because it doesn't have a routable IP address, nor does it know the IP address of a router. In order to allow DHCP clients on subnets not directly served by DHCP servers to communicate with DHCP servers, DHCP relay agents can be installed on these subnets. The DHCP client broadcasts on the local link; the relay agent receives the broadcast and transmits it to one or more DHCP servers using unicastUnicast
right|200pxIn computer networking, unicast transmission is the sending of messages to a single network destination identified by a unique address.-Addressing methodologies:...
. The relay agent stores its own IP address in the GIADDR field of the DHCP packet. The DHCP server uses the GIADDR to determine the subnet on which the relay agent received the broadcast, and allocates an IP address on that subnet. When the DHCP server replies to the client, it sends the reply to the GIADDR address, again using unicast. The relay agent then retransmits the response on the local network.
Reliability
The DHCP protocol provides reliability in several ways: periodic renewal, rebinding, and failover. DHCP clients are allocated leases that last for some period of time. Clients begin to attempt to renew their leases once half the lease interval has expired. They do this by sending a unicast DHCPREQUEST message to the DHCP server that granted the original lease. If that server is down or unreachable, it will fail to respond to the DHCPREQUEST. However, the DHCPREQUEST will be repeated by the client from time to time, so when the DHCP server comes back up or becomes reachable again, the DHCP client will succeed in contacting it, and renew its lease.If the DHCP server is unreachable for an extended period of time, the DHCP client will attempt to rebind, by broadcasting its DHCPREQUEST rather than unicasting it. Because it is broadcast, the DHCPREQUEST message will reach all available DHCP servers. If some other DHCP server is able to renew the lease, it will do so at this time.
In order for rebinding to work, when the client successfully contacts a backup DHCP server, that server must have accurate information about the client's binding. Maintaining accurate binding information between two servers is a complicated problem; if both servers are able to update the same lease database, there must be a mechanism to avoid conflicts between updates on the independent servers. A standard for implementing fault-tolerant
Fault-tolerant design
In engineering, fault-tolerant design is a design that enables a system to continue operation, possibly at a reduced level , rather than failing completely, when some part of the system fails...
DHCP servers was developed at the Internet Engineering Task Force.The IETF proposal provided a mechanism whereby two servers could remain loosely in sync with each other in such a way that even in the event of a total failure of one server, the other server could recover the lease database and continue operating. Due to the length and complexity of the specification, it was never published as a standard; however, the techniques described in the specification are in wide use, with one open source implementation in the ISC DHCP server as well as several commercial implementations.
If rebinding fails, the lease will eventually expire. When the lease expires, the client must stop using the IP address granted to it in its lease. At that time, it will restart the DHCP process from the beginning by broadcasting a DHCPDISCOVER message. Since its lease has expired, it will accept any IP address offered to it. Once it has a new IP address, presumably from a different DHCP server, it will once again be able to use the network. However, since its IP address has changed, any ongoing connections will be broken.
Security
The base DHCP protocol does not include any mechanism for authentication. Because of this, it is vulnerable to a variety of attacks. These attacks fall into three main categories:- Unauthorized DHCP servers providing false information to clients.
- Unauthorized clients gaining access to resources.
- Resource exhaustion attacks from malicious DHCP clients.
Because the client has no way to validate the identity of a DHCP server, unauthorized DHCP servers
Rogue DHCP
A rogue DHCP server is a DHCP server on a network which is not under the administrative control of the network staff. It is a network device such as a modem or a router connected to the network by a user who may be either unaware of the consequences of their actions or may be knowingly using it...
can be operated on networks, providing incorrect information to DHCP clients. This can serve either as a denial-of-service attack, preventing the client from gaining access to network connectivity, or as a man-in-the-middle attack
Man-in-the-middle attack
In cryptography, the man-in-the-middle attack , bucket-brigade attack, or sometimes Janus attack, is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other...
. Because the DHCP server provides the DHCP client with server IP addresses, such as the IP address of one or more DNS servers, an attacker can convince a DHCP client to do its DNS lookups through its own DNS server, and can therefore provide its own answers to DNS queries from the client. This in turn allows the attacker to redirect network traffic through itself, allowing it to eavesdrop on connections between the client and network servers it contacts, or to simply replace those network servers with its own.
Because the DHCP server has no secure mechanism for authenticating the client, clients can gain unauthorized access to IP addresses by presenting credentials, such as client identifiers, that belong to other DHCP clients. This also allows DHCP clients to exhaust the DHCP server's store of IP addresses—by presenting new credentials each time it asks for an address, the client can consume all the available IP addresses on a particular network link, preventing other DHCP clients from getting service.
DHCP does provide some mechanisms for mitigating these problems. The Relay Agent Information Option protocol extension (RFC 3046) allows network operators to attach tags to DHCP messages as these messages arrive on the network operator's trusted network. This tag is then used as an authorization token to control the client's access to network resources. Because the client has no access to the network upstream of the relay agent, the lack of authentication does not prevent the DHCP server operator from relying on the authorization token.
Another extension, Authentication for DHCP Messages (RFC 3118), provides a mechanism for authenticating DHCP messages. Unfortunately RFC 3118 has not seen widespread adoption because of the problems of managing keys for large numbers of DHCP clients.
See also
- DHCP snoopingDHCP snoopingIn computer networking DHCP snooping is a series of techniques applied to ensure the security of an existing DHCP infrastructure.When DHCP servers are allocating IP addresses to the clients on the LAN, DHCP snooping can be configured on LAN switches to harden the security on the LAN to allow only...
- IP addressIP addressAn Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing...
, especially Static and dynamic IP addresses - Peg DHCPPeg DHCPPeg DHCP is a method defined in RFC 2322 to assign IP addresses in a context where regular DHCP wouldn't work. The "server" hands out wooden clothes-pegs numbered with the IPs to allocate and an additional leaflet with network information...
(RFC 2322) - Preboot Execution EnvironmentPreboot Execution EnvironmentThe Preboot eXecution Environment is an environment to boot computers using a network interface independently of data storage devices or installed operating systems.PXE was introduced as part of the Wired for Management framework by Intel and is described in the specification The Preboot...
(PXE) - Reverse Address Resolution ProtocolReverse Address Resolution ProtocolThe Reverse Address Resolution Protocol is an obsolete computer networking protocol used by a host computer to request its Internet Protocol address from an administrative host, when it has available its Link Layer or hardware address, such as a MAC address.RARP is described in Internet...
(RARP) - Rogue DHCPRogue DHCPA rogue DHCP server is a DHCP server on a network which is not under the administrative control of the network staff. It is a network device such as a modem or a router connected to the network by a user who may be either unaware of the consequences of their actions or may be knowingly using it...
- Web Proxy Autodiscovery ProtocolWeb Proxy Autodiscovery ProtocolThe Web Proxy Auto-Discovery Protocol is a method used by clients to locate a URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete it can be executed to determine the proxy for a specified URL...
(WPAD) - ZeroconfZeroconfZero configuration networking , is a set of techniques that automatically creates a usable Internet Protocol network without manual operator intervention or special configuration servers....
— Zero Configuration Networking - UDP Helper AddressUDP Helper AddressA UDP Helper Address is a special router configuration used to forward broadcast network traffic from a client machine on one subnet to a server in another subnet. This is used primarily in business environments as way to save money by not having to buy a server for each subnet.-Usage Example:In...
— a tool for routing DHCP requests across subnet boundaries - Boot Service Discovery Protocol (BSDP)Boot Service Discovery ProtocolBoot Service Discovery Protocol is an Apple-developed, standards-conforming extension of DHCP. It allows Macintosh computers to boot from bootable images on a network instead of local storage media such as CD, DVD, or hard disk...
, a DHCP extension used by Apple's NetBootNetBootNetBoot is a technology from Apple which enables Macs with capable firmware to boot from a network, rather than a local hard disk or optical disc drive. NetBoot is a derived work from the Bootstrap Protocol , and is similar in concept to the Preboot Execution Environment...
- BOOTPBOOTPIn computer networking, the Bootstrap Protocol, or BOOTP, is a network protocol used by a network client to obtain an IP address from a configuration server. The BOOTP protocol was originally defined in RFC 951....
- earlier protocol for the same purpose
External links
- RFC 2131 - Dynamic Host Configuration Protocol
- RFC 2132 - DHCP Options and BOOTP Vendor Extensions
- DHCP RFC - Dynamic Host Configuration Protocol RFCs (IETF)
- RFC 4242 - Information Refresh Time Option for Dynamic Host Configuration Protocol for IPv6
- DHCP Sequence Diagram - This sequence diagram covers several scenarios of DHCP operation.
- RFC 3046 - DHCP Relay Agent Information Option
- Recommended Operation for Switches Running Relay Agent and Option 82 - Provides a description of how DHCP option 82 works.
- RFC 3942 - Reclassifying Dynamic Host Configuration Protocol Version Four (DHCPv4) Options
- RFC 4361 - Node-specific Client Identifiers for Dynamic Host Configuration Protocol Version Four (DHCPv4)
- RFC 4436 - Detecting Network Attachment in IPv4 (DNAv4)
- DHCP Protocol Messages - A good description of the individual DHCP protocol messages.
- ISC DHCP - Internet Services Consortium's open source DHCP implementation.
- Dynamic Host Configuration Protocol (DHCP) - Microsoft TechNet
- Interactive DHCP basic simulation