[olug] VNC w/Qwest
Dave Hull
dphull at gmail.com
Thu Oct 18 16:06:12 UTC 2007
On 10/18/07, Obi-Wan <obiwan at jedi.com> wrote:
> When two DHCP servers both operate in the same IP space, they must
> know about each other and their database. This functionality
> is built into the ISC DHCP server to handle redundant pairs.
According to the RFCs a client initiates the DHCP request by
broadcasting a DHCPDISCOVER message. This message may reach multiple
DHCP servers and all of them can respond with a DHCPOFFER message that
contains offered IP address info along with other options. The RFCs
state that the client can gather multiple DHCPOFFERs and pick the one
it wants based on configuration parameters. The client then responds
again with a DHCPREQUEST that is broadcast, but the request must
contain a server identifier so that all the responding servers know
whether or not they are supposed to commit the configuration
information in their "persistent storage". The DHCPREQUEST also must
contain the IP address that is being accepted.
It's been a while since I really had to study the RFCs (I worked with a
team of developers that created their own LDAP-enabled DHCP server a
few years back), but I don't recall the RFCs specifying that each
server share a common persistent storage, but obviously that would be
one way of doing it. Another possibility would be to allocate
different ranges to different servers and configure them so that they
only respond to DISCOVERs from certain LAN segments.
A co-worker and I wrote an article three-plus years ago for SysAdmin
Magazine detailing a new (at the time) passive OS fingerprinting
technique that relied on DHCP broadcast messages. Some vendors (Cisco
for sure) have features in at least some of their switches that will
prevent DISCOVER messages from being broadcast: the switches
recognize DHCP broadcast messages when they hit the switch and, rather
than sending them to all the hosts on the switch, they can relay
those directly to the DHCP server. This is a nice mitigation strategy
to prevent the use of DHCP broadcasts for fingerprinting. In addition,
you can use some of the built-in features on these switches to prevent
unauthorized DHCP servers from working on your network.
--
Dave Hull
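The DISCOVER/OFFER/REQUEST exchange described in the post above, as an added example (Python, not code from the original post or from the ISC server): two servers both answer a broadcast DISCOVER, the client's REQUEST carries the requested address (option 50) and the server identifier (option 54) taken from the OFFER it chose, and only the named server commits the lease to its storage. The message layout is simplified to the yiaddr header field plus the option field (option codes and the magic cookie are the real RFC 2132 values; the rest of the fixed header is omitted), and the server addresses and pools are constructed sample values.

```python
import ipaddress

DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # option 53 values (RFC 2132)
COOKIE = b"\x63\x82\x53\x63"                 # magic cookie before options

def encode(yiaddr, opts):
    """Simplified message: yiaddr header field + TLV options, 0xFF-terminated."""
    body = COOKIE
    for code, value in opts.items():
        body += bytes([code, len(value)]) + value
    return ipaddress.IPv4Address(yiaddr).packed + body + b"\xff"

def decode(data):
    """Inverse of encode(); returns (yiaddr, {code: bytes})."""
    yiaddr = str(ipaddress.IPv4Address(data[:4]))
    assert data[4:8] == COOKIE, "missing DHCP magic cookie"
    opts, i = {}, 8
    while data[i] != 0xFF:
        if data[i] == 0:             # pad option carries no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return yiaddr, opts

class Server:
    def __init__(self, ident, pool):   # ident/pool: constructed sample values
        self.ident = ipaddress.IPv4Address(ident).packed
        self.pool = list(pool)
        self.leases = {}             # the "persistent storage" of the post

    def on_discover(self, chaddr):
        # Any server hearing the broadcast may answer with an OFFER.
        return encode(self.pool[0], {53: bytes([OFFER]), 54: self.ident})

    def on_request(self, chaddr, raw):
        _, opts = decode(raw)
        if opts.get(54) != self.ident:
            return None              # REQUEST names another server: no commit
        addr = str(ipaddress.IPv4Address(opts[50]))
        self.pool.remove(addr)
        self.leases[chaddr] = addr
        return encode(addr, {53: bytes([ACK]), 54: self.ident})

def run_exchange(servers, chaddr, choose):
    """Client: broadcast DISCOVER, pick one OFFER, broadcast REQUEST."""
    offers = [decode(s.on_discover(chaddr)) for s in servers]
    yiaddr, opts = choose(offers)
    req = encode("0.0.0.0", {53: bytes([REQUEST]),
                             50: ipaddress.IPv4Address(yiaddr).packed, 54: opts[54]})
    return [s.on_request(chaddr, req) is not None for s in servers]
```

The returned list records which servers committed; with two servers and a client that picks the second offer, only the second entry is True.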