Lecture 2.1 Gluing IP with Ethernet: ARP and related security issues
Transcript of Lecture 2.1 Gluing IP with Ethernet: ARP and related security issues
Giuseppe Bianchi

Lecture 2.1
Gluing IP with Ethernet
ARP and related security issues
IP addresses (review)
• 32 bit string
  • Bit-wise notation: the natural notation
  • Dotted notation: 4 x 8 bits, each 8-bit group written as an integer in 0..255; intended for humans
• Address structure
  • Network address + host number, identified by a netmask
    » e.g. 255.255.252.0, or equivalently the network prefix /22
  • The address belongs to the network whose IP is: IPaddr & netmask

Example:
  10010011101000110001011010000010
  10010011 . 10100011 . 00010110 . 10000010
  147 . 163 . 22 . 130

  10010011.10100011.00010110.10000010   (address)
  11111111.11111111.11111100.00000000   (/22 network prefix)
  Net: 10010011.10100011.00010100.00000000
  Net: 147.163.20.0/22
NetAddress computation (Masking)
Local host interface: 147.163.21.9
  10010011.10100011.00010101.00001001
Netmask: 255.255.248.0 (/21)
  11111111.11111111.11111000.00000000
NetAddress computation: bit-wise AND, (IP_addr)&(netmask)
  10010011.10100011.00010000.00000000
On which network is the host connected? (needs the externally provided netmask)
Result: host is on network 147.163.16.0/21
Another example
• IP address 147.163.22.130
• Network prefix: /22 (equivalently: 255.255.252.0)
• It is an IP address for a HOST
  • Simple: not all 0's in the host part
• It belongs to network 147.163.20.0/22
  • Simple: just set 0's in the host part
  10010011.10100011.00010110.10000010   (address)
  11111111.11111111.11111100.00000000   (netmask)
  10010011.10100011.00010100.00000000   (network)
Three types of IP addresses: host, network, broadcast
• Network: all 0's in the host address
• Broadcast: all 1's in the host address
• Host: otherwise
• TEST:
  • 147.163.0.128 (prefix: /26): Network? Host? Broadcast?
  • 147.163.14.3 (prefix: /30): Network? Host? Broadcast?
  • 174.163.20.255 (prefix: /22): Network? Host? Broadcast?
Think in binary! And everything becomes trivial...
Routing a Packet (direct forwarding)
• Route a packet to 147.163.22.130
• Starting from interface 147.163.21.9
• With network mask 255.255.252.0
Local host interface: 147.163.21.9
  10010011.10100011.00010101.00001001
Destination IP address: 147.163.22.130
  10010011.10100011.00010110.10000010
Netmask: 255.255.252.0
  11111111.11111111.11111100.00000000
Bitwise AND of either address with the netmask:
  10010011.10100011.00010100.00000000 = 147.163.20.0/22
Local interface and destination address are on the same network!!
=> We may give the packet to the datalink network for delivery
Going through a Router (indirect forwarding)
• At least one router on the network
• Local router IP interface: destination for all packets addressed outside the local physical network
Figure: host 160.80.82.29 on network 160.80.80.0/21 (netmask 255.255.248.0) with local router interface 160.80.80.1; destination 160.80.99.1.
  (160.80.99.1)&(255.255.248.0) = 160.80.96.0
  != 160.80.80.0 (not on this net!)
  Send to 160.80.80.1: he knows more...
Routing table lookup
Figure: routers R1, R2, R3 with interfaces 132.43.3.5, 132.43.0.6, 208.0.1.12, 208.0.1.7; networks 132.43.0.0, 208.0.1.0, 10.0.0.0 (10.12.1.32), 193.33.9.0, 208.0.2.0 (208.0.2.8), 208.1.1.0, and "other nets".

R2 routing table
  Dest net     /mask   Next Hop
  132.43.0.0   /16     Direct forward
  208.0.1.0    /24     Direct forward
  10.0.0.0     /8      132.43.3.5
  208.0.2.0    /24     208.0.1.7
  193.33.9.0   /24     208.0.1.7
  208.1.1.0    /24     132.43.3.5
  default              132.43.3.5

Lookup? IP dest: 208.1.1.14
  for (rows in rtab): IP_dest&mask == dest_net?
  Found: 208.1.1.0 -> goto 132.43.3.5
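Added worked example, not from the lecture: the masking, address classification and routing-table lookup of the slides above, in Python. Function names are mine; R2_RTAB is the R2 routing table from the slide, and the lookup generalises the slide's first-match loop to the longest-prefix match a real router performs.

```python
# Added example (not from the lecture): IPv4 masking, address classification
# and routing table lookup, using the addresses and the R2 routing table from
# the slides. The lookup goes beyond the slide's first-match loop by picking
# the longest matching prefix, which is what real routers do.
from ipaddress import IPv4Address


def net_address(ip: str, prefix: int) -> str:
    """Network address = IP & netmask, e.g. 147.163.22.130/22 -> 147.163.20.0."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(IPv4Address(int(IPv4Address(ip)) & mask))


def classify(ip: str, prefix: int) -> str:
    """'network', 'broadcast' or 'host', decided on the host bits only."""
    host_bits = 32 - prefix
    host_part = int(IPv4Address(ip)) & ((1 << host_bits) - 1)
    if host_part == 0:
        return "network"
    if host_part == (1 << host_bits) - 1:
        return "broadcast"
    return "host"


def same_network(ip_a: str, ip_b: str, prefix: int) -> bool:
    """Direct-forwarding test: both addresses share the network part."""
    return net_address(ip_a, prefix) == net_address(ip_b, prefix)


# R2 routing table from the slide: (dest net, prefix length, next hop).
# "direct" means deliver on the local datalink; /0 is the default route.
R2_RTAB = [
    ("132.43.0.0", 16, "direct"),
    ("208.0.1.0", 24, "direct"),
    ("10.0.0.0", 8, "132.43.3.5"),
    ("208.0.2.0", 24, "208.0.1.7"),
    ("193.33.9.0", 24, "208.0.1.7"),
    ("208.1.1.0", 24, "132.43.3.5"),
    ("0.0.0.0", 0, "132.43.3.5"),   # default
]


def lookup(rtab, dest: str):
    """Longest-prefix match: returns (matched net, prefix, next hop)."""
    best = None
    for net, plen, hop in rtab:
        # A row matches when dest & mask equals the row's destination net.
        if net_address(dest, plen) == net and (best is None or plen > best[1]):
            best = (net, plen, hop)
    return best


if __name__ == "__main__":
    for ip, plen in (("147.163.0.128", 26), ("147.163.14.3", 30), ("174.163.20.255", 22)):
        print(ip, f"/{plen}", "->", classify(ip, plen))
    print("208.1.1.14 ->", lookup(R2_RTAB, "208.1.1.14"))
```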
route print (DOS, unix): shows the routing table of your PC
(remember: your PC is a simple IP router)
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.163.57.1 10.163.57.77 1
10.163.57.0 255.255.255.0 10.163.57.77 10.163.57.77 1
10.163.57.77 255.255.255.255 127.0.0.1 127.0.0.1 1
10.255.255.255 255.255.255.255 10.163.57.77 10.163.57.77 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 224.0.0.0 10.163.57.77 10.163.57.77 1
255.255.255.255 255.255.255.255 10.163.57.77 10.163.57.77 1
Default Gateway: 10.163.57.1
===========================================================================

Forwarding a Packet
Address Resolution Protocol (ARP)
RFC 826
Basic concepts summarized in RFC 1180, section 4
Problem statement
• Routing decision for packet X taken:
  • You have arrived at the final network: go directly to host X
  • You have NOT arrived: go through router interface Y
• Routing decision result: an IP address on THIS network
• Problem: how can we send data to that interface?
  • Need to use the physical network facilities!
• Three issues:
  • Encapsulate the packet in a datalink frame
  • Deliver according to the local networking technology (e.g. Ethernet)
  • Send the frame to the destination
    » which is NOT an IP address, but a hardware address!
Address Resolution Protocol
ARP: 32 bit IP address -> 48 bit Ethernet address; RARP: the reverse mapping
ARP: RFC 826. Here described for Ethernet, but valid for more general networks: designed for any datalink with broadcast capabilities
• Dynamic mapping
  • not a concern for applications & users
  • not a concern for the system administrator!
• Any network layer protocol
  • not IP-specific
  • a supported protocol in the datalink layer
  • not a datalink layer protocol!!!!
• Needs a datalink with broadcasting capability
  • e.g. Ethernet shared bus
• Note: ARP is NOT STRICTLY NECESSARY!
  • May have a manual IP -> MAC mapping: tedious, error prone, requires manual updating
    » e.g. when attaching a new PC you must touch all the others
ARP idea
Figure: hosts 131.175.15.8, 131.175.15.12 and 131.175.15.124 on a shared network. "Who has IP address 131.175.15.124??" "Not me!" "It's me! I have 0:0:a2:32:5a:3"
• Send a broadcast request
• Receive a unicast response
ARP request/reply: encapsulation in an Ethernet frame
  Ethernet destination address (6 bytes) | Ethernet source address (6 bytes) | frame type (2 bytes) | ARP request/reply (28 bytes for IP) | CRC (4 bytes)
• Ethernet destination address: ff:ff:ff:ff:ff:ff (broadcast) for an ARP request
• Ethernet source address: of the ARP requester
• Frame type (protocol demultiplexing codes!)
  • ARP request/reply: 0x0806
  • RARP request/reply: 0x8035
  • IP datagram: 0x0800
ARP request/reply format (28 bytes)
  0              7 8             15 16                            31
  Hardware Type                    | Protocol Type
  Hardware len   | Protocol len    | ARP operation
  Sender MAC address (bytes 0-3)
  Sender MAC address (bytes 4-5)   | Sender IP address (bytes 0-1)
  Sender IP address (bytes 2-3)    | Dest MAC address (bytes 0-1)
  Dest MAC address (bytes 2-5)
  Dest IP address (bytes 0-3)
• Hardware type: 1 for Ethernet
• Protocol type: 0x0800 for IP (0000.1000.0000.0000)
  • the same as the Ethernet header field carrying an IP datagram!
• Hardware len = 6 (bytes) for Ethernet
• Protocol len = 4 (bytes) for IP
• ARP operation: 1=request; 2=reply; 3/4=RARP request/reply
Sample ARP request/reply
Hosts: IP 131.175.15.8 with MAC 0:0:8c:3d:54:1, and IP 131.175.15.24 with MAC 0:4f:33:3:ee:67

Ethernet packet: ARP REQUEST
  dest MAC:            FF:FF:FF:FF:FF:FF
  src MAC:             00:00:8c:3d:54:01
  ARP frame type:      0x0806
  Ethernet / IP:       0x0001 0x0800
  MAC=6 / IP=4:        0x06 0x04
  rq=1:                0x0001
  src MAC:             00:00:8c:3d:54:01
  src IP:              131.175.15.8
  dest MAC:            00:00:00:00:00:00
  dest IP:             131.175.15.24
  Ethernet checksum

Ethernet packet: ARP REPLY
  dest MAC:            00:00:8c:3d:54:01
  src MAC:             00:4f:33:03:ee:67
  ARP frame type:      0x0806
  Ethernet / IP:       0x0001 0x0800
  MAC=6 / IP=4:        0x06 0x04
  rpl=2:               0x0002
  src MAC:             00:4f:33:03:ee:67
  src IP:              131.175.15.24
  dest MAC:            00:00:8c:3d:54:01
  dest IP:             131.175.15.8
  Ethernet checksum
ARP cache
• Avoids an ARP request for every IP datagram!
• Entry lifetime defaults to 20 min: deleted if not used within this time
  • 3 minutes for "incomplete" cache entries (i.e. ARP requests to a non-existent host)
  • it may be changed in some implementations
    » in particularly stable (or dynamic) environments
• arp -a displays all cache entries
C:\Documents and Settings\Giuseppe>arp -a
Interfaccia: 160.80.82.29 --- 0x2
Indirizzo Internet Indirizzo fisico Tipo
160.80.80.1 00-b0-8e-31-64-54 dinamico
160.80.81.106 00-c0-f0-3c-32-42 dinamico
160.80.82.1 00-b0-8e-31-64-54 dinamico
160.80.88.207 00-03-93-ba-fd-a0 dinamico

Test: ARP caching
Try a traceroute or ping to check ARP caching!
• The first packet generally delays more
  • it includes an ARP request/reply!
C:\Documents and Settings\Giuseppe>ping 160.80.80.2
Esecuzione di Ping 160.80.80.2 con 32 byte di dati:
Risposta da 160.80.80.2: byte=32 durata=1ms TTL=64
Risposta da 160.80.80.2: byte=32 durata<1ms TTL=64
Risposta da 160.80.80.2: byte=32 durata<1ms TTL=64
Risposta da 160.80.80.2: byte=32 durata<1ms TTL=64
Statistiche Ping per 160.80.80.2:
Pacchetti: Trasmessi = 4, Ricevuti = 4, Persi = 0 (0% persi),
Tempo approssimativo percorsi andata/ritorno in millisecondi:
Minimo = 0ms, Massimo = 1ms, Medio = 0ms

ARP cache updating
• ARP requests carry the requestor IP/MAC pair
• ARP requests are broadcast
  • thus, they MUST be read by everyone
• Therefore, it comes for free, for every computer, to update its cache with the requestor pair
• Cannot do this with ARP replies, as they are unicast!
Proxy ARP (RFC 1027)
• Device that responds to an ARP request on behalf of some other machine
• Allows having ONE logical (IP) network composed of more physical networks
• Especially important when different technologies are used (e.g. 100 PC Ethernet + 2 PC dialup SLIP)
Figure: an ARP request for 131.175.15.24 (a host on the remote physical network) is answered by the router on behalf of 131.175.15.24: the ARP reply returns the router MAC address! Then the router will forward the packets to the remote host.
Gratuitous ARP
• ARP request issued by an IP address and addressed to the same IP address!!
• Clearly nobody other than ME can answer!
• WHY ask the network which MAC address I have???
• Two main reasons:
  • determine if another host is configured with the same IP address
    » in this case a response occurs, and the MAC address of the duplicated IP address is known.
  • use gratuitous ARP when the hardware address has just changed
    » all other hosts update their cache entries!
• A problem is that, despite being specified in the RFC, not all ARP cache implementations operate as described...
ARP: not only this mechanism!
• The described mechanism is for broadcast networks (e.g. based on shared media)
• Not applicable to non-broadcast networks
  • in this case OTHER ARP protocols are used
  • e.g. distributed ARP servers
  • e.g. algorithms to map the IP address into the network address
Security issues in Switched LANs

Switch vs hub security
Some people say: "Switches are more secure than hubs"
• An unsupported "legend"
• Motivated by the fact that
  • a malicious user may sniff hub traffic: it is broadcast on all ports
  • while he cannot sniff switched traffic: it is forwarded only on the proper destination port
Figure: a sniffer attached to a switch port. "???"
The truth: switched LANs remain extremely vulnerable to attacks!!
ARP weaknesses
• ARP maps an IP address into a reachable MAC address
• ARP does not involve any authentication mechanism
• ARP replies are considered trustable
• Many OSs do accept unsolicited ARP replies
  • i.e. not only the ones following an ARP request
• Vulnerable OSs: Windows 95-98-2000-NT-XP, Linux
• Non (or better: less) vulnerable OSs: Sun Solaris
ARP Poisoning
Figure: attacker 160.80.80.100 (MAC 0044-5511-2222), Victim 1 160.80.80.10 (MAC 0044-5511-1111) and Victim 2 160.80.80.11 (MAC 0044-5511-3333) on the same switch. The attacker tells Victim 1 "I am 160.80.80.11, MAC 0044-5511-2222" and Victim 2 "I am 160.80.80.10, MAC 0044-5511-2222".
  Victim 1, arp -a: 160.80.80.11 0044-5511-2222
  Victim 2, arp -a: 160.80.80.10 0044-5511-2222
"Poison" the ARP cache of the victims: make them believe the hacker MAC is associated with the destination IP
1. (against dumb OSs): spoof ARP replies
2. (against smart OSs): spoof an ICMP packet to solicit an ARP request; immediately after, spoof the ARP reply
Attacker: safer (!!) on a switched LAN (only the victims see the ARP replies) rather than on a HUB (a monitoring computer might get alerted)
Result: Man In The Middle attack!!
Figure: the attacker 160.80.80.100 (MAC 0044-5511-2222, IP forwarding enabled) sniffs & forwards (but may tamper, etc) between Victim 1 160.80.80.10 (0044-5511-1111) and Victim 2 160.80.80.11 (0044-5511-3333). Victim 1 sends IP.DST=160.80.80.11 to MAC 0044-5511-2222; the attacker re-sends IP.DST=160.80.80.11 to MAC 0044-5511-3333.
  Victim 1, arp -a: 160.80.80.11 0044-5511-2222
  Victim 2, arp -a: 160.80.80.10 0044-5511-2222
How to enable TCP/IP forwarding in Windows XP:
http://support.microsoft.com/default.aspx?scid=kb;en-us;315236&Product=winxp
Once in the middle, MANY things can be done...
Defense against ARP poisoning: static ARP (note: other defenses available)
arp -a
  Indirizzo Internet Indirizzo fisico Tipo
  160.80.80.1 00-b0-8e-31-64-54 dinamico
arp -s 160.80.80.1 00-b0-8e-31-64-54
arp -a
  Indirizzo Internet Indirizzo fisico Tipo
  160.80.80.1 00-b0-8e-31-64-54 statico
If you have Windows, consider that this works only for XP!!
BUG in win9x and win2000: static = persistent (never expires but can be modified) ☺
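Added example, not part of the lecture: it builds the exact Ethernet/ARP frames of the "Sample ARP request/reply" slide, parses them back, and runs a passive cache monitor that reports the two symptoms of the poisoning described above (a reply nobody asked for, and an IP whose MAC changes; the second check also catches the solicited variant used against "smart OSs"). All function and class names are mine, and the forged reply with attacker MAC 00:44:55:11:22:22 is constructed traffic, not a capture.

```python
# Added example (not from the lecture): build/parse Ethernet+ARP frames as laid
# out on the slides and watch them with a small ARP-cache monitor. Constructed
# sample traffic only; the attacker MAC 00:44:55:11:22:22 is made up.
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_frame(op, src_mac, src_ip, dst_mac, dst_ip, eth_dst=None) -> bytes:
    """14-byte Ethernet header + 28-byte ARP body (hw type 1, proto 0x0800)."""
    eth_dst = eth_dst or (BROADCAST_MAC if op == ARP_REQUEST else dst_mac)
    eth = mac_bytes(eth_dst) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(src_mac), IPv4Address(src_ip).packed,
                      mac_bytes(dst_mac), IPv4Address(dst_ip).packed)
    return eth + arp   # the 4-byte CRC is appended by the NIC, not built here


def parse_arp_frame(frame: bytes) -> dict:
    """Decode the fields shown on the slide; raises ValueError on non-ARP input."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{etype:04x}")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    return {"eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "op": op,
            "sender_mac": mac_str(sha), "sender_ip": str(IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(IPv4Address(tpa))}


class ArpMonitor:
    """Passive observer: learns IP->MAC from requests (as every host does),
    remembers which IPs were asked for, and reports anomalies in replies."""

    def __init__(self):
        self.table = {}       # ip -> mac learned from traffic
        self.pending = set()  # target IPs of requests seen but not yet answered

    def observe(self, frame: bytes) -> list:
        a = parse_arp_frame(frame)
        alerts = []
        if a["op"] == ARP_REQUEST:
            self.pending.add(a["target_ip"])
            self._learn(a["sender_ip"], a["sender_mac"], alerts)
        elif a["op"] == ARP_REPLY:
            if a["sender_ip"] not in self.pending:
                alerts.append(f"unsolicited reply for {a['sender_ip']} from {a['sender_mac']}")
            self.pending.discard(a["sender_ip"])
            if a["sender_mac"] != a["eth_src"]:
                alerts.append(f"ARP sender {a['sender_mac']} differs from Ethernet source {a['eth_src']}")
            self._learn(a["sender_ip"], a["sender_mac"], alerts)
        return alerts

    def _learn(self, ip, mac, alerts):
        old = self.table.get(ip)
        if old is not None and old != mac:
            alerts.append(f"{ip} changed from {old} to {mac}: possible ARP poisoning")
        self.table[ip] = mac


def demo() -> dict:
    """Replay the slide's request/reply, then one constructed forged reply."""
    mon = ArpMonitor()
    req = build_arp_frame(ARP_REQUEST, "00:00:8c:3d:54:01", "131.175.15.8",
                          "00:00:00:00:00:00", "131.175.15.24")
    rep = build_arp_frame(ARP_REPLY, "00:4f:33:03:ee:67", "131.175.15.24",
                          "00:00:8c:3d:54:01", "131.175.15.8")
    forged = build_arp_frame(ARP_REPLY, "00:44:55:11:22:22", "131.175.15.24",
                             "00:00:8c:3d:54:01", "131.175.15.8")  # constructed
    return {"request": mon.observe(req), "reply": mon.observe(rep),
            "forged": mon.observe(forged), "table": dict(mon.table)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```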
Port Stealing /1: malicious usage of bridge learning capabilities
Figure: switch with Attacker 160.80.80.100 (0044-5511-2222), Victim 160.80.80.10 (0044-5511-1111) on port P1, and Router 160.80.80.1 (0044-5511-3333).
Forwarding DB:
  0044-5511-1111  P1  13
• Initial situation:
  • the victim is downloading remote information from the router
Port Stealing /2
Figure: same switch; Attacker 160.80.80.100 (0044-5511-2222) on port P2, Victim 160.80.80.10 (0044-5511-1111) on port P1, Router 160.80.80.1 (0044-5511-3333).
Forwarding DB:
  0044-5511-1111  P1  13
  0044-5511-2222  P2  5
• Attack:
  • the attacker sends an Ethernet frame with source address = victim address and destination address = attacker address
    D=0044-5511-2222 S=0044-5511-1111
  • the frame is filtered by the switch (attacker MAC already in the forwarding DB): not visible to others!
Port Stealing /3
Figure: same switch; Attacker 160.80.80.100 (0044-5511-2222), Victim 160.80.80.10 (0044-5511-1111), Router 160.80.80.1 (0044-5511-3333).
Forwarding DB:
  0044-5511-1111  P1  13
  0044-5511-1111  P2  0
  0044-5511-2222  P2  5
• The switch updates its forwarding DB
• Traffic diverted to port P2!
  • the attacker has "stolen" the switch port from the victim
Port Stealing /4
• May now turn into a man in the middle attack: works also with a static-ARPed victim
• After receiving a frame:
  • send a broadcast ARP request to the victim's IP
  • the victim's ARP reply restores the switch port
  • forward the tampered frame
  • re-steal the port and repeat
• Easy to say, much more difficult to do...
  • some frames are lost
  • many ARP requests are disclosed, which may alert
• Probably, the proper application of port stealing is sniffing the initial part of a session: the one which contains passwords ☺
• Defense:
  • "intelligent" switch (with port security functionalities)
  • port security feature example: allow only ONE MAC entry per port
MAC Flooding
• Overloaded switch (forwarding DB full) => "hub" mode: it broadcasts all network traffic to every computer in your network.
• Idea: ARP-poison the switch forwarding DB!
  • by sending a LARGE number of spoofed ARP replies with various SRC/DST addresses
  • public domain tools are capable of O(150.000) MAC entries / min
• While the switch is in "hub" mode, SNIFF!
• Defense
  • port security limits the number of MACs connected to a port
  • when this number overflows, the port goes to shutdown (but many other alternatives are possible on commercial switches)
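Added example, not from the lecture: a minimal learning-switch model that reproduces the forwarding-DB changes of the Port Stealing slides (/1 to /3) and the per-port MAC limit named as the defense against MAC flooding here. The class, its names and the replayed frames are my own construction; the MACs are the ones used on the slides plus constructed flooding sources.

```python
# Added example (not from the lecture): a learning switch whose forwarding DB is
# filled as on the Port Stealing slides, with two port-security checks from the
# defense bullets: a per-port MAC cap (MAC flooding) and an alert when a MAC that
# is still fresh on one port shows up on another (port stealing). Frames are
# constructed; MACs are the slide's ones plus made-up flooding sources.


class LearningSwitch:
    def __init__(self, max_macs_per_port=None, aging=300):
        self.fdb = {}           # mac -> (port, last_seen seconds)
        self.max_macs = max_macs_per_port
        self.aging = aging      # seconds before an entry is forgotten
        self.shutdown = set()   # ports disabled by port security
        self.alerts = []

    def _macs_on(self, port, now):
        return {m for m, (p, t) in self.fdb.items() if p == port and now - t <= self.aging}

    def receive(self, port, src, dst, now):
        """Learn src on `port`, then decide where dst goes.
        Returns output ports; ["flood"] means every port but the ingress one."""
        if port in self.shutdown:
            return []
        known = self.fdb.get(src)
        if known and known[0] != port and now - known[1] <= self.aging:
            self.alerts.append(f"{src} moved from {known[0]} to {port}: possible port stealing")
        if self.max_macs is not None and src not in self._macs_on(port, now):
            if len(self._macs_on(port, now)) >= self.max_macs:
                self.shutdown.add(port)
                self.alerts.append(f"{port}: MAC limit {self.max_macs} exceeded, port shut down")
                return []
        self.fdb[src] = (port, now)            # bridge learning: src is behind `port`
        entry = self.fdb.get(dst)
        if dst == "ff-ff-ff-ff-ff-ff" or entry is None or now - entry[1] > self.aging:
            return ["flood"]                   # unknown or broadcast: behave like a hub
        return [] if entry[0] == port else [entry[0]]   # same port: frame filtered


def port_stealing_replay():
    """Slides /1 to /3: victim learned on P1, attacker forges S=victim on P2."""
    sw = LearningSwitch()
    sw.receive("P1", "0044-5511-1111", "0044-5511-3333", now=0)    # victim -> router
    sw.receive("P2", "0044-5511-2222", "0044-5511-3333", now=8)    # attacker's own traffic
    filtered = sw.receive("P2", "0044-5511-1111", "0044-5511-2222", now=13)  # forged frame
    router_to_victim = sw.receive("P3", "0044-5511-3333", "0044-5511-1111", now=14)
    return filtered, router_to_victim, sw.fdb["0044-5511-1111"][0], sw.alerts


def flooding_replay(n=20):
    """n forged source MACs from P2, with and without a 1-MAC port limit."""
    protected = LearningSwitch(max_macs_per_port=1)
    protected.receive("P1", "0044-5511-1111", "0044-5511-3333", now=0)
    plain = LearningSwitch()
    for i in range(n):   # constructed flooding sources, all arriving on P2
        fake = f"00-44-55-11-aa-{i:02x}"
        protected.receive("P2", fake, "0044-5511-3333", now=i)
        plain.receive("P2", fake, "0044-5511-3333", now=i)
    return "P2" in protected.shutdown, len(protected.fdb), len(plain.fdb), protected.alerts[-1]


if __name__ == "__main__":
    print(port_stealing_replay())
    print(flooding_replay())
```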

Remember to mention:
• DNS spoofing
• DHCP spoofing
• ICMP redirect
• How to do ARP poisoning on Solaris (ICMP echo request)
Lecture 2.2
Getting an IP address
RARP/BOOTP/DHCP

Getting an IP address: Reverse Address Resolution Protocol (RARP)
The problem
• Bootstrapping a diskless terminal
  • this was the original problem in the 70s and 80s
  • Reverse ARP [RFC 903]: a way to obtain an IP address starting from the MAC address
• Today's problem: dynamic IP address assignment
  • limited pool of addresses, assigned only when needed
  • RARP not sufficiently general for modern usage
  • BOOTP (Bootstrap Protocol, RFC 951): significant changes to RARP (a different approach)
  • DHCP (Dynamic Host Configuration Protocol, RFC 1541): extends and replaces BOOTP
RARP packet format: almost identical to ARP. Differences:
  Dest addr (6 bytes) | Src addr (6 bytes) | ftyp: 0x8035 (2B) | RARP Request / Reply (28 bytes for IP) | CRC (4 bytes)
  0              7 8             15 16                            31
  Hardware Type                    | Protocol Type
  Hardware len   | Protocol len    | oper: 3 (RARP req) or 4 (RARP reply)
  Sender MAC address (bytes 0-3)
  Sender MAC address (bytes 4-5)   | Sender IP address (bytes 0-1)
  Sender IP address (bytes 2-3)    | Dest MAC address (bytes 0-1)
  Dest MAC address (bytes 2-5)
  Dest IP address (bytes 0-3)
RARP request/reply
Figure: a host with MAC = 0:0:8c:3d:54:1 and IP = ???? broadcasts the request "My MAC address is 0:0:8c:3d:54:1. What is my IP address??"; the RARP server answers with a unicast reply "Your IP is 131.175.21.53".
RARP limits
• Network traffic
  • for reliability, multiple RARP servers need to be configured on the same Ethernet, to allow bootstrap of terminals even when one server is down
  • but this implies that ALL servers simultaneously respond to a RARP request: contention on the Ethernet occurs
• RARP requests are not forwarded by routers
  • being hardware level broadcasts...
• Allows only retrieving the IP address information
  • and what about the remaining full set of TCP/IP configuration parameters??? Netmask? Names of servers, proxies, etc.? Other proprietary/vendor/ISP-specific info?
• This is the main reason that has driven the engineering and use of BOOTP and DHCP
Getting an IP address: Dynamic Host Configuration Protocol (DHCP)
Material taken from: RFC 2131, RFC 2132, RFC 1542
BOOTP/DHCP approach
• Client/Server model
• Requests/Replies = UDP datagrams
  • destination IP = 255.255.255.255
  • source IP = 0.0.0.0
  • destination (server) port: UDP 67
  • source (client) port: UDP 68
• To cross routers
• No longer dependent on the physical medium
• DHCP = evolution of BOOTP
  • Advanced capabilities for reusing network addresses
  • Additional configuration options
  • Same BOOTP message format, but more space for configuration information
    » 312 bytes options field vs 64 bytes vendor-extensions field
  • Backward compatible with BOOTP
DHCP basics
• Goal: host "full" configuration
  • Assign IP address
  • Assign subnet mask
  • Assign gateway IP address
  • Assign DNS server
  • Assign SMTP server
  • Assign <xxx> server
  • ... assign vendor-extensions (provider-specific) configuration parameters ...
• Two basic components
  • A protocol: to deliver host-specific configuration parameters
    » same BOOTP message format
  • A database mechanism: to manage the allocation of a pool of IP addresses to hosts
Managing IP addresses
• Three mechanisms for IP address allocation
  • Automatic allocation: permanent (random) IP address
  • Dynamic allocation (lease): IP assigned for a limited period of time
    » or until the host explicitly relinquishes the address
    » whenever possible, DHCP tries to reassign the same IP
  • Manual allocation: permanent (static) IP address
    » assigned by a human network administrator
    » DHCP is just used to convey it to the host
    » eliminates error-prone manual configuration
• DHCP may coexist with manually configured hosts
Figure: a DHCP server holding a database of addresses (IP Address1, IP Address2, IP Address3) hands out IP Address2 and IP Address1 to two DHCP clients.
Protocol basics: 4-way handshake
  DHCP Client -> DHCP Server: 1. Discover
  DHCP Server -> DHCP Client: 2. Offer
  DHCP Client -> DHCP Server: 3. Request
  DHCP Server -> DHCP Client: 4. Ack
  (DHCP DATABASE on the server: MAC addr - IP addr - lease time)
• Terminology:
  • DHCP client: host requesting configuration parameters using DHCP
  • DHCP server: host returning configuration parameters to DHCP clients.
  • Binding: collection of configuration parameters, including at least an IP address, associated with or "bound to" a DHCP client. Bindings are managed by DHCP servers.
Works with multiple DHCP servers (needed for reliability)
Figure: the client broadcasts DHCPDISCOVER to both servers; each server answers with a DHCPOFFER; the client broadcasts DHCPREQUEST (received by both servers); the selected server answers with DHCPACK; at the end the client sends DHCPRELEASE.
1) DHCP DISCOVER
Figure: the DHCP client (hardware address = 0800F10100EE) broadcasts a DHCPDISCOVER towards the DHCP server.
  IP header: IP.src = 0.0.0.0, IP.dst = 255.255.255.255
  DHCP: client identification, options
• IP.src = 0.0.0.0: no address assigned yet!
• Broadcast request: server IP not known
• Client identification: hardware address (MAC) or a unique client identifier (may differ)
• Discover may include options, e.g. desired IP address, lease time
2) DHCP OFFER
Figure: after the DHCPDISCOVER (IP.src = 0.0.0.0, IP.dst = 255.255.255.255, hardware address = 0800F10100EE), the DHCP server answers with:
  DHCPOFFER
  IP.src = 131.107.3.24
  IP.dst = 255.255.255.255
  Offered IP address = 131.107.8.13
  Client hardware address = 0800...
  Subnet mask = 255.255.255.0
  Length of lease = 72 hours
  Server identifier = 131.107.3.24
• Broadcast response: the host has no IP address (but if unicast is possible, better)
• The host can recognize its offer from the internal client identification (HWaddr, client_id)
3) DHCP REQUEST
  DHCPREQUEST (client -> server)
  Source IP address = 0.0.0.0
  Dest. IP address = 255.255.255.255
  Hardware address = 0800F10100EE
  Requested IP address = 131.107.8.13
  Server identifier = 131.107.3.24
• Includes the chosen server identifier, to deal with multiple DHCP servers
• Includes the accepted IP address
• Broadcast request, to alert the NON selected DHCP servers (decline their offer)
4) DHCP ACK
  DHCPREQUEST (client -> server)
  Source IP address = 0.0.0.0
  Dest. IP address = 255.255.255.255
  Hardware address = 0800F10100EE
  Requested IP address = 131.107.8.13
  Server identifier = 131.107.3.24

  DHCPACK (server -> client)
  Source IP address = 131.107.3.24
  Dest. IP address = 255.255.255.255
  Offered IP address = 131.107.8.13
  Client hardware address = 0800...
  Subnet mask = 255.255.255.0
  Length of lease = 72 hours
  Server identifier = 131.107.3.24
  (... full configuration ...)
• The server binds the configuration and sends the full config to the client
• Broadcast response: same situation as OFFER (the offered IP address is not yet valid), but if unicast is possible, better
Failure cases
• IP address "bound" to the client only at DHCPACK
  • the IP offered might be bound to someone else meanwhile: not very logical, but permitted
  • if this occurs, the server responds with DHCPNAK
• Further double-checks necessary
  • the client may perform ARP to check IP address validity
  • the server may "ping" (ICMP echo request) the address, before and/or after assignment
• If, for any reason, configuration problems are found in the DHCPACK, the client further responds with a DHCPDECLINE message
  • e.g. the client detects that the assigned address is already in use
• Restart the procedure upon DHCPNAK reception or DHCPDECLINE transmission
  • but wait for a while (typically >10s)
DHCP operation
Details and example traces
DHCP message format
  0              7 8             15 16            23 24            31
  operation      | Hardware type  | Hardware len   | hops
  transaction ID (xid)
  Seconds elapsed                 | Flags (bit1=broadcast, other 15 unused)
  Client IP address (ciaddr)
  'Your' (client) IP address (yiaddr)
  DHCP Server IP address (siaddr)
  Gateway (DHCP relay agent) IP address (giaddr)
  Client Hardware address (chaddr, 16 bytes)
  server host name - string (sname, 64 bytes)
  boot file name - string (file, 128 bytes): for bootstrap purposes (BOOTP)
  options (variable, up to 312 bytes)
Size: 548 bytes + 20 (IP) + 8 (UDP) = 576 (max UDP)
DHCP message fields /1
• op = operation (message type)
  • 1 = BOOTREQUEST (C -> S)
  • 2 = BOOTREPLY (S -> C)
• htype/hlen: same as ARP
  • htype: 1 byte only (vs 2 bytes in ARP)
  • Example, Ethernet: htype=0x01 hlen=0x06
• xid = Transaction ID
  • Randomly chosen 32 bit string
  • To match requests/replies
• Seconds
  • From boot time? Or from the first request (see RFC 1542)?
  • Semantically imprecise, and unused in practice
• file = boot file name
  • For bootstrapping purposes
  • May be overloaded with options
• sname = server host name
  • May be overloaded with options
DHCP message fields /2
• hops = used through routers
  • Initially set to 0
• flags = B000.0000.0000.0000
  • B: 1=broadcast reply required; 0=may use unicast reply
  • All other 15 bits reserved (must be set to 0)
• chaddr = Client Hardware Address
  • e.g. Ethernet 6 bytes address
• ciaddr = client IP address
  • Only filled if the client already has an IP address PROPERLY assigned (i.e. in the BOUND, RENEW or REBINDING states)
  • Never filled while address allocation is in progress
• yiaddr = "your" (client) IP address
  • Offered/assigned by the DHCP server
• siaddr = address of the server to use in the next bootstrap
• giaddr = gateway address
  • Relay agent IP address
  • Used when relay agents occur (i.e. crossing routers)
DHCP DISCOVER (decoded trace)
Message type: Boot Request (1)
Hardware type: Ethernet
Hardware address length: 6
Hops: 0
Transaction ID: 0x4612d464
Seconds elapsed: 10
Bootp flags: 0x0000 (Unicast)
  0... .... .... .... = Broadcast flag: Unicast
  .000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 0.0.0.0 (0.0.0.0)
Next server IP address: 0.0.0.0 (0.0.0.0)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Client hardware address: 00:0c:6e:0e:f1:60
Server host name not given
Boot file name not given
Magic cookie: (OK)
Option 53: DHCP Message Type = DHCP Discover
Option 57: Maximum DHCP Message Size = 548
Option 50: Requested IP Address = 10.163.57.124
Option 51: IP Address Lease Time = infinity
Option 55: Parameter Request List
  1 = Subnet Mask
  3 = Router
  6 = Domain Name Server
  12 = Host Name
  15 = Domain Name
  17 = Root Path
  23 = Default IP Time-to-Live
  28 = Broadcast Address
  29 = Perform Mask Discovery
  31 = Perform Router Discover
  33 = Static Route
  40 = Network Information Service Domain
  41 = Network Information Service Servers
  42 = Network Time Protocol Servers
Option 60: Vendor class identifier = "Linux 2.4.22-acpi i686"
Option 61: Client identifier
  Hardware type: Ethernet
  Client hardware address: 00:0c:6e:0e:f1:60
End Option
Padding
DHCP OFFER (decoded trace)
Message type: Boot Reply (2)
Hardware type: Ethernet
Hardware address length: 6
Hops: 0
Transaction ID: 0x4612d464
Seconds elapsed: 10
Bootp flags: 0x0000 (Unicast)
  0... .... .... .... = Broadcast flag: Unicast
  .000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 192.168.100.18 (192.168.100.18)
Next server IP address: 192.168.100.1 (192.168.100.1)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Client hardware address: 00:0c:6e:0e:f1:60
Server host name not given
Boot file name not given
Magic cookie: (OK)
Option 53: DHCP Message Type = DHCP Offer
Option 54: Server Identifier = 192.168.100.1
Option 51: IP Address Lease Time = 2 minutes
Option 1: Subnet Mask = 255.255.255.0
Option 3: Router = 192.168.100.1
Option 6: Domain Name Server = 192.168.100.1
Option 15: Domain Name = "prova.it"
End Option
Padding
DHCP REQUEST (decoded trace)
Message type: Boot Request (1)
Hardware type: Ethernet
Hardware address length: 6
Hops: 0
Transaction ID: 0x4612d464
Seconds elapsed: 10
Bootp flags: 0x0000 (Unicast)
  0... .... .... .... = Broadcast flag: Unicast
  .000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 0.0.0.0 (0.0.0.0)
Next server IP address: 0.0.0.0 (0.0.0.0)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Client hardware address: 00:0c:6e:0e:f1:60
Server host name not given
Boot file name not given
Magic cookie: (OK)
Option 53: DHCP Message Type = DHCP Request
Option 57: Maximum DHCP Message Size = 548
Option 54: Server Identifier = 192.168.100.1
Option 50: Requested IP Address = 192.168.100.18
Option 51: IP Address Lease Time = 2 minutes
Option 55: Parameter Request List
  1 = Subnet Mask
  3 = Router
  6 = Domain Name Server
  12 = Host Name
  15 = Domain Name
  17 = Root Path
  23 = Default IP Time-to-Live
  28 = Broadcast Address
  29 = Perform Mask Discovery
  31 = Perform Router Discover
  33 = Static Route
  40 = Network Information Service Domain
  41 = Network Information Service Servers
  42 = Network Time Protocol Servers
Option 60: Vendor class identifier = "Linux 2.4.22-acpi i686"
Option 61: Client identifier
  Hardware type: Ethernet
  Client hardware address: 00:0c:6e:0e:f1:60
End Option
Padding
DHCP ACK (decoded trace)
Message type: Boot Reply (2)
Hardware type: Ethernet
Hardware address length: 6
Hops: 0
Transaction ID: 0x4612d464
Seconds elapsed: 10
Bootp flags: 0x0000 (Unicast)
  0... .... .... .... = Broadcast flag: Unicast
  .000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 192.168.100.18 (192.168.100.18)
Next server IP address: 192.168.100.1 (192.168.100.1)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Client hardware address: 00:0c:6e:0e:f1:60
Server host name not given
Boot file name not given
Magic cookie: (OK)
Option 53: DHCP Message Type = DHCP ACK
Option 54: Server Identifier = 192.168.100.1
Option 51: IP Address Lease Time = 2 minutes
Option 1: Subnet Mask = 255.255.255.0
Option 3: Router = 192.168.100.1
Option 6: Domain Name Server = 192.168.100.1
Option 15: Domain Name = "prova.it"
End Option
Padding
Options
• First 4 bytes of the option field:
  • Reserved for the "magic cookie": dotted decimal 99.130.83.99, hexadecimal 63.82.53.63
• Fixed length options:
  • Just a 1 byte tag (code)
  • Only two cases: 0 (0x00, PAD) and 255 (0xFF, END of options)
    PAD: 00000000 (1 byte)    END: 11111111 (1 byte)
• Variable length options:
  • 1 byte TAG (code): uniquely identifies the option
  • 1 byte LEN: size of the data field, in bytes
  • LEN bytes of DATA: the parameter exchanged
    Tag (1 byte) | Len (1 byte) | Parameter exchanged
A taste of BOOTP/DHCP options (complete list: RFC 2132)
  Tag  Len  Meaning
  1    4    Subnet mask
  12   n    Host Name
  35   4    ARP cache timeout (s)
  36   1    0/1 (0 = use Ethernet II encapsulation; 1 = use 802.3 encapsulation)
Many others for setting IP and TCP parameters. Some examples:
- TTL to use in IP
- settings for Path MTU Discovery (aging time; plateau table)
- static routes (IPaddr - Gateway) to add to the local routing table
BOOTP/DHCP options for various server selections
  e.g.  6  n  address #1  address #2 ...   (n multiple of 4)
• The network administrator may offer a number of services
  • based on network servers (or gateways)
• Options 3-11 (and many others) list server IP addresses
  • In order of preference
• Examples:
  • 3 = gateways (routers) on the client subnet
  • 4 = time servers
  • 6 = DNS name servers
  • 7 = log servers
  • 8 = RFC 865 cookie servers
  • 9 = RFC 1179 line printer servers
  • ...
  • 41 = Network Information Servers
  • 42 = Network Time Protocol Servers
  • 45 = NetBIOS Datagram Distribution Servers (NBDD, RFC 1000-1001)
  • 48 = X Window System font servers
  • 49 = X Window System Display Manager
  • 68 = Mobile IP home agent
  • 69 = SMTP servers
  • 70 = POP3 servers
VendorVendor--specificspecific optionoption
�Allows DHCP to support any proprietaryconfiguration
�Vendor-specific
�Not intelligible to non-vendor clients and DHCP servers
43 n Vendor-specific information
T1 n1 data1 Tk nk Data k… … … …
�Vendor identification:
�Option 60: vendor class identifier option
�String of n octets
Subset of DHCP-specific options (not BOOTP)

Option                      Code  Len  Data
50: Requested IP Address    50    4    IP address
51: IP Address Lease Time   51    4    Lease time (s)
52: Option overload         52    1    1/2/3
                                        1 = 'file' field used to hold options
                                        2 = 'sname' field used to hold options
                                        3 = both fields used to hold options
53: DHCP Message Type       53    1    1-8
                                        1 = DHCPDISCOVER  2 = DHCPOFFER
                                        3 = DHCPREQUEST   4 = DHCPDECLINE
                                        5 = DHCPACK       6 = DHCPNAK
                                        7 = DHCPRELEASE   8 = DHCPINFORM
54: Server Identifier       54    4    IP address
57: DHCP Max msg size       57    2    L1 L2 (size, >= 576 = IP minimum, i.e. DHCP = 548), which is the minimum legal value
33
Parameter request
- Selective request of configuration parameters
  - Not all clients need all possible parameters (a lot!)
  - Some default configurations may be OK
- Via the "parameter request list" option (#55)
  - N bytes
  - Each byte is a code tag: #code = requested parameter
    - Server will respond with option #code
  - Layout: | 55 | n | c1 | c2 | ... | cn |
- Parameter suggestion possible
  - For the network address: via the 'requested IP address' option
  - For the lease time: via 'IP address lease time'
  - Other (minor) suggestions possible
Client Identifier
- Unique client name
  - May differ from the MAC address
  - Very important extension/generalization!!
- Very general coding allowed through option 61
  - Layout: | 61 | n | type | addr |
  - Type/addr = ARP coding (hardware type / hardware address: full list in RFC 1700)
  - If type = 0, addr = any string (typically, a fully qualified domain name)
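The option field described on the Options slide (magic cookie, PAD/END, tag/len/data), together with the DHCP-specific options, the parameter request list (#55) and the client identifier (#61), as an added Python example that is not part of the lecture. The sample option field is constructed here from the addresses and MAC shown in the slides' captures; parse_options and decode are names chosen for this example.

```python
import ipaddress
import struct

MAGIC_COOKIE = bytes.fromhex("63825363")   # 99.130.83.99 in dotted decimal
PAD, END = 0x00, 0xFF                      # the two fixed-length (tag-only) options
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}

def parse_options(field):
    """Walk the option field: magic cookie, then tag/len/data until END. A LEN that
    runs past the buffer is rejected, not silently truncated: check before decoding."""
    if field[:4] != MAGIC_COOKIE:
        raise ValueError("missing magic cookie")
    opts, i = {}, 4
    while i < len(field):
        tag = field[i]
        if tag == PAD:                    # 0x00: single byte, no length field
            i += 1
            continue
        if tag == END:                    # 0xFF: end of options
            return opts
        length = field[i + 1] if i + 1 < len(field) else len(field)  # missing LEN also fails below
        if i + 2 + length > len(field):
            raise ValueError("option %d runs past the end of the field" % tag)
        opts[tag] = field[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("no END option")

def decode(tag, data):
    """Give meaning to the option codes discussed in the slides."""
    if tag in (1, 3, 6, 50, 54):          # subnet mask, routers, DNS servers, requested IP, server id
        addrs = [str(ipaddress.IPv4Address(data[k:k + 4])) for k in range(0, len(data), 4)]
        return addrs if tag in (3, 6) else addrs[0]   # 3 and 6 are lists, in order of preference
    if tag == 51:                         # lease time: 4 bytes, seconds
        return struct.unpack("!I", data)[0]
    if tag == 53:
        return MSG_TYPES[data[0]]
    if tag == 55:                         # parameter request list: one code per byte
        return list(data)
    if tag == 61:                         # client identifier: type byte, then address or string
        return ("ethernet", data[1:].hex(":")) if data[0] == 1 else ("string", data[1:].decode())
    return data

# Constructed sample (not a capture): option field of a DHCPREQUEST, reusing the slides' addresses/MAC.
SAMPLE = (MAGIC_COOKIE
          + bytes([53, 1, 3])                                      # DHCP Message Type = DHCPREQUEST
          + bytes([54, 4]) + ipaddress.IPv4Address("192.168.100.1").packed
          + bytes([50, 4]) + ipaddress.IPv4Address("192.168.100.18").packed
          + bytes([61, 7, 1]) + bytes.fromhex("000c6e0ef160")      # client id, hardware type 1 (Ethernet)
          + bytes([55, 4, 1, 3, 6, 51]) + bytes([PAD, END]))      # parameter request list; pad; end
```

Calling parse_options(SAMPLE) and decode on each entry yields the message type, server identifier, requested address, client identifier and requested parameter codes; a field whose LEN overruns the buffer raises instead of being accepted.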
34
Reusing a permanent IP address (e.g. reconfigure after system reboot)
[Diagram: the client broadcasts DHCPREQUEST; the servers answer with DHCPACK]
- Client does not have an IP address available
  - Hence broadcast request and broadcast response
  - But it has a requested IP address known from history (to suggest), and a client identifier (unique)
- A configuration is already pre-stored in the DHCP server(s)
  - If in multiple servers, this is consistent
  - Only servers with KNOWLEDGE of the previous configuration will respond: hence multiple responses are consistent
- No need for the 4-way handshake
  - This is how BOOTP worked in the past
- Special failure case: host moved to another subnet
  - Servers return DHCPNAK; at this point the 4-way handshake is restarted
Renewing a lease
- Dynamically allocated client - possible states:
  - BOUND: lease has been obtained
  - RENEWING: T1 = 50% of the lease time has expired (+/- small random offset)
    - Client attempts to contact THE SERVER that originally issued the address
    - Unicast DHCPREQUEST
  - REBINDING: T2 = 87.5% of the lease time has expired (+/- small random offset)
    - Client attempts to contact ALL SERVERS
    - Broadcast DHCPREQUEST
- T1, T2 can be set to other values
  - Via options:
    68: Renewal (T1) Time Value     68  4  T1 setting (s)
    69: Rebinding (T2) Time Value   69  4  T2 setting (s)
35
DHCPREQUEST in renewing state (T1=60sec)
Frame 11 (590 bytes on wire, 590 bytes captured)
Arrival Time: Mar 10, 2004 16:26:23.016035000
Time delta from previous packet: 60.007015000 seconds
IP Source: 192.168.100.18 (192.168.100.18)
IP Destination: 192.168.100.1 (192.168.100.1)
Source port: bootpc (68)
Destination port: bootps (67)
Bootstrap Protocol
Message type: Boot Request (1)
Hardware type: Ethernet
Hardware address length: 6
Hops: 0
Transaction ID: 0xd2e0ab07
Seconds elapsed: 10
Bootp flags: 0x0000 (Unicast)
0... .... .... .... = Broadcast flag: Unicast
.000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 192.168.100.18 (192.168.100.18)
Your (client) IP address: 0.0.0.0 (0.0.0.0)
Next server IP address: 0.0.0.0 (0.0.0.0)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Client hardware address: 00:0c:6e:0e:f1:60
....
Option 53: DHCP Message Type = DHCP Request
....

DHCPACK as response to renewing request
Frame 12 (342 bytes on wire, 342 bytes captured)
Arrival Time: Mar 10, 2004 16:26:23.017271000
Time delta from previous packet: 0.001236000 seconds
IP Source: 192.168.100.1 (192.168.100.1)
IP Destination: 192.168.100.18 (192.168.100.18)
Source port: bootps (67)
Destination port: bootpc (68)
Bootstrap Protocol
Message type: Boot Reply (2)
Hardware type: Ethernet
Hardware address length: 6
Hops: 0
Transaction ID: 0xd2e0ab07
Seconds elapsed: 10
Bootp flags: 0x0000 (Unicast)
0... .... .... .... = Broadcast flag: Unicast
.000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 192.168.100.18 (192.168.100.18)
Your (client) IP address: 192.168.100.18 (192.168.100.18)
Next server IP address: 192.168.100.1 (192.168.100.1)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Client hardware address: 00:0c:6e:0e:f1:60
....
Option 53: DHCP Message Type = DHCP ACK
Option 54: Server Identifier = 192.168.100.1
Option 51: IP Address Lease Time = 2 minutes
....
36
Summary of DHCP messages (basic messages)
- DHCPDISCOVER (C -> S, broadcast)
  - Goal: locate available servers.
- DHCPOFFER (S -> C, unicast or broadcast)
  - In response to DHCPDISCOVER
  - Offer of configuration parameters.
- DHCPREQUEST (C -> S, broadcast; unicast on renew)
  - May come for:
    1. Client responding to an offer: requests the offered parameters from one server and implicitly declines the offers from all others. Contains the server identifier option (54)
    2. Client verifying a previously allocated address (e.g. after system reboot)
    3. Client extending a lease. Contains a valid ciaddr
- DHCPACK (S -> C, unicast or broadcast)
  - Commits configuration parameters
Summary of DHCP messages (failure + additional messages)
- DHCPNAK (S -> C, unicast or broadcast)
  1. Incorrect address request (e.g. client has moved to another subnet)
  2. Client's lease has expired
- DHCPDECLINE (C -> S, broadcast)
  - Client has discovered (via external means) that the address is already in use
  - Notifies the server
- DHCPRELEASE (C -> S, unicast)
  - Not necessary for correct DHCP operation
  - Release of the allocated network address (cancels the remaining lease), e.g. upon graceful shut-down
- DHCPINFORM (C -> S, broadcast)
  - New command (first time in RFC 2131)
  - Client already has a VALID IP, i.e. is NOT checking or renewing a binding
  - Just asks for additional (local) configuration
37
State diagram (simplified)
[Diagram: states INIT, SELECTING, REQUESTING, BOUND, RENEWING, REBINDING, with the following labelled transitions]
- INIT -> SELECTING: send DHCPDISCOVER
- SELECTING -> REQUESTING: collect DHCPOFFER and select; send DHCPREQUEST
- REQUESTING -> BOUND: DHCPACK
- BOUND -> RENEWING: 50% expired; send unicast DHCPREQUEST
- RENEWING -> BOUND: DHCPACK
- RENEWING -> REBINDING: 87.5% expired; send broadcast DHCPREQUEST
- REBINDING -> BOUND: DHCPACK
- BOUND -> INIT: lease cancelled (DHCPRELEASE)
- -> INIT: lease expired or any network halt; DHCPNAK
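The client-side timers of the "Renewing a lease" slide and the transitions of the state diagram, as an added Python example that is not part of the lecture. DhcpLease is a name chosen here; the walk-through uses the 2-minute lease from the captures, so T1 = 60 s and T2 = 105 s, and the random offset on T1/T2 is left out.

```python
class DhcpLease:
    """Client-side lease state: BOUND, RENEWING, REBINDING, INIT (constructed example)."""

    def __init__(self, server_ip, lease_s, now, t1_s=None, t2_s=None):
        self.server_ip = server_ip     # THE server that issued the address
        self.state = "INIT"
        self.on_reply("DHCPACK", now, lease_s, t1_s, t2_s)

    def _set_timers(self, now, lease_s, t1_s, t2_s):
        self.start, self.lease_s = now, lease_s
        # Slide defaults (the +/- small random offset is omitted); a server may override via options.
        self.t1 = t1_s if t1_s is not None else 0.5 * lease_s
        self.t2 = t2_s if t2_s is not None else 0.875 * lease_s

    def tick(self, now):
        """Message the client sends when a timer fires at `now`, or None.
        Retransmissions while waiting inside a state are left out."""
        elapsed = now - self.start
        if elapsed >= self.lease_s and self.state != "INIT":
            self.state = "INIT"             # lease expired: restart the 4-way handshake
            return "broadcast DHCPDISCOVER"
        if elapsed >= self.t2 and self.state in ("BOUND", "RENEWING"):
            self.state = "REBINDING"        # T2: contact ALL servers
            return "broadcast DHCPREQUEST"
        if elapsed >= self.t1 and self.state == "BOUND":
            self.state = "RENEWING"         # T1: contact only the issuing server
            return "unicast DHCPREQUEST to %s" % self.server_ip
        return None

    def on_reply(self, msg_type, now, lease_s=None, t1_s=None, t2_s=None):
        """DHCPACK (re)binds with a fresh lease and timers; DHCPNAK sends the client to INIT."""
        if msg_type == "DHCPACK":
            self._set_timers(now, lease_s if lease_s is not None else self.lease_s, t1_s, t2_s)
            self.state = "BOUND"
        elif msg_type == "DHCPNAK":
            self.state = "INIT"             # e.g. moved to another subnet, or lease expired at the server

if __name__ == "__main__":
    # Constructed walk-through matching the capture: 2-minute lease, so T1 = 60 s and T2 = 105 s.
    lease = DhcpLease("192.168.100.1", 120, now=0)
    for t in (30, 60, 61, 105, 120):
        print(t, lease.state, lease.tick(t))
```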
DHCP operation across routers
38
[Figure: example enterprise network: public Internet, firewall, DMZ router, a DMZ holding a DHCP server, home agent, call server, external WWW/FTP server, external DNS server and forwarder server; a server farm; employees subnet 1 with its own DHCP server; other subnets]
DHCP servers may be placed behind routers
Client of a different subnet: issues
- 1 DHCP server per each subnet: not reasonable
  - Consider the case of a department with several subnets
- Issue 1: broadcast does not cross the subnet scope
  - Broadcast is limited to a single subnet
  - How to allow DHCP requests/replies to cross routers?
- Issue 2: the client address needs to be consistent with the client subnet
  - The address assigned to a client MUST be consistent with the client subnet
39
BOOTP (DHCP) relay agent
- Solution proposed for BOOTP
  - And fully inherited by DHCP
- Typically a router
  - But not necessarily: can be a host
- One relay agent per each subnet
  - Must be reachable via broadcast request
- Relay agent contacts selected DHCP server(s)
  - Relay policy (which servers and why): sysadmin decision
    - Based on address range
    - Based on chaddr
    - Load balancing (requires care with DHCP!)
  - Relay addressing: may be unicast, multicast or broadcast (on selected router interfaces)
[Figure: subnets A, B and C, each served by a relay agent]
Relay agent
- Acts as a proxy
- Intercepts C -> S requests (port 67)
- Modifies the DHCP request
  - Sets giaddr to the IP address of the interface that received the DHCP request
    - Since this interface is on the same subnet as the client, the DHCP server will be able to find out which subnet the client is attached to
  - Updates the hops counter
  - Recomputes the UDP checksum (of course...)
- Forwards the request to the DHCP server(s)
  - Unicast, multicast or broadcast addressing
- S -> C: relays only to end clients
  - No multi-hop allowed
  - The server must use the relay agent address in its replies
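The relay agent's rewrite of the BOOTP fixed header (giaddr and hops) and the two forwarding directions from the last two slides, plus the server-side use of giaddr to choose a subnet, as an added Python example that is not part of the lecture. MAX_HOPS, the pool table and the request header are constructed for this example (the MAC and xid are reused from the slides' captures); giaddr is written only when still zero, so the relay on the client's own subnet wins.

```python
import ipaddress
import struct

# Fixed BOOTP header (first 44 bytes): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr. Field indices below follow this order.
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s")
ZERO = b"\0\0\0\0"
MAX_HOPS = 4            # assumed local limit for loop protection (hypothetical value)

def relay_to_server(msg, rx_iface_ip):
    """C->S: stamp giaddr with the receiving interface's address (only if still 0, so
    the first relay, the one on the client's subnet, wins), bump hops, drop loops."""
    f = list(HDR.unpack_from(msg))
    if f[0] != 1 or f[3] >= MAX_HOPS:           # only BOOTREQUEST; refuse over-relayed frames
        return None
    if f[10] == ZERO:
        f[10] = ipaddress.IPv4Address(rx_iface_ip).packed
    f[3] += 1
    return HDR.pack(*f) + msg[HDR.size:]         # options unchanged; UDP checksum redone by the stack

def relay_to_client(reply, my_iface_ips):
    """S->C: accept only replies the server addressed to one of our interfaces (giaddr),
    and hand them to the end client; never relay them on to another relay agent."""
    f = HDR.unpack_from(reply)
    if f[0] != 2 or str(ipaddress.IPv4Address(f[10])) not in my_iface_ips:
        return None
    if f[7] != ZERO:                             # ciaddr set (e.g. renewing): unicast to it
        return str(ipaddress.IPv4Address(f[7]))
    if f[6] & 0x8000:                            # broadcast flag: client cannot receive unicast yet
        return "255.255.255.255"
    return str(ipaddress.IPv4Address(f[8]))      # else unicast to yiaddr (link layer uses chaddr)

def subnet_for(giaddr_ip, pools):
    """Server side: giaddr tells which subnet the client is on, hence which pool to use."""
    for net, pool in pools.items():
        if ipaddress.IPv4Address(giaddr_ip) in ipaddress.IPv4Network(net):
            return pool
    return None

# Constructed DHCPDISCOVER header (no options) from the client MAC seen in the slides' capture.
REQUEST = HDR.pack(1, 1, 6, 0, 0xd2e0ab07, 0, 0x8000, ZERO, ZERO, ZERO, ZERO,
                   bytes.fromhex("000c6e0ef160") + b"\0" * 10)
POOLS = {"192.168.100.0/24": "pool-100", "10.1.0.0/16": "pool-10"}   # constructed server config

if __name__ == "__main__":
    relayed = relay_to_server(REQUEST, "192.168.100.1")
    print("giaddr ->", ipaddress.IPv4Address(HDR.unpack_from(relayed)[10]), "hops", relayed[3])
    print("pool   ->", subnet_for("192.168.100.1", POOLS))
```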