DHCP :

Dynamic Host Configuration Protocol (DHCP) is a protocol used by networked

devices (clients) to obtain various parameters necessary for the clients to operate in an
Internet Protocol (IP) network. By using this protocol, system administration workload
greatly decreases, and devices can be added to the network with minimal or no manual
configurations.

Dynamic Host Configuration Protocol is a way to administer network parameter

assignment at a single DHCP server, or a group of such servers arranged in a fault-
tolerant manner. Even in a network which has a few machines, Dynamic Host
Configuration Protocol is useful, because a machine can be added to the local network
with little effort.

Even for servers whose addresses rarely change, DHCP is recommended for setting their
addresses, so if the servers need to be readdressed (RFC2071), the changes need to be
made in as few places as possible. For devices, such as routers and firewalls, that should
not use DHCP, it can be useful to put Trivial File Transfer Protocol (TFTP) or SSH
servers on the same machine that runs DHCP, again to centralize administration.

DHCP is also useful for directly assigning addresses to servers and desktop machines,
and, through a Point-to-Point Protocol (PPP) proxy, for dialup and broadband on-demand
hosts, as well as for residential Network address translation (NAT) gateways and routers.
DHCP is usually not appropriate for infrastructure such as non-edge routers and DNS
servers.

Basic Protocol Operation

The Dynamic Host Configuration Protocol (DHCP) automates the assignment of IP

addresses, subnet masks, default gateway, and other IP parameters. [1]

When a DHCP-configured client (be it a computer or any other network aware device)
connects to a network, the DHCP client sends a broadcast query requesting necessary
information from a DHCP server. The DHCP server manages a pool of IP addresses and
information about client configuration parameters such as the default gateway, the
domain name, the DNS servers, other servers such as time servers, and so forth. Upon
receipt of a valid request the server will assign the computer an IP address, a lease (the
length of time for which the allocation is valid), and other TCP/IP configuration
parameters, such as the subnet mask and the default gateway. The query is typically
initiated immediately after booting and must be completed before the client can initiate
IP-based communication with other hosts.

DHCP provides three modes for allocating IP addresses. The best-known mode is
dynamic, in which the client is provided a "lease" on an IP address for a period of time.
Depending on the stability of the network, this could range from hours (a wireless
network at an airport) to months (for desktops in a wired lab). At any time before the
lease expires, the DHCP client can request renewal of the lease on the current IP address.
A properly-functioning client will use the renewal mechanism to maintain the same IP
address throughout its connection to a single network, otherwise it may risk losing its
lease while still connected, thus disrupting network connectivity while it renegotiates
with the server for its original or a new IP address.

The two other modes for allocation of IP addresses are automatic (also known as DHCP
Reservation), in which the address is permanently assigned to a client, and manual, in
which the address is selected by the client (manually by the user or any other means) and
the DHCP protocol messages are used to inform the server that the address has been
allocated.

The automatic and manual methods are generally used when finer-grained control over IP
address is required (typical of tight firewall setups), although typically a firewall will
allow access to the range of IP addresses that can be dynamically allocated by the DHCP
server.

Security

Due to its standardization before Internet security became an issue, the basic DHCP
protocol does not include any security provisions, potentially exposing it to two types of
attacks:[2]

• Unauthorized DHCP Servers: as you can not specify the server you want, an
unauthorized server can respond to client requests, sending the client network
configuration values that are beneficial to a hijacker. As an example, a hacker can
configure the DHCP server to configure clients to a DNS server which has been
poisoned.

• Unauthorized DHCP Clients: By masquerading as a legitimate client, an

unauthorized client can gain access to network configuration and an IP address on
a network it should otherwise not be allowed to utilize. Also, by flooding the
DHCP server with requests for IP addresses, it is possible for an attacker to
exhaust the pool of available IP addresses, disrupting normal network activity (a
denial of service attack).

To combat these threats RFC 3118 ("Authentication for DHCP Messages") introduced
authentication information into DHCP messages allowing clients and servers to reject
information from invalid sources. Although support for this protocol is widespread, a
large number of clients and servers still do not fully support authentication, thus forcing
servers to support clients that do not support this feature. As a result, other security
measures are usually implemented around the DHCP server (such as IPsec) to ensure that
only authenticated clients and servers are granted access to the network.

Wherever possible, DHCP-assigned addresses should be dynamically linked to a secure

DNS server, to allow troubleshooting by name rather than by a potentially unknown
address. Effective DHCP-DNS linkage requires having a file of either MAC addresses or
local names that will be sent to DNS that uniquely identifies physical hosts, IP addresses,
and other parameters such as the default gateway, subnet mask, and IP addresses of DNS
servers from a DHCP server. The DHCP server ensures that all IP addresses are unique,
i.e., no IP address is assigned to a second client while the first client's assignment is valid
(its lease has not expired). Thus IP address pool management is done by the server and
not by a network administrator.

IP address allocation

Depending on implementation, the DHCP server has three methods of allocating IP-
addresses (WARNING--the terminolgy below contradicts the terminolgy above in
#Basic_Protocol_Operation):

• dynamic allocation: A network administrator assigns a range of IP addresses to

DHCP, and each client computer on the LAN has its IP software configured to
request an IP address from the DHCP server during network initialization. The
request-and-grant process uses a lease concept with a controllable time period,
allowing the DHCP server to reclaim (and then reallocate) IP addresses that are
not renewed (dynamic re-use of IP addresses).
• automatic allocation: The DHCP server permanently assigns a free IP address to
a requesting client from the range defined by the administrator.
• manual allocation: The DHCP server allocates an IP address based on a table
with MAC address - IP address pairs manually filled in by the server
administrator. Only requesting clients with a MAC address listed in this table will
be allocated an IP address.

Some DHCP server software can manage hosts by more than one of the above methods.
For example, the known hosts on the network can be assigned an IP address based on
their MAC address (manual allocation) whereas "guest" computers (such as laptops via
WiFi) are allocated a temporary address out of a pool compatible with the network to
which they're attached (dynamic allocation).