Saturday, June 9, 2012

DHCP Snooping


  • DHCP snooping limits the damage done by several attacks that abuse DHCP, most notably a rogue DHCP server that hands clients a forged default gateway or DNS server (a man-in-the-middle attack).
  • DHCP snooping causes the switch to examine DHCP messages and filter those that are inappropriate for the port they arrive on.
  • DHCP snooping builds a table mapping each client's MAC address and leased IP address to the switch port (and VLAN) on which the client was seen.
    • The table is built from the DHCP messages the switch observes, in particular the DHCPACK that completes a lease.
    • This table is called the DHCP snooping binding table.
  • The DHCP snooping binding table is also used by Dynamic ARP Inspection (DAI) and IP Source Guard.
  • DHCP snooping defeats the rogue-server attack by treating each port as either trusted or untrusted.
  • DHCP snooping allows all DHCP messages on trusted ports without filtering them.
  • Therefore DHCP clients should sit on untrusted ports, and only ports that lead to the legitimate DHCP server (directly, or through a relay or upstream switch) should be trusted.
  • As a result, on untrusted ports the switch drops any DHCP message that only a server would send (DHCPOFFER, DHCPACK, DHCPNAK), so a rogue server on a user port cannot answer clients.
  • From a design point of view, unused and unsecured user ports should be left untrusted to DHCP snooping; on Cisco IOS switches every port is untrusted by default, so only the server-facing ports need to be explicitly trusted.
  • DHCP snooping also examines the DHCP client messages arriving on untrusted ports, because other attacks are carried out with client messages, for example DHCP starvation, which exhausts the server's address pool with requests carrying spoofed client hardware addresses.
  • DHCP servers identify clients by the client hardware address (chaddr) field of the DHCP request, so the switch can check that the chaddr in a client message matches the source MAC address of the frame that carried it and drop messages where the two differ.
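The port-based filtering and binding-table construction described above, simulated as an added Python example (this is not code from the original post or from any switch vendor). The port names, MAC addresses, transaction IDs and DHCP payloads are constructed for the example; the simulation works on the raw BOOTP/DHCP payload and implements the checks a snooping switch performs: drop server messages on untrusted ports, require chaddr to match the frame's source MAC, validate DHCPRELEASE/DHCPDECLINE against the binding table, and learn a binding from the server's DHCPACK seen on a trusted port.

```python
import socket
import struct

# DHCP message types carried in option 53 (RFC 2132).
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
SERVER_TYPES = {OFFER, ACK, NAK}   # messages only a DHCP server sends
BOOTREQUEST, BOOTREPLY = 1, 2      # BOOTP 'op' field
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_dhcp(msg_type, xid, chaddr, yiaddr="0.0.0.0"):
    """Build a minimal DHCP payload (the UDP payload) as constructed input for the simulation."""
    op = BOOTREPLY if msg_type in SERVER_TYPES else BOOTREQUEST
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0,                 # op, htype=Ethernet, hlen=6, hops, xid, secs, flags
                         b"\0" * 4, socket.inet_aton(yiaddr),     # ciaddr, yiaddr
                         b"\0" * 4, b"\0" * 4,                    # siaddr, giaddr
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])  # option 53 then End


def parse_dhcp(payload):
    """Extract the fields a snooping switch needs: op, xid, yiaddr, chaddr and the message type."""
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = End option
        if payload[i] == 0:                          # 0 = Pad option, carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid,
            "yiaddr": socket.inet_ntoa(payload[16:20]),
            "chaddr": payload[28:28 + hlen],
            "type": options.get(53, b"\0")[0]}


class DhcpSnooper:
    """Per-switch DHCP snooping state: trusted ports, pending requests and the binding table."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}   # DHCP snooping binding table: chaddr -> (leased IP, client port)
        self.pending = {}    # xid -> (chaddr, client port) for requests awaiting a server reply

    def process(self, port, src_mac, payload):
        """Return ("forward" | "drop", reason) for one DHCP message received on `port`."""
        m = parse_dhcp(payload)
        if port in self.trusted:
            # Trusted ports are never filtered; the server's ACK is used to learn a binding.
            if m["type"] == ACK and m["xid"] in self.pending:
                chaddr, client_port = self.pending.pop(m["xid"])
                self.bindings[chaddr] = (m["yiaddr"], client_port)
            return "forward", "trusted port"
        # Untrusted port: only client messages are acceptable.
        if m["op"] == BOOTREPLY or m["type"] in SERVER_TYPES:
            return "drop", "server message on untrusted port"
        if m["chaddr"] != src_mac:
            return "drop", "chaddr does not match the frame source MAC"
        if m["type"] in (RELEASE, DECLINE):
            # A client may only release/decline a lease it holds on this very port.
            if self.bindings.get(m["chaddr"], (None, None))[1] != port:
                return "drop", "release/decline does not match the binding table"
        if m["type"] in (DISCOVER, REQUEST):
            self.pending[m["xid"]] = (m["chaddr"], port)
        return "forward", "client message on untrusted port"


def demo():
    """Run a constructed message sequence through the snooper; returns (binding table, verdicts)."""
    snoop = DhcpSnooper(trusted_ports={"Gi0/1"})   # Gi0/1 is the uplink towards the real server
    client = bytes.fromhex("001122334455")
    rogue = bytes.fromhex("aabbccddeeff")
    server = bytes.fromhex("000000000001")
    steps = [  # (port, frame source MAC, DHCP payload)
        ("Gi0/5", client, build_dhcp(REQUEST, 0x1234, client)),                 # legitimate client
        ("Gi0/7", rogue, build_dhcp(OFFER, 0x1234, client, "10.0.0.9")),        # rogue server on a user port
        ("Gi0/1", server, build_dhcp(ACK, 0x1234, client, "10.0.0.50")),        # real server on the uplink
        ("Gi0/7", rogue, build_dhcp(DISCOVER, 0x9999, bytes.fromhex("020000000001"))),  # starvation: spoofed chaddr
        ("Gi0/7", client, build_dhcp(RELEASE, 0x5555, client)),                 # forged release of the victim's lease
    ]
    verdicts = [snoop.process(*step) for step in steps]
    return snoop.bindings, verdicts


if __name__ == "__main__":
    bindings, verdicts = demo()
    for verdict, reason in verdicts:
        print(f"{verdict:7} {reason}")
    print("binding table:", {mac.hex(":"): entry for mac, entry in bindings.items()})
```

The five steps exercise each rule in turn: the real client's request is forwarded and its port remembered, the rogue server's DHCPOFFER on a user port is dropped, the genuine DHCPACK on the uplink is forwarded and populates the binding table, the starvation attempt with a spoofed chaddr is dropped, and the forged DHCPRELEASE is dropped because the binding for that MAC belongs to a different port. On a Cisco IOS switch the corresponding controls are `ip dhcp snooping`, `ip dhcp snooping vlan <id>`, `ip dhcp snooping trust` on the server-facing interface, and `ip dhcp snooping verify mac-address` for the chaddr check.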