secure dhcp

David W. Hankins David_Hankins at isc.org
Tue Apr 25 15:04:41 UTC 2006


On Tue, Apr 25, 2006 at 12:27:58AM -0500, Carl Karsten wrote:
> The gPXE group is talking about wireless pxe booting and how to authenticate the 
> bootfile.  I am thinking the best thing to do is make sure the DHCP Offer is 
> trusted and secure - that way a private key can be included and used to verify 
> the boot file.
> 
> I found this http://www.dhcp.org/9806-minutes.html and was wondering how much 
> further it got.

I'm not aware of any implementations, but it got as far as RFC 3118.  A
quick read through that will leave you with the reasons behind Ted's
cryptic missive about impossibility.  I think it's more like
improbability: pre-configuring a shared key (or even a trusted public
key) on all your DHCP clients is fairly improbable, but not impossible.

There's also RFC 4030 for relay agents to authenticate themselves with
their DHCP servers and vice versa, which isn't interesting unless you
don't care about incursions on the local wire.

Also, I'm not aware of any implementations there either.

> And now for a long shot: Does IPv6 address this?

Not really, no.


Got a URL for gPXE?

-- 
David W. Hankins		"If you don't do it right the first time,
Software Engineer			you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins


More information about the dhcp-users mailing list