securing failover
David Zych
dmrz at illinois.edu
Fri Oct 30 16:30:49 UTC 2009
Hi,
I'm putting together a DHCP deployment with two servers using the
failover protocol. My test setup seems to be functioning properly
(leases can still be issued and renewed when one or the other server is
taken down), but I am concerned about security... as far as I can tell,
the usual configuration pattern laid out in tutorials like this one
(http://www.madboa.com/geek/dhcp-failover/) means that anyone capable of
spoofing an IP address can impersonate one failover peer to the other
one and confuse it with bogus BNDUPD messages. While I realize that
DHCP itself is inherently insecure and vulnerable to other kinds of DoS
attacks, it seems to me that this particular additional attack vector
could potentially cause bigger headaches than the traditional ones (by
being trickier to detect and recover from).
http://tools.ietf.org/html/draft-ietf-dhc-failover-07 discusses two
possible approaches for authenticating failover peers to each other:
message digests using a simple shared secret, and TLS, either of which
would most likely serve my purposes admirably. However, I cannot find
any information on how to configure ISC DHCP to use either of these -- I
don't see any promising-looking directives listed in the dhcpd.conf
manpage, and thus far Google has not availed me either. Have I missed
something, or is this not supported by ISC DHCP? (and if the latter,
how do people using the failover protocol mitigate the risk?)
Thanks,
David
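As an added illustration of the first approach the draft describes, a message digest keyed by a shared secret, here is a small Python model of two failover peers exchanging BNDUPD messages. This is not code from the post, from ISC DHCP, or from the failover draft: the framing (type, transaction id, length), the use of HMAC-SHA256, the peer addresses and the secret are all constructed for the example, and the draft's real option encoding is different. What it shows is the property David is after: a peer that does not hold the secret cannot produce an acceptable BNDUPD, a genuine message altered in flight is discarded, and a replayed one is caught by the transaction id check.

```python
import hashlib
import hmac
import struct

# Constructed for this example: message type codes, a 32-bit transaction id
# and an HMAC-SHA256 trailer. The failover draft defines its own wire format
# and its own digest option; only the idea (a digest over the whole message,
# keyed by a secret both peers share) is the same.
BNDUPD = 1
BNDACK = 2
HEADER = struct.Struct("!BIH")   # type, xid, payload length
DIGEST_LEN = hashlib.sha256().digest_size


class FailoverAuthError(Exception):
    """Raised for any message the receiver must discard (and should log)."""


class FailoverPeer:
    def __init__(self, name, secret):
        self.name = name
        self.secret = secret
        self.next_xid = 1          # next xid this peer will send
        self.last_seen_xid = 0     # highest xid accepted from the other peer
        self.bindings = {}         # ip -> state, as changed by accepted BNDUPDs

    def build(self, msg_type, payload):
        header = HEADER.pack(msg_type, self.next_xid, len(payload))
        self.next_xid += 1
        body = header + payload
        return body + hmac.new(self.secret, body, hashlib.sha256).digest()

    def receive(self, wire):
        if len(wire) < HEADER.size + DIGEST_LEN:
            raise FailoverAuthError("truncated message")
        body, digest = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        # Check the digest before acting on anything else in the message.
        if not hmac.compare_digest(digest, expected):
            raise FailoverAuthError("bad digest: sender lacks the shared secret")
        msg_type, xid, length = HEADER.unpack(body[:HEADER.size])
        payload = body[HEADER.size:]
        if len(payload) != length:
            raise FailoverAuthError("length field does not match payload")
        # A captured, correctly signed message replayed later carries a stale xid.
        if xid <= self.last_seen_xid:
            raise FailoverAuthError("replayed or out-of-order xid %d" % xid)
        self.last_seen_xid = xid
        if msg_type == BNDUPD:
            ip, state = payload.decode().split("=", 1)
            self.bindings[ip] = state
        return msg_type, xid, payload


def demo():
    """Run one genuine BNDUPD plus three bogus ones and report the outcome."""
    secret = b"constructed-shared-secret"
    primary = FailoverPeer("primary", secret)
    secondary = FailoverPeer("secondary", secret)
    results = {}

    # Genuine BNDUPD from the primary is accepted and changes the binding.
    upd = primary.build(BNDUPD, b"192.0.2.10=active")
    secondary.receive(upd)
    results["genuine"] = secondary.bindings["192.0.2.10"]

    # A spoofer who can source packets from the peer's address but lacks the secret.
    spoofer = FailoverPeer("spoofer", b"wrong-secret")
    spoofer.next_xid = secondary.last_seen_xid + 1
    try:
        secondary.receive(spoofer.build(BNDUPD, b"192.0.2.10=free"))
        results["spoofed"] = "accepted"
    except FailoverAuthError:
        results["spoofed"] = "rejected"

    # A genuine message with one payload byte flipped in flight.
    tampered = bytearray(upd)
    tampered[HEADER.size] ^= 0xFF
    try:
        secondary.receive(bytes(tampered))
        results["tampered"] = "accepted"
    except FailoverAuthError:
        results["tampered"] = "rejected"

    # The genuine message captured earlier and replayed unchanged.
    try:
        secondary.receive(upd)
        results["replayed"] = "accepted"
    except FailoverAuthError:
        results["replayed"] = "rejected"

    results["binding"] = secondary.bindings["192.0.2.10"]
    return results


if __name__ == "__main__":
    print(demo())
```

Every rejection raises before the binding table is touched, so a bogus BNDUPD leaves no state to recover from and produces a loggable event at the receiver, which is the detectability the post says plain IP spoofing lacks. The secret must be compared with `hmac.compare_digest` rather than `==` to avoid leaking digest bytes through timing.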