The DHCP protocol is widely used in the state of the art for configuring equipment connected through a communications network. This protocol defines mechanisms for supplying configuration information to hosts in a communications network (for example, a TCP/IP, Transmission Control Protocol/Internet Protocol, network). The DHCP can be said to have two main functions: supplying specific configuration parameters to each piece of equipment (host), and supplying and assigning network addresses to the network equipment. The DHCP uses a client-server model, such that a designated DHCP server assigns network addresses and supplies network configuration parameters to the pieces of network equipment (devices) that act as the client equipment.
In the IT field, the term host is used to refer to pieces of electronic equipment (devices) connected to a network which provide and/or use services of said network, and which are used by the network users to gain access (inbound and/or outbound) to the network. The hosts can be computers, tablets, PCs, mobile telephones, smartphones, laptops and generally any electronic device or piece of equipment that can be connected to a communications network. Generally, a host is any piece of electronic equipment connected to a network which requires an identification in that network (this identification is usually a network layer address, for example, an IP address). The host is interconnected with one or more other pieces of equipment, such that it works as a data transfer start and end point, among other functions. The host can, for example, store a web site and usually has, in addition to a network address (a unique network address in the local network), a unique domain name or host name.
In other words, the DHCP is a set of rules used by communication equipment connected to a communications network (hosts), which allows the equipment to request and obtain from a server, in a dynamic manner (i.e., without manual intervention), a network address (normally an IP address) and the other network configuration parameters that it needs to operate. For example, the DHCP server can offer and provide, among others, the following identification or service parameters to those clients making requests within the same network area:
IP address
Subnetwork mask
Default gateway
Broadcast address
Maximum waiting time for address resolution or ARP (address resolution protocol)
Maximum transfer unit or MTU
Domain name server or DNS address
Network time protocol or NTP servers
Simple mail transfer protocol or SMTP server
Post office protocol 3 or POP3 server
Trivial file transfer protocol or TFTP server
Network information service or NIS server
NIS domains
Windows internet naming service or WINS server name
The DHCP is usually implemented in local area networks (LAN) or wide area networks (WAN), although it can be used in any other type of communications network.
The DHCP protocol allows IP addresses to be distributed automatically in a network, and these addresses are therefore assigned in a network environment (a local network, LAN; a wide area network, WAN; or other types of network). Taking the reference models of network levels or layers, such as the OSI stack or the TCP/IP stack, as an example, the protocol in question acts on the network level (level 3, or logical level). The basic communication system is BOOTP (carried in UDP frames). The BOOTP (Bootstrap Protocol) is a transport protocol for obtaining configuration information. Equipment usually does not have any information concerning its network configuration during start-up, and the user must enter the necessary network data to be able to connect to the network; if the user does not have said information, the DHCP protocol automatically assigns an IP address to said user, subsequently offering the IP address so that it is accepted and finally configured in the client network device. On the other hand, the DHCP server will usually be organized around two databases: a static database for the use of BOOTP (containing the IP addresses assigned by the network administrator, by means of manual configuration, for assigning a specific IP address to a specific client) and another database with a pool of available addresses, which is responsible for supplying the data in an automatic or dynamic assignment.
Today there are three assignment mechanisms whereby the DHCP protocol can assign IP addresses to the network devices to which it offers service. A network can use one or more of these mechanisms:
Manual (static) assignment: The network administrator manually configures the IP addresses of the clients in the DHCP server. When a client device requests an IP address, the server verifies a parameter identifying the client, for example, the media access control (MAC) address of the client device, and proceeds to assign the IP address configured by the administrator for said client. The DHCP only supplies the IP address previously assigned by the network administrator (when configuring the DHCP server) to each piece of client equipment, and the DHCP server cannot deny an IP address to a client.
Automatic (unlimited) assignment: An IP address is assigned to the DHCP client when it connects for the first time with the DHCP server. In this method, the IP address is chosen at random and is not configured in advance. The assignment to the requesting client is permanent, until the client releases the address.
Dynamic (limited) assignment: The DHCP server assigns an IP address to a client device (also referred to as equipment) for a given maximum time. When this time lapses (if the equipment has not previously released the IP address and/or network access has concluded), the IP address is revoked and the device cannot work until the DHCP server gives it another IP address. The IP address assigned to the device can be different every time the device requests an address (i.e., there is no permanent assignment between the device and the IP address). Dynamic assignment is the only one of these three mechanisms which allows addresses to be reused (i.e., one and the same address can be used by different client equipment at different times). Therefore, dynamic assignment is particularly useful for assigning addresses to clients that are only temporarily connected to the network, or for sharing a limited set of IP addresses among a group of clients (since IP addresses tend to be scarce).
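As an added illustration (not part of the original text), the following Python model shows how a server organized as described above, with a static administrator-configured table and a pool of free addresses, would realize the three assignment mechanisms, including expiry and reuse of dynamic leases. The client MAC addresses, the address range and the lease time are constructed sample values, and the class and method names are the example's own.

```python
"""Model of DHCP address assignment: manual, automatic and dynamic.

Added example; addresses, MACs and times below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Optional


@dataclass
class Lease:
    ip: str
    mac: str
    expires: Optional[float]      # None = permanent (manual or automatic assignment)


class DhcpAssigner:
    """Two databases, as in the text: a static MAC->IP table and a pool of free addresses."""

    def __init__(self, pool_start, pool_end, static=None, lease_time=3600):
        self.static: Dict[str, str] = dict(static or {})
        first, last = int(IPv4Address(pool_start)), int(IPv4Address(pool_end))
        reserved = set(self.static.values())
        # Free-address pool, excluding anything the administrator reserved statically.
        self.pool = [str(IPv4Address(n)) for n in range(first, last + 1)
                     if str(IPv4Address(n)) not in reserved]
        self.lease_time = lease_time
        self.leases: Dict[str, Lease] = {}          # keyed by client MAC

    def _expire(self, now):
        """Dynamic leases past their deadline are revoked and their address returned to the pool."""
        for mac, lease in list(self.leases.items()):
            if lease.expires is not None and lease.expires <= now:
                del self.leases[mac]
                self.pool.append(lease.ip)

    def request(self, mac, now, mode="dynamic"):
        """Handle a client's request; returns the assigned IP or None if nothing is available."""
        self._expire(now)
        # Manual assignment: the identifying parameter (MAC) selects the admin-configured address.
        if mac in self.static:
            self.leases[mac] = Lease(self.static[mac], mac, None)
            return self.static[mac]
        # Existing lease: renew the deadline (dynamic) or simply confirm it (automatic).
        if mac in self.leases:
            lease = self.leases[mac]
            if lease.expires is not None:
                lease.expires = now + self.lease_time
            return lease.ip
        if not self.pool:
            return None
        # Automatic: permanent, first-come. Dynamic: limited to lease_time, then reusable.
        # (The text says automatic picks at random; first-free is used here for reproducibility.)
        ip = self.pool.pop(0)
        expires = None if mode == "automatic" else now + self.lease_time
        self.leases[mac] = Lease(ip, mac, expires)
        return ip

    def release(self, mac):
        """Client gives its address back; static addresses stay reserved for their owner."""
        lease = self.leases.pop(mac, None)
        if lease is not None and lease.ip not in self.static.values():
            self.pool.append(lease.ip)
        return lease is not None


if __name__ == "__main__":
    srv = DhcpAssigner("192.0.2.100", "192.0.2.101",
                       static={"aa:bb:cc:00:00:01": "192.0.2.10"}, lease_time=3600)
    print(srv.request("aa:bb:cc:00:00:01", now=0))                    # static -> 192.0.2.10
    print(srv.request("aa:bb:cc:00:00:02", now=0))                    # dynamic -> 192.0.2.100
    print(srv.request("aa:bb:cc:00:00:03", now=0, mode="automatic"))  # permanent -> 192.0.2.101
    print(srv.request("aa:bb:cc:00:00:04", now=0))                    # pool exhausted -> None
    print(srv.request("aa:bb:cc:00:00:04", now=3601))                 # 02's lease expired -> 192.0.2.100
```

With a two-address pool the model makes the difference visible: the dynamic client's address is handed to a new client once its lease time has elapsed without renewal, whereas the automatic client keeps its address until it explicitly releases it, and the static client's address is never placed in the pool at all.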
Ultimately, the DHCP (as defined, for example, in RFC 2131 of the Network Working Group) is a protocol designed primarily for saving time, managing IP addresses and automatically configuring all the devices with an IP address (and other parameters) without the need for human intervention. Despite all the useful functions offered by the DHCP protocol, there are various very negative aspects of using this system. These negative aspects are mainly security aspects: there are known security drawbacks that can cause undesired operation of the clients of a network and that the DHCP protocol does not prevent, and they therefore constitute the vulnerabilities of the DHCP protocol. Some of these security problems are:
Malicious server: The automation of the DHCP protocol is a great security risk if a malicious DHCP server is introduced into a network: such a server is not under the control of the company staff (or the network area administrators) and can therefore offer IP addresses to the devices connected to that network. If a user connects to the malicious DHCP server, the information sent through this connection can be intercepted, violating the privacy of the user, the network and the company.
Universalization of the DHCP protocol: Today most routers and switches on the market have the DHCP protocol implemented in them. This means that any user who wishes to access a network (through a wired connection, WiFi or any other means) could easily gain access to it simply by using said protocol.
Multiple subnetworks or network segments: There are environments where a single DHCP server is insufficient, and each network segment may need its own DHCP server or a DHCP relay agent (which requires additional configuration, entailing additional time and greatly increased costs). If neither option is viable, all the network elements (routers, switches, etc.) must be configured as emitters of the BOOTP protocol, which is an older and less advanced protocol than the DHCP protocol (with the resulting problems); furthermore, not all systems can support said protocol.
Control of information flows: The DHCP server typically uses UDP ports 67 and 68 for receiving data from and sending data to the clients. Said flows can be controlled by a firewall, but this does not prevent network intruders who can capture the packets carrying said sensitive information from using them to impersonate a client. Currently, the only mechanism offering control over this type of intrusion would be the integration of an IDS (intrusion detection system), with the consequent cost, which in some cases is not worthwhile given the size and shape of the network.
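The following Python example is added here and is not part of the original text. It shows the defender's side of the malicious-server and information-flow problems above: a parser for the DHCP message format of RFC 2131 (fixed header, magic cookie, TLV options) and a check that flags server messages (OFFER, ACK, NAK) whose server identifier option (option 54) is not in an administrator-maintained list of authorized servers, which is the kind of rule an IDS watching UDP ports 67 and 68 would apply. The sample packets, MAC addresses and the authorized-server list are constructed values; the `build_dhcp` helper exists only to assemble that sample input, and all function names are the example's own.

```python
"""Parse DHCP messages (RFC 2131 format) and flag offers from unauthorized servers.

Added example; the packets and the authorized-server list below are constructed.
"""
import struct
from ipaddress import IPv4Address

HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte header
MAGIC_COOKIE = b"\x63\x82\x53\x63"           # marks the start of the option area
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE"}
BOOTREQUEST, BOOTREPLY = 1, 2


def build_dhcp(op, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Assemble a minimal DHCP message; used here only to construct sample input."""
    zero = IPv4Address("0.0.0.0").packed
    mac = bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\0")
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0,
                         zero, IPv4Address(yiaddr).packed, zero, zero,
                         mac, b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(data)]) + data for code, data in options)
    return header + MAGIC_COOKIE + body + b"\xff"


def _ip(raw):
    return str(IPv4Address(raw))


def parse_dhcp(pkt):
    """Decode the fixed header and the TLV option area; raises ValueError on malformed input."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    (op, _htype, hlen, _hops, xid, _secs, _flags, _ciaddr, yiaddr,
     _siaddr, _giaddr, chaddr, _sname, _file) = struct.unpack(HEADER_FMT, pkt[:236])
    opts = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:           # END option
            break
        if code == 0:             # PAD option has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "chaddr": chaddr[:hlen].hex(":"),
        "yiaddr": _ip(yiaddr),
        "msg_type": MSG_TYPES.get(opts[53][0]) if 53 in opts else None,
        "server_id": _ip(opts[54]) if 54 in opts else None,
        "subnet_mask": _ip(opts[1]) if 1 in opts else None,
        "router": _ip(opts[3][:4]) if 3 in opts else None,
        "lease_time": struct.unpack("!I", opts[51])[0] if 51 in opts else None,
    }


def classify_server_message(pkt, authorized_servers):
    """Verdict for one captured DHCP payload (e.g. taken from UDP port 67/68 traffic)."""
    msg = parse_dhcp(pkt)
    if msg["op"] != BOOTREPLY or msg["msg_type"] not in ("OFFER", "ACK", "NAK"):
        return "ignore"                      # client-side traffic, not a server claim
    if msg["server_id"] is None:
        return "missing-server-id"           # server replies must carry option 54
    if msg["server_id"] not in authorized_servers:
        return "rogue-server"                # reply from a server the administrator did not deploy
    return "ok"


def audit(packets, authorized_servers):
    """Return one verdict per packet, in order."""
    return [classify_server_message(p, authorized_servers) for p in packets]


# Constructed sample traffic: an authorized server at 192.0.2.1 and an unexpected one at 192.0.2.66.
AUTHORIZED_SERVERS = {"192.0.2.1"}
SAMPLE_DISCOVER = build_dhcp(BOOTREQUEST, 0x1001, "aa:bb:cc:dd:ee:01",
                             options=[(53, b"\x01")])
SAMPLE_OFFER = build_dhcp(BOOTREPLY, 0x1001, "aa:bb:cc:dd:ee:01", "192.0.2.50",
                          options=[(53, b"\x02"), (54, IPv4Address("192.0.2.1").packed),
                                   (1, IPv4Address("255.255.255.0").packed),
                                   (3, IPv4Address("192.0.2.1").packed),
                                   (51, struct.pack("!I", 3600))])
SAMPLE_ROGUE_OFFER = build_dhcp(BOOTREPLY, 0x1002, "aa:bb:cc:dd:ee:02", "192.0.2.51",
                                options=[(53, b"\x02"), (54, IPv4Address("192.0.2.66").packed),
                                         (3, IPv4Address("192.0.2.66").packed)])

if __name__ == "__main__":
    samples = [SAMPLE_DISCOVER, SAMPLE_OFFER, SAMPLE_ROGUE_OFFER]
    for pkt, verdict in zip(samples, audit(samples, AUTHORIZED_SERVERS)):
        m = parse_dhcp(pkt)
        print(f"{m['msg_type']:<8} server={m['server_id']} yiaddr={m['yiaddr']} -> {verdict}")
```

The allow-list check is deliberately keyed on the server identifier option rather than on the IP header, because that option is what the client itself uses to select a server; in a real deployment the monitor would also record the offered gateway and DNS values, since a malicious server typically redirects those to intercept traffic, and would rely on the firewall controls already mentioned to limit which hosts may emit replies on port 67.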
There is therefore a need to provide a solution which allows optimum network address and parameter distribution, solving (and ultimately improving on) the problems of the conventional DHCP mechanism.