
Fixing DHCP NAC Enforcement

Extreme's ExtremeXOS 11.6, available on the X450 and BlackDiamond switches, is getting an uplift that starts to make DHCP NAC enforcement comparable to 802.1X. The feature enhancement tracks DHCP leases as they are handed out and applies ACLs on access ports. Extreme has a solid foundation that enhances DHCP NAC enforcement, but needs to work on a few niggling but critical details in handling mobile computers before it is truly enterprise ready. DHCP lease awareness is not new. Cisco has features in IOS 12 called DHCP Snooping and IP Source Guard that offer similar functionality. Switching software from other infrastructure vendors, such as Foundry Networks and Nortel, also has DHCP snooping features.
The weakness of DHCP enforcement for any kind of access control or network engineering is well known. Ofir Arkin articulated the problems in a presentation at Black Hat 2006 titled Bypassing Network Access Control (NAC) Systems, and it shouldn't have been an earth-shattering revelation to anyone in networking. The easiest way to bypass DHCP enforcement is to statically assign your host an IP address. In addition, spoofing an authorized DHCP server makes man-in-the-middle attacks child's play.

Extreme's response to the mobility gap that I saw is that the new features are the first iteration of their DHCP control and were really aimed at thwarting casual attempts to defeat DHCP enforcement. Better enforcement is achieved through a defense in depth strategy. I agree that their technology will thwart the casual problems of trying to bypass DHCP NAC enforcement (think office worker who wants to get on the network but for whatever reason doesn't want to call tech support), but I don't agree that defense in depth (throwing more products at the problem) is the best strategy.

DHCP Enforcement
DHCP is a way to manage IP addresses in a LAN dynamically. An IP address pool is allocated and, as hosts join the network, an address is taken from the pool and leased out for a period of time. If the host stops using the IP address, the address can be recycled. It's a good way to manage a scarce resource. In addition, DHCP is used to configure the host. There is really no requirement for a host to use DHCP other than ease of use. You can easily bypass DHCP NAC enforcement by configuring your computer's IP address statically, provided you know the IP address range and required parameters, such as the subnet mask and DNS servers, for the network you are connecting to.

The only way to defeat DHCP bypassing is to have something in the network that knows which leases have been handed out to hosts and permits only traffic that matches an authentic lease. Extreme is taking steps towards that goal with ExtremeXOS 11.6. DHCP awareness is configured on a per-port basis. The switch monitors the DHCP exchange, extracts the leased IP address and the host MAC address, and binds those items together in an access control list (ACL) on the switch port. If the host tries to change its IP address manually or attempts to access the network without using DHCP, the packets will be blocked at the switch port. Likewise, if the DHCP lease expires and the host is no longer on that port, the ACL will be removed.
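The lease-tracking mechanism described above is easier to reason about as a small model: a binding table keyed by access port and client MAC, populated only from DHCP ACKs that arrive on a trusted uplink, and consulted as the per-port ACL for every other IP packet. The following Python simulation is an added example written for this article; it is not Extreme's or Cisco's implementation, and the port names, MAC address, addresses, lease length and clock values are all constructed. It also goes one step beyond the paragraph by showing why server-side DHCP messages must be ignored on untrusted ports, which is what keeps the rogue-server trick from planting bindings.

```python
"""Simulation of switch-side DHCP lease tracking: bind the leased IP and the
client MAC on the access port, drop any other IP traffic from that port, and
remove the binding when the lease expires. Constructed example only."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Binding:
    port: str
    mac: str
    ip: str
    expires_at: float  # seconds on a constructed clock, not wall time


class DhcpLeaseEnforcer:
    """Tracks DHCP exchanges per access port and derives a per-port ACL."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # uplinks towards the real DHCP server
        self.pending: Dict[int, Tuple[str, str]] = {}          # xid -> (port, mac)
        self.bindings: Dict[Tuple[str, str], Binding] = {}     # (port, mac) -> Binding

    def observe_dhcp(self, port: str, msg: dict, now: float) -> str:
        """Feed one DHCP message seen on `port`; returns what the switch did."""
        mtype = msg["type"]
        if mtype in ("OFFER", "ACK"):
            # Server messages are only believed from trusted ports, so a rogue
            # DHCP server plugged into an access port can neither plant a
            # binding nor hand clients a spoofed configuration.
            if port not in self.trusted:
                return "dropped: server message on untrusted port"
            if mtype == "ACK" and msg["xid"] in self.pending:
                cport, cmac = self.pending.pop(msg["xid"])
                if cmac != msg["chaddr"]:
                    return "dropped: chaddr does not match pending request"
                self.bindings[(cport, cmac)] = Binding(
                    cport, cmac, msg["yiaddr"], now + msg["lease"])
                return f"bound {msg['yiaddr']} to {cmac} on {cport}"
            return "forwarded"
        if mtype in ("DISCOVER", "REQUEST"):
            # Remember which access port the client transaction came from so
            # the ACK seen on the uplink can be tied back to it.
            self.pending[msg["xid"]] = (port, msg["chaddr"])
            return "forwarded"
        if mtype == "RELEASE":
            self.bindings.pop((port, msg["chaddr"]), None)
            return "released"
        return "forwarded"

    def expire(self, now: float) -> int:
        """Remove bindings whose lease has run out; returns how many were removed."""
        stale = [k for k, b in self.bindings.items() if b.expires_at <= now]
        for k in stale:
            del self.bindings[k]
        return len(stale)

    def permits(self, port: str, src_mac: str, src_ip: str, now: float) -> bool:
        """Port ACL decision for a non-DHCP IP packet arriving on `port`."""
        if port in self.trusted:
            return True
        b = self.bindings.get((port, src_mac))
        return b is not None and b.ip == src_ip and b.expires_at > now


def demo() -> dict:
    """Walk one host through a lease and check the cases the article raises."""
    sw = DhcpLeaseEnforcer(trusted_ports={"uplink1"})
    mac = "00:11:22:33:44:55"  # constructed client MAC
    sw.observe_dhcp("port3", {"type": "DISCOVER", "xid": 0x1234, "chaddr": mac}, now=0)
    sw.observe_dhcp("uplink1", {"type": "OFFER", "xid": 0x1234, "chaddr": mac,
                                "yiaddr": "10.0.0.25"}, now=1)
    sw.observe_dhcp("port3", {"type": "REQUEST", "xid": 0x1234, "chaddr": mac}, now=2)
    sw.observe_dhcp("uplink1", {"type": "ACK", "xid": 0x1234, "chaddr": mac,
                                "yiaddr": "10.0.0.25", "lease": 600}, now=3)
    rogue = sw.observe_dhcp("port5", {"type": "ACK", "xid": 0x9999, "chaddr": mac,
                                      "yiaddr": "10.0.0.99", "lease": 600}, now=10)
    return {
        "leased_ip_ok": sw.permits("port3", mac, "10.0.0.25", now=10),
        "static_ip_blocked": not sw.permits("port3", mac, "10.0.0.200", now=10),
        "no_lease_on_port_blocked": not sw.permits("port4", mac, "10.0.0.25", now=10),
        "rogue_server_dropped": rogue.startswith("dropped"),
        "expired_binding_removed": sw.expire(now=700) == 1
        and not sw.permits("port3", mac, "10.0.0.25", now=700),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

Two design points match what the article describes and one goes slightly further: the binding is tied to the port as well as the MAC, so moving a host to another port without a fresh DHCP exchange is blocked (this is the mobility detail the author flags), expiry is driven off the lease time rather than link state, and DHCP server messages are accepted only from trusted uplinks. In a real switch the trusted/untrusted split is a per-port setting; here it is just the constructor argument.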

What is compelling about DHCP enforcement coupled with switch knowledge of DHCP leases is that you can still manage your IP space using DHCP, including managing network access control, without having to make big changes to your IP address management strategy. Plus, switch-based DHCP enforcement is probably as granular as 802.1X without having to roll out a whole new infrastructure just for 802.1X. In addition, DHCP awareness is independent of DHCP NAC enforcement.
