NE40E V800R010C10SPC500 Feature Description - Security 01

Overview of DHCP Snooping

Definition

Dynamic Host Configuration Protocol (DHCP) snooping is a DHCP security feature that functions in a similar way to a firewall between DHCP clients and servers. A DHCP-snooping-capable device intercepts DHCP packets and uses information carried in the packets to create a DHCP snooping binding table. This table records hosts' media access control (MAC) addresses, IP addresses, IP address lease time, virtual local area network (VLAN) IDs, and interface information. The device uses this table to check the validity of received DHCP packets. If a DHCP reply packet is received from an untrusted interface, the device discards the packet. In addition, DHCP snooping can associate with IP source guard or dynamic ARP inspection (DAI) to filter out IP and Address Resolution Protocol (ARP) packets from unauthorized clients.

Purpose

DHCP, which is widely used on networks, dynamically assigns IP addresses to clients and manages configuration information in a centralized manner. However, the following attacks may occur during DHCP packet forwarding.
  • Bogus DHCP server attack: Bogus DHCP servers disguise as legitimate DHCP servers to assign IP addresses to DHCP clients. As a result, DHCP clients obtain incorrect IP addresses and cannot go online.
  • Man-in-the-middle attack and IP/MAC spoofing attack: Attackers disguise as middlemen to communicate with DHCP clients and servers. Attackers can also forge DHCP packets by modifying the IP/MAC addresses carried in packets. As a result, services for authorized clients are affected.
  • DHCP exhaustion attack: Attackers disguise as authorized clients to send DHCP request packets for extending the IP address lease. As a result, DHCP servers cannot withdraw IP addresses assigned to clients.
  • DHCP starvation attack: Attackers apply to DHCP servers for IP addresses by sending a large number of DHCP request packets with varied MAC addresses in frame headers. As a result, IP addresses in the address pool are exhausted, and authorized clients cannot obtain IP addresses.
  • DHCP denial of service (DoS) attack: Attackers apply to DHCP servers for IP addresses by sending a large number of DHCP request packets with varied MAC addresses in client hardware address (CHADDR) fields. As a result, IP addresses in the address pool are exhausted, and authorized clients cannot obtain IP addresses.
To protect against these attacks, DHCP snooping offers the following attack defense policies.
Table 5-1 DHCP snooping attack defense policies

Attack Defense Type: Defense against bogus DHCP server attacks
Description: The device defends against attacks from bogus DHCP servers based on trusted and untrusted interfaces. The device allows you to configure network-side interfaces as trusted and user-side interfaces as untrusted. All DHCP reply packets received from untrusted interfaces are discarded. You can also configure the whitelist function for DHCP snooping so that only DHCP packets listed in the whitelist are sent to the CPU and have binding entries generated. Packets not listed in the whitelist are simply forwarded using hardware.
Protection Target: These attack defense policies protect network communication against attacks from forged DHCP packets.

Attack Defense Type: Defense against man-in-the-middle and IP/MAC spoofing attacks
Description: After receiving a DHCP request packet, the device checks whether the source IP address, source MAC address, VLAN ID, and interface information carried in the packet match an entry in the DHCP snooping binding table. If a matching entry exists, the device considers the packet valid and forwards it. If no matching entry exists, the device considers the packet an attack packet and discards it.
Protection Target: These attack defense policies protect network communication against attacks from forged DHCP packets.

Attack Defense Type: Defense against DHCP exhaustion attacks
Description: After receiving a DHCP request packet, the device checks whether the source IP address, source MAC address, VLAN ID, and interface information carried in the packet match an entry in the DHCP snooping binding table. If a matching entry exists, the device considers the packet valid and forwards it. If no matching entry exists, the device considers the packet an attack packet and discards it.
Protection Target: These attack defense policies protect network communication against attacks from forged DHCP packets.

Attack Defense Type: Defense against DHCP starvation attacks
Description: The device limits the number of MAC addresses that an interface can learn, which defends against attacks that send a large number of DHCP request packets with varied MAC addresses.
Protection Target: These attack defense policies protect network communication against DHCP flood attacks.

Attack Defense Type: Defense against DHCP DoS attacks
Description: After receiving a DHCP request packet, the device checks whether the source MAC address in the CHADDR field matches that in the frame header. If they match, the device considers the packet valid and forwards it. If they do not match, the device considers the packet an attack packet and discards it.
Protection Target: These attack defense policies protect network communication against DHCP flood attacks.
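The following Python script is an added example, not code from this document or from the NE40E software. It models the checks in Table 5-1 on a single snooping device: DHCP replies are accepted only on a trusted interface, an accepted ACK creates a binding entry (MAC, IP, lease, VLAN, interface), renewal requests are checked against that entry, and a request whose CHADDR differs from the frame's source MAC is dropped. Packets are built and parsed in real BOOTP/DHCP wire format; the interface names, MAC and IP addresses, and the "pending request" table used to learn which user-side port a client sits on are constructed assumptions for the example. The MAC-learning limit used against starvation attacks and the whitelist function are not modelled.

```python
import struct
from dataclasses import dataclass

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_LEASE, OPT_MSG_TYPE, OPT_END = 0, 51, 53, 255
MSG_DISCOVER, MSG_REQUEST, MSG_ACK = 1, 3, 5
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header (RFC 2131)

def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def ip_str(b): return ".".join(str(x) for x in b)

def build_dhcp(op, chaddr, msg_type, ciaddr="0.0.0.0", yiaddr="0.0.0.0", lease=None):
    """Build a minimal DHCP payload (constructed test input, not captured traffic)."""
    hdr = struct.pack(BOOTP_FMT, op, 1, 6, 0, 0x3903F326, 0, 0,
                      ip_bytes(ciaddr), ip_bytes(yiaddr), b"\0" * 4, b"\0" * 4,
                      mac_bytes(chaddr).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if lease is not None:                       # option 51: IP address lease time
        opts += bytes([OPT_LEASE, 4]) + struct.pack("!I", lease)
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])

def parse_dhcp(payload):
    """Parse the BOOTP header and the TLV option list into a dict."""
    f = struct.unpack(BOOTP_FMT, payload[:236])
    if payload[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "chaddr": mac_str(f[11][:f[2]]),
            "ciaddr": ip_str(f[7]), "yiaddr": ip_str(f[8]), "options": opts}

@dataclass(frozen=True)
class Binding:            # one DHCP snooping binding table entry
    mac: str
    ip: str
    lease: int
    vlan: int
    interface: str

class DhcpSnooping:
    """One snooping device: a set of trusted (network-side) ports plus a binding table."""
    def __init__(self, trusted_interfaces):
        self.trusted = set(trusted_interfaces)
        self.bindings = {}   # client MAC -> Binding
        self.pending = {}    # client MAC -> (vlan, interface) of an in-progress request (assumed mechanism)

    def process(self, src_mac, src_ip, interface, vlan, payload):
        """Return ('forward', reason) or ('drop', reason) for one received DHCP packet."""
        pkt = parse_dhcp(payload)
        msg_type = pkt["options"].get(OPT_MSG_TYPE, b"\0")[0]
        if pkt["op"] == BOOTREPLY:
            # Bogus-server defense: replies are accepted only on trusted interfaces.
            if interface not in self.trusted:
                return "drop", "DHCP reply received on untrusted interface"
            if msg_type == MSG_ACK and pkt["chaddr"] in self.pending:
                client_vlan, client_if = self.pending.pop(pkt["chaddr"])
                lease = struct.unpack("!I", pkt["options"][OPT_LEASE])[0]
                self.bindings[pkt["chaddr"]] = Binding(
                    pkt["chaddr"], pkt["yiaddr"], lease, client_vlan, client_if)
            return "forward", "reply from trusted server"
        if interface in self.trusted:
            return "forward", "request on trusted interface"
        # DoS defense: CHADDR must equal the source MAC in the frame header.
        if pkt["chaddr"] != src_mac:
            return "drop", "CHADDR does not match frame source MAC"
        if pkt["ciaddr"] == "0.0.0.0":
            # Initial DISCOVER/REQUEST: no entry can exist yet; remember the client's port.
            self.pending[pkt["chaddr"]] = (vlan, interface)
            return "forward", "new address request"
        # Renew/rebind: spoofing and exhaustion defense via the binding table.
        b = self.bindings.get(pkt["chaddr"])
        if b is None or (b.ip, b.vlan, b.interface) != (src_ip, vlan, interface):
            return "drop", "no matching DHCP snooping binding entry"
        return "forward", "matches binding entry"

def demo():
    """Walk one client through the exchange; uplink GE0/0/1 is the only trusted port."""
    dev = DhcpSnooping({"GE0/0/1"})
    c = "aa:bb:cc:00:00:01"                    # constructed client MAC
    ack = build_dhcp(BOOTREPLY, c, MSG_ACK, yiaddr="192.0.2.10", lease=3600)
    renew = build_dhcp(BOOTREQUEST, c, MSG_REQUEST, ciaddr="192.0.2.10")
    steps = [
        (c, "0.0.0.0", "GE0/0/2", 10, build_dhcp(BOOTREQUEST, c, MSG_DISCOVER)),
        ("aa:bb:cc:00:00:ff", "192.0.2.9", "GE0/0/2", 10, ack),    # ACK from user-side port
        ("aa:bb:cc:00:00:fe", "192.0.2.1", "GE0/0/1", 10, ack),    # ACK from trusted uplink
        (c, "192.0.2.10", "GE0/0/2", 10, renew),                    # renew matching the entry
        (c, "192.0.2.10", "GE0/0/3", 10, renew),                    # same MAC/IP, other port
        ("aa:bb:cc:00:00:02", "192.0.2.10", "GE0/0/2", 10, renew),  # CHADDR != frame MAC
    ]
    return [dev.process(*s)[0] for s in steps]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running the script prints forward, drop, forward, forward, drop, drop: only the DISCOVER, the ACK arriving on the trusted uplink, and the renewal that matches the binding entry are forwarded. The check order matters: the CHADDR comparison runs before the binding lookup so a forged request never reaches the table, and a reply on an untrusted port is dropped before it can create an entry.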

Benefits

DHCP snooping offers the following benefits:
  • Protects devices against DHCP attacks to enhance device reliability and ensure stable network operation.
  • Offers clients service stability on a more secure network.
  • Whitelist-based filtering can be implemented for DHCP packets to be sent to the CPU on the AC and network sides of the UPE.
Updated: 2019-01-03

Document ID: EDOC1100055047
