DHCP snooping and DHCP option 82

In its original form, DHCP has no safeguards against attacks on the assignment of the network configuration. For example, if a client sends a 'DHCP discover' packet on the network in order to obtain a valid network configuration from a DHCP server, an attacker can answer with fake 'DHCP offer' packets and trick the client into using a false default gateway (DHCP spoofing).

With DHCP snooping, the devices that receive and forward DHCP packets can inspect and modify these packets, and filter them by certain criteria. Information about the origin of a DHCP packet, inserted by the forwarding device, improves a DHCP server's ability to manage large networks, for example by assigning addresses according to the interface or SSID on which a request arrived. Further, because this additional information is missing from an attacker's DHCP packets (or, where a client inserts it itself, is replaced or the packet is dropped, see the setting "On present agent info" below), such packets can no longer be used to interfere with the DHCP negotiation between DHCP servers, DHCP relay agents and DHCP clients. Note that the agent information only identifies the origin of client requests; whether the offers of a rogue DHCP server reach clients depends on the forwarding device filtering server messages that arrive on client-facing interfaces.

The access point supports DHCP snooping on layer 2. This enables it, for example, to add information (such as the SSID) to DHCP packets received from a client on the WLAN before forwarding them to the LAN. For this, the access point inserts the DHCP relay agent information option (option 82) as defined in RFC 3046.

In LANconfig you set up DHCP snooping per interface under Interfaces > Snooping by clicking DHCP snooping.

After selecting the appropriate interface, you can set the following:

Add DHCP agent info
Here you decide whether the DHCP relay agent adds the DHCP option "relay agent info" (option 82) to incoming DHCP packets, or modifies an existing entry, before forwarding the request to a DHCP server. The "relay agent info" is composed of the values for the Remote ID and the Circuit ID.
On present agent info
Here you set how the DHCP relay agent handles a "relay agent info" that is already present in an incoming DHCP packet. The following settings are possible:
  • Keep content: In this setting, the DHCP relay agent forwards the DHCP packet and its existing "relay agent info" unchanged to the DHCP server. Since a client can insert this option itself, this setting is only appropriate where the incoming packets come from a trusted relay agent.
  • Replace content: In this setting, the DHCP relay agent replaces the existing "relay agent info" with the values specified in the fields Remote ID and Circuit ID.
  • Drop packet: In this setting, the DHCP relay agent discards any incoming DHCP packet that already contains a "relay agent info". This is the strictest choice for interfaces on which only clients, and no other relay agents, are expected.
Remote ID
The remote ID is a sub-option of the "relay agent info" option. It uniquely identifies the client making the DHCP request.
Circuit ID
The circuit ID is a sub-option of the "relay agent info" option. It uniquely identifies the interface through which the client makes the DHCP request.
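The following worked example is added here to illustrate the settings above; it is not LANCOM code and does not reflect the access point's implementation. It builds a DHCP DISCOVER (a constructed sample packet, not a capture), encodes and parses the relay agent information option (option 82) with its Circuit ID (sub-option 1) and Remote ID (sub-option 2) as defined in RFC 3046, and applies the three "On present agent info" behaviours to a request in which the client has forged an option 82 of its own. The policy names "keep", "replace" and "drop", the function names and the sample values (SSID, MAC address) are this example's own assumptions.

```python
"""Added example (not LANCOM code): build and parse the DHCP relay agent
information option (option 82, RFC 3046) and apply the three "On present
agent info" policies to a constructed DHCPDISCOVER.
Sub-option codes 1 (Circuit ID) and 2 (Remote ID) are from RFC 3046; the
policy strings "keep", "replace" and "drop" are this example's own names for
the settings Keep content, Replace content and Drop packet."""
import struct
from typing import Dict, List, Optional, Tuple

OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_HEADER_LEN = 236            # fixed BOOTP header before the magic cookie
OPTIONS_START = BOOTP_HEADER_LEN + 4
POLICIES = ("keep", "replace", "drop")


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode option 82 with its Circuit ID and Remote ID sub-options as TLVs."""
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    if len(body) > 255:
        raise ValueError("option 82 body exceeds 255 bytes")
    return bytes([OPT_RELAY_AGENT_INFO, len(body)]) + body


def parse_tlvs(data: bytes, stop_at_end: bool) -> List[Tuple[int, bytes]]:
    """Parse code/length/value triples. Used for the options field (where PAD
    and END are special) and for the sub-options inside option 82 (where they
    are not). Truncated entries raise instead of being silently accepted."""
    out, i = [], 0
    while i < len(data):
        code = data[i]
        if stop_at_end and code == OPT_PAD:
            i += 1
            continue
        if stop_at_end and code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        out.append((code, value))
        i += 2 + length
    return out


def build_discover(client_mac: bytes, extra_options: bytes = b"") -> bytes:
    """Constructed sample input: a minimal DHCPDISCOVER from client_mac.
    extra_options lets a caller simulate a client that forges option 82."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        0x3903F326, 0, 0x8000,      # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    options = bytes([OPT_MSG_TYPE, 1, 1]) + extra_options + bytes([OPT_END])  # 1 = DISCOVER
    return header + MAGIC_COOKIE + options


def get_agent_info(packet: bytes) -> Optional[Dict[int, bytes]]:
    """Return option 82's sub-options keyed by code, or None if it is absent."""
    for code, value in parse_tlvs(packet[OPTIONS_START:], stop_at_end=True):
        if code == OPT_RELAY_AGENT_INFO:
            return dict(parse_tlvs(value, stop_at_end=False))
    return None


def relay_agent_process(packet: bytes, circuit_id: bytes, remote_id: bytes,
                        on_present: str) -> Optional[bytes]:
    """Model the "Add DHCP agent info" behaviour: insert option 82 into a client
    request, or handle a request that already carries one according to
    on_present. Returns the packet to forward to the server, or None if dropped."""
    if on_present not in POLICIES:
        raise ValueError("unknown policy %r" % on_present)
    if packet[BOOTP_HEADER_LEN:OPTIONS_START] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts = parse_tlvs(packet[OPTIONS_START:], stop_at_end=True)
    if any(code == OPT_RELAY_AGENT_INFO for code, _ in opts):
        if on_present == "drop":
            return None
        if on_present == "keep":
            return packet
        opts = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT_INFO]  # replace
    # Re-serialise with option 82 last before END, as RFC 3046 recommends.
    body = b"".join(bytes([c, len(v)]) + v for c, v in opts)
    return packet[:OPTIONS_START] + body + build_option82(circuit_id, remote_id) + bytes([OPT_END])


if __name__ == "__main__":
    mac = b"\x02\x00\x00\x00\x00\x01"                                   # constructed client MAC
    forged = build_discover(mac, build_option82(b"forged", b"forged"))  # client-inserted option 82
    for policy in POLICIES:
        out = relay_agent_process(forged, b"ssid:GUEST", b"ap-01", policy)
        print(policy, None if out is None else get_agent_info(out))
```

The forged packet makes the difference between the three settings visible: with "keep" the client's own Circuit ID and Remote ID reach the server and can mislead any policy the server bases on them, "replace" overwrites them with the access point's values, and "drop" discards the request entirely. The parser also rejects truncated option headers rather than reading past the buffer, which is the check a relay agent must make before trusting any length byte sent by a client.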

You can use the following variables for Remote ID and Circuit ID:

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
