
I configured a DHCP server that runs on a Linux machine using the 'isc-dhcp-server' package.

I would like to add some kind of authentication step. Both the clients and the server will keep some kind of token, and when the client asks for a new IP, the DHCP server will check whether both sides have the same token. If so, the client will receive the new IP from the DHCP server.

Is something like that even possible (with isc-dhcp-server or with another tool)?

If not, is there another way to check which DHCP server I'm connecting to before receiving a new IP after using the dhclient request?

Thanks.

Liran

1 Answer


What you are after is 802.1X.

There is an RFC 3118 which, if implemented, would achieve what you are after, but it is not there yet. The Wikipedia page on DHCP says about that:

Another extension, Authentication for DHCP Messages (RFC 3118), provides a mechanism for authenticating DHCP messages. Unfortunately RFC 3118 has not seen (as of 2002) widespread adoption because of the problems of managing keys for large numbers of DHCP clients. A 2007 book about DSL technologies remarked that "there were numerous security vulnerabilities identified against the security measures proposed by RFC 3118. This fact, combined with the introduction of 802.1x, slowed the deployment and take-rate of authenticated DHCP, and it has never been widely deployed." A 2010 book notes that "[t]here have been very few implementations of DHCP Authentication. The challenges of key management and processing delays due to hash computation have been deemed too heavy a price to pay for the perceived benefits."

natxo asenjo
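To make the RFC 3118 mechanism mentioned in the answer concrete, here is an added example (not part of the original question or answer, and not isc-dhcp-server code) of how a client could check the "delayed authentication" option 90 on a DHCPOFFER: a replay counter plus an HMAC-MD5 over the message with the MAC field, `hops` and `giaddr` zeroed. The function names, the key table, the secret ID 7 and the sample packet are constructed for illustration, and the sketch assumes no relay agent information option (82) has been appended.

```python
import hashlib, hmac, struct

OPT_AUTH, AUTH_LEN = 90, 31   # option code; protocol+algorithm+RDM+replay(8)+secret id(4)+MAC(16)
OPTS_START = 240              # 236-byte BOOTP header + 4-byte magic cookie

def find_auth(msg):
    """Offset of option 90 in the options field, or None."""
    i = OPTS_START
    while i + 1 < len(msg) and msg[i] != 255:   # 255 = end option
        if msg[i] == 0:                         # pad option has no length byte
            i += 1
        elif msg[i] == OPT_AUTH:
            return i
        else:
            i += 2 + msg[i + 1]
    return None

def compute_mac(msg, key, off):
    m = bytearray(msg)
    m[3] = 0                          # hops: a relay may change it, so it is zeroed
    m[24:28] = bytes(4)               # giaddr: same reason
    m[off + 17:off + 33] = bytes(16)  # the MAC field itself is zero during computation
    return hmac.new(key, bytes(m), hashlib.md5).digest()

def verify(msg, keys, last_counter):
    """True only if option 90 carries a fresh counter and a valid HMAC-MD5."""
    off = find_auth(msg)
    if off is None or msg[off + 1] != AUTH_LEN or off + 2 + AUTH_LEN > len(msg):
        return False
    proto, algo, rdm, counter, sid = struct.unpack_from("!BBBQI", msg, off + 2)
    if (proto, algo, rdm) != (1, 1, 0):   # delayed auth, HMAC-MD5, counter-based RDM
        return False
    if counter <= last_counter or sid not in keys:
        return False                      # replayed message or unknown secret ID
    received = bytes(msg[off + 17:off + 33])
    return hmac.compare_digest(compute_mac(msg, keys[sid], off), received)

def sample_offer(key, sid, counter):
    """Constructed DHCPOFFER (not a capture), as seen after passing a relay."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 1, 0x1234ABCD, 0, 0,
                      bytes(4), bytes([192, 0, 2, 50]), bytes(4), bytes([192, 0, 2, 1]),
                      bytes.fromhex("020000000001"), b"", b"")
    auth = bytes([OPT_AUTH, AUTH_LEN]) + struct.pack("!BBBQI", 1, 1, 0, counter, sid) + bytes(16)
    msg = bytearray(hdr + b"\x63\x82\x53\x63" + b"\x35\x01\x02" + auth + b"\xff")
    off = find_auth(msg)
    msg[off + 17:off + 33] = compute_mac(msg, key, off)
    return bytes(msg)

if __name__ == "__main__":
    keys = {7: b"constructed-shared-secret"}   # per-client key table (assumed)
    offer = sample_offer(keys[7], 7, counter=1001)
    print(verify(offer, keys, last_counter=1000))
```

Every client needs its own entry in a key table like `keys`, which is the key-management burden the quoted passage gives as the reason for the low adoption.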