Monday, 23 May 2011

Dynamic Host Configuration Protocol (DHCP)


Several authentication methods for Dynamic Host Configuration Protocol (DHCP) messages have been proposed in the Internet Engineering Task Force (IETF) and were published and circulated as IETF Internet Drafts. However, they have several drawbacks. One is that users can illegally reuse an expired address that had been allocated to a host. This may cause serious security problems. We propose a new access control method to be used as the DHCP message authentication mechanism.

We designed and developed the DAG (DHCP Access Control Gateway) as an example of the proposed method. The DAG is a gateway program that passes network traffic only from clients whose addresses were formally allocated by the DHCP server. To determine which addresses were formally allocated, the DAG observes the DHCP interactions between servers and clients and gathers information on the address allocations made by the observed servers. The DAG can authenticate the DHCP server based on the message authentication code (MAC) included in the DHCP message. When a new address is allocated to a client, the DAG resets the gateway filters.

A gateway built with this method can be used even with DHCP servers that lack authentication mechanisms: combining a regular DHCP server with the DAG already improves network security. Combined with a DHCP server and a DHCP client that support authentication schemes such as those in the IETF Internet Drafts, the DAG can offer a mechanism whereby only a specific client may access the network.
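The following added example (not code from the DAG or from the original post) models the gateway logic described above: it learns allocations from observed DHCPACK messages, optionally checks the server's MAC, and refuses traffic from unallocated or expired addresses. The `LeaseGateway` class, the message fields, the key and the use of HMAC-SHA256 are assumptions made for illustration; the page does not name the MAC algorithm.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed key shared by server and gateway

def mac_for(key, msg):
    # Assumption: HMAC-SHA256 over the allocation fields of the message.
    fields = "|".join(str(msg[k]) for k in ("type", "server", "chaddr", "yiaddr", "lease"))
    return hmac.new(key, fields.encode(), hashlib.sha256).hexdigest()

class LeaseGateway:
    """Hypothetical filter table driven by observed DHCP server messages."""
    def __init__(self, key=None):
        self.key = key        # None models a DHCP server without authentication
        self.filters = {}     # allocated IP -> (client hardware address, expiry time)

    def observe(self, msg, now):
        """Handle one observed server message; return True if filters were reset."""
        if self.key is not None:
            if not hmac.compare_digest(msg.get("mac", ""), mac_for(self.key, msg)):
                return False  # MAC mismatch: not from the authenticated server
        if msg["type"] != "ACK":
            return False
        self.filters[msg["yiaddr"]] = (msg["chaddr"], now + msg["lease"])
        return True

    def permits(self, src_ip, src_hw, now):
        """Pass traffic only from the client currently holding an unexpired address."""
        entry = self.filters.get(src_ip)
        if entry is None or now >= entry[1]:
            self.filters.pop(src_ip, None)  # drop the expired allocation
            return False
        return entry[0] == src_hw

def demo():
    gw = LeaseGateway(KEY)
    ack = {"type": "ACK", "server": "192.0.2.1", "chaddr": "02:00:00:00:00:0a",
           "yiaddr": "192.0.2.50", "lease": 600}  # constructed sample message
    ack["mac"] = mac_for(KEY, ack)
    altered = dict(ack, yiaddr="192.0.2.99", chaddr="02:00:00:00:00:0b")  # stale MAC
    gw.observe(ack, now=0)
    gw.observe(altered, now=0)
    return [
        gw.permits("192.0.2.50", "02:00:00:00:00:0a", now=10),   # allocated client
        gw.permits("192.0.2.50", "02:00:00:00:00:0b", now=10),   # other host, same IP
        gw.permits("192.0.2.99", "02:00:00:00:00:0b", now=10),   # unauthenticated ACK
        gw.permits("192.0.2.50", "02:00:00:00:00:0a", now=601),  # expired address
    ]
```

Constructing `LeaseGateway()` without a key corresponds to the case of a regular DHCP server with no authentication: allocations are still tracked and expired addresses are still filtered, but the server's messages are not verified.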


.::BY JUMBHO MY AT HOME IN THE JEPARA CITY OF BEAUTIFUL::.