Man in the middle attack against RFC3456.
There is a man in the middle attack on the DHCP-relay in RFC3456. This
attack is based on the threat defined in RFC3118 (DHCP-AUTH). In this case
Eve is inside the LAN and able to source DHCPACK packets. If Eve sends a
DHCPACK to an IRAC via a SGW implementing RFC3456, the DHCP-relay on the
SGW will plumb a new route for whatever address Eve puts in yiaddr.
               |-Eve
IRAC ---- SGW -|
               |-DHCP Server
excerpt from RFC3456:
To learn the internal IP address of the client in order to route
packets to it, the security gateway will typically snoop the yiaddr
field within the DHCPACK and plumb a corresponding route as part of
DHCP Relay processing.
This attack is not resolved by the implementation of RFC3118 unless the
following changes are made to the DHCP-relay.
1 - It stores a copy of all secret keys contained on the DHCP-server and
uses them to authenticate DHCPACKs, or it stores a copy of the master key and
uses that to generate the client keys as described in RFC3118 Appendix A.
2 - The DHCP-relay implements the DHCP-server replay protection.
Darren
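
The two relay-side changes listed in the message above, sketched as an added example that is not part of the original post or of any RFC3456 implementation: the relay verifies the RFC3118 delayed-authentication HMAC-MD5 and the replay counter on a DHCPACK before it takes yiaddr for a route. Assumptions: the function names, a key table and replay state indexed by the option 90 secret ID, no relay agent information option in the message, and a caller that has already classified the packet as a DHCPACK.

```python
import hashlib, hmac, ipaddress, struct

def find_auth(msg):
    """Return offset of the option 90 payload if it has the 31-byte delayed-auth layout."""
    i = 240                                    # 236-byte BOOTP header + magic cookie
    while i + 1 < len(msg) and msg[i] != 255:  # 255 = end option
        if msg[i] == 0:                        # pad option has no length byte
            i += 1
            continue
        if msg[i] == 90:
            ok = msg[i + 1] == 31 and i + 33 <= len(msg)
            return i + 2 if ok else None
        i += 2 + msg[i + 1]
    return None

def _mac(msg, off, key):
    """HMAC-MD5 over the message with hops, giaddr and the MAC field zeroed (RFC3118)."""
    buf = bytearray(msg)
    buf[3] = 0                                 # hops
    buf[24:28] = bytes(4)                      # giaddr
    buf[off + 15:off + 31] = bytes(16)         # MAC field inside option 90
    return hmac.new(key, bytes(buf), hashlib.md5).digest()

def yiaddr_to_route(msg, keys, last_seen):
    """Return yiaddr only if the DHCPACK authenticates and is fresh, else None."""
    off = find_auth(msg)
    # protocol 1 = delayed authentication, algorithm 1 = HMAC-MD5, RDM 0 = counter
    if off is None or tuple(msg[off:off + 3]) != (1, 1, 0):
        return None
    counter, secret_id = struct.unpack("!QI", msg[off + 3:off + 15])
    key = keys.get(secret_id)
    if key is None or not hmac.compare_digest(_mac(msg, off, key), msg[off + 15:off + 31]):
        return None                            # unknown key or forged/modified ACK
    if counter <= last_seen.get(secret_id, -1):
        return None                            # replayed or stale ACK
    last_seen[secret_id] = counter
    return str(ipaddress.IPv4Address(bytes(msg[16:20])))

def build_ack(yiaddr, secret_id, counter, key):
    """Constructed sample input: minimal DHCPACK carrying a signed option 90."""
    hdr = bytearray(236)
    hdr[0], hdr[3] = 2, 1                      # BOOTREPLY, hops=1 (set by a relay)
    hdr[16:20] = ipaddress.IPv4Address(yiaddr).packed
    opts = (bytes([53, 1, 5, 90, 31, 1, 1, 0]) + struct.pack("!QI", counter, secret_id)
            + bytes(16) + b"\xff")
    msg = bytearray(hdr + b"\x63\x82\x53\x63" + opts)
    off = 245                                  # 240 + option 53 (3) + option 90 header (2)
    msg[off + 15:off + 31] = _mac(msg, off, key)
    return bytes(msg)
```

With the master-key variant from RFC3118 Appendix A, the `keys` lookup would be replaced by deriving the client key from the master key and the client's unique identifier.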