
FW: Man in the middle attack against RFC3456.



Amendment:
Eve sends the DHCPACK to the DHCP-relay (not the IRAC) with a manufactured
DHCP Relay Agent Information Option or one copied from a previous DHCP
message.

> -----Original Message-----
> From: Darren Dukes [mailto:ddukes@cisco.com]
> Sent: Wednesday, February 05, 2003 12:10 PM
> To: ipsec@lists.tislabs.com
> Subject: Man in the middle attack against RFC3456.
>
>
> There is a man in the middle attack on the DHCP-relay in RFC3456.
> This attack is based on the threat defined in RFC3118
> (DHCP-AUTH).  In this case Eve is inside the LAN and able to
> source DHCPACK packets. If Eve sends a DHCPACK to an IRAC via a
> SGW implementing RFC3456 the DHCP-relay on the SGW will plumb a
> new route for whatever address Eve puts in yiaddr.
>
>                |-Eve
> IRAC ---- SGW -|
>                |-DHCP Server
>
> excerpt from RFC3456:
>    To learn the internal IP address of the client in order to route
>    packets to it, the security gateway will typically snoop the yiaddr
>    field within the DHCPACK and plumb a corresponding route as part of
>    DHCP Relay processing.
>
> This attack is not resolved by the implementation of RFC3118
> unless the following changes are made to the DHCP-relay.
> 1 - It stored a copy of all secret keys contained on the
> DHCP-server and used them to authenticate DHCPACKs or it stored a
> copy of the master key and used that to generate the client keys
> as described in RFC3118 Appendix A.
> 2 - DHCP-relay implements the DHCP-server replay protection.
>
>
> Darren
>
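As an added illustration (not code from the original post, nor from any RFC3456 or RFC3118 implementation), the following Python sketch shows the hardened relay behaviour Darren asks for: the SGW relay plumbs a route for yiaddr only if the DHCPACK carries an RFC3118 delayed-authentication option that verifies under a secret the relay shares with the DHCP server (item 1) and whose replay-detection counter is fresh for that client (item 2). The packet builder, the client hardware address and the shared secret are constructed for the demonstration; the MAC coverage (whole message with hops, giaddr and the option's MAC field zeroed) follows RFC3118 section 5.2 as understood here.

```python
import hashlib, hmac, struct

OPT_MSG_TYPE, OPT_AUTH, DHCPACK = 53, 90, 5   # RFC2132 / RFC3118 option codes

def parse_options(msg):
    """Map option code -> (offset of value, value) for the options after the cookie."""
    i, opts = 240, {}
    while i < len(msg) and msg[i] != 0xFF:          # 0xFF = end option
        n = 1 if msg[i] == 0 else 2 + msg[i + 1]     # 0 = pad option
        if n > 1:
            opts[msg[i]] = (i + 2, msg[i + 2:i + n])
        i += n
    return opts

def mac_input(msg, off):
    """RFC3118 5.2: HMAC-MD5 over the whole message with hops, giaddr and the MAC field zeroed."""
    m = bytearray(msg)
    m[3], m[24:28], m[off + 15:off + 31] = 0, b"\0" * 4, b"\0" * 16
    return bytes(m)

def build_dhcpack(yiaddr, chaddr, key=None, secret_id=1, counter=1):
    """Constructed DHCPACK; with a key, a delayed-authentication option (HMAC-MD5, RDM 0) is added."""
    hdr = struct.pack("!4B4s2H4s4s4s4s16s192s", 2, 1, 6, 0, b"\x12\x34\x56\x78", 0, 0,
                      b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4, chaddr, b"\0" * 192)
    opts = bytes([OPT_MSG_TYPE, 1, DHCPACK])
    if key is not None:
        opts += bytes([OPT_AUTH, 31]) + struct.pack("!3BQI", 1, 1, 0, counter, secret_id) + b"\0" * 16
    msg = hdr + b"\x63\x82\x53\x63" + opts + b"\xFF"          # magic cookie before options
    if key is not None:
        off = parse_options(msg)[OPT_AUTH][0]
        msg = msg[:off + 15] + hmac.new(key, mac_input(msg, off), hashlib.md5).digest() + msg[off + 31:]
    return msg

def relay_ack(msg, secrets, last_counter):
    """Return yiaddr to plumb a route for, or None if the DHCPACK fails the
    shared-key check (item 1 in the mail) or the replay check (item 2)."""
    opts = parse_options(msg)
    if OPT_AUTH not in opts:
        return None                 # unauthenticated ACK (Eve's forgery): no route
    off, auth = opts[OPT_AUTH]
    proto, alg, rdm, counter, secret_id = struct.unpack("!3BQI", auth[:15])
    key, chaddr = secrets.get(secret_id), msg[28:44]
    if (proto, alg, rdm) != (1, 1, 0) or key is None:
        return None
    if counter <= last_counter.get(chaddr, -1):
        return None                 # replayed or stale counter (item 2)
    if not hmac.compare_digest(hmac.new(key, mac_input(msg, off), hashlib.md5).digest(), auth[15:]):
        return None                 # MAC mismatch: wrong key or altered message (item 1)
    last_counter[chaddr] = counter  # update replay state only after the MAC verified
    return msg[16:20]               # yiaddr: the relay may now plumb the route
```

A forged ACK without the option, one signed under a key the server never issued, a replay of a genuine ACK, or a genuine ACK with yiaddr rewritten all return None, so no route is plumbed.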