topic Hi,DHCP discovery message is in Network Security

dhcp snooping untrusted - only requests

vinciffs1 — Fri, 21 Feb 2020 13:51:35 GMT

Hi,

I would simply like to know why untrusted switch ports do allow dhcp requests at all? What is the logic behind it? Why don't they block dhcp traffic altogether?

Hi, you connect end user

Milos Megis — Thu, 07 Jul 2016 05:58:47 GMT

Hi, you connect end user devices (mostly PC) on untrusted ports.

They should be allowed to request IP address from DHCP.

But on untrusted ports there cannot be DHCP offer packets (packets sent by DHCP server). These packet can appear only on trusted ports. This mechanism protects network before connecting own DHCP server on untrusted ports (attack with DHCP rogue server).

So to be more exactly, do

vinciffs1 — Sun, 10 Jul 2016 11:19:59 GMT

So to be more exactly, do untrusted ports also allow dhcp discovery packets for instance? And any other dhcp packets that might come from a dhcp client, but don't allow packets such as offer and other server-specific packets? In the curriculum, it only briefly talked about these REQ and ACK, as if these were the only ones involved in the dhcp process.

Hi,DHCP discovery message is

Milos Megis — Mon, 11 Jul 2016 08:11:05 GMT

Hi,
DHCP discovery message is first message from client in DHCP process so it will be allowed on untrusted ports.

Also other kinds of messages are discarded:
- all messages from DHCP server received on untrusted port
- messages from DHCP client in which value "client MAC address" doesn´t match with MAC address of sender
- messages RELEASE and DECLINE from DHCP client, which MAC address is in database on different port than from which message arrived
- messages received on untrusted port, in which DHCP relay address is different than 0.0.0.0 or if there is option-82 in it

Message which was not discarded will be sent only via trusted port