Bugtraq archives for 4th quarter (Oct-Dec) 1996: Re: BOOTP/DHCP security

Re: BOOTP/DHCP security

Alan Cox (alan@lxorguk.ukuu.org.uk)
Wed, 27 Nov 1996 20:07:38 +0000

> So what solutions have other people thought about/implemented to cope with
> the possibility of rogue address discovery servers being set up?  Since
> the requests are broadcast, and OS+daemon can fit on a floppy disk in some
> cases and is just a free add-on in others, it is very easy to offer back

It is worse than this. Just 'borrow' the address of a Windows95 box and
ping it. There are also some very interesting other tricks. A dhcp response
to all the macs I've tried with a 0 second lifetime locks the mac solid.

The concept is old though. The first ever Linux appletalk application was
a program that stopped macintoys booting anywhere on the lan by owning
every appletalk address.

> This is particularly relevant to the relatively small number of sites that
> do a lot of remoteboot for security reasons (see

Some of those are very very hard. Assuming you have IPv6 and a router key
in your own persistent storage you are ok (and IPv6 will have a lot of
dynamic config). However if you have no key the problem of finding who
to talk to in order to kick things off appears insoluble as there is no
way to build a trusted path.

Another incredibly vulnerable area given this lan access is bridges. They
all talk 802.1 spanning tree to remove loops. It lets you do stuff like
turn ports off. 802.1 has no security, no crypto, nothing, no logging,
nothing at all. Many tools like SNMP tools and packet sniffers don't
even understand 802.1.

Alan
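The rogue-server and zero-lifetime problems above can be caught on the wire by auditing DHCP OFFERs against a list of servers the site actually runs. The following is an added example, not part of the original post: it parses the BOOTP/DHCP option block (RFC 2131 layout) and flags offers whose server identifier is not authorized or whose lease time is 0 seconds; the server addresses and packets are constructed sample data.

```python
import struct

# Constructed constants from the DHCP option format (RFC 2131 / RFC 2132).
MAGIC = b"\x63\x82\x53\x63"          # magic cookie following the 236-byte BOOTP header
OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
DHCPOFFER = 2

def parse_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from a DHCP packet's option block."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:                # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def audit_offer(payload: bytes, authorized_servers: set) -> list:
    """Findings for a DHCPOFFER: unknown server identifier or 0-second lease."""
    opts = parse_options(payload)
    findings = []
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return findings              # only OFFERs are audited here
    server = ".".join(map(str, opts.get(OPT_SERVER_ID, b"")))
    if server not in authorized_servers:
        findings.append(f"offer from unauthorized server {server or '<none>'}")
    if OPT_LEASE in opts and struct.unpack("!I", opts[OPT_LEASE])[0] == 0:
        findings.append("lease time 0 seconds (client-wedging response)")
    return findings

def build_sample_offer(server_ip: str, lease_seconds: int) -> bytes:
    """Constructed test vector: minimal BOOTREPLY with the three options audited above."""
    header = bytes([2, 1, 6, 0]) + b"\x00" * 232   # op=BOOTREPLY, htype=1, hlen=6, rest zeroed
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + bytes(int(o) for o in server_ip.split("."))
    opts += bytes([OPT_LEASE, 4]) + struct.pack("!I", lease_seconds)
    return header + MAGIC + opts + bytes([OPT_END])

if __name__ == "__main__":
    site_servers = {"10.0.0.1"}      # constructed: the site's legitimate DHCP server
    for pkt in (build_sample_offer("10.0.0.1", 86400), build_sample_offer("10.0.0.99", 0)):
        print(audit_offer(pkt, site_servers) or ["ok"])
```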