
8.3 Services

8.3.4 DHCP Server

For Dynamic Host Configuration Protocol (DHCP) server configuration, a couple of configuration settings are required. At the very least, the server needs to know the range of IP addresses it is allowed to give to clients. Figure 8.11 specifies the main components of the DHCP configuration. The Verinec definition is inspired by the ISC DHCPd [ISC, 2007], which is mostly visible in the names of attributes and elements. However, most of the features are available in any DHCP server implementation.

Elements and attributes shown in the figure (indentation indicates containment):

  Options applicable at many places (dhcp-options):
    authoritative        Whether hosts in this scope should receive authoritative responses
    default-lease-time   Time to offer a lease if the client does not specify a preferred length
    max-lease-time       Maximum lease time to accept if the client specifies a preferred length
    dhcp-dns-list        List of DNS servers for a client in this scope
    dhcp-router-list     List of routers for a client in this scope

  Containers and their elements:
    dhcp                 The container element
    shared-network       Allows running more than one network on one physical interface
      name               Purely descriptive name
    group                Group container to specify common parameters
      name               Purely descriptive name
    subnet               A subnet (is a container)
      addr               Subnet address
      netmask            Subnet netmask
      domain             Domain name for this subnet
    range                A range of IP addresses that can be used
      begin              First IP
      finish             Last IP
    pool                 A pool of addresses
      pool-restriction   Specific restrictions for a pool
      range              A range, as defined above
    host                 An explicit host statement to define MAC addresses and fixed mappings
      name               Name of the host
      host-hardware      Specifies the host hardware to recognise a client
      fixed-address      Specifies an IP address to assign to the host

Figure 8.11: Elements of the DHCP server configuration.

The configuration is hierarchic, with the possibility to specify parameters on every level of detail. Containers can group other containers, which inherit their parameters. Subnet, group, pool and shared-network are containers. A container can group one or several groups, subnets, pools and hosts. A couple of general options can be configured for each container. The default and maximum lease times control the time after which clients have to renew their configuration, possibly receiving a changed IP. The lease time is configured in the server, which tells the time to its clients in the DHCP offers.

The authoritative attribute tells the server whether it should send DHCPNAK messages to clients asking for renewal of IPs from another network. If the DHCP server is properly configured for a network, it should be set authoritative. Authoritative is off by default, to prevent unconfigured DHCP servers from confusing the DHCP system with DHCPNAK messages.

dhcp-dns-list and dhcp-router-list inform the server about the addresses of DNS servers and routers to tell the clients. This allows them to really use the network after automatic configuration. The DNS server should be informed by the DHCP server about the host names and IPs the latter issues, to allow other clients to look up the hosts. This is configured with the attribute ddns-updates in one of the containers or globally in the dhcp element. Further specification for the update process is given in the attributes ddns-hostname and ddns-domainname.

Other settings can be specified using the dhcp-restriction element. It specifies whether to allow or deny clients matching a certain criterion. It applies to the container it is in and is inherited by child containers, unless the same criterion is overwritten there. Each criterion can either be set to allow, deny or ignore. Ignore is the same as deny, except that ignoring produces no entry in the log file. Possible criteria to control are:

unknown-clients: Can be used to place clients not having a matching host declaration onto a separate subnet. To achieve this, two subnets are declared: one for the known clients (type="deny" criteria="unknown-clients") and one for the unknown clients (type="allow" criteria="unknown-clients").

bootp: Tells the server whether it should respond to BOOTP requests or not.

booting: Only relevant in the context of a host declaration. If it is denied, this client is not given an IP, which allows disabling single clients.

duplicates: Used to prevent one client from blocking several IP addresses when it uses different DHCP client identifiers on one MAC address. This typically happens with dual-boot systems. If allowed, the server discards all existing leases for a MAC address when it receives another request from that address.

declines: Controls whether the server processes DHCPDECLINE messages from clients. This message tells the server that the offered address is not valid for some reason (typically because the client detected that the address is already in use). The server then does not use that address any more. A malicious client could exploit this behaviour to exhaust the address pool of the DHCP server by always sending declines. The trade-off is that a server which denies or ignores declines will keep handing out an address that a client has genuinely found to be in use.

client-updates: Tells the clients whether they are allowed to inform the DNS about their new address. It should be denied if the DHCP server takes care of informing the DNS system.

A shared network groups several subnets which are present on the same physical interface. It can only occur directly under the dhcp element. It does not provide additional options in addition to the parameters a container can set.

The container group element has no direct implications on a network. It is used to set common parameters for some subnet, pool or host declarations.

The subnet is used to specify a part of the network with common information. The addresses available should either be specified in ranges, or using pools to better control what is available. The subnet uses restrictions to select the clients belonging to it.

In a pool, IP addresses that are reserved for a particular purpose are grouped. Access to pools is controlled using pool-restriction, which is different from the dhcp-restriction element. Pools can be restricted to unknown or known clients, to clients using BOOTP, or to clients being authenticated or only those not authenticated.

The host finally allows to identify clients, typically based on the MAC address they provide. This allows to specify the list of known hosts. If desired, fixed mappings of IP addresses and host names can be defined.
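The following dhcpd.conf fragment is an added example and is not part of the thesis or of the Verinec code base. It shows how the elements described above (authoritative, lease times, DNS and router lists, DDNS updates, the restriction criteria, a shared network with a known and an unknown subnet, and host declarations) map onto the ISC DHCPd syntax that inspired them. All addresses, names and MAC addresses are assumed for illustration.

```conf
# Added example: ISC dhcpd.conf realising the Verinec DHCP model described above.
# Addresses, domain names and MAC addresses are assumed, not taken from the thesis.

# The server is properly configured for this network, so it may send DHCPNAK
# to clients that ask to renew a lease from some other network.
authoritative;

# Lease times (seconds): offered when the client gives no preference /
# maximum the server accepts when the client asks for a specific length.
default-lease-time 600;
max-lease-time 7200;

# Options handed to clients (Verinec dhcp-dns-list / domain).
option domain-name-servers 192.0.2.53, 192.0.2.54;
option domain-name "example.net";

# The DHCP server updates DNS itself (ddns-updates) and therefore
# refuses client-driven updates (deny client-updates).
ddns-update-style interim;
ddns-updates on;
ddns-domainname "example.net";
deny client-updates;

# Restrictions inherited by every container below unless overridden:
# - deny declines: a client cannot empty the pool by declining every offer
#   (the cost is that a genuinely conflicting address stays in use)
# - deny duplicates: a dual-boot host using two client identifiers on one
#   MAC address does not hold two leases
# - deny bootp: plain BOOTP requests are not answered
deny declines;
deny duplicates;
deny bootp;

# Two subnets on the same physical interface: clients with a matching
# host declaration land in the first, everyone else in the second.
shared-network lab {
  subnet 192.0.2.0 netmask 255.255.255.0 {
    option routers 192.0.2.1;          # Verinec dhcp-router-list
    deny unknown-clients;              # known hosts only
    range 192.0.2.100 192.0.2.150;
  }
  subnet 198.51.100.0 netmask 255.255.255.0 {
    option routers 198.51.100.1;
    allow unknown-clients;             # guest/unknown devices
    range 198.51.100.100 198.51.100.150;
  }
}

# Known hosts (Verinec host / host-hardware / fixed-address).
host printer01 {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 192.0.2.20;
}

# A known host that is temporarily switched off: it receives no lease at all.
host lost-laptop {
  hardware ethernet 00:11:22:33:44:66;
  deny booting;
}
```

A client is "known" only if one of the host declarations matches its hardware address, so the first subnet is effectively an allow-list; anything not listed is confined to the second subnet, where a separate pool-restriction could further limit it (for example to authenticated clients). Note that `deny booting` is only meaningful inside a host declaration, as the criteria list above states, and that the `deny declines` choice should be made consciously, since it trades pool-exhaustion resistance for the ability to learn about address conflicts from clients.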

The configuration for a DHCP client is trivial. The interface settings just have to specify whether that interface should be configured using DHCP or not. Section 8.5.6 contains some notes on translating DHCP server configuration.
