Understanding DHCP Option 82 for Protecting Switching Devices Against Attacks
You can use DHCP option 82, also known as the DHCP relay agent information option,
to help protect Juniper Networks EX Series Ethernet Switches and MX Series 3D Universal
Edge Routers against attacks such as spoofing (forging) of IP addresses and MAC
addresses, and DHCP IP address starvation. Hosts on untrusted access interfaces on an
Ethernet LAN switching device send requests for IP addresses to access the Internet. The
switching device forwards or relays these requests to DHCP servers, and the servers send
offers for IP address leases in response. Attackers can use these messages to penetrate
the network by address spoofing.
Option 82 provides information about the network location of a DHCP client, and the
DHCP server uses this information to implement IP addresses or other parameters for
the client. The Junos OS implementation of DHCP option 82 supports RFC 3046, DHCP
Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.
This topic covers:
•
DHCP Option 82 Overview on page 392
•
Suboption Components of Option 82 on page 393
•
Switching Device Configurations That Support Option 82 on page 394
•
DHCPv6 Options on page 395
DHCP Option 82 Overview
If DHCP option 82 is enabled on a VLAN or bridge domain, then when a network device—a
DHCP client—that is connected to the VLAN or bridge domain on an untrusted interface
sends a DHCP request, the switching device inserts information about the client's network
location into the packet header of that request. The switching device then sends the
request to the DHCP server. The DHCP server reads the option 82 information in the
packet header and uses it to implement the IP address or another parameter for the
client. See “Suboption Components of Option 82” on page 393 for more information about
option 82.
NOTE: On EX4300 switches, DHCP option 82 information is added to DHCP
packets received on trusted interfaces as well as untrusted interfaces.
If option 82 is enabled on a VLAN or bridge domain, the following sequence of events
occurs when a DHCP client sends a DHCP request:
1. The switching device receives the request and inserts the option 82 information in the
packet header.
2. The switching device forwards (or relays) the request to the DHCP server.
3. The server uses the DHCP option 82 information to formulate its reply and sends a
response to the switching device. It does not alter the option 82 information.
Copyright © 2017, Juniper Networks, Inc.392
ACX Series Universal Access Router Configuration Guide
To Next Page
Loading...
Need help?
General
