These protocols are used to provide information to machines while they are booting. For instance, these protocols are used to bring up diskless clients, to configure portable machines that move from network to network and need to discover information, and frequently to configure network devices like routers and printers that generally do not have persistent storage to keep complex configuration information locally. TFTP, which is discussed in Chapter 17, is also a critical part of this process in many cases.
bootp is a broadcast-based protocol used by clients to get configuration data and other boot-time information, particularly IP addresses. A client that comes up with no configuration data may use link-layer broadcasts and its MAC address to get basic data from a server. Because bootp is broadcast-based at the link layer, it will not cross a router unless the router has been specifically configured to pass it (for instance, using an "IP helper address" on a Cisco router). However, most bootp servers will also accept unicast packets, so you should not rely on this to protect bootp servers from attack.
DHCP is an extension of bootp (and uses the same network port numbers). bootp supports a one-to-one mapping from MAC addresses to TCP/IP addresses. DHCP is a more complex protocol that allows for multiple servers, dynamic address allocation, automatic name registration, and passing client-specific configuration parameters. Dynamic addresses are "leased" to clients that must periodically request continued ownership. DHCP is used for machines that can boot themselves but still require network configuration information to work on a network. It's particularly useful with mobile machines, since their network configurations change often, but it's also used to make permanent machines easier to configure.
Bastion hosts should have permanent addresses that are configured on the machine itself; it is unwise to use DHCP to configure them, and we strongly recommend against doing so. Using DHCP makes bastion hosts dependent on the DHCP server.
DHCP requires both broadcast and unicast requests in order to function correctly. Putting a normal router in place will prevent a DHCP server from doing anything useful for clients on the far side of the router without actually protecting the DHCP server from attackers.
bootp is UDP-based; bootp clients use port 68, and bootp servers use port 67. UDP packets have no ACK bit. Although it is not specified in the standard, DHCP servers and clients frequently also send an ICMP echo to the address that a client is about to be offered, or an ARP request for it, to determine whether the address is actually free or already in use.
Direction | Source Addr. | Dest. Addr. | Protocol | Source Port | Dest. Port | Notes |
---|---|---|---|---|---|---|
In | Ext[24] | Broadcast | UDP | 68 | 67 | External client request to internal server |
Out | Int | Ext[25] | UDP | 67 | 68 | Internal server positive response to external client |
Out | Int | Broadcast | UDP | 67 | 68 | Internal server negative response to external DHCP client |
In | Ext[25] | Broadcast | UDP | 68 | 67 | External client accepting DHCP offer |
Out | Int | Ext[25] | UDP | 67 | 68 | Internal server acknowledging DHCP lease |
Out | Int[24] | Broadcast | UDP | 68 | 67 | Internal client request to external server |
In | Ext | Int[25] | UDP | 67 | 68 | External server positive response to internal client |
In | Ext | Broadcast | UDP | 67 | 68 | External server negative response to internal DHCP client |
Out | Int[25] | Broadcast | UDP | 68 | 67 | Internal client accepting DHCP offer |
In | Ext | Int[25] | UDP | 67 | 68 | External server acknowledging DHCP lease |
[24] This address need not be a valid address; the destination machine is assumed not to be fully configured, and the packet will actually be delivered based on lower-level data, not on the apparent destination address. The lower-level data may have a broadcast or unicast address depending on client capabilities.
[25] This is now the valid, agreed-upon address.
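The following is an added example, not code from the book: it maps a packet's direction, addresses and UDP ports onto the rows of the table above, using the source address to tell a not-yet-configured client (footnote [24]) from one accepting an offer (footnote [25]), and then applies this chapter's perimeter policy of denying all of it. The internal network 192.0.2.0/24, the `Packet` record and the function names are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed internal network behind the firewall (constructed sample value).
INTERNAL = ip_network("192.0.2.0/24")
BROADCAST = ip_address("255.255.255.255")
SERVER_PORT, CLIENT_PORT = 67, 68

@dataclass(frozen=True)
class Packet:
    direction: str  # "In" (arriving from outside) or "Out" (leaving), as in the table
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

def side(addr: str) -> str:
    """Map an address onto the table's Int / Ext / Broadcast columns. 0.0.0.0 is the
    not-yet-configured client of footnote [24], whose source address is not valid."""
    a = ip_address(addr)
    if a == BROADCAST:
        return "Broadcast"
    if a.is_unspecified:
        return "Unconfigured"
    return "Int" if a in INTERNAL else "Ext"

def classify(pkt: Packet) -> Optional[str]:
    """Return the Notes text of the matching table row, or None if not bootp/DHCP."""
    if pkt.proto != "UDP" or {pkt.sport, pkt.dport} != {SERVER_PORT, CLIENT_PORT}:
        return None
    inbound = pkt.direction == "In"
    who = "External" if inbound else "Internal"      # the speaking party's side
    other = "internal" if inbound else "external"    # the party it talks to
    if pkt.sport == CLIENT_PORT:                     # client -> server, always broadcast
        if side(pkt.src) == "Unconfigured":          # footnote [24]: no valid address yet
            return f"{who} client request to {other} server"
        return f"{who} client accepting DHCP offer"  # footnote [25]: agreed-upon address
    if side(pkt.dst) == "Broadcast":                 # server -> client, NAK is broadcast
        return f"{who} server negative response to {other} DHCP client"
    # Unicast 67->68: the table's "positive response" and "acknowledging lease" rows
    # are indistinguishable from the IP/UDP header alone, so both map here.
    return f"{who} server positive response or lease acknowledgement to {other} client"

def decide(pkt: Packet) -> str:
    """This chapter's perimeter policy: bootp/DHCP never crosses the firewall."""
    row = classify(pkt)
    return f"DENY ({row})" if row else "CONTINUE (not bootp/DHCP)"
```

The row text returned by `classify` is what a firewall log entry for the denied packet should carry, so that the table can be read back from the logs.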
Because bootp and DHCP are broadcast-based, they are normally limited to a single LAN segment. In most networks, it is inconvenient to put servers on every LAN segment and then try to keep the configuration data synchronized between them. bootp proxies are therefore extremely common, and because DHCP is bootp-based, a bootp proxy forwards DHCP as well. Almost any machine with a bootp or DHCP implementation will also have a proxy. In addition, many routers can be configured to forward some or all broadcast packets to other broadcast or unicast addresses; this can serve as a crude proxy.
None of these proxy mechanisms is particularly configurable; these are not security-oriented proxies likely to do protocol checking, authorization, or logging.
Because these protocols give out information about network addresses, it's hard to conceive of a configuration where it would be a good idea to run them through a network address translator.
Do not allow these protocols across your firewall. You should not trust external hosts to provide you with booting information, and you do not want to help external hosts boot with your information.
Do not configure bastion hosts to use DHCP; they should use permanently assigned addresses determined by their configuration files.