The DHCP server that assigns IP addresses to client PCs is a cornerstone of the corporate network. The rule is that DHCP servers are built and managed centrally by the administrators, and departments are not allowed to set up their own. So what happens when this rule is broken, and is there a way to prevent it?
Broadband router turned into a rogue DHCP server
Many administrators will have had the experience of a client PC being assigned an unexpected IP address by a "rogue DHCP server" that appeared on the network without authorization, throwing the company network into chaos. The rogue server frequently turns out to be a broadband router.
Sometimes a broadband router that is no longer needed at home is brought into the office and used as a wireless LAN access point or a switch. Unlike an ordinary switch, a broadband router has a built-in DHCP server. The moment it is connected to the company network without a second thought, a rogue DHCP server is born on the company network.
How IP Address Assignment Works
How does a rogue DHCP server compete with the legitimate one? To begin with, how are IP addresses assigned on a network with multiple DHCP servers? Before starting the experiment, let's review how a DHCP server works.
A host that receives its IP address via DHCP (a DHCP client) uses a broadcast to look for DHCP servers (Figure 1-1). This message is the "DHCPDISCOVER". In response to the DHCPDISCOVER, a DHCP server returns "configuration information", including its own IP address (Figure 1-2). This is the "DHCPOFFER". Since the client has no IP address yet, the DHCPOFFER is addressed to the client's MAC address.
Figure 1 DHCP mechanism
The client waits for responses (DHCPOFFERs) from servers for a certain period (Figure 1-3). If DHCPOFFERs arrive from multiple servers, it selects one of them and sends back the configuration information it wants assigned as a "DHCPREQUEST" (Figure 1-4). This reply is also a broadcast, but the message contains a field identifying which DHCP server it is addressed to. Finally, the DHCP server that receives the DHCPREQUEST prepares the configuration information such as the IP address (Figure 1-5) and replies to the client PC with a "DHCPACK" (Figure 1-6). That is how DHCP works.
Experiment with Multiple DHCP Servers
Now for the experiment with multiple DHCP servers. The LAN ports of three broadband routers/VPN routers (Table 1) were connected to a separately prepared switch, and a PC running Windows XP Professional was connected to the same switch. In this state, I restarted the PC 10 times and checked which server assigned the IP address. The result was very simple: the Yamaha "RTV700" assigned the IP address every time.
Table 1 Products used in the experiment
To investigate the reason, I captured packets with the protocol analyzer "Wireshark" (formerly Ethereal). Screen 1 shows the result.
Screen 1 Test results with 3 routers
Looking at this, the client PC sent a "DHCPDISCOVER" 1.042818 seconds after the capture started (Screen 1-1). A "DHCPOFFER" was then received from the RTV700 at 1.145368 seconds, a DHCPREQUEST was sent to that server at 1.145704 seconds, and a DHCPACK came back at 1.147840 seconds (Screen 1-2).
The DHCPOFFERs from the other two routers reached the client PC at 2.525978 seconds (Screen 1-3), about 1.4 seconds later than the RTV700's DHCPOFFER.
From the description of Figure 1-3, you would expect the DHCP client to wait for the DHCPOFFERs from the other routers as well, but that did not happen. One possible reason is that the 1.4-second gap is large enough to exceed the client's waiting time. So I removed the RTV700 and repeated the experiment with a two-unit configuration of the Corega "CG-WLBARGS" and the Buffalo "WZR-G108". That expectation was not met either (Screen 2).
Screen 2 Result of re-experiment with two low-speed machines
The gap between the first DHCPOFFER, from the CG-WLBARGS, and the second, from the WZR-G108, was only 0.009 seconds. Nevertheless, the client completed the address assignment with the CG-WLBARGS, whose offer arrived first. It appears that Windows XP does not wait for a second DHCPOFFER at all.
In Screen 2 and the explanation above, the CG-WLBARGS's DHCPOFFER was faster than the WZR-G108's. This order was not stable, however, and varied from run to run.
The RTV700's quick response might have been due to the type of LAN cable or the switch port it used, so I swapped these with the CG-WLBARGS's, but the result was the same. I also connected the RTV700 to the switch through a 50 m LAN cable and inserted another switch in between, but the RTV700's advantage did not change. The response speed can therefore be regarded purely as a difference in hardware performance.
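The following is an added example, not code from the original article: it parses the DHCP options field that carries the message type and the server identifier described in the DHCP mechanism section, and runs a small audit over a constructed capture that mirrors the Screen 1 timings, reporting which server offered first, which server the client named in its DHCPREQUEST, and which offers came from servers outside an authorized set. The server addresses and the authorized set are placeholders.

```python
import socket

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}  # option 53 values

def parse_options(payload):
    """Parse the RFC 2132 TLV options that follow the magic cookie into {code: value}."""
    if not payload.startswith(MAGIC):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(MAGIC)
    while i < len(payload) and payload[i] != 255:  # 255 = End option
        if payload[i] == 0:                        # 0 = Pad option (no length byte)
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def build(msg_type, server_id=None):
    """Build an options field: message type (53) plus server identifier (54) if given."""
    out = bytearray(MAGIC) + bytes([53, 1, msg_type])
    if server_id:
        out += bytes([54, 4]) + socket.inet_aton(server_id)
    return bytes(out + b"\xff")

def audit(capture, authorized):
    """Offer delays since DISCOVER, the server chosen in DHCPREQUEST (option 54), and unauthorized offerers."""
    offers, chosen, t_discover = [], None, None
    for t, payload in capture:
        opts = parse_options(payload)
        kind = MSG_TYPES.get(opts[53][0])
        if kind == "DISCOVER":
            t_discover = t
        elif kind == "OFFER":
            offers.append((round(t - t_discover, 6), socket.inet_ntoa(opts[54])))
        elif kind == "REQUEST":
            chosen = socket.inet_ntoa(opts[54])
    offers.sort()  # fastest offer first, which is the one the experiment shows the client takes
    return {"offers": offers, "fastest": offers[0][1] if offers else None,
            "chosen": chosen, "rogue": sorted({s for _, s in offers if s not in authorized})}
# Constructed capture mirroring the Screen 1 timings; server addresses are placeholders.
CAPTURE = [
    (1.042818, build(1)),                    # DHCPDISCOVER from the client
    (1.145368, build(2, "192.168.100.1")),   # DHCPOFFER from the fast router (RTV700)
    (1.145704, build(3, "192.168.100.1")),   # DHCPREQUEST naming that server
    (1.147840, build(5, "192.168.100.1")),   # DHCPACK
    (2.525978, build(2, "192.168.100.2")),   # late DHCPOFFERs from the two other routers
    (2.526978, build(2, "192.168.100.3")),
]
```

Running `audit(CAPTURE, {"192.168.100.1"})` lists the two late routers under "rogue" and shows that the server the client named in its DHCPREQUEST is the one whose offer arrived first.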
Countermeasure against rogue DHCP servers: be faster
To summarize the results: on a network with multiple DHCP servers, the IP address is assigned by the server whose DHCPOFFER arrives first. If someone sets up a DHCP server without permission and that server is fast, it will hand out IP addresses at will.
Conversely, if the authorized DHCP server responds quickly, the damage caused by rogue DHCP servers can be reduced. In fact, during this experiment the experimental network was accidentally connected to the internal network. The DHCP server on the corporate network sent its DHCPOFFERs even faster than the RTV700, however, so no trouble resulted.
Incidentally, when the WAN port of a broadband router is connected to the company network, the router's DHCP server always assigns IP addresses to the PCs connected to its LAN ports. In this case, however, it does not act as a DHCP server toward the internal network, so it should cause few problems.
This article is a re-edited version of an article from the January 2007 issue of Network Magazine. In principle, the content is as of the time of publication and may differ from the present.