
Research And Realization Of A Snooping-based Security DHCP System

Posted on: 2008-02-21
Degree: Master
Type: Thesis
Country: China
Candidate: J T Luo
Full Text: PDF
GTID: 2178360212974628
Subject: Computer application technology
Abstract/Summary:
DHCP (Dynamic Host Configuration Protocol) is widely used in LAN environments because the server can dynamically assign IP addresses to clients. In a DHCP network, the DHCP server is completely passive: its behavior is triggered only by the client, and the server cannot actively control the client. DHCP networks therefore suffer from a fatal lack of interaction and security between server and client, which leads to security problems including rogue DHCP servers, exhaustion of IP addresses and so on. Several kinds of solutions have been proposed so far, such as MAC address authentication, the LANA system and inspection of illegal servers; some high-security data packet authentication methods have also been proposed, but their processing is complex.
In this paper we present an illegal data packet filtering method called DHCP snooping, based on firewall and MAC address authentication technology, which guarantees network security by filtering untrusted data packets through establishing and maintaining a DHCP snooping binding table. DHCP snooping captures all DHCP messages received, forwards trusted messages normally and discards untrusted messages. DHCP works in the third layer of the computer network, while DHCP snooping works in the second layer, so DHCP snooping has no effect on DHCP and its implementation. DHCP snooping filters all DHCP messages when data packets are received, then sends the messages to the third-layer DHCP module for processing; the messages are then passed back to the second-layer DHCP snooping module, which finally transmits them to other switches. The network devices can distinguish untrusted interfaces, connected to a terminal host or firewall, from trusted interfaces, connected to a DHCP server or another switch, so the device works like a firewall between untrusted hosts and the DHCP server.
The proposed method is easy to implement and highly efficient. In addition, we design an algorithm to meet IP network security requirements and test it on ZXR10 series switches.
Keywords/Search Tags:DHCP, Snooping, Media Access Control Address
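The filtering described in the abstract, as an added Python example that is not code from the thesis or from ZXR10 firmware: a model of a switch that forwards or drops DHCP messages by port trust and keeps a snooping binding table. The class names, port names, addresses and the specific drop rules (server replies on untrusted ports, frame MAC differing from `chaddr`, RELEASE/DECLINE from a port that does not own the lease) are assumptions based on commonly implemented snooping checks.

```python
from dataclasses import dataclass

# DHCP message types (option 53, RFC 2132)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
SERVER_TYPES = {OFFER, ACK, NAK}

@dataclass(frozen=True)
class DhcpMsg:
    msg_type: int
    chaddr: str       # client hardware address inside the DHCP payload
    src_mac: str      # source MAC of the carrying Ethernet frame
    yiaddr: str = ""  # address assigned by the server (OFFER/ACK)
    lease: int = 0    # lease time in seconds (ACK)

class Snooper:
    """Hypothetical model of a snooping switch; not the thesis's algorithm."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}   # chaddr -> untrusted port its REQUEST arrived on
        self.bindings = {}  # chaddr -> (ip, port, expiry time)

    def handle(self, port, msg, now=0):
        """Return 'forward' or 'drop' for a DHCP message received on `port`."""
        # Purge expired leases so a stale binding never authorizes anything.
        self.bindings = {m: b for m, b in self.bindings.items() if b[2] > now}
        if msg.msg_type in SERVER_TYPES:
            if port not in self.trusted:
                return "drop"  # server reply on a host-facing port: rogue server
            if msg.chaddr in self.pending and msg.msg_type != OFFER:
                client_port = self.pending.pop(msg.chaddr)
                if msg.msg_type == ACK:  # lease confirmed: record the binding
                    self.bindings[msg.chaddr] = (msg.yiaddr, client_port, now + msg.lease)
            return "forward"
        if port in self.trusted:
            return "forward"  # client traffic relayed by another switch
        if msg.src_mac != msg.chaddr:
            return "drop"  # forged chaddr, the pattern behind address exhaustion
        if msg.msg_type in (RELEASE, DECLINE):
            bound = self.bindings.get(msg.chaddr)
            if bound is None or bound[1] != port:
                return "drop"  # lease is owned by a different port (or by none)
            del self.bindings[msg.chaddr]
        elif msg.msg_type == REQUEST:
            self.pending[msg.chaddr] = port
        return "forward"

if __name__ == "__main__":  # constructed port names and addresses
    sw, mac = Snooper({"uplink"}), "aa:aa:aa:aa:aa:aa"
    print(sw.handle("p1", DhcpMsg(REQUEST, mac, mac)))  # forward
    print(sw.handle("p2", DhcpMsg(ACK, mac, "ee:ee:ee:ee:ee:ee", "10.0.0.66", 60)))  # drop
```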