22.3. Protocols for Booting and Boot-Time Configuration

These protocols are used to provide information to machines while they are booting. For instance, they are used to bring up diskless clients, to configure portable machines that move from network to network and need to discover information, and frequently to configure network devices like routers and printers that generally do not have persistent storage to keep complex configuration information locally. TFTP, which is discussed in Chapter 17, "File Transfer, File Sharing, and Printing", is also a critical part of this process in many cases.

22.3.1. bootp

bootp is a broadcast-based protocol used by clients to get configuration data and other boot-time information, particularly IP addresses. A client that comes up with no configuration data may use link-layer broadcasts and its MAC address to get basic data from a server. Because bootp is broadcast-based at the link layer, it will not cross a router unless the router has been specifically configured to pass it (for instance, using an "IP helper address" on a Cisco). However, most bootp servers will also accept unicast packets, so you should not rely on broadcast scoping to protect bootp servers from attack.
22.3.2. Dynamic Host Configuration Protocol (DHCP)

DHCP is an extension of bootp (and uses the same network port numbers). bootp supports only a static, one-to-one mapping from MAC addresses to IP addresses. DHCP is a more complex protocol that allows for multiple servers, dynamic address allocation, automatic name registration, and passing client-specific configuration parameters. Dynamic addresses are "leased" to clients, which must periodically request continued ownership. DHCP is used for machines that can boot themselves but still require network configuration information to work on a network. It's particularly useful with mobile machines, since their network configurations change often, but it's also used to make permanent machines easier to configure.

Bastion hosts should have permanent addresses that are configured on the machine itself; it is unwise to use DHCP to configure them, and we strongly recommend against doing so. Using DHCP makes bastion hosts dependent on the DHCP server, and on whatever else is able to answer DHCP requests on that segment. DHCP requires both broadcast and unicast requests in order to function correctly. Putting a normal router in place will prevent a DHCP server from doing anything useful for clients on the far side of the router without actually protecting the DHCP server from attackers.
22.3.3. Packet Filtering Characteristics of DHCP and bootp

bootp and DHCP are UDP-based; clients use port 68, and servers use port 67. UDP does not use ACK bits, so a packet filter cannot tell a request from a reply by connection state; it has only the port pair, the direction, and the contents of the message to go on. Although it is not specified in the standard, DHCP servers and/or clients frequently also use an ICMP echo sent to the address that a client will be offered, or an ARP request, to determine whether the address is actually free or is in use.
[154] This address need not be a valid address; the destination machine is assumed not to be fully configured, and the packet will actually be delivered based on lower-level data, not on the apparent destination address. The lower-level data may be a broadcast or unicast address depending on client capabilities.

[155] This is now the valid, agreed-upon address.

22.3.4. Proxying Characteristics of bootp and DHCP

Because bootp and DHCP are broadcast-based, they are normally limited to a single LAN segment. In most networks, it is inconvenient to put servers on every LAN segment and then attempt to keep the configuration data synchronized between them. bootp proxies (relay agents) are therefore extremely common, and since DHCP is built on bootp, the same proxies relay DHCP as well. Almost any machine with a bootp or DHCP implementation will also have a proxy. In addition, many routers can be configured to forward some or all broadcast packets to other broadcast or unicast addresses; this can function as a crude proxy.

None of these proxy mechanisms is particularly configurable; these are not security-oriented proxies likely to do protocol checking, authorization, or logging.
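The following is an added example, not code from the book, that makes the packet filtering and proxying points above concrete: it encodes and decodes the bootp fixed header (with the DHCP option block on top), classifies a UDP datagram the way a bootp/DHCP-aware filter would from the port pair, direction and op field, and performs the giaddr stamping that a bootp relay (or a router's helper address) does before unicasting a client's broadcast on to the server. All addresses, MACs, transaction IDs and the trusted-server set are constructed sample data; the verdict strings are this example's own.

```python
"""Added example (not from the book): bootp/DHCP as a packet filter and a relay see it.
Addresses, MACs, xids and the trusted-server set below are constructed sample data."""
import socket
import struct
from dataclasses import dataclass, field

CLIENT_PORT, SERVER_PORT = 68, 67           # bootp and DHCP share these UDP ports
BOOTREQUEST, BOOTREPLY = 1, 2               # op field: client request / server reply
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks a DHCP option block after the header
FIXED_HDR = "!BBBBIHH4s4s4s4s16s64s128s"    # RFC 951 fixed fields, 236 bytes


@dataclass
class Bootp:
    op: int
    xid: int
    hops: int = 0
    ciaddr: str = "0.0.0.0"    # client's current address, if it already has one
    yiaddr: str = "0.0.0.0"    # "your" address: the one the server hands out
    siaddr: str = "0.0.0.0"    # next server (e.g. TFTP) for the boot file
    giaddr: str = "0.0.0.0"    # relay agent address; zero means no relay involved
    chaddr: bytes = b"\0" * 6  # client hardware (MAC) address
    options: dict = field(default_factory=dict)  # DHCP option code -> raw bytes


def encode(p: Bootp) -> bytes:
    """Serialize to wire format; a plain bootp message simply has no option block."""
    ip = socket.inet_aton
    out = struct.pack(FIXED_HDR, p.op, 1, 6, p.hops, p.xid, 0, 0,
                      ip(p.ciaddr), ip(p.yiaddr), ip(p.siaddr), ip(p.giaddr),
                      p.chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    if p.options:
        out += MAGIC_COOKIE
        for code, val in p.options.items():
            out += bytes([code, len(val)]) + val
        out += b"\xff"                       # end option
    return out


def decode(data: bytes) -> Bootp:
    """Parse the fixed header, then the DHCP options if the cookie follows it."""
    f = struct.unpack(FIXED_HDR, data[:236])
    ip = socket.inet_ntoa
    p = Bootp(op=f[0], hops=f[3], xid=f[4], ciaddr=ip(f[7]), yiaddr=ip(f[8]),
              siaddr=ip(f[9]), giaddr=ip(f[10]), chaddr=f[11][:f[2]])
    rest = data[236:]
    if rest.startswith(MAGIC_COOKIE):
        i = 4
        while i < len(rest) and rest[i] != 0xff:
            if rest[i] == 0:                 # pad option
                i += 1
                continue
            code, n = rest[i], rest[i + 1]
            p.options[code] = rest[i + 2:i + 2 + n]
            i += 2 + n
    return p


def filter_verdict(src_ip, src_port, dst_ip, dst_port, data, trusted_servers):
    """Classify one UDP datagram as a bootp/DHCP-aware filter would.

    There is no ACK bit to lean on, so the rules use the port pair, the direction
    and the op field.  Replies are accepted only from servers we trust, because any
    host on the segment can answer a client's broadcast."""
    p = decode(data)
    if src_port == CLIENT_PORT and dst_port == SERVER_PORT and p.op == BOOTREQUEST:
        # A request may come from 0.0.0.0 to 255.255.255.255; the IP destination
        # carries no meaning yet, delivery happens on the link-layer address.
        return "client-request"
    if (src_port == SERVER_PORT and dst_port == SERVER_PORT
            and p.op == BOOTREQUEST and p.giaddr != "0.0.0.0"):
        return "relayed-request"             # relay agent forwarding on the client's behalf
    if (src_port == SERVER_PORT and dst_port in (CLIENT_PORT, SERVER_PORT)
            and p.op == BOOTREPLY):
        return "server-reply" if src_ip in trusted_servers else "drop: rogue server"
    return "drop: port/op mismatch"


def relay_to_server(data, relay_ip, server_ip):
    """What a bootp relay does: stamp giaddr if unset, bump hops, unicast to the server."""
    p = decode(data)
    if p.giaddr == "0.0.0.0":
        p.giaddr = relay_ip
    p.hops += 1
    return relay_ip, SERVER_PORT, server_ip, SERVER_PORT, encode(p)


def demo():
    """Run the constructed scenario and return each verdict by name."""
    mac = bytes.fromhex("001122334455")                                   # constructed
    trusted = {"10.0.0.2"}                                                # constructed
    discover = encode(Bootp(op=BOOTREQUEST, xid=0x1234, chaddr=mac, options={53: b"\x01"}))
    out = {"discover": filter_verdict("0.0.0.0", 68, "255.255.255.255", 67, discover, trusted)}
    hop = relay_to_server(discover, "10.0.1.1", "10.0.0.2")
    out["relayed"] = filter_verdict(*hop, trusted)
    offer = encode(Bootp(op=BOOTREPLY, xid=0x1234, yiaddr="10.0.1.50", giaddr="10.0.1.1",
                         chaddr=mac, options={53: b"\x02"}))
    out["offer"] = filter_verdict("10.0.0.2", 67, "10.0.1.1", 67, offer, trusted)
    out["rogue"] = filter_verdict("10.0.1.99", 67, "255.255.255.255", 68, offer, trusted)
    # A unicast from anywhere to port 67 looks exactly like a client request:
    # broadcast scoping is no protection for the server.
    out["unicast"] = filter_verdict("192.0.2.7", 68, "10.0.0.2", 67, discover, trusted)
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9} -> {verdict}")
```

The last case in `demo` is the one the section warns about: a request unicast from an arbitrary address is indistinguishable from a legitimate client request at the port level, so a perimeter filter has to block UDP 67/68 outright rather than hope that broadcast scoping keeps outsiders away. The relay path shows why "crude proxies" are hard to secure: the relay rewrites giaddr and hops and forwards everything else untouched, with no authorization or logging of its own.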
22.3.5. Network Address Translation Characteristics of Booting and Boot-Time Configuration

Because these protocols give out information about network addresses, it's hard to conceive of a configuration where it would be a good idea to run them through a network address translator.
22.3.6. Summary of Recommendations for Booting and Boot-Time Configuration