{"title":"DHCPAuth — A DHCP message authentication module","authors":"D. Dinu, Mihai Togan","doi":"10.1109/SACI.2015.7208238","DOIUrl":null,"url":null,"abstract":"DHCP is one of the most used network protocols, despite the security issues it has. Our work is motivated by the numerous attacks that can be launched against DHCP and the impact that they can have. Firstly, we formulate the constraints and design principles for a DHCP message authentication module that is flexible and easy to integrate with current DHCP implementations, while providing the necessary level of security. Then we present DHCPAuth, a module for authenticating DHCP messages. The module uses the RFC 3118 authentication option format and is able to authenticate DHCP client and server messages using two trust models: PKI and PGP. The proposed module is evaluated using different public key pairs in the considered trust models to determine the overhead introduced and the impact on DHCP operation. Results show the additional time required to process the DHCP messages, either when signing or verifying the signatures, as well as the authentication option length and the DHCP packet length. We also provide an analysis of worse case time for verifying the authentication option when more certificates or public keys are available on certificate store or public key ring. 
These information can help network administrators in selecting the trust model, the key types and sizes to use.","PeriodicalId":312683,"journal":{"name":"2015 IEEE 10th Jubilee International Symposium on Applied Computational Intelligence and Informatics","volume":"257 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2015-05-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2015 IEEE 10th Jubilee International Symposium on Applied Computational Intelligence and Informatics","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SACI.2015.7208238","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 7
Abstract
DHCP is one of the most used network protocols, despite the security issues it has. Our work is motivated by the numerous attacks that can be launched against DHCP and the impact that they can have. Firstly, we formulate the constraints and design principles for a DHCP message authentication module that is flexible and easy to integrate with current DHCP implementations, while providing the necessary level of security. Then we present DHCPAuth, a module for authenticating DHCP messages. The module uses the RFC 3118 authentication option format and is able to authenticate DHCP client and server messages using two trust models: PKI and PGP. The proposed module is evaluated using different public key pairs in the considered trust models to determine the overhead introduced and the impact on DHCP operation. Results show the additional time required to process the DHCP messages, either when signing or verifying the signatures, as well as the authentication option length and the DHCP packet length. We also provide an analysis of the worst-case time for verifying the authentication option when more certificates or public keys are available in the certificate store or public key ring. This information can help network administrators in selecting the trust model, the key types and sizes to use.