This page is a brief look into into DHCP, Dynamic Host Configuration Protocol, as I needed it to get Winroute firewall configured, in particular the rules regarding incoming and outgoing connections, to make sure that DHCP - Dynamic Host Configuration protocol - would still function after I set up the firewall.
To do so, we'll look at the contents of the ethernet frames that pass when DHCP is at work.
DHCP is a protocol for dynamic configuration of network hosts. It stands for Dynamic Host Configuration Protocol. DHCP is used to assign an IP address to a computer and pass other network information to it, such as a subnet mask, and important addresses such as DNS server address, standard gateway address, and so on.
What makes DHCP a bit more difficult to grasp, is the fact that, before a host obtains an IP address, it does not have an IP address. So it must be hard to send information to it. Also, the rest of the network configuration is still incomplete, so the host will probably not even know who to ask for an IP address.
So, there most be other mechanisms to overcome this problem. 'Broadcast' is a message that is send to a group of computers. In an IP address range, the highest address is the broadcast address : if you have a subnet with addresses such as 192.168.1.25 and the subnet mask is 255.255.255.0, then the range goes from 192.168.1.0 to 192.168.1.255. 192.168.1.255 is then the broadcast address.
Under the IP layer, where IP adresses are at play, other protocols are at work to transfer data frames from node to node on the network. Since we're in a situation where we have no IP address yet, it is obvious that these protocols will play an important role.
PPP, point to point protocol, is a datalink protocol (or, in the TCP/IP reference model : a host-to-network protocol) that handles dial-in connections, such as a modem connection to an internet provider. During the exchange of PPP packets, right after the modem has connected to your ISP's modem bank, your login is checked with PAP or CHAP (authentication methods : Pasword Authentication or Challenge Handshake Authentication), and then your computer requests a 'network configuration' and is given an IP address in return. Other network configuration data, such as IP addresses of DNS servers etc, can be provided as well. Once you have this information, IP can work with the IP addresses as if your modem was an ethernet network card.
For network adapters, similar protocols exist. Ethernet has it's own addressing scheme, based on the network adapters MAC address. Each network adapter has it's unique number written in its chips. Cable modems also have MAC addresses. ARP, Address Resolution Protocol, can be used to find the MAC address from a known IP address, while DHCP will assign an IP address to a given MAC address.
To see DHCP at work, you can run a packet capturing program (packet sniffer) while your PC requests an IP address from a DHCP server. You can also use a packet filtering firewall that is set up to allow everything to pass, but log all packets.
What follows is exactly that : a packet capture of a DHCP request and its follow up, in order to see what kind of packets pass back and forth. Tools that were uses to produce this output, were
Understanding DHCP is necessary if you want to configure a packet filtering firewall to connect a network or a computer to the internet. Unless you're paying for a static IP address, your internet service provider will assign a dynamic IP address, i.e an IP address assigned to you by the ISP's DHCP server. If that communication is not allowed to pass through the firewall, you'll never get your network connected to the internet.
So here goes ...
The DHCP client sends out an Ethernet broadcast. It contains no IP source address (obviously there isn't one), and shows 255.255.255.255 as IP destination address : any address. It further contains the following information :
Frame 1 (342 bytes on wire, 342 bytes captured)
Ethernet II, Src: 00:10:5a:48:4a:d0, Dst: ff:ff:ff:ff:ff:ff
Destination: ff:ff:ff:ff:ff:ff (Broadcast)
Source: 00:10:5a:48:4a:d0 (213.119.243.14)
Type: IP (0x0800)
Internet Protocol, Src Addr: 0.0.0.0 (0.0.0.0), Dst Addr: 255.255.255.255 (255.255.255.255)
Destination: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: 68 (68), Dst Port: bootp (67)
Source port: 68 (68)
Destination port: bootp (67)
Bootstrap Protocol
Message type: Boot Request (1)
Hardware type: Ethernet
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 0.0.0.0 (0.0.0.0)
Next server IP address: 0.0.0.0 (0.0.0.0)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Option 55: Parameter Request List
1 = Subnet Mask
15 = Domain Name
3 = Router
6 = Domain Name Server
44 = NetBIOS over TCP/IP Name Server
46 = NetBIOS over TCP/IP Node Type
47 = NetBIOS over TCP/IP Scope
43 = Vendor-Specific Information
77 = User Class Information
End Option
Padding
BOOTP - Boot strap protocol - is a somewhat older protocol, originally used to boot from a remote host. DHCP is kind of an extension to BOOTP.
A DHCP server, listening on port 67; will receive the broadcast and will send back an ethernet frame to the given MAC address. Inside the frame, there's information such as
Frame 2 (345 bytes on wire, 345 bytes captured)
Ethernet II, Src: 02:00:00:00:00:00, Dst: 00:10:5a:48:4a:d0
User Datagram Protocol, Src Port: bootp (67), Dst Port: 68 (68)
Source port: bootp (67)
Destination port: 68 (68)
Length: 311
Checksum: 0x5478 (correct)
Bootstrap Protocol
Message type: Boot Reply (2)
Hardware type: Ethernet
Bootp flags: 0x0000 (Unicast)
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 213.118.253.14
Next server IP address: 0.0.0.0 (0.0.0.0)
Relay agent IP address: 213.119.241.1 (213.119.241.1)
Client hardware address: 00:10:5a:48:4a:d0
Server host name not given
Boot file name not given
Magic cookie: (OK)
Option 53: DHCP Message Type = DHCP Offer
Option 54: Server Identifier = 195.130.132.97
Option 51: IP Address Lease Time = 1 hour, 55 minutes, 47 seconds
Option 1: Subnet Mask = 255.255.255.128
Option 58: Renewal Time Value = 57 minutes, 53 seconds
Option 59: Rebinding Time Value = 1 hour, 41 minutes, 18 seconds
Option 15: Domain Name = "pandora.be"
Option 6: Domain Name Server
IP Address: 195.130.131.2
IP Address: 195.130.130.2
Option 3: Router = 213.118.253.1
End Option
The DHCP client, listening on port 68, now has received enough information to configure the network card. Aparently, this is information is not yet used, because the DHCP request is repeated, by broadcast. The first broadcast was rather to 'discover' a DHCP server, and when a DHCP server sends a reply, the client broadcasts a DHCP request (frame 3). The DHCP server replies (frame 4).
note that at least one packet (frame) has to go out and one has to come in before either the IP address of thge DHCP server or the IP address of the DHCP client are known. An IP packet filter firewall therefore will need to allow
Next, the default router needs to update its routing tables to include the new host IP address. A message 'Who has 213.118.253.14? Tell 213.118.253.1' is sent, and replied to (telling the router the MAC address of 213.118.253.14). Then a ICMP (internet control message) is send to the router.
Next, the DNS servers are informed about the new host on the network so that they can update their records.
To configure a packet filtering firewall that allows DHCP with an external DHCP server, the following rules will need to be considered :