Device and subscriber security can be a serious concern for broadband service providers. In the provisioning space, DHCP relay is a potential entry point for security threats. For instance, if there is no authentication or authorization during an exchange between a DHCP server and DHCP client, the server cannot determine whether the client requesting the address is legitimate. Rogue clients and servers can create a number of problems, including denial of service, installation of unauthorized software, exposure of sensitive information, and hijacking of DNS servers. It’s therefore essential to include DHCP access control in your network security considerations.
Administrators can mitigate these threats by restricting network access to registered subscribers and authorized devices. To do so, an administrator or customer service representative with the appropriate access privileges authenticates customer-premises equipment (CPE) before a CPE device is allowed to connect, which helps safeguard the network.
Extra Security with DHCP Option 82
There are several ways to enforce access control on a network, including username/password authentication and secure sockets layer (SSL). DHCP Option 82 is one alternative that can be used in a distributed DHCP server/relay environment, where relays send additional information to identify the client’s point of attachment. It can be applied to any device that obtains its address through DHCP.
In order to handle a large volume of subscribers requiring service setup or changes, the DHCP server must be able to allocate IP addresses to CPE based on desired service, location, subscriber status, device type, or MAC address. In doing so, the DHCP server applies operator-customized policies and allocates settings based on the unique needs of each device. The DHCP server performs these functions using the DHCP option data in the device’s DHCP discover and request messages.
DHCP Option 82 carries information about a device’s MAC address or circuit ID, which various systems can use for authentication and to stop unauthorized contact with the DHCP server. For instance, in a DSL environment, a relay agent such as a DSLAM or traffic aggregator intercepts a DHCP message from a modem and adds an Option 82 record. The record contains the device’s circuit ID, which identifies the circuit from which the DHCP request was sent. The relay agent then forwards the request to the “real” DHCP server and passes the server’s response back to the modem.
This process allows DHCP to allocate IP addresses and limit the number of IP addresses per subscriber, based on circuit ID. The DHCP server should also be able to receive DHCP lease query messages from the relay agent, allowing the relay agent to collect information, such as the device’s MAC address, to direct messages to the proper location.
DHCP Option 82 in a TR-069 Environment
Incognito Software has developed two products that use DHCP Option 82 to automatically enforce access and minimize subscriber intervention. Broadband Command Center uses DHCP Option 82 relay agent information to automatically control service access and limit the number of CPE per subscriber. This allows you to enforce network access privileges using operator-defined criteria called client classes, rules, and templates.
Access privileges are also necessary in a TR-069 environment. Incognito Auto Configuration Server is an end-to-end TR-069 solution from Incognito Software that is based on the Broadband Forum TR-069 CPE WAN Management Protocol (CWMP). This solution’s DHCP authentication design allows you to block certain devices that try to connect with Incognito Auto Configuration Server. The CWMP will compare the device record with the information stored in the DHCP server. The DHCP discovery process provides extra security by ensuring information matches before allowing a device online.
Option 82 can also be used to temporarily disable a device to fix a problem. This may be useful if a device is not behaving correctly with Incognito Auto Configuration Server, for example.
How it Works
A step-by-step guide to using Option 82 in Incognito Auto Configuration Server:
1. Configure Netpresence or manually configure the DHCP address in CWMP.
2. Create a device in Incognito Auto Configuration Server with a specific OUI, product class, and serial number, and set the device’s Option 82 value.
3. When a device with the same OUI, product class, and serial number attempts to connect to Incognito Auto Configuration Server, the CWMP queries the Option 82 value from the DHCP service by IP address and compares it with the Auto Configuration Server record.
4. If the values do not match, Incognito Auto Configuration Server rejects the device.
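The following Python is an added example, not code from Incognito Software or its products. It does two things: it parses the Option 82 record (the Relay Agent Information option, RFC 3046) that a relay agent such as a DSLAM inserts into a DHCP message, as described under “Extra Security with DHCP Option 82”, and it then replays steps 2 to 4 above, rejecting a device whose stored Option 82 value does not match what the DHCP service recorded for its IP address. The device record fields, IP addresses and circuit IDs are constructed sample values, the `leases` dictionary stands in for the query to the DHCP service, and all function names are the example’s own rather than the product’s API.

```python
# Added example, not Incognito's code. Parses the Relay Agent Information
# option (DHCP Option 82, RFC 3046) that a relay such as a DSLAM appends, then
# replays the Auto Configuration Server check from steps 2 to 4 with
# constructed records. All device, lease and circuit values are sample data.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

OPT_MESSAGE_TYPE = 53       # DHCP message type option
OPT_RELAY_AGENT_INFO = 82   # Relay Agent Information (Option 82)
SUBOPT_CIRCUIT_ID = 1       # Agent Circuit ID sub-option
SUBOPT_REMOTE_ID = 2        # Agent Remote ID sub-option
OPT_PAD, OPT_END = 0, 255


def parse_tlvs(data: bytes, stop_at_end: bool) -> Dict[int, bytes]:
    """Parse code/length/value triples. The DHCP options field uses PAD and
    END codes; Option 82 sub-options use the same layout without them.
    Truncated input raises rather than yielding a partial record."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if stop_at_end and code == OPT_END:
            break
        if stop_at_end and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated value for code %d" % code)
        out[code] = value
        i += 2 + length
    return out


def circuit_id_from_options(options: bytes) -> Optional[str]:
    """Return the circuit ID the relay inserted, or None when the message
    carries no Option 82. `options` is the field after the magic cookie."""
    opts = parse_tlvs(options, stop_at_end=True)
    if OPT_RELAY_AGENT_INFO not in opts:
        return None
    subs = parse_tlvs(opts[OPT_RELAY_AGENT_INFO], stop_at_end=False)
    cid = subs.get(SUBOPT_CIRCUIT_ID)
    return None if cid is None else cid.decode("ascii", errors="replace")


def build_relayed_discover(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Constructed DHCPDISCOVER options as they look after a relay agent has
    appended Option 82 (sample data, not a capture)."""
    sub = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
           + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    return (bytes([OPT_MESSAGE_TYPE, 1, 1])                 # type 1 = DISCOVER
            + bytes([OPT_RELAY_AGENT_INFO, len(sub)]) + sub
            + bytes([OPT_END]))


@dataclass(frozen=True)
class DeviceRecord:
    """Step 2: the ACS record for one CPE device (hypothetical field names)."""
    oui: str
    product_class: str
    serial: str
    option82: str   # circuit ID this device is expected to attach through


def authenticate(oui: str, product_class: str, serial: str, ip: str,
                 records: Dict[Tuple[str, str, str], DeviceRecord],
                 leases: Dict[str, Optional[str]]) -> Tuple[bool, str]:
    """Steps 3 and 4: fetch the Option 82 value the DHCP service holds for the
    connecting IP and compare it with the stored record. `leases` stands in
    for the query to the DHCP service (IP -> circuit ID seen at lease time)."""
    rec = records.get((oui, product_class, serial))
    if rec is None:
        return False, "no ACS record for this device"
    if ip not in leases:
        return False, "DHCP service has no lease for %s" % ip
    seen = leases[ip]
    if seen is None:
        return False, "lease for %s carries no Option 82 record" % ip
    if seen != rec.option82:
        return False, "Option 82 mismatch: expected %r, got %r" % (rec.option82, seen)
    return True, "Option 82 matches; device accepted"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str], Tuple[bool, str]]:
    """One accepted session and two rejected ones, all constructed."""
    records = {("001122", "IGD", "SN0001"):
               DeviceRecord("001122", "IGD", "SN0001", "dslam1/slot3/port7")}
    # What the DHCP service recorded when it leased each address (constructed).
    leases = {
        "10.0.0.25": circuit_id_from_options(
            build_relayed_discover(b"dslam1/slot3/port7", bytes.fromhex("001122334455"))),
        "10.0.0.26": circuit_id_from_options(
            build_relayed_discover(b"dslam9/slot1/port2", bytes.fromhex("001122aabbcc"))),
        "10.0.0.27": circuit_id_from_options(bytes([OPT_MESSAGE_TYPE, 1, 1, OPT_END])),
    }
    good = authenticate("001122", "IGD", "SN0001", "10.0.0.25", records, leases)
    moved = authenticate("001122", "IGD", "SN0001", "10.0.0.26", records, leases)    # wrong circuit
    norelay = authenticate("001122", "IGD", "SN0001", "10.0.0.27", records, leases)  # no Option 82
    return good, moved, norelay


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third session in `demo` is the case worth watching in practice: a message that reached the DHCP service without any Option 82 record is rejected rather than waved through, so a client whose traffic bypassed the relay gains nothing from presenting a valid OUI, product class and serial.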
Improve Network Visibility and Subscriber Support
Incognito Auto Configuration Server has been created as an end-to-end TR-069 device provisioning and management solution, which integrates with DHCP. Network administrators, customer service representatives, and other users with access to the solution’s back end should be familiar with the Option 82 authentication process, as it provides security by allowing the user/administrator to control devices that come into contact with Incognito Auto Configuration Server, and by extension, your network. Find out more at http://www.incognito.com/resources/acs/ds_acs.pdf.