DHCP, Part 2

In the first part of this article we looked at the development of DHCP (Dynamic Host Configuration Protocol), the way it handles leases of IP addresses, and some of the issues of using DHCP on a Windows NT server. Now let’s set up a DHCP server. We usually think of Windows NT and Windows 2000 as the server for a DHCP network, but there are other platforms that can act as DHCP servers, too. The most commonly used alternatives are UNIX and Linux. Both have DHCP clients and sometimes a server included as basic components of a distribution, but server software is not always available or included with all distributions. In some cases, you will need to purchase a third-party server package for DHCP. This certainly makes Windows a more attractive platform acting as a server, although there are some performance advantages to UNIX and Linux systems due to their more streamlined kernels.

If you are running the Server version of Windows NT or Windows 2000, you need to install the DHCP Server software using the usual methods. We’ll assume you know how to use Control Panel->Network (Windows NT 4) or Add/Remove Windows Components-> Networking Services (Windows 2000) to add a service. Choose Dynamic Host Configuration Protocol from the list of available services and the CD-ROM will be used to load the service. Microsoft recommends a reboot after loading the DHCP server, and while this is not always necessary it does prevent future conflicts.

The configuration tools provided with the DHCP server package allow you to authorize a server, set up the lease IP addresses, and adjust the lease timers easily. Under Windows 2000 you must specifically authorize the DHCP server in most installations (if a red down-arrow appears next to the server, it is unauthorized; a green up-arrow means it is authorized).

Integrating DHCP clients

When you have a DHCP server set up, either on a Windows NT or Windows 2000 machine or on any other operating system that can act as a server, you can set up clients to query the server anytime they connect to the network. Windows platforms are easy to set up for DHCP client access. Under Control Panel -> Network you need to configure a TCP/IP stack (after setting the network interface card, of course) to dynamically accept an IP address. The IP Address tab of the TCP/IP Properties page lets you do this. Simply choose the “Obtain an IP Address automatically” option and Windows will use DHCP to broadcast over the network to find a DHCP server.

For other operating systems, the process is a little different. Linux has DHCP clients built into all current releases of the kernel, but you still need to specify the DHCP server IP address unless a discover protocol is to be used. The documentation for the operating system will usually show the procedure, which differs considerably from platform to platform.

DHCP and Windows 2000

Windows 2000 adds several enhancements to the DHCP package included with Windows NT 4.0. Probably the most important addition to the DHCP system is automatic client configuration, which allows a Windows 2000 machine to configure its own IP addresses (and subnet) automatically when no DHCP server has been located. A Windows 2000 DHCP client waits until after the first attempt to contact a DHCP server, and if it can’t obtain a response, uses APIPA to set up a private IP address.

APIPA is designed to configure IP addresses based on the Internet Assigned Numbers Authority private network reserved range of 169.254.0.1 through 169.254.255.254. The APIPA routine will sense conflicts with existing machines and reconfigure itself, up to ten times. When Windows 2000 uses APIPA to configure an IP address, it will automatically try to reconnect to a DHCP server every five minutes, and if one is found it receives a valid lease.

Another neat feature of Windows 2000 is rogue DHCP server detection. A rogue DHCP server is a machine configured to allocate unauthorized or conflicting IP address leases (which can be used by hackers for several purposes). Any unauthorized DHCP server is considered a “rogue” server. Windows 2000 prevents the use of rogue servers by requiring an authentication step before a DHCP server can become active on a network. Active Directory takes care of most of this process.

DHCP classes are provided in Windows 2000, allowing administrators to set up different configuration parameters for different classes of machines. Most administrators will use classes to allocate IP addresses based on machine types (laptop, desktop, etc) although several other parameters can be used to establish client identities. The changes allowed for each group tend to reflect the lease timings, DNS settings, and use of WINS.

Finally, media sense has been properly enabled in Windows 2000 (actually, media sense has been part of NDIS 5 for a while). With media sense, a Windows 2000 machine can recognize the protocol stack of any incoming network card connect and disconnect messages. These are used to allow changes in the protocol based on network packets, something that wasn’t possible with Windows NT 4.

The administration tools provided in Windows 2000 have been improved a little over Windows NT 4. An important improvement is the support for SNMP and MIBs, providing a graphical interface of statistical data from clients on the network. A Windows 2000 DHCP server can generate some administrator alerts automatically. For example, administrators can set an alert threshold for notification of a dwindling number of available IP addresses, as well as when the IP pool has been exhausted.

For those interested in clustering Windows 2000 Advanced Server, DHCP can be used for virtual servers. A static virtual IP address is set up for the cluster and failover of a cluster component allows the DHCP server IP address to be passed to a working machine.

When adding a second or higher DHCP server to an existing Windows 2000 DHCP domain, you need to ensure the new DHCP server is in the Active Directory (otherwise the server will be treated as a rogue unit). To authorize a new DHCP server, from the primary DHCP server (or root DHCP server), start Administrative Tools and select DHCP, right-click the DHCP icon at the root of the tree, and click Authorize. Enter the IP address (or name) of the server to be added, and click OK. The new server will then be treated as an authorized unit on the network.

DHCP and network traffic

One of the prevalent myths in the network world is that DHCP contributes a lot of load to a network. This is not true. It is true that when a client becomes active, it broadcasts a request for a DHCP server to reply, and DHCP servers will send a response back to the client, but these are small packets and are hardly ever resent unless either end has not received acknowledgements. Even on a vary busy network, it is rare to get resends of client DHCP requests and server responses.

After the initial setup datagrams have been transferred, client and server don’t communicate about DHCP issues until the timers for rebinding expire. At this point, a couple of small datagrams are exchanged, and the lease is usually reinstated and no communications are performed until that lease timer expires. If the client has to be rebooted or is moved from one network drop to another, the initial DHCP packets are exchanged again, but as mentioned, these are small.

To show the effect of DHCP traffic on a network, a simple experiment was performed in our labs. We set up two Windows NT 4.0 servers as DHCP servers, and connected forty Windows 98 PCs to the network, all of which used DHCP to establish IP addresses. When the PCs were all powered on at the same time, network traffic was monitored using packet filtering software to detect the DHCP packets specifically. On average on our 10Mbps Ethernet network, DHCP traffic spiked at less than one percent of the total network bandwidth, and that only when all 40 clients requested IP addresses within a second of each other (causing several collisions and resends). When the client machines were powered up in sequence, network traffic due to DHCP was negligible. Ongoing traffic from DHCP was also lower than measurement threshold even when the leases started to expire. On much larger networks, some DHCP traffic may arise, but the percentage of DHCP traffic will still be very small.

Another common myth about DHCP has to do with IP addresses and MACs (Media Access Control addresses). The prevalent opinion is that DHCP allows IP addresses to be concealed, hence resulting in machines that cannot be traced through traffic. This is not accurate as IP address leases can always be viewed through DHCP administration software. The software reports not only the assigned IP address, but the computer name and the MAC of the NIC. Articles in the popular press and some hacker newsletters have proposed using DHCP-based networks to launch either hack attacks or access to some Web sites on the assumption the sending machine cannot be traced. As long as the MAC or machine name is within the network, the sending machine can be traced.