DHCP security and accounting features have been designed and implemented to address the security concerns in PWLANs, but they can also be used in other network implementations.
DHCP accounting provides authentication, authorization, and accounting (AAA) and RADIUS support for DHCP. The AAA and RADIUS support improves security by sending secure START and STOP accounting messages. Configuring DHCP accounting adds a layer of security that allows DHCP lease assignment and termination to trigger the corresponding RADIUS START and STOP accounting records, so that session state is properly maintained by upstream devices, such as an SSG. This additional security helps prevent attackers or unauthorized clients from gaining entry to the network by spoofing authorized DHCP leases.
Three other features have been designed and implemented to address the security concerns in PWLANs. The first feature ties ARP table entries to DHCP leases in the DHCP database. The secure ARP functionality prevents IP spoofing by synchronizing the DHCP server's database with the ARP table, which avoids address hijacking. Secure ARP adds an ARP table entry for a client when an address is allocated; that entry can be deleted only by the DHCP server, when the binding expires.
The second feature is DHCP authorized ARP. This functionality provides a complete solution by addressing the need for DHCP to know explicitly when a user logs out. Before the introduction of DHCP authorized ARP, there was no mechanism to inform the DHCP server that a user had left the system ungracefully, which could result in excessive billing for a customer who had logged out without the system detecting it. To prevent this problem, DHCP authorized ARP sends periodic ARP messages, once per minute, to determine whether a user is still logged in. Only authorized users can respond to the ARP request. ARP responses from unauthorized users are blocked at the DHCP server, providing an extra level of security.
In addition, DHCP authorized ARP disables dynamic ARP learning on an interface. The address mapping can be installed only by the authorized component specified by the arp authorized interface configuration command. DHCP is the only authorized component allowed to install ARP entries.
The third feature is ARP Auto-logoff, which adds finer control over how authorized users are probed to detect that they have logged out. The arp probe interval command specifies when to start a probe (the timeout), how frequently a peer is probed (the interval), and the maximum number of retries (the count).
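As an added illustration, not taken from the original document, the following Cisco IOS configuration fragment combines DHCP accounting, secure ARP, authorized ARP, and ARP auto-logoff on one router acting as DHCP server and PWLAN gateway. The interface name, addresses, pool name, RADIUS server, and key are assumed placeholders, and the command keywords are written from memory of IOS syntax, so verify them against your platform's command reference.

```cisco
! Assumed topology: this router is the DHCP server and gateway for the
! PWLAN subnet on GigabitEthernet0/1; RADIUS accounting server 10.0.0.5
! and all addresses below are placeholders.
aaa new-model
! Send START/STOP accounting records for network sessions to RADIUS.
aaa accounting network default start-stop group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
!
ip dhcp excluded-address 10.1.1.1
ip dhcp pool PWLAN-POOL
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.1
 lease 0 1
 ! DHCP accounting: lease assignment and termination drive the RADIUS
 ! START and STOP records consumed by upstream devices such as an SSG.
 accounting default
 ! Secure ARP: bind the client's ARP entry to its lease so that only the
 ! DHCP server removes it, when the binding expires.
 update arp
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ! Authorized ARP: disable dynamic ARP learning on this interface; only
 ! DHCP (the authorized component) may install address mappings.
 arp authorized
 ! ARP auto-logoff: probe each peer every 5 seconds and treat 15 missed
 ! replies as a logoff, so stale sessions stop accruing billing.
 arp probe interval 5 count 15
```

To check the result, compare show ip dhcp binding with show arp on the interface: with arp authorized in place, a host that never obtained a lease from this pool should have no ARP entry, and a host that stops answering probes should lose both its ARP entry and its binding.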