DHCP Option 82 from customer

This test checks that DHCPv4 requests are correctly marked with customer identification (Option 82) and that a DHCP Discover with Option 82 already set by the customer is replaced or dropped in the access switch. In this test, the ISP Test Agent serves as the DHCPv4 server that receives the DHCP request.

Note: Option 82 (DHCP Information) is commonly used in metro or large enterprise deployments to provide additional information on the "physical attachment" of the client. Used correctly, the option ensures traceability: in combination with IP source guard, traffic can be traced to the exact port it comes from.

Impact: Abuse

Test process

  • Malicious sends a standard DHCP Discover packet.
  • Malicious sends a DHCP Discover packet with Option 82 set.

Fail criteria

  • The standard DHCP packet is not marked with Option 82 at the ISP.
  • The already marked DHCP packet arrives with the same Option 82 value as set by Malicious.
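The two fail criteria can be evaluated on the ISP side by parsing the options of each received Discover. The following is an added example, not code from the test product: the function names, the sample circuit-ID values and the handling of a dropped or stripped packet are assumptions made for illustration.

```python
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
OPT_PAD, OPT_RELAY_AGENT_INFO, OPT_END = 0, 82, 255
# Constructed sample Option 82 values (sub-option 1 = circuit ID)
SWITCH = b"\x01\x06port-7"    # what the access switch is assumed to insert
SPOOFED = b"\x01\x04fake"     # what the Malicious customer sets

def parse_tlv(data: bytes, dhcp: bool = False) -> dict:
    """Parse code/length/value triples; with dhcp=True honour Pad and End."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if dhcp and code == OPT_END:
            break
        if dhcp and code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        length = data[i + 1]
        out[code] = out.get(code, b"") + data[i + 2:i + 2 + length]
        i += 2 + length
    return out

def option82(packet: bytes) -> Optional[bytes]:
    """Return the raw Option 82 value of a DHCPv4 message, or None if absent."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCPv4 message")
    return parse_tlv(packet[240:], dhcp=True).get(OPT_RELAY_AGENT_INFO)

def verdict(received: Optional[bytes], customer_opt82: Optional[bytes]) -> str:
    """received: Discover seen at the ISP (None = never arrived);
    customer_opt82: Option 82 value Malicious set (None = standard Discover)."""
    if received is None:  # assumption: a dropped marked packet passes
        return "PASS" if customer_opt82 is not None else "INCONCLUSIVE"
    seen = option82(received)
    if customer_opt82 is None:
        return "PASS" if seen is not None else "FAIL: not marked with Option 82"
    # assumption: any value other than the customer's (or none at all) passes
    return "FAIL: customer Option 82 passed through" if seen == customer_opt82 else "PASS"

def build_discover(opt82: Optional[bytes] = None) -> bytes:
    """Constructed sample: minimal BOOTREQUEST header plus options."""
    opts = b"\x35\x01\x01"  # option 53, DHCP message type = Discover
    if opt82 is not None:
        opts += bytes([OPT_RELAY_AGENT_INFO, len(opt82)]) + opt82
    return bytes([1, 1, 6, 0]) + b"\x00" * 232 + MAGIC_COOKIE + opts + bytes([OPT_END])
```
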

References

This test conforms to SEC Access Certification IDs "SEC-V4-DHCP-1" and "SEC-V4-DHCP-2".

Parameters

General

  • Malicious Customer: A customer interface performing malicious actions.
  • ISP: A central node on a trusted port. The test requires that the ISP reside in the same Layer 2 network as customers.