Most active commenters
  • cbs(3)

←back to thread

Rapid DHCP: Or, how do Macs get on the network so fast?

(cafbit.com)
354 points timdoug | 11 comments | 12 Jul 11 17:04 UTC | HN request time: 1.442s | source | bottom
1. kenjackson ◴[12 Jul 11 17:38 UTC] No.2755611[source]
This implementation by the Mac feels wrong. I mean it appears to work, but it seems like a violation of the protocol and can result in problems on the network. Maybe security issues (?). I'm not an expert in any of these things, but I'd love to hear a network protocol/security experts take on this.
replies(4): >>2755747 #>>2755748 #>>2755926 #>>2756388 #
2. aaronblohowiak ◴[12 Jul 11 18:09 UTC] No.2755747[source]
Not security. You usually rely upon security for network layers 1-4 as being actual security. Adding additional controls can be useful in slowing down would-be attackers, or "casual" intruders, but they are not "real" security measures.
replies(1): >>2756024 #
3. cbs ◴[12 Jul 11 18:46 UTC] No.2755926[source]
This certainly smells fishy, the client is relying on ARP to assume its OK to reclaim that IP address before it actually gets the authoritative answer from the DHCP server. IP networking does not require that computers submit to dhcp, so depending on how you look at it, it probably doesn't run afoul of the spec.

I'd have to get a more detailed packet capture and reference some RFCs, but given DHCP isn't manditory, I don't think it would be harmful to the mac or network as long as the client's DHCP lease was still valid when it pulled this stunt, otherwise you could get multiple clients claiming the same IP address.

From a security standpoint rather than only revealing just your most recently DHCP-assigned address, you're revealing both the mac address of the nearest layer 2 device and gateway ip of (some nonzero number of) networks you've recently connected to. If a hostile network were to monitor the arp requests to successfully emulate a network the connecting mac had recently been connected to, the IP traffic prior to DHCP ACK that was abridged in the article would probably be sent again. Not knowing what it contained, I can't speculate as to if it would be any different than the network communication that would be done if connecting to a new network.

(Even if everything else was application traffic, I don't anything about the udp/192 protocol for airports, but it may be spoken with assumptions made about the connected network and a vector worth exploring).

replies(1): >>2756245 #
4. cbs ◴[12 Jul 11 19:07 UTC] No.2756024[source]
The lower level networking protocols do rely on some levels of peer trust, but carefully controlling that trust has come a long way in the last decade. If I'm correct in assuming by "actual security" you mean "physical security" you're making some pretty broad and faulty statements (even about layer 1).

There are many networking devices and techniques for hardening hostile networks at layer 2. Layer 3 is IP; to say level 3 (or 4) measures are not "real" is throwing HUGE swaths of security out the window.

replies(1): >>2756304 #
5. tomlogic ◴[12 Jul 11 19:54 UTC] No.2756245[source]
Regarding your security statement, I didn't get that from the packet capture. The Mac is sending an ARP request for the IP addresses of the DHCP servers of networks it's been on recently. An attacker would need to know the correct MAC address to respond with -- the Mac is not sending that out in the request.

If the ARP comes back with the cached MAC address for that network, the Mac continues using the valid DHCP lease it was given. It sends a DHCP request to renew that lease, and I assume would reconfigure the interface if the request fails and discovery has to start over.

From my recollection of the DHCP RFC, if a server hands you a lease for one week, you're allowed to use that address for a week, even if you go offline for 3 days in the middle. In practice, this may not be the case.

replies(1): >>2756437 #
6. aaronblohowiak ◴[12 Jul 11 20:08 UTC] No.2756304{3}[source]
Sorry, I double-posted accidentally and it looks like I deleted the wrong one. I meant that layers 1-4 should not be relied upon to provide your application security. You are right that there are cool advances that can be worthwhile to slow down attackers, but I think that in most circumstances, you will want to make your guarantees higher up the stack*

*I am not a security expert

replies(2): >>2757954 #>>2757955 #
7. bradleyland ◴[12 Jul 11 20:25 UTC] No.2756388[source]
It's not a violation of the DHCP protocol, because the requests being made aren't specifically DHCP requests. It might be a violation of network policy though, but that depends on your perspective, not an RFC.

Think of it like this. Your iOS device assumes that if it's on the same network, and it has a valid/current DHCP lease, it will use that address while it goes about the business of negotiating a proper DHCP address. The assumption is made outside the scope of negotiating an actual DHCP address.

A violation of the protocol would involve tricking the DHCP server or sending false information to the DHCP server. Neither happens here.

It's up to the network owner to decide whether or not this is acceptable. With a properly functioning network equipment, you should never encounter a failure of this assumption. If you have an unhealthy network, the assumption may fail more frequently, but then again, you're just compounding an existing issue that should probably be resolved.

In the end, we're talking about saving 10s every time you wake your device up. Ten seconds. That's significant. I use my iPad/iPhone very casually. I don't think about "grouping" my usage, because it works instantly when I pick it up. My network works properly, so I'm happy it's making these assumptions.

8. cbs ◴[12 Jul 11 20:36 UTC] No.2756437{3}[source]
the Mac is not sending that out in the request.

I could be wrong about this, as I haven't analyzed actual arp requests in ages, but from the article it appears the arp requests are unicast to the (at least in the example) cached MAC for the gateway.

replies(1): >>2757225 #
9. tomlogic ◴[13 Jul 11 00:18 UTC] No.2757225{4}[source]
Ah, after a closer look at the original article, I see that now. Curious that Apple would choose to unicast those requests.
replies(1): >>2757942 #
10. caf ◴[13 Jul 11 05:49 UTC] No.2757942{5}[source]
It does this to verify that the DHCP server has the same MAC address as the one that it remembers. If the server that it remembers isn't present on the current network, the unicast packet should be ignored.
11. ◴[13 Jul 11 05:53 UTC] No.2757954{4}[source]