DHCP defined and how it works

Dynamic host configuration protocol simplifies and improves the accuracy of IP addressing but can raise security concerns

abstract digital network mapping
MF3d / Getty Images

If Dynamic Host Configuration Protocol (DHCP) didn’t exist, network administrators would have to manually parcel out IP addresses from the available pool, which would be prohibitively time consuming, inefficient, and error prone. Fortunately, DHCP does exist.

What is DHCP and how does it work?

DHCP is an under-the-covers mechanism that automates the assignment of IP addresses to fixed and mobile hosts that are connected wired or wirelessly.

When a device wants access to a network that’s using DHCP, it sends a request for an IP address that is picked up by a DHCP server. The server responds be delivering an IP address to the device, then monitors the use of the address and takes it back after a specified time or when the device shuts down. The IP address is then returned to the pool of addresses managed by the DHCP server to be reassigned to another device as it seeks access to the network.

While the delegation of IP addresses is the central function of the protocol, DHCP also assigns a variety of related networking parameters including subnet mask, default gateway address, and domain name server (DNS). DHCP is an IEEE standard built on top of the older BOOTP (bootstrap protocol), which has become obsolete because it only works on IPv4 networks.

Benefits of DHCP

DHCP provides a range of benefits to network administrators:

Reliable IP address configuration

You can’t have two users with the same IP address because it would create a conflict where one or both devices could not connect to the network. DHCP eliminates human error so that address conflicts, configuration errors, or simple typos are minimized.

Reduced network administration

DHCP provides centralized and automated TCP/IP configuration. By deploying a DHCP relay agent, a DHCP server is not needed on every subnet.

Mobility

DHCP efficiently handles IP address changes for users on portable devices who move to different locations on wired or wireless networks.

IP address optimization

DHCP not only assigns addresses, it automatically takes them back and returns them to the pool when they are no longer being used.

Efficient change management

DHCP makes it simple for an organization to change its IP address scheme from one range of addresses to another. DHCP enables network administrators to make those changes without disrupting end users.

DHCP components

When working with DHCP, it’s important to understand all of its components.  Below is a list of them and what they do:

DHCP server

This is a networked device running the DCHP service that holds IP addresses and related configuration information. This is most typically a server or a router but could be anything that acts as a host, such as an SD-WAN appliance.

DHCP client

This endpoint endpoint software requests and receives configuration information from a DHCP server. This can be installed on a computer, mobile device, IoT endpoint or anything else that requires connectivity to the network. Most are configured to receive DHCP information by default.

IP address pool

The range of IP addresses that are available to DHCP clients is the IP address. Addresses are typically handed out sequentially from lowest to highest.

Subnet

IP networks can be partitioned into segments known as subnets. Subnets help keep networks manageable.

Lease

The length of time for which a DHCP client holds the IP address information is known as the lease. When a lease expires, the client must renew it.

DHCP relay

A router or host that listens for client messages being broadcast on that network and then forwards them to a configured server is the DHCP relay. The server then sends responses back to the relay agent that passes them along to the client. This can be used to centralize DHCP servers instead of having a server on each subnet.

Assigning IP addresses

The existential question associated with DHCP is how does an end user connect to the network in the first place without having an IP address?

The answer is that there’s a complex system of back-and-forth requests and acknowledgments. First, all modern device operating systems include a DHCP client, which is typically enabled by default. In order to request an IP address, the client device sends out a broadcast message—DHCPDISCOVER. The network directs that request to the appropriate DHCP server.

DHCP server functionality is typically assigned to a physical server plus a backup. Other devices can also act as DHCP servers, such as SD-WAN appliances or wireless access points.

The server then determines the appropriate IP address and sends an OFFER packet to the client, which responds with a REQUEST packet. In the final step in the process, the server sends an ACK packet confirming that the client has been given an IP address.

This is all done quickly and automatically and without the need for the end user to take any action. The catch is that the IP address isn’t permanent. It’s only good for a specified period of time, known as the lease time.

Controlling lease time

If all DHCP did was assign IP addresses permanently, it wouldn’t be dynamic, it would be static. Static addresses are appropriate for some devices, such as network printers. However, under the DHCP protocol, every time the DHCP server assigns an address there is an associated lease time. When the lease expires, the client can no longer use the IP address and is essentially kicked off the network.

The protocol is designed so active clients automatically contact the DHCP server halfway through the lease period to renew the lease. If the server doesn’t respond immediately, the client continues to ask the DHCP server for a lease renewal until it is approved.

Typically, when a host shuts down, the lease is automatically terminated, in order to free up its IP address so it can be used by another client on the network.

DHCP networking functionality

In addition to providing the client with the ability to connect to network and internet resources through the IP address, the DHCP server assigns additional networking parameters that provide efficiency and security. These include:

Default gateway

This gateway is responsible for transferring data back and forth between the local network and Internet, or between local subnets.

Subnet mask

IP networking uses a subnet mask for separate the host address and the network address portions of an IP address.

DNS server

Translates domain names (networkworld.com) into IP addresses, which are represented by long strings of numbers.

Scopes and user classes of IP addresses

DHCP assigns addresses dynamically, but not randomly. Since DHCP connects hosts to the network and also assigns networking parameters, there are scenarios in which a network administrator might want to assign certain sets of subnet parameters to specific groups of users.

A scope is a consecutive range of IP addresses that a DHCP server can draw on to fulfill an IP address request from a DHCP client. By defining one or more scopes on the DHCP server, the server can manage the distribution and assignment of IP addresses to DHCP clients. Under the DHCP protocol, network admins can set unlimited numbers of scopes, as needed.

A class is a subset of a scope. Classes are useful if the network administrator wants to separate groups of devices to one segment of a larger scope. For example, SD-WAN clients for employees working remotely.

DHCP security concerns

With DHCP, the initial assignment of an IP address is designed to be fast and efficient. The tradeoff is that the DHCP protocol doesn’t require authentication. Of course, enterprises have set up strong authentication requirements for users to access resources once they are on the network, but that still leaves the DHCP server itself as a weak link in the security chain.

An attacker could take over or spoof the DHCP server and hand out bad information to legitimate end users, sending them to a fake site. Or it could hand out legitimate IP addresses to unauthorized users. This could lead to man-in-the-middle attacks and denial of service attacks.

The DHCP specification does address some of these issues. There is a relay-agent information option that enables network engineers to tag DHCP messages as they arrive. This tag can be used to control network access. In addition, network administrators can use 802.1x authentication (network access control) to help secure DHCP.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Related:

Copyright © 2022 IDG Communications, Inc.