DHCP (Dynamic Host Configuration Protocol) is designed to allow you to administer a large IP network more efficiently. A central network server distributes configuration information such as DNS servers, subnet mask, gateways and most importantly, IP address, to individual machines.
CIT offers a campus-wide DHCP service for departmental non-student subnets at no charge.
What can DHCP do for me?
Essentially, DHCP reduces the amount of time you spend on paperwork while increasing your control over your subnet. DHCP can:
- Automate some subnet record-keeping, such as tracking which IP numbers are in use, and who is using them.
- Document visitors on the LAN.
- Centralize network configuration.
- Facilitate major changes in the IP protocol configuration. This means changes such as campus DNS or the local subnet's gateway can be made without an administrator visiting each machine.
- Enforce IP address distribution restrictions for your subnet.
- Make it easier for users to move between home and office.
For more general technical information on DHCP, read the excellent DHCP FAQ at http://www.dhcp-handbook.com/dhcp_faq.html.
If you are interested in setting up your subnet to work with DHCP at Cornell, the NOC will assist you. Contact the NOC at 255-9900 or send e-mail to hostmaster@cornell.edu with your requests and questions.
Brief overview of DHCP
- When a computer needs an IP address (typically at boot-up, or when the computer's DHCP lease has expired), it broadcasts a DHCP request on its subnet. Normally a broadcast request will not go beyond the local subnet; however, if your LAN is set up to use the CIT DHCP server, the router is configured to forward these broadcast requests to the appropriate systems.
- The DHCP server checks the MAC address of the machine against its list of known hosts, and proceeds as shown in the flow chart.
- Other network configuration parameters such as DNS servers and gateway will be passed to that computer.
Hostnames
CIT strongly recommends using a static host pool containing registered machines. This will make it easier to find the owner of a machine in case of a virus infection, denial-of-service attack or other security compromise.
Unregistered machines cannot be easily located; this is a particular problem when, for example, a machine is flooding the network with traffic. Although CIT can eventually locate such machines via port traffic, it often takes a week or more to locate the individual responsible for the machine. Additionally, if you scan your networks for a particular vulnerability or virus and discover an affected machine, it is much more difficult to identify that machine if it is unregistered or using dynamic DHCP.
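The static host pool recommended above, expressed as an ISC DHCP server configuration (dhcpd.conf). This is an added example, not CIT's own configuration: the subnet, addresses, hostnames and MAC addresses are constructed placeholders drawn from the documentation ranges (192.0.2.0/24 and 00:00:5e:00:53:xx), and the lease times are assumptions.

```conf
# Added example, not CIT's configuration. All addresses, names and
# MAC addresses below are constructed placeholders.

authoritative;
default-lease-time 86400;      # 1 day, in seconds (assumed value)
max-lease-time 604800;         # 7 days (assumed value)

# Site-wide parameters handed to every client along with its address
# (the "other network configuration parameters" from the overview).
option domain-name "example.edu";
option domain-name-servers 192.0.2.53, 192.0.2.54;

subnet 192.0.2.0 netmask 255.255.255.0 {
    option routers 192.0.2.1;            # this subnet's gateway
    option subnet-mask 255.255.255.0;

    # Static host pool: only machines with a 'host' entry below (matched
    # by MAC address) are served from this range. Unregistered machines
    # are refused here.
    pool {
        range 192.0.2.100 192.0.2.199;
        deny unknown-clients;
    }

    # Visitor pool with short leases, so dhcpd.leases records who held
    # which address and when. Remove this block to refuse unregistered
    # machines entirely.
    pool {
        range 192.0.2.200 192.0.2.219;
        allow unknown-clients;
        default-lease-time 3600;
        max-lease-time 7200;
    }
}

# Registered machines. Each entry ties a MAC address to a hostname and,
# optionally, a fixed address. Fixed addresses are kept outside every
# 'range' above so the dynamic pools can never hand them out.
host lab-printer-01 {
    hardware ethernet 00:00:5e:00:53:01;     # placeholder MAC
    fixed-address 192.0.2.10;
}
host smith-desktop {
    hardware ethernet 00:00:5e:00:53:02;     # placeholder MAC
    fixed-address 192.0.2.11;
}
```

With this layout, answering "who had 192.0.2.11 yesterday?" is a search of this file, and "who had 192.0.2.205?" is a search of the server's lease database, which is the record-keeping the page describes.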
Hostname registration also offers the following benefits:
- Some web or ftp servers will not allow a connection unless they can reverse-map the IP address to a registered hostname.
- Naming the machines on your subnet makes administration much simpler: giving each machine a meaningful label allows for easy tracking and inventory of IP addresses as well as easier problem tracking and resolution when network problems occur.
- Host registration is also the only way to give your machines a name on the Internet, allowing your users the ability to connect to their office systems from elsewhere.
- Knowing that a particular IP address is associated with a particular node can help with security, network management, and even identifying resources, such as printers and servers. Dynamic configuration of the IP numbers undercuts such methods. For this reason, some sites try to keep the continued use of dynamically allocated IP numbers to a minimum.
Other reasons include these pending policies:
- Cornell Policies: Systems and Network Infrastructure Security Guidelines for Cornell Information Technologies (CIT)
  - Machines connected to CIT staff networks should be registered via user and IP address in the DNS database.
- The Chronicle of Higher Education, Information Technology, 3/15/2002: "The Growing Vulnerability of Campus Networks" by Florence Olsen.
  - Michael A. McRobbie, vice president for information technology at the Indiana University System, says "In a time of increased national-security concerns, pressure is mounting on colleges to gain better control of their computer networks, or risk losing federal grant money for research."
- Pending Federal Policies: Safe Computing Environment Requirements (Grants), Appendix C to Part 85, Certification Regarding Safe Computing Environment Requirements
  - Specific computing environments, for grantees other than individuals, need not be identified on the certification. If known, they may be identified in the grant application. If the grantee does not identify the environment at the time of application, or upon award, if there is no application, the grantee must keep the identity of the environment(s) on file in its office and make the information available for Federal inspection. Failure to identify all known computing environments constitutes a violation of the grantee's safe computing environment requirements.
  - Computing environment identifications must include the actual IP address of each system or other network connected device used in support of the grant. Categorical descriptions may be used (e.g., all systems of a university department, State systems in each local unemployment office, systems used to support concert halls or radio studios).
Find out more: