IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
A DHCP area is a group of computers, which execute the DHCP client service
in a subnet. The area is used to define parameters for every subnetwork. Every
area has the following properties:
- A unique sub-network mask is used to establish a subnet which is in turn
assigned to a particular IP address.
- An area name assigned by the administrator when the area was created.
- Values for the length of usage time of dynamic addresses which are
allocated to DHCP clients.
Each subnetwork can only have one single area with a continuous IP address
pool; these addresses must be valid for the subnet. If many address pools areto
be created in one subnetwork, a continuous area should be created which
encompasses all these address pools and the addresses between the desired
pools can be excluded. If more addresses are needed, the area can be extended
at a later stage.
Configuration parameters which a DHCP server assigns to a client will be
defined as DHCP options under the DHCP-Manager. Most options are predefined
on the basis of standard parameters which have been determined in the
Internet standards RFC 1541 or RFC 1542. Such types of options can be
assigned to a configured DHCP area which regulates all configuration
parameters.
Additional to IP address information, further DHCP options which are to be
passed on to DHCP clients must be configured for every area. These options
can be globally defined for all areas, specifically defined for single areas or
defined for single DHCP clients with reserved addresses. Active global
options are valid as long as they are not deactivated by area options or DHCP
client settings. Active types of options for one area are valid for all computers
in this area as long as they are not deactivated for a single DHCP client.
Note: Any change to the preset values should only be made if the effects of
this change are completely known. The values to be used have to be
determined within the guidelines of a specific security analysis.
A particular IP address can be reserved for a client. As a rule, this is necessary
in the following cases:
- for domain controllers, if the network also works with LMHOSTS-files
which define IP addresses for domain controllers,
- for clients working with IP addresses which were assigned for TCP/IP
configuration via a different procedure,
- for allocation by RAS servers to clients that do not use DHCP,
- for DNS servers.
If multiple DHCP servers distribute addresses in the same area, the client
reservations must be identical on every DHCP server otherwise - depending
upon the answering server - the reserved client will receive different IP
addresses.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000