Dynamic host configuration protocol
Abstract
Dynamic host configuration protocol (DHCP) is extended in order to assist with secure network location awareness. In an embodiment a DHCP client receives a signed DHCP response message from a DHCP server, the signed message comprising at least a certificate chain having a public key. In that embodiment the DHCP client validates the certificate chain and verifies the signature of the signed message. If this is successful the DHCP client accesses stored settings for use with the server. The stored settings are accessed at least using information about the public key. In some embodiments signed DHCPOFFER messages and signed DHCPACK messages are used. In another embodiment the signed DHCP message comprises a location identifier which is, for example, a domain name system (DNS) suffix of a DHCP server.
17 Claims

1. A method at a dynamic host configuration protocol (DHCP) client, comprising:

sending a DHCP request message comprising at least a first freshness indicator comprising a first nonce to a DHCP server, the DHCP server certified by a certification authority of a communications network, wherein the first nonce is generated by the DHCP client, wherein the sent DHCP request message comprises a DHCPDISCOVER message comprising the first nonce;

receiving, at least in response to the sending, a signed DHCP response message from the DHCP server of the communications network, the signed message comprising at least a second freshness indicator comprising a second nonce, a signature, and a public key issued by the certification authority;

validating that the received second freshness indicator matches the sent first freshness indicator;

checking that the signed message comprises a same nonce value as the DHCPDISCOVER message;

verifying the signature of the signed message using the public key issued by the certification authority; and

when the validation and the verification processes are successful, accessing stored settings for use with the network, wherein the stored network settings have been stored using information from another DHCP server different from the DHCP server, the other DHCP server having been certified and bound into one logical network location with the DHCP server by the certification authority, and that access being made on the basis of information at least about the public key issued by the certification authority.

(Dependent claims 2 to 11.)

12. A method at a dynamic host configuration protocol (DHCP) server of a communications network comprising:

receiving a DHCP request message from a DHCP client requiring a response from the DHCP server, wherein the received DHCP request message comprises at least a first freshness indicator comprising a first nonce generated by the DHCP client;

sending a signed DHCP response message to the client, the signed message comprising at least a second freshness indicator comprising a second nonce, a location identifier, a signature, and a certificate chain comprising one or more certificates, the certificate chain having a public key issued by a certification authority, the certification authority binding the DHCP server to at least another DHCP server different from the DHCP server into one logical network location, wherein the sent second freshness indicator comprising a second nonce matches a value of the received first freshness indicator comprising a first nonce, wherein the sending is arranged such that the signed DHCP response message can be received only in a specified region of the communications network, and wherein the public key is suitable for verifying, by the client, the signature, and the location identifier matches a name in the certificate chain, wherein the location identifier is a DNS suffix advertised by the DHCP server and the other DHCP server; and

checking that the location identifier is a suffix of a fully-qualified domain name of the server, the fully-qualified domain name being provided in a certificate chain.

(Dependent claims 13 to 15.)

16. One or more computer-readable memory storing computer-readable instructions that, when executed on a processor of a server, configure the processor to perform acts for sending a signed dynamic host configuration protocol (DHCP) response message in a communications network, the acts comprising:

sending a signed DHCP response message to a client device in response to receiving a DHCP request from the client device, wherein the DHCP request includes at least a DHCPDISCOVER message comprising a first freshness indicator comprising a first nonce with a value comprising a random number or a pseudo-random number, wherein the first nonce is generated by the client device, wherein the signed DHCP response message will be received by the client only in a specified region of the communications network, and wherein the signed DHCP response message comprises:

a location identifier stored in a network name option, wherein the location identifier is a DNS suffix of a fully-qualified domain name of the server and the DNS suffix is advertised by the server and at least another server different from the server, the fully-qualified domain name being provided in a certificate chain;

a second freshness indicator comprising a second nonce with a value comprising a random number or a pseudo-random number that is a copy of the first nonce received in the DHCPDISCOVER message of the DHCP request; and

a certificate chain comprising one or more certificates having a public key issued by a certification authority, the certification authority binding the server to at least the other server into one logical network location, wherein the location identifier is present in a certificate of the certificate chain.

(Dependent claim 17.)
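The exchange claimed above, as an added example that is not code from the patent or its assignee: a client-generated nonce in DHCPDISCOVER, a signed DHCPOFFER that echoes the nonce and carries a location identifier plus a certificate chain, and the client-side checks (nonce match, chain validation, signature verification, DNS-suffix check against the certified FQDN) that gate access to settings stored earlier for the same logical location. Everything here is an assumption of the example rather than the patent's format: messages are JSON dicts rather than DHCP options, the chain is a single CA-signed certificate, the "public key" is a toy RSA key over tiny constructed primes (insecure, for illustration only), and the stored settings are keyed on a fingerprint of the CA key together with the DNS suffix.

```python
"""Toy model of the signed-DHCP exchange in claims 1, 12 and 16 (constructed example)."""
import hashlib
import json
import secrets


# Toy RSA over tiny constructed primes: stands in for the CA-issued key pairs.
# Insecure by design; only the check logic, not the key size, is the point.
def toy_keypair(p: int, q: int, e: int = 17):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"e": e, "n": n}, {"d": d, "n": n}


CA_PUB, CA_PRIV = toy_keypair(1000037, 1000039)
SERVER_PUB, SERVER_PRIV = toy_keypair(1000003, 1000033)


def canonical(obj) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _hash_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, priv: dict) -> int:
    return pow(_hash_int(data, priv["n"]), priv["d"], priv["n"])


def verify(data: bytes, sig: int, pub: dict) -> bool:
    return pow(sig, pub["e"], pub["n"]) == _hash_int(data, pub["n"])


def key_id(pub: dict) -> str:
    """Fingerprint standing in for the 'information about the public key' of claim 1."""
    return hashlib.sha256(canonical(pub)).hexdigest()[:16]


def issue_cert(fqdn: str, pub: dict, ca_priv: dict) -> dict:
    """CA binds a server FQDN to its public key (a one-element chain here)."""
    body = {"fqdn": fqdn, "public_key": pub}
    return {"body": body, "ca_signature": sign(canonical(body), ca_priv)}


def make_discover() -> dict:
    """Client side of claim 1: DHCPDISCOVER carrying a fresh random nonce."""
    return {"type": "DHCPDISCOVER", "nonce": secrets.token_hex(8)}


def make_signed_offer(discover: dict, cert: dict, server_priv: dict, dns_suffix: str) -> dict:
    """Server side of claim 12: echo the nonce, add location identifier and chain, sign."""
    body = {
        "type": "DHCPOFFER",
        "nonce": discover["nonce"],   # second freshness indicator
        "location": dns_suffix,       # network name option
        "cert_chain": [cert],
    }
    return {"body": body, "signature": sign(canonical(body), server_priv)}


def validate_offer(discover: dict, offer: dict, ca_pub: dict, settings_store: dict):
    """Client checks in claim order; returns (status, settings or None)."""
    body = offer["body"]
    if body.get("type") != "DHCPOFFER":
        return "wrong-message-type", None
    # Freshness: the echoed nonce must equal the one this client just sent,
    # so a captured offer from an earlier exchange is rejected.
    if body.get("nonce") != discover["nonce"]:
        return "nonce-mismatch", None
    cert = body["cert_chain"][0]
    # Chain validation: the CA must have signed the FQDN/key binding.
    if not verify(canonical(cert["body"]), cert["ca_signature"], ca_pub):
        return "bad-certificate", None
    # Message signature under the certified server key.
    if not verify(canonical(body), offer["signature"], cert["body"]["public_key"]):
        return "bad-signature", None
    # Location identifier must be a DNS suffix of the certified FQDN
    # (label boundary enforced so "corp.example" does not match "evilcorp.example").
    fqdn, location = cert["body"]["fqdn"], body["location"]
    if not fqdn.endswith("." + location):
        return "location-mismatch", None
    # Settings were stored earlier under the same CA and logical location,
    # possibly from a different certified server bound to that location.
    return "ok", settings_store.get((key_id(ca_pub), location))


if __name__ == "__main__":
    store = {(key_id(CA_PUB), "corp.example"): {"proxy": "proxy.corp.example"}}
    cert = issue_cert("dhcp1.corp.example", SERVER_PUB, CA_PRIV)
    disc = make_discover()
    offer = make_signed_offer(disc, cert, SERVER_PRIV, "corp.example")
    print(validate_offer(disc, offer, CA_PUB, store))
```

The order of checks matters for the failure cases: a replayed offer fails on the nonce before any signature work is done, an offer whose body was altered in transit fails the signature check, and a genuinely certified server that advertises a DNS suffix its certificate does not carry fails the suffix check even though both signatures verify.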