DHCP Support at Fermilab

 

The Laboratory provides Dynamic Host Configuration Protocol (DHCP) support as a general network service.  Most subnets that support end user systems are configured for DHCP support.  Historically, DHCP service was provided transparently to any system configured to request a DHCP address.  However, computer security concerns have grown about who is accessing the facility network, and how they can be contacted or identified in the event of a computer security problem or issue.  As a result, the Laboratory’s DHCP service is migrating to a model based on requiring node registration information in order to obtain a usable DHCP address on the facility network.

 

Classes of DHCP addresses:

 

Three classes of DHCP addresses will be available, resident, transient, and captive:

 

1. Resident DHCP addresses are the type of DHCP addresses that the Laboratory has historically supported.  They have the following characteristics:

 

• They are issued transparently, as soon as a system connects to the network
• They are renewable indefinitely, as long as the system remains connected
• They provide full access to the general facility network, and offsite. 

 

As the Laboratory migrates to required registration for DHCP addresses, it will be necessary for a system to be properly registered in the MISCOMP database in order to obtain a normal DHCP address.

 

2. Transient DHCP addresses will be available for systems that are not registered in MISCOMP.  They are intended to provide network access for visitors and casual users who infrequently visit the Laboratory.  Transient DHCP addresses have the following characteristics:

 

• They are issued only after completion of a temporary registration process
• They are only good for the remainder of the current day
• They provide full access to the general facility network, and offsite. 

 

In order to obtain a transient DHCP address, the user will have to complete a temporary registration page that requires a minimal amount of information on who they are and how they can be contacted.  Transient DHCP addresses are only usable for the remainder of the day.  After 12:00 midnight, the user will have to re-register to obtain a new transient DHCP address.  There is a limit (currently 5) to the number of times a user can receive a transient address within a 30 day period.  Users who visit the Laboratory more than infrequently should register their system in MISCOMP so they would receive resident DHCP addresses.

 

3. Captive DHCP addresses are issued to systems that are neither registered permanently in MISCOMP, nor have been registered for the day via the temporary registration page.   The captive DHCP addresses are only used to complete the temporary registration process needed to obtain a transient DHCP address.  Captive DHCP addresses have the following characteristics:

 

• They are issued when a non-registered system connects to the network
• They are only good for the duration of the temporary registration process
• They are restricted to accessing only the temporary registration web page 

 

The user need only bring up a browser to any URL in order to be connected to the temporary registration page.  Once the user has successfully worked through the temporary registration process, he/she will be able to obtain a transient DHCP address.  It should be noted that if the system’s TCPIP configuration includes a specified DNS server, the captive system will not be able to access the temporary registration page.  The user will need to disable the specified DNS server to reach the temporary registration page.