Thank you for getting into the spirit with some good yelling just then. So everyone who opened up their laptop or turned on their phone and connected to the guest Wi-Fi network here in this room used DHCP at least once today. So this might be the talk in this block that resonates most with your computer, or with you. And it will certainly have some cool stuff that you can use to find out more about these things your computers are always doing behind your back. So when do we use DHCP? We use it when we first start up on a new network and we're trying to figure out how we can participate in the network ourselves. So how do we send traffic? When we try to send network traffic, we usually want to address it to some remote host. So we have some destination that we know. And we also need to include some information on how that host should reply to us. So we need to know an address for ourselves that we can include as a source address in that traffic. When we start up on a new network, we don't know that yet. We don't know anything about the addressing scheme. We don't know who else is on the network. We need to find out some stuff. So as I mentioned, we need to find a source address, a unicast IP address, so that we can get replies to any traffic that we send out. There's some more information that we need as well. We're going to need to know who can take our traffic out of the local network to the next hop. So for example, if I want to contact some computer that happens to live in the cloud, I can get away from my cloud and to the cloud via what we normally call a default gateway, so some machine that's happy to take your packets and send them off to where they really need to go. 
And we probably also need to know which set of numbers correspond to addresses and computers that are on our local network, our cloud, and which numbers correspond to computers that are in the cloud and need to get forwarded out to that default gateway. So how can we even find out this information? As I mentioned, we don't know what our source address is, so it's going to be really hard for us to ask anyone else who's on this local network, but the only people who know are on this local network. And we don't want to go and fill out a whole bunch of punch cards and try to file them into our computer to figure out how to get configuration information into it. So how are we going to ask the people who are on the local network with us for this information without an IP ourselves? So the solution, as you may have guessed from the talk title, is yelling! So there are special addresses that you can use in IP packets to deal with this situation. So the first thing that we're going to need to know is how to address an IP packet to everybody who can hear me. If we set the destination IP on an IPv4 network to all of the bits to one, which corresponds to 255.255.255.255 in the way that we normally write IPv4 addresses, this is specified as limited broadcast in the IPv4 RFC. And what that means is, okay, spray this packet to everyone who's listening, but don't forward it anywhere else. Just keep it here. So that sorts us out for our destination IP. The next thing that we need to know is, okay, what are we going to set our source to? And it turns out that setting all of the bits in an IPv4 address to zeroes when it's in the source field also has a special meaning. And that means, me, but I don't know who I am. If you want to reply to me, just send it to everybody and I'll hear it. I'm going to yell, you can yell back at me. 
And there's one more thing that we need, because when we're making packets that we want to send out on most networks, we need another layer of addressing below IPv4. So we need to also be able to address these packets on the Ethernet level. And in Ethernet, our source is always known. Each piece of Ethernet hardware that we get has a number associated that's baked into it. So we can say, okay, my network card, what's your source address? Okay, I'll use that. And Ethernet also has a broadcast address where if you set all the bits to ones, in this case it's six bytes, that says, okay, send it to everyone, and Ethernet won't forward it, it'll just keep it on the local network. So that's great. So the way that we're going to yell is we're going to address our packet with an Ethernet header that says from my address, which I know what it is, to everybody, and on the IPv4 layer, just me, just yell back, okay, holla back. So we can use this to bootstrap a process by which we can discover how not to yell so much. And the process by which we discover how not to yell so much and be better network citizens is called DHCP. It stands for Dynamic Host Configuration Protocol. And we usually call the configurations that we get through DHCP leases because they're time limited. And the basic idea is: yell loud enough and somebody will help you. So DHCP works over UDP, which is a datagram protocol that's not connection-based. So we're going to just send individual packets and if someone hears them, they'll reply. Our client broadcast will go out on one port; a broadcast from something that hears our traffic and wants to respond will go out on another port, and then the client will hear it. There are a couple more considerations that we need to have for these conversations where everyone is yelling and there's no real conception baked into the addressing on the IP level or the Ethernet level of who's involved in this conversation. 
So we need to tag each message with a transaction ID so that we know if a whole bunch of people are yelling, which bits of conversation correspond with one another. And we also need to tag every message with a message type so that we know where we are in the process of trying to figure out how to stop yelling so much. I'll walk you through the usual message exchange. It's two pairs of messages. So it's important for us to keep track of where we are in that exchange so that we don't reply inappropriately and then have to keep yelling. So if I'm a client and I just came up on a network, the first thing I'm going to send is what's called a DHCP Discover message. And I've summarized it in plain English here. So we're going to pick a random transaction ID. That one doesn't look very random. It's random enough. It's good. It's fine. So what we're going to say is, hi, I'm XID 12345678. I'm discovering, please help me. Please give me an IP. And I also need a default gateway. And I need some DNS servers. And hopefully, someone hears me. And what they're going to say is, OK. Hi, this message is for XID 12345678. I'm a DHCP server. Here's my IP. I'm going to give you this IP address. Here's the network subnet. Here's the default gateway. Here's some DNS servers. You can use this for some number of seconds if you like it. And the client receives that. And it says, it looks at it and goes, OK. Hi, this is XID 12345678. I really like this IP address. It came from this server with this IP. Thanks. I'd like to request that I use it. And also the subnet that you told me, and the gateway, and the DNS servers. And the server hears that. And this hopefully corresponds with what it gave the client originally. And there hasn't been any additional traffic between that. And so it says, it looks at it and it's like, all right. That seems very reasonable. Hi, this message is for XID 12345678. I'm a DHCP server. Here's my IP. I acknowledge that you have that IP address. 
You can have it for only so long. Oh, and please use the subnet and the gateway and the DNS servers that I mentioned to you before. And then we don't need to yell anymore. So our computers are yelling right now. And if you know how to listen, you can hear them. And the trick to listening is a program that you might have heard of called tcpdump. So if I run tcpdump and I say, please give me a nice ASCII summary of all of the traffic that you see. I want it to be moderately verbose. Show me the Ethernet headers. Don't reverse-resolve any numbers into names. And I want to listen on my wireless interface. And please give me all of the traffic on UDP port 67 or UDP port 68. So if someone asks for a DHCP lease right now, I'll hear it. But since I didn't warn you that there would be audience participation, I'll have my laptop do it itself. So when I run that command, I can see the output of all of my yelling. And you can tell that I wasn't lying to you. Here's my Ethernet source address in the first packet that I send out, which is going to the Ethernet broadcast address. My source IP of all zeros, my destination IP of all ones. My message type, which is DHCP Discover right here. And this list of parameter requests, which I kind of glossed over in the English explanation, but there's a way in DHCP where you can say, these are the things that I want you to tell me about where I am and how I should operate on this network. So in this case, the DHCP server that happens to be operating on AppNexus guest is giving us some useful information. Some of the stuff was in the summary that I gave you, like the subnet mask. There's some more stuff like, here's the time zone that you're in, which if you, like me, came from a different time zone, your computer might find to be useful. Or you might want your computer not to honor that at all. You might want to say, I want to know what time it is back home. I don't care what time it is here. 
Which gets at an issue with DHCP that I'll talk a little bit more about later. It's also giving us some useful things like the default gateway, as I mentioned before. And some other options that tcpdump doesn't think are interesting. I would argue that all DHCP options are interesting. All 255 of them. Although I will admit that some are more interesting than others. If we follow the packets, we see the message exchange just as I described it, with some interleaved packets from other people, actually. Because it's yelling. So if someone else happens to be yelling while I'm yelling, I get both my traffic and theirs. And they're distinguished only by the different transaction IDs that are included in the messages. So you can see that this one right here is different from this one right here, which is why we don't get confused. So OK, Mindy, that's cool. You showed tcpdump, whatever. I can buy a zine and learn to be a wizard, too. Some DHCP options that I think are particularly interesting. Of course, one of them is NTP servers. So Joel gave a really great talk yesterday on NTP and why it's important. And why you might not want to just trust any arbitrary NTP server that some random person who's yelling in a public place tells you to use. One of the sort of threat models that Joel discussed is important in the context of the next DHCP option on this slide, which is Web Proxy Autodiscovery. That's DHCP option 252, and it's the best one. So Web Proxy Autodiscovery is a method by which a browser can try to figure out, OK, maybe I should be using a proxy on this network. Like maybe I should forward all of my web traffic through somewhere. But how can I find out where? What's really complicated? What should I do? I know. I'll include it in this public message that I broadcast to everyone to tell me how I should operate on the network. And they'll give me a link to somewhere that I can go and download a proxy definition. 
And then I'll treat that as if it's an explicit proxy that I put into my web browser. A fun thing about that threat model is that it is actually a really nice way to break TLS, along with a bad NTP server, which can cause you to not know what time it is. This is basically a really good way to completely break the entire security model of the browser. So be careful out there. There are some other things that can go wrong. So in the example that I gave you, everything went really well. Everybody was really happy with all the messages that they got. There were no problems. But there is another bit of yelling that you can get, which often happens after the first exchange of messages where the client says, give me some information. And the server says, here's some information. The client says, OK, can I use this information? And the server says, no. Because it may have already given that IP away to someone else. So what we can do in that case is just restart. The client will usually restart the whole process. There's another thing that can go wrong when nobody's listening. When you yell and there's just nobody there, like you're all alone on the network. Yeah, right? It's really sad. And the way that you usually find out that this has happened is you're like, oh man, why don't I have any internet? Like, the Wi-Fi is connected, but nothing's happening? And you go to look at your IP. And you have this fake bad IP, this IP that isn't really on a network anywhere. It looks like this. And it means that you're going to be sad. And you can actually cause everyone else's laptop to do this by just yelling "no" as often as you want to and pretending to be a server. In addition to broadcasting an emoji in an mDNS request, this is a really good way to have the Starbucks network to yourself. So in DHCP, yelling is common, but shushing is rare. On most networks, DHCP is unbelievably common; you'll connect to it everywhere. 
And most of the networks that we connect to that use DHCP don't have someone who's assigned to monitor them or make sure that no one's yelling random garbage in them. So if you go to any random public network and decide that you want to serve your own DHCP leases, nobody's going to stop you. In corporate environments where there's actually some kind of access control and people who get paid to monitor these kinds of things and deal with false positives, the situation is different. But most of the situations that I personally deal with aren't like that. I think the last time I was on a controlled corporate network of any kind was like three years ago. So I have a little bit of time, I think, for... OK. All right. So if you want to run your own DHCP server, there's a great program called dnsmasq. I was going to give you a quick demo. But it's probably not a great idea, because you probably don't want to get a DHCP lease from me. Simone gave me this badge that said "playfully evil." And that's a warning. If you want a cool DHCP lease, come up to me later. I'll give you one. We can deal with it privately, and you can get mad at me and punch me if you want to. Thanks for your attention.
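As an added illustration, not part of Mindy's talk or of any project's code, here is a Python sketch of the exchange the talk walks through: a client that yells Discover and Request with a transaction ID, a toy server that answers Offer and Ack (or "no", a NAK, when the requested address is not the one it offered), and a parser for the options the talk singles out (subnet, router, DNS, NTP option 42, WPAD option 252). It builds and parses the actual RFC 2131 wire layout in memory only; nothing is sent. The server address 10.0.0.1, the lease pool, the DNS/NTP/WPAD values and the client MACs are all constructed for the example.

```python
"""Toy DHCP Discover/Offer/Request/Ack exchange, in memory, in the real
RFC 2131 layout (236-byte BOOTP header, magic cookie, TLV options).
Nothing is sent; the bytes are what a client would broadcast from
0.0.0.0 to 255.255.255.255 (UDP 68 -> 67) and what a server would answer.
All addresses and option values below are constructed for illustration."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6      # option 53 values
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_NTP = 1, 3, 6, 42  # RFC 2132 codes
OPT_REQUESTED_IP, OPT_LEASE, OPT_MSGTYPE, OPT_SERVER_ID = 50, 51, 53, 54
OPT_PARAM_LIST, OPT_WPAD, OPT_END = 55, 252, 255         # 252 = WPAD URL
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
HDR = "!BBBBIHH4s4s4s4s16s64s128s"


def ip(dotted):
    return socket.inet_aton(dotted)


def ips(raw):
    """Decode an option payload that is a list of IPv4 addresses."""
    return [socket.inet_ntoa(raw[i:i + 4]) for i in range(0, len(raw), 4)]


def build(op, xid, mac, options, yiaddr="0.0.0.0", siaddr="0.0.0.0"):
    """Serialize one DHCP message; options is a list of (code, payload bytes)."""
    flags = 0x8000 if op == BOOTREQUEST else 0  # broadcast bit: "yell back at me"
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, flags,
                      ip("0.0.0.0"), ip(yiaddr), ip(siaddr), ip("0.0.0.0"),
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(data):
    """Parse a DHCP message into header fields plus an {option code: payload} dict."""
    f = struct.unpack(HDR, data[:236])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:            # pad option has no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "yiaddr": socket.inet_ntoa(f[8]),
            "chaddr": f[11][:f[2]], "type": opts.get(OPT_MSGTYPE, b"\0")[0],
            "options": opts}


class ToyServer:
    """One lease pool. Offers on Discover; Acks a Request for the address it
    offered that client, Naks a Request for anything else, and ignores a
    Request whose server-identifier (option 54) names some other server."""

    def __init__(self, server_ip, pool):
        self.server_ip, self.pool, self.offered = server_ip, list(pool), {}
        self.config = [  # constructed "here's your subnet, gateway, DNS, ..." values
            (OPT_SUBNET, ip("255.255.255.0")), (OPT_ROUTER, ip("10.0.0.1")),
            (OPT_DNS, ip("10.0.0.1") + ip("9.9.9.9")), (OPT_NTP, ip("10.0.0.1")),
            (OPT_WPAD, b"http://10.0.0.1/wpad.dat"), (OPT_LEASE, struct.pack("!I", 3600))]

    def reply(self, msg, mtype, extra=(), yiaddr="0.0.0.0"):
        opts = [(OPT_MSGTYPE, bytes([mtype])), (OPT_SERVER_ID, ip(self.server_ip))]
        return build(BOOTREPLY, msg["xid"], msg["chaddr"], opts + list(extra),
                     yiaddr, self.server_ip)

    def handle(self, raw):
        msg = parse(raw)
        if msg["type"] == DISCOVER:
            if msg["chaddr"] not in self.offered:
                self.offered[msg["chaddr"]] = self.pool.pop(0)
            return self.reply(msg, OFFER, self.config, self.offered[msg["chaddr"]])
        if msg["type"] == REQUEST:
            if msg["options"].get(OPT_SERVER_ID) != ip(self.server_ip):
                return None     # the client took somebody else's offer
            wanted = socket.inet_ntoa(msg["options"].get(OPT_REQUESTED_IP, b"\0" * 4))
            if self.offered.get(msg["chaddr"]) != wanted:
                return self.reply(msg, NAK)   # "no": the client starts over
            return self.reply(msg, ACK, self.config, wanted)
        return None


def client_dora(server, mac, xid):
    """Discover -> Offer -> Request -> Ack against server. Returns the lease as a
    dict, or None if the reply is not ours (xid mismatch) or the server Naks."""
    params = bytes([OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_NTP, OPT_WPAD])
    offer = parse(server.handle(build(BOOTREQUEST, xid, mac,
        [(OPT_MSGTYPE, bytes([DISCOVER])), (OPT_PARAM_LIST, params)])))
    if offer["xid"] != xid or offer["type"] != OFFER:
        return None             # somebody else's yelling; ignore it
    ack = parse(server.handle(build(BOOTREQUEST, xid, mac,
        [(OPT_MSGTYPE, bytes([REQUEST])), (OPT_REQUESTED_IP, ip(offer["yiaddr"])),
         (OPT_SERVER_ID, offer["options"][OPT_SERVER_ID]), (OPT_PARAM_LIST, params)])))
    if ack["xid"] != xid or ack["type"] != ACK:
        return None
    o = ack["options"]
    return {"ip": ack["yiaddr"], "mask": ips(o[OPT_SUBNET])[0], "router": ips(o[OPT_ROUTER]),
            "dns": ips(o[OPT_DNS]), "ntp": ips(o[OPT_NTP]), "wpad": o[OPT_WPAD].decode(),
            "lease_seconds": struct.unpack("!I", o[OPT_LEASE])[0]}


if __name__ == "__main__":
    srv = ToyServer("10.0.0.1", ["10.0.0.50", "10.0.0.51"])
    print(client_dora(srv, b"\xde\xad\xbe\xef\x00\x01", 0x12345678))
```

The lease dict that comes back is exactly the list of things the talk says a client needs (address, mask, gateway, DNS) plus the two options it flags as dangerous to accept blindly: whoever answers on the local broadcast domain also gets to name your NTP server and, via option 252, a URL whose contents become your browser's proxy configuration. To watch the real thing rather than this simulation, the tcpdump invocation the talk describes in English corresponds to `tcpdump -A -v -e -n -i <your wireless interface> 'udp port 67 or udp port 68'` (this command line is my reconstruction of that description).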