Juniper DHCP service security issue

by chen-gi - 12/27/12 7:02 PM

Hi All,
I found out that Juniper devices (M/MX series, BRAS) have a DHCP security problem if you turn on the DHCP function.
In the Juniper DHCP configuration, an unnumbered interface needs to be applied to the sub-interface. I found out that my PC can use a fixed IP address to access this network and can also forward packets. I don't know what is happening!
I did not configure any static route to the sub-interface, but the router can still forward packets to the PC, and the PC can freely use any IP address in the whole subnet (fixed IP).
This security issue occurs on all Juniper devices, so if you have turned on the DHCP function on a Juniper device you need to watch out for this.

Sample configuration:
lab1@M-re0# show
system {
    services {
        dhcp-local-server {
            group IPv4 {
                interface ge-10/2/0.1;
            }
        }
    }
}
logical-systems {
    PC-1 {
        interfaces {
            ge-10/2/1 {
                unit 1 {
                    vlan-id 1;
                    family inet {
                        address 120.0.0.1/16;
                    }
                }
            }
        }
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 120.100.0.254;
            }
        }
    }
}
interfaces {
    ge-10/2/0 {
        flexible-vlan-tagging;
        encapsulation flexible-ethernet-services;
        unit 1 {
            vlan-id 1;
            family inet {
                rpf-check;
                unnumbered-address lo0.0 preferred-source-address 120.100.0.254;
            }
        }
        unit 2 {
            vlan-id 2;
            family inet {
                address 130.1.1.254/30;
            }
        }
    }
    ge-10/2/1 {
        flexible-vlan-tagging;
        encapsulation flexible-ethernet-services;
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.10.10.254/32;
                address 120.100.0.254/32;
            }
        }
    }
    ge-10/2/2 {
        unit 0 {
            family inet {
                address 192.168.1.1/32;
            }
        }
    }
}
access {
    address-assignment {
        pool test1 {
            family inet {
                network 120.100.0.0/24;
                range 1 {
                    low 120.100.0.100;
                    high 120.100.0.200;
                }
            }
        }
    }
}
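
An added example, not part of the original post and not Juniper code: a Python audit script that parses a Junos configuration like the one above and lists the units that are both DHCP local-server interfaces and unnumbered, together with the pool subnet they borrow from, so source-address filtering on them can be reviewed. The function names, the trimmed sample and the rule used to match a pool to a unit are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the relevant stanzas of the configuration posted above.
SAMPLE = """
system { services { dhcp-local-server { group IPv4 { interface ge-10/2/0.1; } } } }
interfaces { ge-10/2/0 {
    unit 1 { vlan-id 1; family inet { rpf-check;
        unnumbered-address lo0.0 preferred-source-address 120.100.0.254; } }
    unit 2 { vlan-id 2; family inet { address 130.1.1.254/30; } } } }
access { address-assignment { pool test1 { family inet {
    network 120.100.0.0/24; range 1 { low 120.100.0.100; high 120.100.0.200; } } } } }
"""

def leaves(text):
    """Yield (path, words) for each ';'-terminated statement in a Junos config."""
    path, words = [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            path.append(" ".join(words))   # words before '{' name the new level
            words = []
        elif tok == "}":
            path.pop()
        elif tok == ";":
            yield tuple(path), words
            words = []
        else:
            words.append(tok)

def audit(text):
    """Return (unit, pool, network, low, high) for DHCP-served unnumbered units."""
    dhcp_ifs, unnumbered, pools = set(), {}, {}
    for path, w in leaves(text):
        if "dhcp-local-server" in path and w[0] == "interface":
            dhcp_ifs.add(w[1])
        elif path[:1] == ("interfaces",) and w[0] == "unnumbered-address":
            unit = f"{path[1]}.{path[2].split()[1]}"   # e.g. ge-10/2/0 + unit 1
            if "preferred-source-address" in w:
                unnumbered[unit] = w[w.index("preferred-source-address") + 1]
        elif "address-assignment" in path and w[0] in ("network", "low", "high"):
            name = next(p.split()[1] for p in path if p.startswith("pool "))
            pools.setdefault(name, {})[w[0]] = w[1]

    findings = []
    for unit in sorted(dhcp_ifs & set(unnumbered)):
        for name, p in pools.items():
            # Assumption: a unit is served by the pool whose network contains
            # the unit's preferred-source-address.
            if ipaddress.ip_address(unnumbered[unit]) in ipaddress.ip_network(p["network"]):
                findings.append((unit, name, p["network"], p["low"], p["high"]))
    return findings
```

Calling `audit()` on the text of a saved configuration returns one tuple per unit to review; the only pool statements it reads are `network`, `low` and `high`.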