W. Wimer
Request for Comments: 1542
October 1993

There are many factors which make BOOTP in its current form quite insecure. BOOTP is built directly upon UDP and IP which are as yet inherently insecure themselves. Furthermore, BOOTP is generally intended to make maintenance of remote and/or diskless hosts easier. While perhaps not impossible, configuring such hosts with passwords or keys may be difficult and inconvenient. This makes it difficult to provide any form of reasonable authentication between servers and clients.

Unauthorized BOOTP servers may easily be set up. Such servers can then send false and potentially disruptive information to clients such as incorrect or duplicate IP addresses, incorrect routing information (including spoof routers, etc.), incorrect domain nameserver addresses (such as spoof nameservers), and so on. Clearly, once this "seed" mis-information is planted, an attacker can further compromise the affected systems.

Unauthorized BOOTP relay agents may present some of the same problems as unauthorized BOOTP servers.

Malicious BOOTP clients could masquerade as legitimate clients and retrieve information intended for those legitimate clients. Where dynamic allocation of resources is used, a malicious client could claim all resources for itself, thereby denying resources to legitimate clients.

Copyright (C) The Internet Society (1998). All Rights Reserved.