DHCP Spoofing -- Dynamic Host Configuration Protocol (DHCP), described in RFC 1541, is an extension of the Bootstrap Protocol (BOOTP).

DHCP allows hosts on a TCP/IP network to dynamically obtain basic configuration information.

When a DHCP client starts up, it broadcasts a DHCP discovery packet looking for DHCP servers. DHCP servers respond to this packet with a DHCP offer packet. The client then chooses a server to obtain TCP/IP configuration information (such as an IP address). The configuration information is allocated (leased) to the client for a short period of time (such as seconds or minutes); the client must periodically renew its lease in order to continue to use the configuration.

SecurID and DHCP Spoofing -- If a DHCP client needs to connect to a remote DHCP server through a Pipeline, using a security card and the Ascend Password Protocol (APP) for Windows, the client needs to be given a temporary address by the Pipeline. This is because Ascend Password Protocol (APP) authentication must occur before the call to the remote network can be made. APP authentication requires an IP address, but will accept a temporary address supplied by the Pipeline.

The Pipeline can be configured to temporarily act as a DHCP server for its local clients by "spoofing" a DHCP-supplied IP address if there in no active connection to a remote network and a DHCP server. When the Pipeline receives a DHCP discover packet from a client it supplies the client an IP address with a short lease time so the client can successfully pass APP authentication (that is, enter the PIN from the SecurID card). After the client is authenticated via APP and it attempts to renew its lease on the address, the Pipeline refuses the request and establishes the call to the remote network and the real DHCP server. The client then receives the address from the DHCP server and the spoofed address can be used for the next client.