
James Harper wrote:
https://en.wikipedia.org/wiki/Preboot_Execution_Environment#Integration So the DHCP client does a DISCOVER, and the DHCP and PXE servers both reply with independent OFFERs, and the client somehow merges them together[ ... YUK.]
That's exactly right, and it's actually really good. Your DHCP server can just focus on assigning addresses, and your PXE server(s) focus on looking things up in databases and assigning the right boot image etc. I can see why you'd be a bit "yuck" about it on a small scale though.
I meant yuk more in the sense of: now the DHCP poisoner doesn't need to race with the legitimate DHCP server. As long as the legitimate DHCP server doesn't offer PXE, he can guarantee his own PXE rules will be used, every time. And the standard answer appears to be something like: if your threat model includes attackers with access to LAN, buy programmable switches and instruct them to discard DHCPOFFERs except from specific ports (and physically secure both the switches and the whitelisted ports).
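The failure mode described above (a legitimate DHCP server that never offers PXE, so a second OFFER carrying boot parameters is never contested) can be watched for on the wire even before the switch-side filtering is in place. The following Python is an added example, not code from anyone in this thread: it builds a few constructed DHCPOFFER messages (TEST-NET addresses, hypothetical allowlists AUTHORIZED_DHCP and AUTHORIZED_PXE), parses the option TLVs, and flags any offer that carries PXE data (options 60/66/67 or a non-empty bootfile field) from a server that is not on the PXE allowlist, or any offer at all from a server on neither list. The server identifier (option 54) is attacker-controlled, so a real sensor should also key on the ingress port or source MAC, which is exactly what the port-based DHCPOFFER filtering in the message does.

```python
"""Flag DHCP offers that carry PXE boot parameters from servers not on an
allowlist (added example; constructed packets, not captured traffic)."""
import struct
from ipaddress import ip_address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPOFFER = 2
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_VENDOR_CLASS = 53, 54, 60
OPT_TFTP_SERVER, OPT_BOOTFILE = 66, 67
OPT_PAD, OPT_END = 0, 255

# Assumed site policy (hypothetical TEST-NET addresses): one server hands out
# addresses, a separate proxyDHCP host is the only one allowed to answer with PXE data.
AUTHORIZED_DHCP = {"192.0.2.1"}
AUTHORIZED_PXE = {"192.0.2.2"}


def build_offer(yiaddr, server_id, extra_options=(), bootfile=b""):
    """Construct a minimal BOOTP/DHCP OFFER message body (sample data only)."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, 0x2A2A2A2A, 0, 0,             # op=BOOTREPLY, Ethernet, hlen, hops, xid, secs, flags
        b"\0" * 4, ip_address(yiaddr).packed,     # ciaddr, yiaddr
        ip_address(server_id).packed, b"\0" * 4,  # siaddr (next-server), giaddr
        b"\0" * 16, b"\0" * 64, bootfile,         # chaddr, sname, file
    )
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4]) + ip_address(server_id).packed
    for code, value in extra_options:
        opts += bytes([code, len(value)]) + value
    return fixed + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_offer(pkt):
    """Return the fixed header fields and the option TLVs of a DHCP message."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    f = struct.unpack("!BBBBIHH4s4s4s4s", pkt[:28])
    info = {
        "op": f[0],
        "yiaddr": str(ip_address(f[8])),
        "siaddr": str(ip_address(f[9])),
        "file": pkt[108:236].split(b"\0", 1)[0],   # 128-byte bootfile field
        "options": {},
    }
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = pkt[i + 1]
        info["options"][code] = pkt[i + 2 : i + 2 + length]
        i += 2 + length
    return info


def classify_offer(pkt, authorized_dhcp=AUTHORIZED_DHCP, authorized_pxe=AUTHORIZED_PXE):
    """Verdict for one OFFER: 'address-offer', 'pxe-offer', 'unexpected-pxe' or 'rogue'."""
    info = parse_offer(pkt)
    opts = info["options"]
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return "not-an-offer"
    # Option 54 is attacker-controlled; a real sensor should also key on ingress port / MAC.
    server = str(ip_address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else info["siaddr"]
    carries_pxe = (
        OPT_TFTP_SERVER in opts or OPT_BOOTFILE in opts or bool(info["file"])
        or opts.get(OPT_VENDOR_CLASS, b"").startswith(b"PXEClient")
    )
    if server not in authorized_dhcp and server not in authorized_pxe:
        return "rogue"
    if carries_pxe and server not in authorized_pxe:
        return "unexpected-pxe"
    return "pxe-offer" if carries_pxe else "address-offer"


# Constructed sample traffic for one DISCOVER round (not captured data).
SAMPLE_OFFERS = {
    "dhcp-server": build_offer("192.0.2.50", "192.0.2.1"),
    "proxy-pxe": build_offer("0.0.0.0", "192.0.2.2",
                             [(OPT_VENDOR_CLASS, b"PXEClient"), (OPT_BOOTFILE, b"pxelinux.0")]),
    "lan-rogue": build_offer("0.0.0.0", "198.51.100.9",
                             [(OPT_TFTP_SERVER, b"198.51.100.9")], bootfile=b"boot.efi"),
    "dhcp-server-with-pxe": build_offer("192.0.2.51", "192.0.2.1", bootfile=b"pxelinux.0"),
}


def audit(samples=SAMPLE_OFFERS):
    """Classify every sample; anything but 'address-offer' / 'pxe-offer' deserves an alert."""
    return {name: classify_offer(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:24s} {verdict}")
```

Run as a script it prints one verdict per sample; fed with real OFFERs (for example from a broadcast listener on UDP 68) the same classify_offer() call gives a per-packet alert feed that complements, rather than replaces, the port-level DHCPOFFER filtering.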