[agwa]

Ignoring or blocking these options is trivial but ineffective since the DHCP server can still send a malicious subnet mask.

(Edited to replace "default gateway" with "subnet mask")

[peddling-brink]

Forgive my ignorance, but what could a malicious gateway do in this instance?

[agwa]

Whoops, I posted too early in the morning, I meant to say "malicious subnet mask" :-)

Basically, the DHCP server sends a subnet mask for an absolutely huge subnet (e.g. a /2), and the route for that subnet takes precedence over the VPN route. The attacker can only intercept 25% of the IPv4 address space with a /2 but that's still pretty bad.

[peddling-brink]

Clever, thanks!