The DHCP protocol could be modified, for example to work with WEP/WPA verification, and the system could be given blanket control over all switching operations so that rogue DHCP servers are kept off the network. This could be done with a Layer 4 switch that blocks DHCP services unless they originate from the trusted DHCP server. The switch, whether it controls a single Wireless Access Point, multiple WAPs, or wired ports, could then prevent someone from plugging another router into the network to create an internal network mapped through IP (Layer 3) Network Address Translation (NAT) and TCP (Layer 4) Port Address Translation (PAT). Such a rogue network could theoretically be used to re-route traffic away from the services defined by the authorized DHCP server and pass it through a proxy-style, high-level intelligent routing layer that could steal logins and passwords, not to mention financial information, social security numbers, and any other information transmitted over the network.
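The switch-side filtering described above (dropping DHCP server traffic that does not come from the trusted server) is, in practice, the policy that a switch's DHCP snooping feature enforces: server-to-client messages are only accepted on designated trusted ports, and optionally only from an allow-listed server identifier. The following is an added example, not code from the original post: it parses raw DHCP messages (BOOTP header plus options) and applies that trusted-port / trusted-server policy to a few constructed frames. Port names, addresses and MAC addresses are invented for the illustration.

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple, List

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie at offset 236
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # messages only a server should send


@dataclass
class DhcpMessage:
    op: int
    xid: int
    yiaddr: str
    chaddr: str
    msg_type: Optional[str]
    server_id: Optional[str]


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Parse the fixed BOOTP header and the TLV option area of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))
    chaddr = payload[28:28 + hlen].hex(":")
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:              # END option
            break
        if code == 0:                # PAD option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option value")
        options[code] = data
        i += 2 + length
    msg_type = MSG_TYPES.get(options[53][0]) if options.get(53) else None
    server_id = str(ipaddress.IPv4Address(options[54])) if len(options.get(54, b"")) == 4 else None
    return DhcpMessage(op, xid, yiaddr, chaddr, msg_type, server_id)


def check_snooping(port: str, trusted_ports: Set[str], trusted_servers: Set[str],
                   msg: DhcpMessage) -> Tuple[str, str]:
    """Trusted-port / trusted-server policy: return ("PERMIT"|"DROP", reason)."""
    is_server_msg = msg.op == BOOTREPLY or msg.msg_type in SERVER_MESSAGES
    if not is_server_msg:
        return "PERMIT", "client message"
    if port not in trusted_ports:
        return "DROP", f"server message on untrusted port {port}"
    if msg.server_id not in trusted_servers:
        return "DROP", f"server identifier {msg.server_id} not in allow list"
    return "PERMIT", f"server message from {msg.server_id} on trusted port {port}"


def build_dhcp(op: int, xid: int, yiaddr: str, chaddr: str, msg_type: int,
               server_id: Optional[str] = None) -> bytes:
    """Construct a minimal DHCP message for the demonstration (sample data, not captured traffic)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    hdr += bytes(4)                                      # ciaddr
    hdr += ipaddress.IPv4Address(yiaddr).packed          # yiaddr
    hdr += bytes(8)                                      # siaddr, giaddr
    hdr += bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\x00")  # chaddr
    hdr += bytes(64 + 128)                               # sname, file
    opts = bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed
    return hdr + DHCP_MAGIC + opts + b"\xff"


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: one legitimate OFFER, one rogue OFFER from an access port, one DISCOVER."""
    trusted_ports = {"Gi1/0/48"}       # assumed uplink toward the real DHCP server
    trusted_servers = {"10.0.0.2"}     # assumed address of the authorized server
    mac = "aa:bb:cc:dd:ee:01"
    frames = [
        ("Gi1/0/48", build_dhcp(BOOTREPLY, 0x1234, "10.0.0.50", mac, 2, "10.0.0.2")),
        ("Gi1/0/7",  build_dhcp(BOOTREPLY, 0x1234, "192.168.1.50", mac, 2, "192.168.1.1")),
        ("Gi1/0/7",  build_dhcp(BOOTREQUEST, 0x1234, "0.0.0.0", mac, 1)),
    ]
    return [check_snooping(p, trusted_ports, trusted_servers, parse_dhcp(raw)) for p, raw in frames]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(verdict, "-", reason)
```

The second frame is the case the paragraph worries about: a consumer router on an access port answering a client's DISCOVER with its own 192.168.1.x lease. The policy drops it before the server identifier is even consulted, because server-side messages are never accepted from untrusted ports; the allow-list check is a second layer for the case where a rogue server is reachable through the trusted uplink.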
The way DHCP works for client systems should change as well, for example by having the client learn the DHCP server from a local DNS server (Layer 7) that cooperates with Layer 3 (routing), which would completely change how a client must access DHCP services. The client could be required to register in the Layer 3 table with a temporary IP address while its security is checked; as it negotiates its connection with the actual DHCP server through a Layer 7 verification method, it would not be allowed to communicate with other devices on the network. The system could perform a fairly forensic analysis of the client's network interface to determine whether it is spoofing its MAC address, for instance by requesting a security key from the device that is verified by a third party such as Verisign; even a company like Dyn could implement this type of Layer 7 security negotiation. The connection to the Internet could also be restricted so that only the security parameters can be communicated, which matters where the network is not attached to the outside world at all, as in an internal Financial Services company.
Other methods, similar or dissimilar to this one, could also be used. Obviously it is going to take a major organization, such as the IEEE and/or ICANN, to implement changes like this.