Bug#329939: dhcp3-client: please expand security-related options (such as reject) to accept networks
David W. Hankins
David_Hankins at isc.org
Thu Oct 6 19:59:51 UTC 2005
On Thu, Oct 06, 2005 at 09:35:21PM +1000, Andrew Pollock wrote:
> > It would be *very* handy to be able to:
> >
> > reject 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 169.254.0.0/16;
There is a 'reject subnet' patch on the dhcp-suggest queue already for
3.1.0 consideration which basically does this.
> > to at least reject all rogue DHCP servers caused by morons in the local
> > cable/ADSL network (which IS quite common), and fucked up cable modems that
> > are non-configurable and try to give you broken addresses when the cable is
> > down (which is even more common than morons with DHCP servers, at least here
> > in Brazil). It won't get real attacks, but these are very very rare.
> >
> > Obviously there is absolutely no acceptable way to do this on dhclient3
> > currently. Packet filter rules must be used on the prerouting chain...
> > which is ugly at best.
And still doesn't solve the problem, since server addresses are easily
spoofable (give out a giant lease time and you don't have to worry about
renewals, the client digests your bad options forever).
Server/client authentication and authorization need to become commonplace,
somehow.
--
David W. Hankins
Software Engineer
Internet Systems Consortium, Inc.

"If you don't do it right the first time,
you'll just have to do it again."
-- Jack T. Hankins
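As an added illustration of the network-aware 'reject' syntax requested above (example code written for this archive page, not ISC dhclient code and not the dhcp-suggest patch), the following parses both the existing single-host form and the proposed CIDR form and checks a DHCPOFFER's server identifier against them. The sample configuration is constructed; the parser and `strict=False` network handling are assumptions about how such a feature might be implemented, not a description of dhclient's actual parser.

```python
import ipaddress
import re

# Constructed sample dhclient.conf fragment: one statement in the single-host
# form dhclient already accepts, one in the proposed CIDR-list form.
SAMPLE_CONF = """
reject 192.0.2.99;
reject 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 169.254.0.0/16;
"""

# One 'reject' statement per match; the operand list runs up to the ';'.
_REJECT_RE = re.compile(r"^\s*reject\s+([^;]+);", re.MULTILINE)


def parse_reject(conf):
    """Return the networks named by every 'reject' statement in conf.

    A bare address becomes a /32 host network, a CIDR token becomes the
    network it names (strict=False tolerates host bits set in the prefix).
    """
    nets = []
    for match in _REJECT_RE.finditer(conf):
        for token in match.group(1).split():
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def is_rejected(server_id, nets):
    """True if the offer's server identifier lies in any rejected network.

    As the reply above notes, the server identifier is attacker-controlled,
    so this only filters misconfigured or accidental servers; it is not an
    authentication mechanism.
    """
    addr = ipaddress.ip_address(server_id)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    rejected = parse_reject(SAMPLE_CONF)
    for offer in ("10.20.30.40", "169.254.1.1", "203.0.113.5"):
        print(offer, "rejected" if is_rejected(offer, rejected) else "accepted")
```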