secure dhcp

David W. Hankins David_Hankins at isc.org
Wed Apr 26 18:46:01 UTC 2006


On Wed, Apr 26, 2006 at 12:29:46AM -0500, Carl Karsten wrote:
> I did just find this: http://wiki.etherboot.org/pmwiki.php/Main/SafeBootMode

That describes a good method I think, but we ISC folk are wary of the
idea of distributing software with a key built-in.  Particularly if it's
going to be burned onto ROMs and possesses no reliable key revocation
method.

In the absence of a better solution, however, it's hard to criticize.


I think DHCP needs to learn from SSH's key distribution model.

But that requires the client have some stable storage, so it can
remember the keys the user has vetted to provide config for the
device.

Fair chicken/egg problem for folks with only ROMs.


> > Got a URL for gPXE?
> 
> gPXE is the next etherboot - about the only evidence I could find:
> http://cvs.sourceforge.net/viewcvs.py/etherboot/etherboot/gpxe-0.5/

I assume the name 'gPXE' though is supposed to imply 'Gnu PXE'?

I also presume then, that it would not be running at a level where
for example gnupg could be invoked.

That's pretty much it for all my random ideas then.

-- 
David W. Hankins		"If you don't do it right the first time,
Software Engineer			you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins


More information about the dhcp-users mailing list
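
An added illustration, not part of the original message or of any ISC code: the SSH-style key model the message proposes, applied to a DHCP client that pins a server's key after the user vets it, and what changes when the client has no stable storage. The `KnownServers` class, the server identifier, the key blobs and the file name are hypothetical, and how a server would present its key to the client is assumed, not specified.

```python
import base64, hashlib, json, os, tempfile

def fingerprint(pubkey: bytes) -> str:
    """SSH-style SHA256 fingerprint of a raw public key blob."""
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

class KnownServers:
    """Pinned DHCP server keys, analogous to SSH's known_hosts file."""

    def __init__(self, path=None):
        # path=None models a ROM-only client with no stable storage.
        self.path = path
        self.pins = {}
        if path and os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    def check(self, server_id: str, pubkey: bytes) -> str:
        pinned = self.pins.get(server_id)
        if pinned is None:
            return "unknown"      # first contact: the user must vet the key
        if pinned == fingerprint(pubkey):
            return "trusted"
        return "changed"          # pinned key differs: refuse the config

    def accept(self, server_id: str, pubkey: bytes) -> None:
        """Record a key the user has vetted; persist it if storage exists."""
        self.pins[server_id] = fingerprint(pubkey)
        if self.path:
            tmp = self.path + ".tmp"
            with open(tmp, "w") as fh:
                json.dump(self.pins, fh)
            os.replace(tmp, self.path)  # atomic swap, no half-written file

def demo():
    """Constructed keys and server id; returns results across two 'boots'."""
    good, rogue = b"constructed-server-key", b"constructed-rogue-key"
    store_path = os.path.join(tempfile.mkdtemp(), "known_dhcp_servers.json")
    boot1 = KnownServers(store_path)
    first = boot1.check("192.0.2.1", good)
    boot1.accept("192.0.2.1", good)
    boot2 = KnownServers(store_path)          # reboot with stable storage
    rom = KnownServers(None)                  # reboot without it
    return (first, boot2.check("192.0.2.1", good),
            boot2.check("192.0.2.1", rogue), rom.check("192.0.2.1", good))

if __name__ == "__main__":
    print(demo())
```

The last element of the result is the chicken-and-egg case: without stable storage every boot is a first contact, so the pin never protects the client.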