Question about dhcp-client-identifier

Darren perl-list at
Wed Aug 22 14:39:03 UTC 2007

> Ok, so let's try and understand this. Joe User with a certain mac
> address is happily working away. A Bad Guy tracks his connection
> somehow and borrows his mac address, then connects to the same network
> but a different subnet. You want him to be denied an IP address by
> dhcp. All that shows up in the logs is that a particular mac address
> turned up on another subnet. Happens a lot if you have roving laptops.
We are aware that this is a problem for roving laptops.  We can handle 
that on the support/administrative end of things.
> What happens if the Bad Guy manually assigns himself an IP address that
> is valid for the subnet? Instant access...
We have other methods in place for making it impossible for a user to 
statically assign himself an IP.

> What about the same scene, but on the same subnet? The new device can
> steal all the connections that Joe User had. This is one way to do ARP
> cache poisoning. There are others that don't require the use of a
> duplicated mac address.
We aren't particularly concerned about a user causing another user 
problems, we will deal with that on the administrative/support side.  We 
ARE concerned about a user being able to "hide".

> As has been said many times on this list, DHCP is not a security
> enforcement service. By its very nature it happily hands out IP
> addresses to unauthenticated devices on the network.
Understood - we would never use it as a security device.  We merely 
would like to be able to make the data from DHCP more useful.

> regards,
> -glenn

More information about the dhcp-users mailing list