Question about dhcp-client-identifier
perl-list at network1.net
Wed Aug 22 14:39:03 UTC 2007
> Ok, so let's try and understand this. Joe User with a certain mac
> address is happily working away. A Bad Guy tracks his connection
> somehow and borrows his mac address, then connects to the same network
> but a different subnet. You want him to be denied an IP address by
> dhcp. All that shows up in the logs is that a particular mac address
> turned up on another subnet. Happens a lot if you have roving laptops.
We are aware that this is a problem for roving laptops. We can handle
that on the support/administrative end of things.
> What happens if the Bad Guy manually assigns himself an IP address that
> is valid for the subnet? Instant access...
We have other methods in place for making it impossible for a user to
statically assign himself an IP.
> What about the same scene, but on the same subnet? The new device can
> steal all the connections that Joe User had. This is one way to do ARP
> cache poisoning. There are others that don't require the use of a
> duplicated mac address.
We aren't particularly concerned about a user causing another user
problems; we will deal with that on the administrative/support side. We
ARE concerned about a user being able to "hide".
> As has been said many times on this list, DHCP is not a security
> enforcement service. By its very nature it happily hands out IP
> addresses to unauthenticated devices on the network.
Understood - we would never use it as a security device. We merely
would like to be able to make the data from DHCP more useful.
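One way to make the DHCP data more useful in the sense discussed above is to report, from the server's own syslog lines, every MAC address that has been acknowledged on more than one subnet. This is an added example for the thread, not code from the original poster or from the ISC server; the log lines and the subnet plan are constructed, and in practice the subnets would come from dhcpd.conf. Such a report is a lead for the support side (roving laptops and duplicated MACs look the same in the log), not an enforcement decision.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the DHCPACK syslog format ISC dhcpd writes.
SAMPLE_LOG = """\
Aug 22 14:01:02 dhcp1 dhcpd: DHCPACK on 10.10.1.25 to 00:11:22:33:44:55 (joes-laptop) via eth0
Aug 22 14:05:40 dhcp1 dhcpd: DHCPACK on 10.10.1.26 to 00:aa:bb:cc:dd:ee (printer) via eth0
Aug 22 14:20:11 dhcp1 dhcpd: DHCPACK on 10.10.1.25 to 00:11:22:33:44:55 (joes-laptop) via eth0
Aug 22 14:31:09 dhcp1 dhcpd: DHCPACK on 10.10.2.77 to 00:11:22:33:44:55 via eth1
"""

# Assumed subnet plan for the example (hypothetical); take it from dhcpd.conf in practice.
SUBNETS = [ipaddress.ip_network("10.10.1.0/24"), ipaddress.ip_network("10.10.2.0/24")]

# Only DHCPACK lines matter: they record a lease the server actually handed out.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def subnet_of(ip):
    """Map a leased address to the configured subnet it belongs to (None if unknown)."""
    addr = ipaddress.ip_address(ip)
    for net in SUBNETS:
        if addr in net:
            return net
    return None


def macs_by_subnet(log_text):
    """Collect, per MAC address, the set of subnets on which it received a lease."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        net = subnet_of(m.group("ip"))
        if net is not None:
            seen[m.group("mac").lower()].add(str(net))
    return seen


def roaming_macs(log_text):
    """Return {mac: sorted subnets} for every MAC acknowledged on more than one subnet."""
    return {mac: sorted(nets) for mac, nets in macs_by_subnet(log_text).items() if len(nets) > 1}
```

Running it over the sample flags 00:11:22:33:44:55 on both subnets while the printer, seen on one subnet only, is not reported.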