Question about dhcp-client-identifier

Simon Hobson dhcp1 at thehobsons.co.uk
Wed Aug 22 15:22:35 UTC 2007


Darren wrote:

>I understand that this behavior is totally against RFC, however, in the
>USA, this behavior is desirable due to CALEA.  So maybe you can call it
>a CALEA option?  For further information regarding CALEA:
>http://www.askcalea.net/

Ahh, so the idea is that you need to do the impossible !

The simple fact is that it isn't possible to provide a legally 
admissible 'trail' by using the MAC address. No matter what measures 
you put in place, it's going to be possible to work around them.

For example, someone observes a target, gets their MAC address and 
waits until they pack up and leave. They now set their MAC address, 
plug in, and get that user's IP - the 'baddie' is now 
indistinguishable from their mark and nothing you do at the DHCP 
level will change that. Because such a technique is so easy, I doubt 
that any court would accept such evidence as admissible, so really 
you are wasting your time trying to 'preserve' it.

What you can do is record other information (such as circuit id) 
which (given sufficiently detailed and secure records) would allow you 
to tie down the 'baddie' to a particular wall socket - but again it's 
going to be hard to pin that down to a single person to the standards 
required for court evidence.

I think that still applies even with the modern government attitude 
(both there and here) of "guilty by accusation unless proven 
innocent".


The simple response should you be 'demanded' to provide information 
is that such information is not technically available and would not 
be reliable even if it was. To make it so would require considerably 
more than what you are asking for - like recording option 82 (circuit 
ID), having solid patching records, and CCTV covering every outlet ! 
You sound in danger of logging 'evidence' that is no such thing.


I think that to provide the evidence you need would require that all 
connections be authenticated - for example by putting all users in a 
walled garden and requiring them to use (for example) a VPN before 
they can do ANYTHING. Spoofing a MAC address would then not work 
because the VPN would simply break and the 'baddie' would gain 
nothing. Ethernet does NOT provide anything like that level of 
accountability.

Of course, none of this is DHCP specific.


More information about the dhcp-users mailing list
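
The message above suggests recording option 82 (circuit ID) next to the MAC address. The following is an added example, not part of the original message or of ISC DHCP: it parses the relay agent sub-options from a DHCP options field and reports any MAC address seen on more than one circuit. Function names and the sample packets are constructed for illustration.

```python
from collections import defaultdict

PAD, END, RELAY_AGENT_INFO = 0, 255, 82  # DHCP option codes
CIRCUIT_ID, REMOTE_ID = 1, 2             # option 82 sub-options (RFC 3046)

def parse_tlv(buf, dhcp_framing=True):
    """Parse code/length/value triples; reject truncated input."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if dhcp_framing and code == PAD:   # single-byte padding option
            i += 1
            continue
        if dhcp_framing and code == END:   # end of the options field
            break
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated option %d" % code)
        length = buf[i + 1]
        # A repeated option code is concatenated rather than overwritten.
        out[code] = out.get(code, b"") + buf[i + 2:i + 2 + length]
        i += 2 + length
    return out

def lease_record(chaddr, options):
    """Return (mac, circuit_id, remote_id); IDs are None if no relay added them."""
    opts = parse_tlv(options)
    sub = parse_tlv(opts.get(RELAY_AGENT_INFO, b""), dhcp_framing=False)
    mac = ":".join("%02x" % b for b in chaddr[:6])
    return mac, sub.get(CIRCUIT_ID), sub.get(REMOTE_ID)

def macs_seen_on_multiple_circuits(records):
    """Map each MAC to the (remote_id, circuit_id) pairs it appeared on; keep >1."""
    seen = defaultdict(set)
    for mac, circuit, remote in records:
        seen[mac].add((remote, circuit))
    return {m: c for m, c in seen.items() if len(c) > 1}

def _opt82(circuit, remote):
    """Build a constructed options field: message type REQUEST plus option 82."""
    body = bytes([CIRCUIT_ID, len(circuit)]) + circuit
    body += bytes([REMOTE_ID, len(remote)]) + remote
    return bytes([53, 1, 3, RELAY_AGENT_INFO, len(body)]) + body + bytes([END])

# Constructed sample: locally administered MACs, made-up switch/port names.
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE = [(MAC_A, _opt82(b"sw1/port7", b"sw1")),
          (MAC_B, _opt82(b"sw1/port9", b"sw1")),
          (MAC_A, _opt82(b"sw2/port3", b"sw2"))]
RECORDS = [lease_record(c, o) for c, o in SAMPLE]
```

A laptop carried from one socket to another produces the same result as a copied MAC address, so the output points at sockets to check against patching records, not at a person.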