Question about dhcp-client-identifier
Simon Hobson
dhcp1 at thehobsons.co.uk
Wed Aug 22 15:22:35 UTC 2007
Darren wrote:
>I understand that this behavior is totally against RFC, however, in the
>USA, this behavior is desirable due to CALEA. So maybe you can call it
>a CALEA option? For further information regarding CALEA:
>http://www.askcalea.net/
Ahh, so the idea is that you need to do the impossible !
The simple fact is that it isn't possible to provide a legally
admissible 'trail' by using the MAC address. No matter what measures
you put in place, it's going to be possible to work around them.
For example, someone observes a target, gets their MAC address and
waits until they pack up and leave. They now set their MAC address,
plug in, and get that users IP - the 'baddie' is now
indistinguishable from their mark and nothing you do at the DHCP
level will change that. Because such a technique is so easy, I doubt
that any court would accept such evidence as admissible, so really
you are wasting your time trying to 'preserve' it.
What you can do is record other information (such as circuit id)
which (given sufficiently detailed and secure records) would allow you
to tie down the 'baddie' to a particular wall socket - but again it's
going to be hard to pin that down to a single person to the standards
required for court evidence.
I think that still applies even with the modern government attitude
(both there and here) of "guilty by accusation unless proven
innocent".
The simple response should you be 'demanded' to provide information
is that such information is not technically available and would not
be reliable even if it was. To make it so would require considerably
more than what you are asking for - like recording option 82 (circuit
ID), having solid patching records, and CCTV covering every outlet !
You sound in danger of logging 'evidence' that is no such thing.
I think that to provide the evidence you need would require that all
connections be authenticated - for example by putting all users in a
walled garden and requiring them to use (for example) a VPN before
they can do ANYTHING. Spoofing a MAC address would then not work
because the VPN would simply break and the 'baddie' would gain
nothing. Ethernet does NOT provide anything like that level of
accountability.
Of course, none of this is DHCP specific.
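The circuit-ID logging Simon mentions, as an added example that is not part of the original post or of ISC dhcpd: a small Python parser that pulls the MAC, the option 61 client identifier and the option 82 (Relay Agent Information, RFC 3046) circuit-ID/remote-ID sub-options out of a DHCP message and puts them side by side in a lease record. The packets are constructed in the script (a relay would normally append option 82, not the client), the MAC and port names are made up, and the point it shows is the one in the post: two requests with an identical MAC and client-id are told apart only by the relay-supplied circuit ID. That record is only worth anything if the access switch drops any option 82 a client sends itself on untrusted ports; otherwise the 'baddie' can supply the victim's circuit ID too.

```python
"""Extract the option 82 circuit ID from DHCP messages and keep it next to
the client MAC in the lease record. Added example; all packets below are
constructed, not captured."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 options magic cookie
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_RELAY_AGENT = 53, 61, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2   # RFC 3046 sub-options
DHCPDISCOVER = 1


def build_dhcp_discover(mac, xid, circuit_id=None, remote_id=None):
    """Build a minimal DHCPDISCOVER. Option 82 is normally appended by the
    relay agent (switch/router), not the client; it is added here directly
    so the parser has something to read (constructed input)."""
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,              # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,          # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,    # ciaddr yiaddr siaddr giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    options += bytes([OPT_CLIENT_ID, 7, 1]) + mac      # type 1 = hardware address
    sub = b""
    if circuit_id is not None:
        sub += bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id is not None:
        sub += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    if sub:
        options += bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    options += bytes([OPT_END])
    return header + MAGIC_COOKIE + options


def parse_tlv(data, pad=None, end=None):
    """Parse code/length/value triples into {code: value}. Repeated codes are
    concatenated (RFC 3396). Serves both the option field and the option 82
    sub-option field, which differ only in whether PAD/END codes exist."""
    out = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == pad:
            i += 1
            continue
        if code == end:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        out[code] = out.get(code, b"") + value
        i += 2 + length
    return out


def lease_record(packet):
    """Return the fields worth logging for a lease: the client-claimed identity
    (chaddr, option 61) and the relay-supplied circuit ID / remote ID."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = packet[2]
    chaddr = packet[28:28 + hlen]                 # chaddr starts at offset 28
    opts = parse_tlv(packet[240:], pad=OPT_PAD, end=OPT_END)
    relay = parse_tlv(opts.get(OPT_RELAY_AGENT, b""))
    return {
        "mac": ":".join("%02x" % b for b in chaddr),
        "client_id": opts.get(OPT_CLIENT_ID, b"").hex() or None,
        "circuit_id": relay.get(SUB_CIRCUIT_ID, b"").decode("ascii", "replace") or None,
        "remote_id": relay.get(SUB_REMOTE_ID, b"").decode("ascii", "replace") or None,
    }


def demo():
    """Two DISCOVERs with the same (copied) MAC arriving on different switch
    ports. MAC and port names are made up for the example."""
    mac = bytes.fromhex("001122334455")
    victim = build_dhcp_discover(mac, 0x1001, b"eth1/0/7", b"switch-a")
    spoofer = build_dhcp_discover(mac, 0x1002, b"eth1/0/23", b"switch-a")
    a, b = lease_record(victim), lease_record(spoofer)
    same_mac = a["mac"] == b["mac"] and a["client_id"] == b["client_id"]
    different_port = a["circuit_id"] != b["circuit_id"]
    return a, b, same_mac, different_port


if __name__ == "__main__":
    for rec in demo()[:2]:
        print(rec)
```

Everything the client can choose (chaddr, option 61) is identical in both records; only the circuit ID differs, and that is the field the post says you would have to record, along with patching records, to get as far as a wall socket.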