DHCP Authentication

Marco Amadori amadorim at vdavda.com
Tue Jul 1 06:42:02 UTC 2008


On Monday 30 June 2008, 16:53:56, Simon Hobson wrote:

> Marco Amadori wrote:
> >Even if it seemed so, I wasn't talking about a wireless network but a wired
> > network where we cannot touch switches. Imagine a medium sized network
> > (2000 nodes) where a lot of clients need some kind of DHCP service from
> > our server only; other nodes exist which are not in our control
> > (which could be either DHCP clients or servers) but which we should not
> > interfere with.
>
> In that case you do not have control of your network.

Yes, I know.

> >So our clients need to accept only DHCP answers from the "right" server
> > and our DHCP server needs to serve only the "good" clients.

> Since you won't have control over many of your clients (e.g. embedded
> clients in devices you don't have the source to) this isn't something
> you can do at the client.

I thought that since clients receive different DHCP answers they could choose 
(like by requiring a particular VENDOR ID, or a DHCP variable like that, to 
match a string) which one to listen to.

> The best you can do in your case is to run 
> a program to listen for DHCP traffic from rogue servers and alert
> you.

This could be done, then filter it via iptables on clients, but I need to 
discriminate good and bad DHCP servers some way... maybe just changing the 
default UDP port for servers and clients could suffice.


-- 
ESC:wq
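The client-side idea discussed in this message (have the client accept only DHCP replies whose server identifier is on a known list and whose vendor-class string matches) can be written down concretely. The block below is an added example for this page, not code from the thread or from any DHCP implementation. The trusted server address 192.0.2.1, the vendor tag "ourorg-dhcp" and the sample DHCPOFFER packets are all constructed for the example; the parser follows the RFC 2131 layout (236-byte BOOTP header, magic cookie, TLV options). It also shows the practitioner's caveat: a rogue server that copies both option values produces a byte-identical reply, so this is filtering, not authentication.

```python
"""Client-side filter for DHCP server replies based on option 54 (server
identifier) and option 60 (vendor class identifier).

Added example; server address, vendor tag and packets are constructed.
"""
from ipaddress import IPv4Address
from typing import Dict, Optional, Set

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 options magic cookie
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_VENDOR_CLASS = 53, 54, 60
DHCPOFFER, DHCPACK = 2, 5
BOOTREPLY = 2


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area after the 236-byte BOOTP header.

    Returns {code: value}. Raises ValueError on a malformed packet
    (missing cookie, truncated header, length byte past end of buffer).
    """
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:          # single-byte pad, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of packet" % code)
        opts[code] = value           # last occurrence wins; fine for a filter
        i += 2 + length
    return opts


def accept_reply(data: bytes, trusted_servers: Set[str],
                 required_vendor: bytes) -> bool:
    """True only for a DHCPOFFER/DHCPACK whose server identifier is in
    trusted_servers AND whose vendor class equals required_vendor.
    Anything malformed is rejected rather than raising."""
    if len(data) < 240 or data[0] != BOOTREPLY:
        return False
    try:
        opts = parse_options(data)
    except ValueError:
        return False
    if opts.get(OPT_MSG_TYPE) not in (bytes([DHCPOFFER]), bytes([DHCPACK])):
        return False
    sid = opts.get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        return False
    if str(IPv4Address(sid)) not in trusted_servers:
        return False
    return opts.get(OPT_VENDOR_CLASS) == required_vendor


def build_offer(server_ip: str, vendor: Optional[bytes]) -> bytes:
    """Build a minimal constructed DHCPOFFER (test input, not captured traffic)."""
    hdr = bytearray(236)
    hdr[0] = BOOTREPLY                      # op
    hdr[1], hdr[2] = 1, 6                   # htype Ethernet, hlen 6
    hdr[4:8] = b"\x12\x34\x56\x78"          # xid
    hdr[16:20] = IPv4Address("192.0.2.50").packed   # yiaddr offered to client
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
    if vendor is not None:
        opts += bytes([OPT_VENDOR_CLASS, len(vendor)]) + vendor
    opts += bytes([OPT_END])
    return bytes(hdr) + MAGIC_COOKIE + opts


TRUSTED = {"192.0.2.1"}           # hypothetical address of the "right" server
VENDOR_TAG = b"ourorg-dhcp"       # hypothetical string that server is configured to send

GOOD = build_offer("192.0.2.1", VENDOR_TAG)
ROGUE_NO_TAG = build_offer("192.0.2.66", None)
ROGUE_COPIED_TAG = build_offer("192.0.2.66", VENDOR_TAG)
# A rogue that also spoofs option 54 yields bytes identical to GOOD: the
# filter cannot tell them apart, which is why this is not authentication.
ROGUE_SPOOFING_BOTH = build_offer("192.0.2.1", VENDOR_TAG)

if __name__ == "__main__":
    for name, pkt in [("good", GOOD), ("rogue_no_tag", ROGUE_NO_TAG),
                      ("rogue_copied_tag", ROGUE_COPIED_TAG),
                      ("rogue_spoofing_both", ROGUE_SPOOFING_BOTH)]:
        print(name, accept_reply(pkt, TRUSTED, VENDOR_TAG))
```

This only helps on clients whose DHCP stack you can wrap or front with a filter; it does nothing for embedded clients you cannot change, and a rogue server on the same segment can copy every field the filter checks.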
