DHCP Authentication

Simon Hobson dhcp1 at thehobsons.co.uk
Tue Jul 1 08:28:52 UTC 2008


Marco Amadori wrote:

> > > So our clients need to accept only DHCP answers from the "right" server
> > > and our DHCP server needs to serve only the "good" clients.
>
> > Since you won't have control over many of your clients (eg embedded
> > clients in devices you don't have the source to) this isn't something
> > you can do at the client.
>
> I thought that since clients receive different DHCP answers they could choose
> (like by requiring a particular VENDOR ID, or a DHCP variable like that, to
> match a string) which one to listen to.

But you miss the point - you do NOT have that level of control over 
your clients!

> > The best you can do in your case is to run
> > a program to listen for DHCP traffic from rogue servers and alert
> > you.
>
> This could be done, then filter it via iptables on clients, but I need to
> discriminate good and bad DHCP servers some way... maybe just changing the
> default UDP port for servers and clients could suffice.

If you change the port then unmodified clients won't work. Since in 
most networks the majority of clients won't have that degree of 
control, then your network simply won't work.

The idea of monitoring isn't so you can reconfigure your clients*, 
it's so that you as the network admin can track down the rogue server 
and 'explain' to the person responsible why they shouldn't be running 
it (apply piece of "clue by four" ?)


* The point of DHCP is to avoid having to configure clients manually 
- other than setting hostname (or if they supported auth, the server 
key), then you don't really want to be manually messing with their 
settings.
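A minimal version of the monitor Simon describes, added here as an example and not part of the original thread: it parses DHCP server replies (BOOTREPLY messages with option 53 and the option 54 server identifier) and returns an alert for any reply whose server identifier is not on an allow-list. The allow-list address 192.0.2.1 and the packets produced by `build_reply` are constructed assumptions, not real traffic.

```python
from ipaddress import IPv4Address

# Allow-list of legitimate DHCP servers (assumed address, constructed for this example).
AUTHORISED_SERVERS = {"192.0.2.1"}

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of DHCP options after the BOOTP header
BOOTREPLY = 2                            # BOOTP 'op' value for server -> client messages
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # option 53 values only a server sends

def parse_options(payload):
    """Parse the TLV option block that follows the magic cookie into {code: bytes}."""
    opts, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == 0:              # pad byte, no length field
            i += 1
            continue
        if code == 255:            # end-of-options marker
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def check_dhcp_reply(packet):
    """Return None for traffic that needs no alert, or an alert string when a
    server reply carries a server-identifier (option 54) not in the allow-list."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE or packet[0] != BOOTREPLY:
        return None                # not a DHCP server reply
    opts = parse_options(packet[240:])
    msg_type = (opts.get(53) or b"\x00")[0]
    if msg_type not in SERVER_MSG_TYPES:
        return None
    sid = opts.get(54)
    server = str(IPv4Address(sid)) if sid and len(sid) == 4 else "unknown"
    if server in AUTHORISED_SERVERS:
        return None
    return "ALERT: DHCP%s from unauthorised server %s" % (SERVER_MSG_TYPES[msg_type], server)

def build_reply(server_ip, msg_type=2):
    """Construct a minimal BOOTREPLY carrying options 53 and 54 (sample input, not real traffic)."""
    header = bytes([BOOTREPLY, 1, 6, 0]) + b"\x00" * 232       # op/htype/hlen/hops + zeroed fields
    options = bytes([53, 1, msg_type, 54, 4]) + IPv4Address(server_ip).packed + b"\xff"
    return header + MAGIC_COOKIE + options
```

In a real deployment `check_dhcp_reply` would be fed the UDP payloads of port 67/68 traffic captured on the segment; here `build_reply` stands in for that capture.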

