DHCP Authentication

Simon Hobson dhcp1 at thehobsons.co.uk
Tue Jul 1 10:23:58 UTC 2008


Marco Amadori wrote:

>> But you miss the point - you do NOT have that level of control over
>> your clients !
>
> MMM, yes. We prepare all our clients (a Linux embedded with busybox udhcpc,
> but we can install ISC dhclient if this enables more server
> identification). "good" clients are known, only it is unpractical to track
> MACs or to differentiate them.
>
> The solution I came to in order to cope with this issue is to use a different UDP port on
> both DHCP server and clients.
>
>> If you change the port then unmodified clients won't work. Since in
>> most networks the majority of clients won't have that degree of
>> control, then your network simply won't work.
>
> The clients are under our control, the switches not.
>
>> The idea of monitoring isn't so you can reconfigure your clients*,
>> it's so that you as the network admin can track down the rogue server
>> and 'explain' to the person responsible why they shouldn't be running
>> it (apply piece of "clue by four" ?)
>
> We cannot do that and we should "respect" rogue dhcp:
>
> We have our embedded Linux clients on a foreign network, we cannot configure
> switches, and we cannot even blame non-malicious rogue dhcp users (and
> probably even malicious ones). We can add our servers and clients to the network.
> We have control over which software runs on all our clients and servers.
>
> I know it is a strange network setup.

It would have helped if you'd explained this in the first place!
Your problem isn't really anything like your query indicated, it is 
in fact much more complicated!


In effect, you want to run a DHCP server for your own clients AT THE 
SAME TIME as another DHCP server may be running to service everything 
else. This is non-trivial to do, though you are in a position to make 
it easier.

Probably, just running the DHCP protocol on non-standard ports should 
do the trick for you. In the general case (where you need to use the 
standard ports) you need to configure both servers to be 
authoritative for only 'their' clients and totally ignore any other 
clients - this requires admin access to BOTH servers and cannot be 
achieved without.
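The "authoritative only for 'their' clients" approach from the last paragraph, written out as an added ISC dhcpd.conf example (not from the thread or from ISC's documentation) for the server side that Marco does control. The clients are assumed to announce themselves with a constructed vendor class string, "ACME-embedded" (dhclient.conf: `send vendor-class-identifier "ACME-embedded";`); the subnet, range and option values are illustrative assumptions:

```conf
# Added example, not from the original thread. An ISC dhcpd server that must
# coexist on one LAN with a foreign DHCP server it does not control: it answers
# only clients that send the (constructed) vendor class "ACME-embedded" and
# stays silent toward every other client on the wire.

# Without "authoritative", this server never sends DHCPNAK to clients that
# hold or request leases from the other server; it simply does not respond
# to anything it has no offer for.
not authoritative;

# Identify "our" clients by the vendor-class-identifier (option 60) they send.
# dhclient.conf:  send vendor-class-identifier "ACME-embedded";
class "acme-clients" {
    match if option vendor-class-identifier = "ACME-embedded";
}

# Assumed example subnet; replace with the real one.
subnet 192.0.2.0 netmask 255.255.255.0 {
    option routers 192.0.2.1;
    option domain-name-servers 192.0.2.53;

    pool {
        # With an allow statement present, only matching clients may draw
        # from this pool; anyone else gets no OFFER at all.
        allow members of "acme-clients";
        range 192.0.2.100 192.0.2.199;
    }
}
```

Vendor class is a convenience tag, not authentication: any client on the LAN can send the same string, so this only keeps the two servers from treading on each other's clients, which is exactly the scope of the problem described above. For the non-standard-port variant, ISC's `-p` option applies on both sides: dhcpd listens on the given port and transmits to port + 1, while dhclient listens on the given port and transmits to port - 1, so `dhcpd -p 1067` pairs with `dhclient -p 1068`; it keeps the foreign server and its clients from ever seeing your traffic, but gives no protection against anyone who learns the port.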

