Putting iPads in their own IP pool?

David W. Hankins dhankins at isc.org
Fri Oct 15 00:09:52 UTC 2010


On Fri, Oct 08, 2010 at 05:36:13PM -0600, Bob Proulx wrote:
> I wanted to mark this "solved" but using the hostname I realize is
> just a works-for-me case but a good enough one for me here.  I might
> still go back to chasing ethernet address.  If someone else decides to
> try that then let me add the list of vendor bytes that I have seen
> associated with the iPads here so far.  (And mirek reported d8:30:62.)

Following ethernet macs still seems fairly brute force to me.  Some
time back there were some researchers who did a DHCP-Fingerprinting
paper, you might be able to google to find some current databases of
passive DHCP client 'fingerprints.'

Basically what they do is use the client's PRL as a unique key to
determine the make and model of the client, and infer from there the
OS and version.  If you're clever you can step outside of this to
also include vendor-class-identifier.


At IETF 71 for the tech plenary, there was an experiment to shut off
IPv4 and "see what breaks."  What broke is that IPv6 clients did not
have DNS name servers, and so could not actually use any part of the
IPv6 Internet.  All this time they had been getting IPv4 addressed
name servers from their DHCPv4 dual-stack brother.  Pretty much the
only guys who were still 'on the Internet' were literally manually
typing in the IPv6 name-servers by hand or had a recursive resolver
on their laptops.  Hardly the mainstream Internet users.

Anyway.

Alain Durand (who was working at Comcast at the time) offered an
escape for people who couldn't work on IPv6 single-stack; an
IPv4-only "4-6-4 NAT" experiment.  I was asked to implement the DHCPv4
server on this network and to divide client load among two
4-6-4 NAT competitor products.  We wanted graphs on active client
population, and that's easy enough if you can script.

I wound up adding total unique clients later after some comments by
the folks involved and while I was doing that, thought it would also
be fun to fingerprint the clients, to see what makes and models are
using the 4-6-4 NAT experiment.

So I used the following dhcpd.conf syntax;

=== dhcpd.fingerprint.conf
set vclass = option vendor-class-identifier;

class "WindowsIdent" {
        match if (substring(option vendor-class-identifier, 0, 4) = "MSFT");

        set ident = "Windows";
}

# For others we need to watch the PRL.
if (exists dhcp-parameter-request-list) {
        set prl = binary-to-ascii(16, 8, ":",
                                  option dhcp-parameter-request-list);
}

# default to unlisted
if (pick(ident, "X") = "X") {
        set ident = "unlisted";
}

class "ParamIdent" {
        match if (substring(option vendor-class-identifier, 0, 4) != "MSFT");
        match option dhcp-parameter-request-list;
}
# interesting they don't set MSFT...this is Windows mobile something (CE).
subclass "ParamIdent" 1:3:6:f:2c:2e:2f { set ident = "Windows"; }

subclass "ParamIdent" 1:1c:2:3:f:6:c:28:29:2a { set ident = "Linux"; }
subclass "ParamIdent" 1:3:6:c:f:11:1c:28:29:2a { set ident = "Linux"; }
subclass "ParamIdent" 1:3:6:c:f:11:17:1c:1d:1f:21:28:29:2a:9:7:c8:2c { set ident = "Linux"; }
subclass "ParamIdent" 1:3:6:c:f:11:17:1c:1d:1f:21:28:29:2a:77 { set ident = "Linux"; }
subclass "ParamIdent" 3a:3b:1:1c:79:21:3:c:77:f:6:28:29:2a:1a { set ident = "Linux"; }
subclass "ParamIdent" 1:3:6:c:f:11:17:1c:1d:1f:21:28:29:2a { set ident = "Linux"; }
subclass "ParamIdent" 1:3:6:f:1c:c:7:9:2a:30:31 { set ident = "Linux"; }
subclass "ParamIdent" 1:1c:2:3:f:6:c:2c:2f { set ident = "Linux"; }
subclass "ParamIdent" 1:1c:3:f:6:c:11 { set ident = "Linux"; }
subclass "ParamIdent" 1:3:6:c:f:11:17:1c:1d:1f:21:28:29:2a:9:7:2c:2d:2e:2f { set ident = "Linux"; }
subclass "ParamIdent" 1:3:6:c:f:17:1c:1d:1f:21:28:29:2a { set ident = "Linux"; }
subclass "ParamIdent" 1:3:6:c:f:11:17:1c:1d:1f:21:28:29:2a:9:7:2c:2d:2e:2f:77 { set ident = "Linux"; }
subclass "ParamIdent" 1:1c:2:3:f:6:c:28:29 { set ident = "Linux"; }
subclass "ParamIdent" 1:3:6:c:f:11:17:1c:1d:1f:21:28:29:2a:9:7:c8 { set ident = "Linux"; }
subclass "ParamIdent" 1:1c:2:3:f:6:c:2c:2f:1a { set ident = "Linux"; }
subclass "ParamIdent" 1:1c:2:3:f:6:c:2c:2f:1a { set ident = "Linux"; }
subclass "ParamIdent" 1:1c:3:f:6:c:21 { set ident = "Linux"; }

subclass "ParamIdent" 1:3:6:f:70:71:4e:4f:5f:fc { set ident = "Apple"; }
subclass "ParamIdent" 1:3:6:f { set ident = "Apple"; }
subclass "ParamIdent" 1:3:6:f:77:5f:fc:2c:2e:2f { set ident = "Apple"; }
subclass "ParamIdent" 1:3:6:f:70:71:4e:4f:5f { set ident = "Apple"; }
subclass "ParamIdent" 1:3:6:f:70:71:4e:4f:5f:fc:2c:2f { set ident = "Apple"; }
subclass "ParamIdent" 1:3:6:f:21:2a:2c:2d:2e:2f:45:46:47:4a:4e:4f { set ident = "Apple"; }
subclass "ParamIdent" 1:3:6:f:70:71:4e:4f { set ident = "Apple"; }

subclass "ParamIdent" 1:3:6:c:f:1c:2b { set ident = "Solaris"; }
subclass "ParamIdent" 1:3:c:2b:f:6 { set ident = "Solaris"; }
subclass "ParamIdent" 1:3:c:2b { set ident = "Solaris"; }

subclass "ParamIdent" 1:2:3:4:5:6:b:c:d:f:10:11:12:16:17:1c:28:29:2a:2b:32:33:36:3a:3b:3c:42:43:80:81:82:83:84:85:86:87 { set ident = "PXE"; }
subclass "ParamIdent" 1:2:3:5:6:b:c:d:f:10:11:12:2b:36:3c:43:80:81:82:83:84:85:86:87 { set ident = "PXE"; }
subclass "ParamIdent" 1:3:3:5:6:b:c:d:f:10:11:12:2b:36:3c:43:80:81:82:83:84:85:86:87 { set ident = "PXE"; }
subclass "ParamIdent" 1:3:3c:2b:43:80:81:82:83:84:85:86:87 { set ident = "PXE"; }
subclass "ParamIdent" 1:3:2b:36:3c:43:80:81:82:83:84:85:86:87 { set ident = "PXE"; }
subclass "ParamIdent" 1:3:2:4:6:c:f:3c:2b { set ident = "PXE"; }

subclass "ParamIdent" 1:1c:2:3:f:6:c { set ident = "ISC"; }

subclass "ParamIdent" 1:3:6:f:1c:21 { set ident = "OS2"; }
=== end dhcpd.fingerprint.conf


One thing you notice is that PRL fingerprinting is more approximately
a fingerprint of the DHCP client software than the host OS (the "ISC"
entry is our default dhclient PRL).  They often track together in
unique combinations, but it isn't foolproof.

Anyway, this allowed me to poll the currently active makes and models,
and produce a sexy graph;

http://www.ietf.org/proceedings/71/slides/plenaryw-16/sld1.htm

Although I wish since I knew I'd only have a day for it I'd thought
to use a shorter timespan on the second graph, you can guess when the
4-6-4 NAT was advertised on the plenary mic. :)


One trouble is for my dhcpd.fingerprint.conf, I summarized a lot of
the sub-makes.  You'll notice there are lots of entries for Windows
and Apple and Linux.  In the original database I was reading the PRL
fingerprints from, these corresponded nicely to particular versions
of software or particular products.  As products develop along, they
start to ask for new options, and every product seems to put that
option in a different spot in the (priority-sorted) PRL they issue.

In some cases you can tell the difference between makes of Windows
that have, or haven't, received a recent service pack.


Anyway, the moral of the story is, I'd see how unique the iPad's
PRL is.  It's likely that if it's similar to anything, it'll be
similar to other Apple products (iPod touch, iPhone, etc) which you
may not mind having in the same group.

-- 
David W. Hankins	"If you don't do it right the first time,
Software Engineer		     you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins
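
The PRL lookup described in the message above, as an added example that is not part of the original post: it pulls option 55 (parameter request list) and option 60 (vendor-class-identifier) out of a raw DHCP packet, renders the PRL the way binary-to-ascii(16, 8, ":") does, and looks it up in a few entries copied from the posted dhcpd.fingerprint.conf. The function names and the sample packet builder are constructed for illustration.

```python
# Subset of the PRL table from the dhcpd.fingerprint.conf in the post above.
PRL_IDENT = {
    "1:3:6:f:2c:2e:2f": "Windows",
    "1:3:6:c:f:11:1c:28:29:2a": "Linux",
    "1:3:6:f:77:5f:fc:2c:2e:2f": "Apple",
    "1:3:c:2b:f:6": "Solaris",
    "1:1c:2:3:f:6:c": "ISC",
}
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options

def parse_options(packet: bytes) -> dict:
    """Walk the TLV options that follow the 236-byte BOOTP header."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:              # end option
            break
        if code == 0:                # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[code] = opts.get(code, b"") + value  # split options are joined
        i += 2 + length
    return opts

def prl_key(prl: bytes) -> str:
    """Same form as binary-to-ascii(16, 8, ":", ...): hex, no zero padding."""
    return ":".join(format(b, "x") for b in prl)

def identify(packet: bytes) -> str:
    opts = parse_options(packet)
    if opts.get(60, b"")[:4] == b"MSFT":      # vendor-class-identifier
        return "Windows"
    # Order is part of the key: the same options in another order miss.
    return PRL_IDENT.get(prl_key(opts.get(55, b"")), "unlisted")

def build_discover(prl, vci=None) -> bytes:
    """Constructed sample packet: zeroed header plus options 53, 55, 60."""
    body = bytes([53, 1, 1, 55, len(prl)]) + bytes(prl)
    if vci:
        body += bytes([60, len(vci)]) + vci
    return bytes(236) + MAGIC + body + b"\xff"
```

Because the key is the exact byte sequence, a client that requests the same options in a different order falls through to "unlisted", which is why the posted table carries so many near-identical entries per make.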