enquiry on validation of dhcp offered address
ching
lsching17 at gmail.com
Wed Apr 25 00:05:06 UTC 2012
On Tuesday, April 24, 2012 09:50 PM, dhcp-users-request at lists.isc.org wrote:
> Err, no - or rather, it depends.
>
> If there is only the one subnet internal to your network, then
> traffic WITHIN THAT NETWORK will not be routed outside of the
> gateway. It will be local traffic, not need the use of a router, and
> so will never need to go through the gateway at all.
> No internal device will have traffic routed to the external device.
> Only traffic originating within the gateway device itself will be
> routed externally.
>
> You are correct however that if you have multiple subnets, AND
> traffic between subnets is routed via the same router that provides
> your external connectivity, then traffic from internal subnets
> **other than 192.168.1.0/24** to 192.158.1.0/25 would get incorrectly
> routed externally.
>
> Some simple egress filtering rules (it's generally considered good
> practice to drop RFC1918 traffic on your external interface anyway)
> will prevent information leakage. But you are correct that it will
> cause a loss of access to certain internal devices to certain other
> devices depending on your internal network setup. You could of course
> minimise the issue by adding host routes to your gateway - these /32
> routes would take precedence over any practical external route.
>
> You would however, no matter what you do, lose all external
> connectivity unless the miscreant also took care of providing a NAT
> gateway to a real IP address. If someone has that level of skill, and
> the level of access to your ISPs network to do that, then you do have
> bigger issues to worry about.
> I see your point, but I have to question whether it's a significant
> risk. You may want to look at the script used by the DHCP client to
> configure the system - though from memory I'm not sure whether it is
> called at the right times for the checks you want to do.
Current scripts seem to do no validation at all. They "trust" everything from DHCP.
I have several ideas in mind:
1. dhcp validation on dhclient - reject ipv4 class A, B, C private addresses and ipv6 ULA prefix
- I think it is the most "clean" way
2. validation on network config scripts - reject ipv4 class A, B, C private addresses and ipv6 ULA prefix
- it is quite hard for me, I do not know how to manipulate ipv4 subnet and ipv6 prefix in shell script
3. hard code the topology of internal LAN into a static route table
- the quick and dirty trick
If dhcp validation on dhclient is not possible, I will try to hard code the route table.
So back to my question, can dhclient validate offered address at all?
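Editor's note: as an added example (not code from the thread, the poster, or ISC), the following shows how option 2 above can be done in plain POSIX sh, in the shape of a dhclient-script enter hook. It tests an IPv4 address against the three RFC 1918 ranges and an IPv6 address against the ULA range fc00::/7, and refuses the lease on the external interface when either matches. The variable names `reason`, `interface`, `new_ip_address` and `new_ip6_address` follow dhclient-script(8) and should be checked against the script your distribution ships; the interface name `eth0` is a placeholder, and the claim that exiting non-zero from a sourced enter hook makes dhclient decline the lease and restart discovery is an assumption to verify on your system.

```shell
#!/bin/sh
# Example dhclient-script enter hook (added illustration, not from the
# thread): refuse a DHCP lease whose address lies in RFC 1918 space or in
# the IPv6 ULA range fc00::/7, i.e. an address that should never be handed
# to the ISP-facing interface. Pure POSIX sh, so it runs from any hook dir.

# Assumption: only the external interface is guarded; name it here.
WAN_IF=${WAN_IF:-eth0}

# Return 0 if $1 is a well-formed IPv4 address inside 10.0.0.0/8,
# 172.16.0.0/12 or 192.168.0.0/16; 1 for anything else (including junk).
is_rfc1918_v4() {
    _addr=$1
    _oldifs=$IFS
    IFS=.
    set -- $_addr          # split the dotted quad into $1..$4
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$1" "$2" "$3" "$4"; do
        case $_o in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric octet
        esac
        [ "$_o" -le 255 ] || return 1
    done
    [ "$1" -eq 10 ] && return 0                                         # 10/8
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 # 172.16/12
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0                    # 192.168/16
    return 1
}

# Return 0 if $1 is an IPv6 address inside fc00::/7 (first byte 0xfc/0xfd).
# The leading group must be written with four hex digits (fd12:), so an
# address like fd::1 (group 0x00fd) is correctly not treated as ULA.
is_ula_v6() {
    case $1 in
        [fF][cCdD][0-9a-fA-F][0-9a-fA-F]:*) return 0 ;;
    esac
    return 1
}

# Combined check over the values dhclient-script exports. Returns 0 when
# the lease may be installed, 1 (with a reason on stderr) when it must not.
validate_offer() {
    _v4=$1
    _v6=$2
    if [ -n "$_v4" ] && is_rfc1918_v4 "$_v4"; then
        echo "dhclient hook: refusing RFC 1918 address $_v4 on $WAN_IF" >&2
        return 1
    fi
    if [ -n "$_v6" ] && is_ula_v6 "$_v6"; then
        echo "dhclient hook: refusing ULA address $_v6 on $WAN_IF" >&2
        return 1
    fi
    return 0
}

# Hook body. dhclient-script sources enter hooks before it touches the
# interface and exports $reason, $interface, $new_ip_address and
# $new_ip6_address (names per dhclient-script(8); confirm against your
# distribution's script). Assumption: exiting non-zero here aborts
# dhclient-script, after which dhclient declines the lease and restarts
# discovery, leaving the interface unconfigured rather than poisoned.
if [ "${interface:-}" = "$WAN_IF" ]; then
    case ${reason:-} in
        BOUND|RENEW|REBIND|REBOOT|BOUND6|RENEW6|REBIND6)
            if ! validate_offer "${new_ip_address:-}" "${new_ip6_address:-}"; then
                exit 1
            fi
            ;;
    esac
fi
```

Two caveats worth keeping in mind. First, refusing the lease means the external interface gets no address at all until a clean offer arrives; that is the intended outcome here (no connectivity is better than internal traffic routed out to a stranger), but it should be logged so the failure is visible. Second, this check must never run on the internal interface, where RFC 1918 and ULA addresses are exactly what is expected, which is why the hook is gated on `$interface`.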