enquiry on validation of dhcp offered addres

ching lsching17 at gmail.com
Wed Apr 25 00:05:06 UTC 2012


On Tuesday, April 24, 2012 09:50 PM, dhcp-users-request at lists.isc.org wrote:
> Err, no - or rather, it depends.
>
> If there is only the one subnet internal to your network, then 
> traffic WITHIN THAT NETWORK will not be routed outside of the 
> gateway. It will be local traffic, not need the use of a router, and 
> so will never need to go through the gateway at all.
> No internal device will have traffic routed to the external device. 
> Only traffic originating within the gateway device itself will be 
> routed externally.
>
> You are correct however that if you have multiple subnets, AND 
> traffic between subnets is routed via the same router that provides 
> your external connectivity, then traffic from internal subnets 
> **other than 192.168.1.0/24** to 192.158.1.0/25 would get incorrectly 
> routed externally.
>
> Some simple egress filtering rules (it's generally considered good 
> practice to drop RFC1918 traffic on your external interface anyway) 
> will prevent information leakage. But you are correct that it will 
> cause a loss of access to certain internal devices to certain other 
> devices depending on your internal network setup. You could of course 
> minimise the issue by adding host routes to your gateway - these /32 
> routes would take precedence over any practical external route.
>
> You would however, no matter what you do, lose all external 
> connectivity unless the miscreant also took care of providing a NAT 
> gateway to a real IP address. If someone has that level of skill, and 
> the level of access to your ISPs network to do that, then you do have 
> bigger issues to worry about.
> I see your point, but I have to question whether it's a significant 
> risk. You may want to look at the script used by the DHCP client to 
> configure the system - though from memory I'm not sure whether it is 
> called at the right times for the checks you want to do.

The current scripts seem to do no validation at all. They "trust" everything from DHCP.

I have several ideas in mind:
1. DHCP validation in dhclient - reject IPv4 class A, B, C private addresses and the IPv6 ULA prefix
      - I think it is the most "clean" way
2. validation in the network config scripts - reject IPv4 class A, B, C private addresses and the IPv6 ULA prefix
      - it is quite hard for me; I do not know how to manipulate IPv4 subnets and IPv6 prefixes in a shell script
3. hard-code the topology of the internal LAN into a static route table
      - the quick and dirty trick

If DHCP validation in dhclient is not possible, I will try to hard-code the route table.

So back to my question, can dhclient validate offered address at all?
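As an added illustration of option 2 above (this is example code, not from this thread and not ISC's own dhclient-script): dhclient itself does not judge the offered address, but dhclient-script sources "enter hooks" before it configures the interface and exports the lease to them as shell variables (reason, interface, new_ip_address, new_ip6_address). A hook that sets exit_status to a nonzero value makes dhclient-script abort processing of that state, so a lease inside RFC 1918 space or the IPv6 ULA range fc00::/7 never reaches the interface. The hook path (/etc/dhclient-enter-hooks, or a file under /etc/dhcp/dhclient-enter-hooks.d/ on Debian-style systems) and the WAN_IF setting naming the ISP-facing interface are assumptions about the local install; the subnet arithmetic is done with plain POSIX sh field splitting and case patterns, so no extra tools are needed.

```shell
# Added example (not ISC code): dhclient-script enter hook that refuses a
# lease whose offered address is RFC 1918 (IPv4) or ULA fc00::/7 (IPv6).
# This file is sourced by dhclient-script, so it must not call exit; it
# signals rejection by setting exit_status, as dhclient-script(8) describes.
# Assumption: WAN_IF names the external interface; an internal LAN that
# legitimately gets a private lease is left alone.
WAN_IF="${WAN_IF:-eth0}"

# Return 0 if $1 is a dotted-quad address in 10/8, 172.16/12 or 192.168/16.
is_rfc1918_v4() {
    oldifs="$IFS"; IFS=.
    set -- $1                      # split the address into its four octets
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$1" "$2" "$3" "$4"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac   # empty or non-numeric octet
    done
    case "$1" in
        10)  return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
        192) [ "$2" -eq 168 ] && return 0 ;;
    esac
    return 1
}

# Return 0 if $1 is an IPv6 address inside fc00::/7. The first hextet of a
# ULA is fc00-fdff, and a group starting with "f" always has four hex digits
# when written out, so a prefix match on the first group is exact.
is_ula_v6() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        f[cd][0-9a-f][0-9a-f]:*) return 0 ;;
    esac
    return 1
}

# Return 0 when the lease event ($1 = reason, $2 = offered address) must be
# refused. Only the states that install a new address are examined.
offer_should_be_rejected() {
    case "$1" in
        BOUND|RENEW|REBIND|REBOOT) is_rfc1918_v4 "$2" ;;
        BOUND6|RENEW6|REBIND6)     is_ula_v6 "$2" ;;
        *) return 1 ;;
    esac
}

# Hook body: runs only when dhclient-script sources this file with $reason set.
case "${reason:-}" in
    BOUND|RENEW|REBIND|REBOOT) offered="${new_ip_address:-}" ;;
    BOUND6|RENEW6|REBIND6)     offered="${new_ip6_address:-}" ;;
    *)                         offered="" ;;
esac
if [ -n "$offered" ] && [ "${interface:-}" = "$WAN_IF" ] \
   && offer_should_be_rejected "$reason" "$offered"; then
    logger -t dhclient-hook \
        "refusing lease $offered on $interface: private/ULA address offered on the external link"
    exit_status=1
fi
```

Installed on the ISP-facing interface only, this covers the rogue-offer case from the thread: the private lease is logged and dropped before any route pointing at the internal LAN can be installed, while the gateway's LAN-side interfaces keep accepting their normal private leases. It is purely a check on the offered address; it does not replace the egress filtering and host routes discussed above.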