enquiry on validation of dhcp offered address
sthaug at nethelp.no
Wed Apr 25 06:35:29 UTC 2012
> Current scripts seem to do no validation at all. They "trust" everything from DHCP.
This is indeed how DHCP is designed to work. If your DHCP server is
untrustworthy, it can do a *lot* of damage. And the client cannot
protect against all such damage, because it cannot (in general) know
whether a DHCP lease is correct or not - it has to trust the server.
> I have several ideas in mind:
> 1. DHCP validation on dhclient - reject IPv4 class A, B, C private addresses and IPv6 ULA prefix
> - I think it is the most "clean" way
> 2. validation on network config scripts - reject IPv4 class A, B, C private addresses and IPv6 ULA prefix
> - it is quite hard for me, I do not know how to manipulate IPv4 subnet and IPv6 prefix in shell script
Rejecting IPv4 private addresses and IPv6 ULA addresses may be correct
in *your* configuration - and should be correct in general for Internet
connected hosts. It will obviously not be correct in all configurations
and therefore cannot be a standard part of dhclient.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no
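
Added example (not part of the original message and not dhclient code): for a site where rejecting RFC 1918 and ULA addresses is the correct local policy, the prefix checks the quoted question asks about can be written in POSIX shell with string patterns and integer tests. The function names are hypothetical, the sample addresses are constructed, and how the check is called from the local network configuration scripts is left to the site.

```shell
#!/bin/sh
# Site-local policy check (added example; function names are hypothetical).

# is_private_v4 ADDR: 0 if ADDR is in 10/8, 172.16/12 or 192.168/16,
# 1 if it is any other valid dotted quad, 2 if it is not a dotted quad.
is_private_v4() {
    case $1 in *[!0-9.]*|.*|*.|*..*) return 2 ;; esac
    _ifs=$IFS; IFS=.
    set -- $1                      # split into octets (digits and dots only)
    IFS=$_ifs
    [ $# -eq 4 ] || return 2
    for _o in "$@"; do
        case $_o in ????*) return 2 ;; esac   # at most 3 digits per octet
        [ "$_o" -le 255 ] || return 2
    done
    if [ "$1" -eq 10 ]; then return 0; fi
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
    if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
    return 1
}

# is_ula_v6 ADDR: 0 if ADDR is in fc00::/7, else 1.
# fc00::/7 means the first byte is 0xfc or 0xfd, so the first group must be
# four full hex digits starting with fc or fd ("fd::1" is 00fd:..., not ULA).
is_ula_v6() {
    case $1 in
        [fF][cCdD][0-9a-fA-F][0-9a-fA-F]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# offer_acceptable ADDR: 0 to accept, 1 to reject under this site policy.
# Malformed IPv4 strings are rejected as well.
offer_acceptable() {
    case $1 in
        *:*) if is_ula_v6 "$1"; then return 1; fi; return 0 ;;
        *)   _rc=0; is_private_v4 "$1" || _rc=$?; [ "$_rc" -eq 1 ] ;;
    esac
}

# Constructed sample addresses.
for a in 10.1.2.3 172.31.0.9 172.32.0.9 192.168.1.5 198.51.100.7 \
         fd12:3456:789a::1 fd::1 2001:db8::1; do
    if offer_acceptable "$a"; then echo "accept $a"; else echo "reject $a"; fi
done
```

The IPv6 check only inspects the first group and does not otherwise validate the address syntax.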