enquiry on validation of dhcp offered addres
dhcp1 at thehobsons.co.uk
Wed Apr 25 07:07:33 UTC 2012
>I have several ideas in mind:
>1. dhcp validation on dhclient - reject ipv4 class A,B,C private
>addresses and ipv6 ULA prefix
> - i think it is the most "clean" way
>2. validation on network config scripts - reject ipv4 class A,B,C
>private addresses and ipv6 ULA prefix
> - it is quite hard for me, i do not know how to manipulate
>ipv4 subnet and ipv6 prefix in shell script
>3. hard code the topology of internal LAN into a static route table
> - the quick and dirty trick
There si another way. Simply arrange your network so that intranet
traffic does not traverse your outside gateway. I've no idea what
your current topology is as you've given no clues, but if internal
traffic doesn't go through your external gateway, then the problem
disappears. There is probably stuff you can do to split the routing
tables - so the internal traffic uses a table the external DHCP
cannot influence - but I've no idea where you'd start with that.
>So back to my question, can dhclient validate offered address at all?
Dunno, you'll have to study the code/scripts and see what happens when.
Gerald Vogt wrote:
>set up firewalls on all clients to filter DHCP requests except from/to
>the MAC addresses of your own DHCP servers.
>Another solution would be in the switches: get managed switches (unless
>you have it already) and filter DHCP requests on all switch ports except
>the server ports.
I'm not sure you've got the essence of the problem here. It's not
internal DHCP that's an issue. The problem the OP is looking at is
that if the IP/subnet assigned to his outside interface clashes with
his internal network, then that will affect the routing table - and
may result in the gateway sending "internal" traffic through the
outside interface. This would result in some internal devices being
unable to communicate with some other devices - only where the
traffic goes through the gateway to get between internal
networks/subnets, and only where one of the devices is within the
subnet falsely allocated to the outside interface, and only where the
outside subnet is more specific (longer subnet mask) (or possibly the
same) as an internal subnet.
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
More information about the dhcp-users