hardware ethernet and option vendor-class-identifier

Patrick Trapp ptrapp at nex-tech.com
Fri Oct 16 13:51:57 UTC 2015


Just reply to the thread, no need to copy me directly.

I think Sten's pointed you down the right path. There appears to be a syntax issue with your example (as he points out), but, as important, from a logical/manageable perspective, you will have an easier time if you set up the classes in the way he describes.

But I think the benefit is marginal. If they are taking the time to fake the MAC, what are the odds that they won't be able to pick the correct operating system, too?

Are you going to have something in place to identify where they originate their request so you can accept/deny accordingly? I'm using option-82 to get a similar result, but just to assign them to the appropriate pools. You could use the same functionality.

I'm not convinced any of this is where you need to be spending your processing cycles for a security benefit.
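As an added example, not a configuration posted in this thread or by Sten: one way to express the two checks the quoted question below asks for, using class match expressions on the `hardware` data item plus single-address pools instead of `fixed-address` host declarations. The host names, MACs and addresses are the ones from the original question; the `hardware` comparison, the substring lengths and the pool layout are my assumptions about what fits, not anyone's posted config.

```conf
# Added example (not from the thread). Require both the MAC and the vendor
# class before an address is handed out. Names/MACs/addresses come from the
# original question; the structure below is an assumption about what fits.

# The "hardware" expression yields the hardware-type byte (01 = Ethernet)
# followed by the link-layer address, so a class can match on it directly.
# Compare only as many bytes as the vendor prefix has: "MSFT" is 4 bytes,
# "udhcp" is 5. Comparing 8 bytes against "MSFT" can never be true.
class "windowspc" {
  match if (hardware = 01:78:01:02:03:04:05)
       and (substring(option vendor-class-identifier, 0, 4) = "MSFT");
}

class "linuxpc" {
  match if (hardware = 01:44:11:02:03:04:05)
       and (substring(option vendor-class-identifier, 0, 5) = "udhcp");
}

subnet 192.168.30.0 netmask 255.255.255.192 {
  option routers 192.168.30.1;

  # "allow members of" is only honoured inside a pool, and a host with
  # fixed-address is not subject to pool permit lists at all. So each
  # "static" address is a one-address pool restricted to its class.
  pool {
    range 192.168.30.2 192.168.30.2;
    allow members of "windowspc";
  }
  pool {
    range 192.168.30.3 192.168.30.3;
    allow members of "linuxpc";
  }

  # No unrestricted pool exists, so a client matching neither class
  # (wrong MAC, or right MAC with the wrong vendor class) gets no offer.
}
```

The vendor class string is supplied by the client itself, so this is a consistency check rather than authentication, which is the point Patrick makes above; relay-agent option 82 information is tied to the switch port instead and is the stronger input if the goal is to decide where a request is allowed to come from.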

________________________________________
From: Rafal [golem at mtm-info.pl]
Sent: Friday, October 16, 2015 8:42 AM
To: Users of ISC DHCP; Patrick Trapp
Subject: Re: hardware ethernet and option vendor-class-identifier

Hello Patrick,

This is mostly because of security reasons.
Nowadays it is really easy to clone a MAC.
Adding a vendor-class-identifier check will make it harder.

I don't care about changing the IP on the network card after the lease is active,
because each IP will be bound to a different VLAN.

Anyway, is there a chance to make hardware ethernet and option vendor-class-identifier
be checked before DHCP sends the lease?

Friday, October 16, 2015, 3:33:33 PM, you wrote:

> If you are specifying the fixed-address value based on the
> "hardware ethernet", why are you bothering with the class
> identifier? I would just specify that for a given hardware ethernet, assign a specific fixed address.

> Is there some circumstance when you think a given MAC address will qualify for different classes?

> ________________________________________
> From: dhcp-users-bounces at lists.isc.org
> [dhcp-users-bounces at lists.isc.org] on behalf of Rafal [golem at mtm-info.pl]
> Sent: Friday, October 16, 2015 7:32 AM
> To: dhcp-users at lists.isc.org
> Subject: hardware ethernet and option vendor-class-identifier

> Hello Dhcp-users,

> I want to make my DHCP server verify hardware and
> vendor-class-identifier in order to send a reply.

> This is how I expected it :


> (not working example)

> ##########
>  subnet 192.168.30.0 netmask 255.255.255.192 {
>    option routers 192.168.30.1;
>  }

> class "WINDOWS" {
> match if substring(option vendor-class-identifier, 0, 8) = "MSFT";

> }

> class "LINUX" {
> match if substring(option vendor-class-identifier, 0, 8) = "udhcp";

> }

> host windowspc {hardware ethernet 78:01:02:03:04:05; fixed-address
> 192.168.30.2; allow members of "WINDOWS";}
> host linuxpc {hardware ethernet 44:11:02:03:04:05; fixed-address
> 192.168.30.3; allow members of "LINUX";}


> #######
> So when the DHCP server receives a DHCP request, it checks the hardware address and
> then the vendor class identifier. If both match, it sends a reply.

> Allow members needs to be defined inside a pool; however, I need a static
> IP configuration based on DHCP.
> My example doesn't work. Can anyone help me make it work?

> Thanks in advance.


> --
> Best regards,
>  Ozga Rafal                          mailto:golem at mtm-info.pl

> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users



--
Best regards,
Ozga Rafal                          mailto:golem at mtm-info.pl


