Re: Preventing DHCP from allocating IPs

From: jon kintner
Date: 12/09/02

    From: "jon kintner" <>
    To: "Tony Meman" <>, <>
    Date: Mon, 9 Dec 2002 11:10:01 -0800

    I don't know if it's impossible, but isn't sniffing traffic on a switched
    network more difficult?


    ----- Original Message -----
    From: "Tony Meman" <>
    To: <>
    Sent: Saturday, December 07, 2002 3:29 PM
    Subject: Re: Preventing DHCP from allocating IPs

    > Someone could just sniff the traffic, collect some valid MAC addresses
    > and use one of
    > them when some box is down. MAC spoofing is trivial.
    > Regards,
    > --
    > none
    > Hasnain Atique wrote:
    > >My solution was somewhat more elaborate.
    > >
    > >I'd separated the network into sections, each connecting to a "backbone"
    > >of sorts. Each segment is physically separate with a Linux
    > >router/gateway/firewall linking the section to the backbone. Each Linux
    > >knows which MAC addresses are valid within its segment and only allows
    > >those through to the backbone. DHCP within each segment allocates IP addresses
    > >to known MACs only.
    > >
    > >Net result is that unknown MAC addresses firstly don't get a DHCP
    > >allocation, and secondly can't make it outside of the local segment. Even
    > >if a smart user were to pick and choose an unused IP and used the right
    > >address, because of MAC filtering they will be limited to the local
    > >segment.
    > >
    > >The downside is that every single MAC address has to be known before
    > >this is in place (it's easily done with arpwatch), and there will be
    > >gateways to maintain. But depending on your level of paranoia you'll
    > >probably like it.
    > >
    > >Finally, I certainly wouldn't want to automate the process of learning
    > >addresses and updating DHCP allocation accordingly. Defeats the entire
    > >purpose!!
    > >
    > >
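The per-segment scheme Hasnain describes (arpwatch to learn the MACs, dhcpd that refuses unknown clients, a Linux gateway that only forwards known MACs) can be put into concrete config. The script below is an added example and is not code from anyone in this thread. It assumes arpwatch's arp.dat layout (tab-separated MAC, IP, last-seen epoch, optional hostname, with unpadded MAC octets); the sample arp.dat contents, the 192.168.10.0/24 segment, the router address and the interface name eth1 are constructed for illustration. It emits ISC dhcpd `deny unknown-clients` plus `host` stanzas, and iptables FORWARD rules using the real `-m mac --mac-source` match.

```python
"""Build one segment's MAC allowlist from an arpwatch arp.dat dump:
ISC dhcpd host stanzas and iptables rules for the segment gateway.
Added example; arp.dat lines below are constructed, not captured."""
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample in arpwatch's arp.dat layout (assumption: MAC, IP,
# last-seen epoch, optional hostname, tab separated). arpwatch writes
# MAC octets without zero padding, so the parser must normalise them.
SAMPLE_ARP_DAT = """\
0:50:56:ab:1:2\t192.168.10.11\t1039450000\tws11
0:50:56:ab:1:3\t192.168.10.12\t1039450100\tws12
0:50:56:ab:1:4\t192.168.10.13\t1039450200
de:ad:be:ef:0:1\t10.0.0.5\t1039450300\tstray
0:50:56:ab:1:3\t192.168.10.40\t1039450400\tws12
"""

MAC_RE = re.compile(r"^[0-9a-fA-F]{1,2}(:[0-9a-fA-F]{1,2}){5}$")


def normalize_mac(mac):
    """Return a zero-padded, lower-case MAC, or raise ValueError."""
    if not MAC_RE.match(mac):
        raise ValueError("bad MAC: %r" % mac)
    return ":".join("%02x" % int(octet, 16) for octet in mac.split(":"))


def parse_arp_dat(text, cidr):
    """Map each MAC seen inside the segment to its most recently seen
    (ip, hostname). Entries arpwatch saw but the allowlist must not
    include are returned separately with a reason, so nothing is
    dropped silently from a file that becomes a security boundary."""
    segment = IPv4Network(cidr)
    latest, skipped = {}, []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 3:
            continue
        try:
            mac = normalize_mac(fields[0])
            ip = IPv4Address(fields[1])
            seen = int(fields[2])
        except ValueError as err:
            skipped.append((fields[0], fields[1], "unparsable: %s" % err))
            continue
        name = fields[3] if len(fields) > 3 and fields[3] else None
        if ip not in segment:
            skipped.append((mac, str(ip), "outside segment"))
            continue
        # arpwatch keeps history; keep only the latest binding per MAC.
        if mac not in latest or seen > latest[mac][0]:
            latest[mac] = (seen, str(ip), name)
    return {m: (ip, name) for m, (_, ip, name) in latest.items()}, skipped


def host_label(mac, name, used):
    """dhcpd host names must be unique: fall back to the MAC when arpwatch
    recorded no hostname or the name is already taken."""
    label = name or "host-" + mac.replace(":", "")
    if label in used:
        label = "%s-%s" % (label, mac.replace(":", ""))
    used.add(label)
    return label


def dhcpd_conf(hosts, cidr, router):
    """ISC dhcpd fragment: the subnet refuses unknown clients and every
    known MAC is pinned to the address arpwatch last saw it on."""
    segment = IPv4Network(cidr)
    lines = [
        "subnet %s netmask %s {" % (segment.network_address, segment.netmask),
        "  option routers %s;" % router,
        "  deny unknown-clients;",
        "}",
    ]
    used = set()
    for mac in sorted(hosts):
        ip, name = hosts[mac]
        lines.append("host %s { hardware ethernet %s; fixed-address %s; }"
                     % (host_label(mac, name, used), mac, ip))
    return "\n".join(lines) + "\n"


def iptables_rules(hosts, lan_if):
    """Forwarding rules for the segment gateway: accept frames from known
    MACs arriving on the segment interface, drop everything else."""
    rules = ["iptables -A FORWARD -i %s -m mac --mac-source %s -j ACCEPT"
             % (lan_if, mac) for mac in sorted(hosts)]
    rules.append("iptables -A FORWARD -i %s -j DROP" % lan_if)
    return rules


if __name__ == "__main__":
    known, skipped = parse_arp_dat(SAMPLE_ARP_DAT, "192.168.10.0/24")
    print(dhcpd_conf(known, "192.168.10.0/24", "192.168.10.1"))
    print("\n".join(iptables_rules(known, "eth1")))
    for mac, ip, why in skipped:
        print("# skipped %s at %s: %s" % (mac, ip, why))
```

This is a one-off import from arpwatch's file into the gateway, not the continuous re-learning Hasnain says defeats the purpose; once generated, the list should be reviewed and then frozen. The limit Tony points out still applies: both the dhcpd `deny unknown-clients` check and the `--mac-source` rule key on nothing but the MAC, so a host that has sniffed a listed MAC and adopts it while the real box is down passes both filters.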