Re: Setting specific IP address?
From: Michael Pelletier (mjpelletier_at_mjpelletier.com)
Date: Tue, 10 May 2005 19:30:38 -0700
> Winged <Winged@nofollow.com> wrote in
>> Of course you can allow only registered MACs to gain an address and
>> use DHCP. Is it required, probably not, but it can make life easier
>> especially with geographically dispersed networks. Since you also
>> have to register the host to the domain this information can be easily
>> gathered at the same time you are setting certificates and gathering
>> host, license and inventory information within your netinit script.
>> In a large network it is sometimes fun finding that duplicate IP that
>> someone (I won't pick on our help desk personnel) set erroneously.
>> Especially if the subnet is geographically dispersed across several
>> buildings. Usually requires trapping the IP to trace the IP through
>> the switch and identify the wire and cable box the wire is attached
>> to. Information can be gathered through SMS though with groups moving
>> around frequently static IP's can be a hassle. It can be managed, but
>> DHCP can be used relatively securely an reduces the management
>> overhead and the pain in movement. By relying on MAC management,
>> instead of IP management, it can make certain misbehaviors easier to
>> identify. Aliens on the network issues disappear. While for various
>> reasons certain hosts must have IPs reserved we have never had a
>> serious security issue with DHCP, not saying it couldn't happen....
> Every bit helps. However, it is trivial to spoof MACs.
True both MAC and IP spoofing is quite trivial...and quite lethal if you
know what you are doing...
...the long term solution is 802.1x but vendor support has been slow...
-- "Trusted Computing" is a SCAM http://www.gnu.org/philosophy/can-you-trust.html Protect your rights http://www.eff.org/ http://www.publicknowledge.org/