Re: Preventing DHCP from allocating IPs

[Tony Meman <none () superig com br>]

Someone could just sniff the traffic, collect some valid MAC addresses 
and use one of
them when some box is down. MAC spoofing is trivial.

Regards,

--
none

Hasnain Atique wrote:

> My solution was somewhat more elaborate.
>
> I'd separated the network into sections, each connecting to a "backbone" of
> sorts. Each segment is physically separate with a Linux
> router/gateway/firewall linking the section to the backbone. Each Linux box
> knows which MAC addresses are valid within its segment and only allows that
> through to the backbone. DHCP within each segment allocates IP addresses to
> known MACs only.
>
> Net result is that, unknown MAC addresses firstly don't get a DHCP
> allocation, and secondly can't make it outside of the local segment. Even if
> a smart user were to pick and choose an unused IP and used the right gateway
> address, because of MAC filtering they will be limited to the local segment.
>
> The downside is that every single MAC address has to be known before putting
> this in place (it's easily done with arpwatch), and there will be multiple
> gateways to maintain. But depending on your level of paranoia you'll
> probably like it.
>
> Finally, I certainly wouldn't want to automate the process of learning MAC
> addresses and updating DHCP allocation accordingly. Defeats the entire
> purpose!!
>