Re: Preventing DHCP from allocating IPs

["jon kintner" <jon.kintner () lvcm com>]

I don't know if it's impossibe, but isn't sniffing traffic on a switched
network more difficult?

-jon

----- Original Message -----
From: "Tony Meman" <none () superig com br>
To: <security-basics () securityfocus com>
Sent: Saturday, December 07, 2002 3:29 PM
Subject: Re: Preventing DHCP from allocating IPs


> Someone could just sniff the traffic, collect some valid MAC addresses
> and use one of
> them when some box is down. MAC spoofing is trivial.
>
> Regards,
>
> --
> none
>
> Hasnain Atique wrote:
>
> > My solution was somewhat more elaborate.
> >
> > I'd separated the network into sections, each connecting to a "backbone"
of
> > sorts. Each segment is physically separate with a Linux
> > router/gateway/firewall linking the section to the backbone. Each Linux
box
> > knows which MAC addresses are valid within its segment and only allows
that
> > through to the backbone. DHCP within each segment allocates IP addresses
to
> > known MACs only.
> >
> > Net result is that, unknown MAC addresses firstly don't get a DHCP
> > allocation, and secondly can't make it outside of the local segment. Even
if
> > a smart user were to pick and choose an unused IP and used the right
gateway
> > address, because of MAC filtering they will be limited to the local
segment.
> > The downside is that every single MAC address has to be known before
putting
> > this in place (it's easily done with arpwatch), and there will be
multiple
> > gateways to maintain. But depending on your level of paranoia you'll
> > probably like it.
> >
> > Finally, I certainly wouldn't want to automate the process of learning
MAC
> > addresses and updating DHCP allocation accordingly. Defeats the entire
> > purpose!!