Re: DHCP and Security

[r4sc4l () HUSHMAIL COM (r4sc4l () HUSHMAIL COM)]

DHCP discover packets typically contain the last known IP address
of the client for the given interface being used to broadcast the
request.    If this IP address is still available, the server will try
to re-use it, (assuming an rfc compliant implementation.)  This is both
a security feature and a security problem, depending on how you look
at it.

A proper server implementation will also let you specify the bind
retention time for the address after the lease expires, to ensure an
IP is still available when a user returns from travelling in a week or two.

This process, coupled with lease durations set to a few
days instead of a few hours,  provides a fairly reliable mapping
and keeps the addresses fairly constant even for frequent travellers.
Still, you don't want to use dhcp for servers where high availability
is a requirement.

Kiddies: for a really fun and interesting exercise, set your bind and lease
durations to less than the time it takes to do the spanning tree calculation
on your ethernet switch.

rascal

IMPORTANT NOTICE:  If you are not using HushMail, this message could have been read easily by the many people who have 
access to your open personal email messages.
Get your FREE, totally secure email address at http://www.hushmail.com.