Periodic assignment of unique IP address

Siraj Shaikh siraj.shaikh at gmail.com
Thu Nov 29 22:32:26 UTC 2007


On 29/11/2007, Simon Hobson <dhcp1 at thehobsons.co.uk> wrote:
> Siraj Shaikh wrote:
>
> >I wonder if there is a condition which allows us to check whether
> >there are any current/existing TCP connections open on the client -
> >before renewing the lease?
>
> Well you could write a program to check what ports are open, but what
> do you do if there is an open connection ? How long do you wait
> before closing it ?
>
> > > > 2) Following up from the above, is there any way of assigning a random
> > > > lease to a particular user class? Random in the sense that I would
> > > > like to pass a range (upper and lower limits) of lease, and then let
> > > > the DHCP Server assign a number in between randomly?
> > >
> > > You mean, allocate a range of addresses for a class of client, and
> > > then the addresses are dynamically allocated from that range ? This
> > > is the default and is done like :
> > >
> > > subnet ....
> > >    ....
> > >    pool {
> > >      range a.b.c.10 a.b.c.29 ;
> > >      allow members of "class1" ;
> > >    }
> > > }
> > >
> >
> > Sorry, my original question was I think ambiguous. What I meant was the
> > range of lease time, that is to say, if I assign a range of 5 minutes
> > to 3 days, I would like the server to assign a lease for anytime
> > between 5 mins and 3 days - and let it choose it randomly.
>
> No, there isn't any facility for that - not in the server anyway. The
> best you could do is set the server to allow lease times of the range
> you want (min, max, and default lease times) and get the client to
> request different times. Or you simply tell the client to renew at a
> random time.

This is a good point, we can simply let the clients request
renewal at random intervals.

> > > > 3) My main question: how do I configure a DHCP client that allows it
> > > > to be assigned a unique IP address every time it renews its lease? Is
> > > > it possible to configure the DHCP Server such that it assigns a
> > > > particular class of clients (or just particular clients; manually
> > > > assigned) a unique (different to prior) IP address every time their
> > > > lease is renewed? I am interested to know the answer to both
> > > > questions, as in from the configuration of a dhcp client and a dhcp
> > > > server.
> > >
> > > For both the server and client, this is specifically against the
> > > requirements of the RFCs which are quite clear that the client should
> > > retain its address when it renews. Changing a client's address is bad
> > > news - it breaks all its connections and causes all sorts of grief !
> > >
> > > What is the reason for wanting the client address to change ?
> >
> >I should have explained this earlier. As part of my research, I am
> >exploring various aspects of deploying a 'network security monitoring'
> >sensor on a network segment. The reason for acquiring a unique IP
> >address (at every renewal) for this, is to attempt to 'hide' the
> >sensor so that it does not stay on a particular IP for a longer time
> >(as this may allow an intruder to identify the sensor). The need to
> >assign an IP arises because we do want to be able to access some
> >services on the machine as well.
> >
> >May I just add here, we are not interested in assigning a particular
> >unique IP address (at every renewal) - just whatever is available from
> >the pool (which we will set accordingly of course).
>
> Change the client-id when you want a new address - the server will
> then identify it as a new client and give it a different address.
> This is because the client-id is the primary database key, the mac
> address is only used if the client-id is not present.

Thank you for this clarification: I think this solves it. The only
thing we will need to do then is come up with a list/range of
client-ids which can then be mapped onto different IP addresses.

> >Another option would be to have a client utility that reassigns the IP
> >address of the client (it is running on) and perhaps chooses it from a
> >range. Is anyone aware of such an existing utility?
>
> No, but it shouldn't take much to knock up a script to do it.

Yes, following your responses, I will certainly give this a try. I
think it would be better for us to consider some client-side
scripts/configuration to avoid changing too many things at the server
end.

May I just thank everyone who has responded so far. Your comments are helpful.

We are considering various approaches for security monitoring for very
large scale networks, where sensors could be deployed at various
points/segments. But we want to make as much use as possible of existing
network services (such as DHCP, DNS, NAT, routing etc) to help design
effective/dynamic monitoring for large networks.

With regards to DHCP, we would certainly benefit from using existing
DHCP servers, changing the configuration slightly, but doing more on
the client side, as it makes sense to disrupt as few existing
services/nodes as possible. The one other thing that came to my mind was
operating another DHCP server, and dividing the address pool between
servers - but that will be more expensive. Tinkering with monitoring
nodes/clients is the way ahead.

Once again thank you, and if there are any thoughts/comments, please
feel free to email me directly or put them on the list.
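The client-id rotation Simon suggests, combined with the open-connection check and the random renewal interval discussed earlier in the thread, as an added example script that is not part of the original exchange. It assumes a Linux sensor running ISC dhclient on interface eth0 and the iproute2 `ss` tool; the config path, interface name and the 5-minute to 3-day delay bounds are assumptions.

```shell
#!/bin/sh
# Rotate a sensor's DHCP lease by changing its client-id, since the server
# keys leases on the client-id rather than the MAC address. Assumptions:
# Linux, ISC dhclient, iproute2 'ss', interface name in IFACE.
IFACE="${IFACE:-eth0}"
CONF="${CONF:-/etc/dhclient-rotate.conf}"

# Number of ESTABLISHED TCP sockets in a block of 'ss -tn' output. Renewing
# under a new address would tear these down, which is the objection raised
# in the thread, so the rotation is skipped while any exist.
count_established() {
    printf '%s\n' "$1" | grep -c '^ESTAB' || true
}

# Fresh client identifier: type byte 0x00 (not a hardware address) followed
# by 8 random bytes, in the colon-separated hex form dhclient.conf accepts.
new_client_id() {
    od -An -N8 -tx1 /dev/urandom | tr -s ' ' ':' | sed 's/^:/00:/'
}

# Delay uniformly chosen between $1 and $2 seconds, so renewals happen at
# a random time within the lease-time range the server is willing to grant.
random_delay() {
    r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    echo $(( $1 + r % ($2 - $1 + 1) ))
}

# Write the dhclient config that makes the client send the new identifier.
write_conf() {
    printf 'send dhcp-client-identifier %s;\n' "$1" > "$CONF"
}

# One rotation: refuse if sessions are open, otherwise release the lease and
# request a new one under the new client-id.
rotate_address() {
    if [ "$(count_established "$(ss -tn)")" -ne 0 ]; then
        echo "established TCP sessions present, not rotating" >&2
        return 1
    fi
    write_conf "$(new_client_id)"
    dhclient -r "$IFACE"                # release the current lease
    dhclient -cf "$CONF" "$IFACE"       # re-request with the new client-id
}

if [ "${1:-}" = "--run" ]; then
    sleep "$(random_delay 300 259200)"  # 5 minutes to 3 days, as in the thread
    rotate_address
fi
```

Run it from cron or a loop with `--run`; each pass waits a random interval, then rotates only if the sensor has no established TCP sessions at that moment.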
