DHCP Authentication
Marco Amadori
amadorim at vdavda.com
Tue Jul 1 13:55:09 UTC 2008
On Tuesday 01 July 2008, 13:27:21, Simon Hobson wrote:
> Anders Rosendal wrote:
> >If the network owner starts to implement features like dhcp-snooping
> >with "ip source guard" and "ip arp inspection" in the switches to
> >achieve much greater security in the network your solution with dhcp
> >on non default ports will probably fail totally. This since
> >dhcp-snooping in the switches probably won't recognize your modified
> >dhcp communication.
>
> Which brings up another point I'd missed. If you run DHCP on
> non-standard ports then you'll also need to run DHCP relay agents on
> non standard ports as well. This will effectively require an
> additional box on each subnet in this case to run the relay agent
> since the OP doesn't have administrative access to the routers.
Yes, this could be a big problem in changing the default port; this is one
of the reasons I asked about authentication and DHCP on this list.
If the foreign switches will cut our non standard DHCP traffic we need other
ideas to identify servers.
Could dhclient, with a custom option like "dhcp-server-identifier" specified on
the server, distinguish between DHCP offers? It should, if I understood
the manpages well.
--
ESC:wq
More information about the dhcp-users
mailing list