dhcp-users Digest, Vol 42, Issue 29

sthaug at nethelp.no sthaug at nethelp.no
Sat Apr 21 13:42:04 UTC 2012


> I am trying to tune a general purpose router (OpenWRT), which provides
> WAN access to VLANs.
> 
> From the point of view of a router, the ISP's DHCP server cannot be fully trusted.
> 
> If those servers get compromised, they may assign some non-routable IP 
> to the WAN interface, and my route table may be "polluted" by those IPs.

If you don't trust the server you shouldn't run a DHCP service on the
server.

DHCPv4 is by nature a service which depends on the DHCP server and
the router (usually DHCP relay agent) trusting each other. DHCPv6 is
slightly different in that the DHCP server cannot assign a default
gateway, it has to come from RA. However, it is still the case that
a compromised server can do a lot of damage.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
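
The concern in the quoted question (a lease that puts non-routable or overlapping prefixes into the router's table) can be tested before a lease is applied. The following Python is an added example, not part of the original message or of any DHCP client; `check_lease`, the block list and the VLAN prefixes are assumptions, and 203.0.113.0/24 (a documentation range) stands in for a public address.

```python
import ipaddress

# Policy assumption: blocks this router refuses on its WAN side. Adjust for
# the ISP (some legitimately hand out 10.0.0.0/8 or other private space).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def check_lease(address, netmask, router, lan_networks=()):
    """Return reasons to reject a DHCPv4 lease; an empty list means accept."""
    try:
        wan = ipaddress.IPv4Interface(f"{address}/{netmask}")
        gateway = ipaddress.IPv4Address(router)
    except ValueError as exc:  # bad address, non-contiguous netmask, ...
        return [f"malformed lease field: {exc}"]

    problems = []
    for block in NON_ROUTABLE:
        if wan.ip in block:
            problems.append(f"address {wan.ip} is inside {block}")
        if gateway in block:
            problems.append(f"router {gateway} is inside {block}")

    # A default gateway outside the offered subnet cannot be reached on-link.
    if gateway not in wan.network:
        problems.append(f"router {gateway} is not on {wan.network}")

    # The connected route for the WAN subnet must not shadow an internal VLAN.
    for lan in map(ipaddress.ip_network, lan_networks):
        if wan.network.overlaps(lan):
            problems.append(f"offered {wan.network} overlaps LAN {lan}")
    return problems


if __name__ == "__main__":
    vlans = ["192.168.10.0/24", "192.168.20.0/24"]  # constructed VLAN prefixes
    # Constructed leases: one acceptable, one that collides with a VLAN.
    for lease in (("203.0.113.10", "255.255.255.0", "203.0.113.1"),
                  ("192.168.10.50", "255.255.255.0", "192.168.10.1")):
        print(lease, "->", check_lease(*lease, lan_networks=vlans) or "accept")
```

A check like this only limits what a lease can do to the local routing table; as the reply notes, the client still depends on the server for everything else the lease carries.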

