enquiry on validation of dhcp offered address

Gerald Vogt vogt at spamcop.net
Wed Apr 25 04:39:37 UTC 2012


On 25.04.12 02:05, ching wrote:
> Current scripts seem to do no validation at all. They "trust" everything
> from DHCP.

That's the design of DHCP. There is no authentication of the server or
the client.

> I have several ideas in mind: 1. dhcp validation on dhclient - reject
> ipv4 class A,B,C private addresses and ipv6 ULA prefix - I think it
> is the most "clean" way

That breaks DHCP. If you implement that you have to do it yourself. DHCP
has no requirement on the client to be able to filter something. And for
instance for all mobile clients you don't want that anyway because there
are a lot of networks out there with private addresses.

> 2. validation on network config scripts - reject ipv4 class A,B,C
> private addresses and ipv6 ULA prefix - it is quite hard for me, I do
> not know how to manipulate ipv4 subnet and ipv6 prefix in shell
> script

Again this goes beyond standard implementations of DHCP clients. You
have to write that script yourself and make sure it works the way you
intend it to.

> 3. hard code the topology of internal LAN into a static route table -
> the quick and dirty trick

That's one way.

Another way:

set up firewalls on all clients to filter DHCP requests except from/to
the MAC addresses of your own DHCP servers.

Another solution would be in the switches: get managed switches (unless
you have them already) and filter DHCP requests on all switch ports except
the server ports. Filter DHCP, DHCPv6 and ICMPv6 RA (router
announcements). I think that's the best solution as it doesn't require
any changes on the client or the server.

> if dhcp validation on dhclient is not possible, I will try to hard
> code route table.
> 
> So back to my question, can dhclient validate offered address at
> all?

man dhclient-script

From dhclient.conf: "The script statement is used to specify the
pathname of the dhcp client configuration script. This script is used by
the dhcp client to set each interface’s initial configuration prior to
requesting an address, to test the address once it has been offered, and
to set the interface’s final configuration once a lease has been
acquired. If no lease is acquired, the script is used to test predefined
leases, if any, and also called once if no valid lease can be
identified. For more information, see dhclient-script(8)."

Gerald
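As an added illustration (example code written for this page, not from the thread or from ISC's own dhclient-script), here is the shell-side address check ching asked about in item 2, in POSIX sh so it can be sourced from a dhclient-script hook file on distributions whose dhclient-script supports hooks: it tests an offered IPv4 address against the RFC 1918 ranges and an offered IPv6 address against the ULA prefix fc00::/7, using the $reason, $new_ip_address and $new_ip6_address variables dhclient exports to the script. It assumes, which the thread does not state and which you should verify against your dhclient-script(8), that a nonzero exit from the script on BOUND/RENEW/REBIND/REBOOT makes dhclient decline the lease instead of configuring the interface.

```shell
#!/bin/sh
# Convert a dotted-quad IPv4 address to an integer (POSIX sh arithmetic only).
ipv4_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr4 ADDRESS NETWORK PREFIXLEN: succeeds when ADDRESS lies in NETWORK/PREFIXLEN.
in_cidr4() {
    addr=$(ipv4_to_int "$1"); net=$(ipv4_to_int "$2")
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# offered_address_is_private v4|v6 ADDRESS: succeeds for the RFC 1918 IPv4 ranges
# (10/8, 172.16/12, 192.168/16) and for IPv6 ULA (fc00::/7, i.e. fcxx: or fdxx:).
offered_address_is_private() {
    case $1 in
        v4) in_cidr4 "$2" 10.0.0.0 8 || in_cidr4 "$2" 172.16.0.0 12 ||
            in_cidr4 "$2" 192.168.0.0 16 ;;
        v6) case $2 in
                [Ff][CcDd][0-9A-Fa-f][0-9A-Fa-f]:*) return 0 ;;
                *) return 1 ;;
            esac ;;
        *)  return 1 ;;
    esac
}

# Hook body for dhclient-script, using the variables dhclient exports to the
# script ($reason, $new_ip_address, $new_ip6_address). ASSUMPTION: a nonzero
# exit from the script on BOUND/RENEW/REBIND/REBOOT makes dhclient decline the
# lease rather than configure the interface; check dhclient-script(8) first.
check_offered_lease() {
    case $reason in
        BOUND|RENEW|REBIND|REBOOT)
            if [ -n "$new_ip_address" ] &&
               offered_address_is_private v4 "$new_ip_address"; then
                echo "rejecting private IPv4 lease $new_ip_address" >&2
                return 1
            fi ;;
        BOUND6|RENEW6|REBIND6)
            if [ -n "$new_ip6_address" ] &&
               offered_address_is_private v6 "$new_ip6_address"; then
                echo "rejecting ULA IPv6 lease $new_ip6_address" >&2
                return 1
            fi ;;
    esac
    return 0
}
```

In a real hook you would log the rejection with logger(1) instead of echo, and a declined lease only keeps the rogue address off the interface; it does not stop the client from asking again, so the switch-side filtering Gerald describes is still the stronger control.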

