Preventing from assign fixed address based on class

Peter Rathlev peter at rathlev.dk
Thu Jun 27 19:34:36 UTC 2013


On Thu, 2013-06-20 at 13:21 +0200, Paweł Warowny wrote:
...
> host modem1
> {
>        hardware ethernet 22:22:22:22:22:22;
>        fixed-address 10.1.10.1;
> }
> 
> I can catch only modems easily this way:
>  
> class "cablemodem" {
>         match if substring(option vendor-class-identifier,0,6) = "docsis";
> }
> 
> The problem is, that if some customer assigns for his host some other
> customer's  modem MAC address - he will get this address assigned for
> his host. Is there a way to prevent such behaviour?
> 
> I thought about:
>  
> allow members of "cablemodem";
>  
> statement inside host declaration, but it looks, like this is only
> valid inside pool declaration.
> 
> Is there any other way to achieve it?

The client can spoof a vendor-class-identifier along with the MAC
address so security still isn't perfect even with that selection. The
modem and CMTS could theoretically enforce something using option 82.

You might achieve what you describe though, but using a compound class
match statement:

class "modem1" {
  match if hardware = 01:11:11:11:11:11:11 and substring(option vendor-class-identifier,0,6) = "docsis";
}
class "modem2" {
  match if hardware = 01:22:22:22:22:22:22 and substring(option vendor-class-identifier,0,6) = "docsis";
}
subnet 192.168.10.0 netmask 255.255.255.0 {
  # general options
  pool {
    range 192.168.10.50;
    allow members of "modem1";
  }
  pool {
    range 192.168.10.51;
    allow members of "modem2";
  }
  ...
}

Word on the street is that this doesn't scale; if you have more than a
few hundred clients you probably need to rethink this.

You could take a look at this:

http://www.miquels.cistron.nl/isc-dhcpd/

-- 
Peter
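As an added example, not code from Peter's reply, the questioner, or the ISC project: a small Python script that converts `host` declarations written in the questioner's format into the compound-class plus single-address-pool layout described in the reply. Each modem gets a class that matches on both the chaddr and the DOCSIS vendor-class-identifier, and a pool that only admits that class, so a cloned MAC without the matching vendor class no longer receives the modem's address. The function names, the regex, the second sample host and the 10.1.10.0/24 subnet are the example's own assumptions. It also makes explicit why the match strings in the reply have seven octets: dhcpd's `hardware` expression is the hardware-type byte (01 for ethernet) followed by the MAC.

```python
"""Generate per-modem classes and single-address pools for ISC dhcpd.

Example code (not from the mailing-list thread or the ISC project).
Converts `host` declarations of the form used in the question
(hardware ethernet + fixed-address) into per-modem classes that match
on both the chaddr and the vendor-class-identifier, plus one pool per
modem that only admits that class.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample input in the questioner's format; modem2 is made up.
SAMPLE_HOSTS = """
host modem1
{
       hardware ethernet 22:22:22:22:22:22;
       fixed-address 10.1.10.1;
}
host modem2 { hardware ethernet 33:33:33:33:33:33; fixed-address 10.1.10.2; }
"""

# Assumes the two statements appear in this order, as in the question.
HOST_RE = re.compile(
    r"host\s+(?P<name>[\w.-]+)\s*\{\s*"
    r"hardware\s+ethernet\s+(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s*;\s*"
    r"fixed-address\s+(?P<ip>[0-9.]+)\s*;\s*\}"
)


def parse_hosts(text):
    """Return a list of (name, mac, ip) tuples from host declarations."""
    hosts = []
    for m in HOST_RE.finditer(text):
        ip_address(m.group("ip"))  # raises ValueError on a malformed address
        hosts.append((m.group("name"), m.group("mac").lower(), m.group("ip")))
    return hosts


def hardware_expr(mac):
    """dhcpd's `hardware` operand is the hardware-type byte followed by the
    chaddr; 01 is ethernet, so aa:bb:cc:dd:ee:ff becomes 01:aa:bb:cc:dd:ee:ff."""
    return "01:" + mac.lower()


def render_config(hosts, subnet, vendor_prefix="docsis"):
    """Emit the class and pool declarations for `hosts` inside `subnet`.

    Every fixed address must lie inside the subnet, otherwise dhcpd would
    refuse the pool, so that is checked before anything is written.
    """
    net = ip_network(subnet)
    for name, _mac, ip in hosts:
        if ip_address(ip) not in net:
            raise ValueError(f"{name}: {ip} is not inside {subnet}")

    out = []
    for name, mac, _ip in hosts:
        out.append(f'class "{name}" {{')
        out.append(
            f"  match if hardware = {hardware_expr(mac)} and "
            f"substring(option vendor-class-identifier,0,{len(vendor_prefix)})"
            f' = "{vendor_prefix}";'
        )
        out.append("}")

    out.append(f"subnet {net.network_address} netmask {net.netmask} {{")
    for name, _mac, ip in hosts:
        out.append("  pool {")
        out.append(f"    range {ip};")          # single-address range
        out.append(f'    allow members of "{name}";')
        out.append("  }")
    out.append("}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_config(parse_hosts(SAMPLE_HOSTS), "10.1.10.0/24"))
```

The generated file still has the scaling property Peter mentions: dhcpd evaluates every class expression for every request, so with many hundreds of modems the per-request cost grows linearly, and the script does nothing to change that.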