secure dhcp

Carl Karsten carl at personnelware.com
Wed Apr 26 05:29:46 UTC 2006


David W. Hankins wrote:
> On Tue, Apr 25, 2006 at 12:27:58AM -0500, Carl Karsten wrote:
>> The gPXE group is talking about wireless PXE booting and how to authenticate the 
>> bootfile.  I am thinking the best thing to do is make sure the DHCP Offer is 
>> trusted and secure - that way a private key can be included and used to verify 
>> the boot file.
>>
>> I found this http://www.dhcp.org/9806-minutes.html and was wondering how much 
>> further it got.
> 
> I'm not aware of any implementations, but it got as far as RFC 3118.  A
> quick read through that will leave you with the reasons behind Ted's
> cryptic missive about impossibility.  I think it's more like
> improbability: pre-configuring a shared key (or even a trusted public
> key) on all your DHCP clients is fairly improbable, but not impossible.
> 
> There's also RFC 4030 for relay agents to authenticate themselves with
> their DHCP servers and vice versa, which isn't interesting unless you
> don't care about incursions on the local wire.
> 
> Also, I'm not aware of any implementations there either.
> 
>> And now for a long shot: Does IPv6 address this?
> 
> Not really, no.

Thanks - I kinda figured that this would either be "yes, of course, it was done 
years ago" or "no way".

I did just find this: http://wiki.etherboot.org/pmwiki.php/Main/SafeBootMode


> 
> 
> Got a URL for gPXE?
> 

gPXE is the next etherboot - about the only evidence I could find:
http://cvs.sourceforge.net/viewcvs.py/etherboot/etherboot/gpxe-0.5/

Carl K
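
Added example, not part of the original thread and not taken from any DHCP implementation: a minimal Python model of the RFC 3118 delayed-authentication option (option 90, HMAC-MD5) discussed above, showing that a client can only check an OFFER if the key is already configured on it. The key, secret ID, replay values and the sample OFFER are constructed; the relay agent information option, which RFC 3118 also excludes from the MAC, is not handled.

```python
import hashlib, hmac, struct
OPT_AUTH, MAC_LEN = 90, 16        # RFC 3118 option code; HMAC-MD5 digest size
HDR = struct.Struct("!BBBQI")     # protocol, algorithm, RDM, replay value, secret ID

def sample_offer(hops=0, giaddr=bytes(4)) -> bytes:
    """Constructed DHCPOFFER: 236-byte header, magic cookie, option 53 = OFFER."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, hops, 0x1234, 0, 0,
                      bytes(4), bytes([192, 0, 2, 10]), bytes(4), giaddr,
                      bytes.fromhex("020000000001"), b"", b"boot.img")
    return hdr + bytes.fromhex("63825363") + b"\x35\x01\x02"

def _canonical(msg: bytes, mac_off: int) -> bytes:
    """MAC input: relay-mutable hops and giaddr, and the MAC field, zeroed."""
    m = bytearray(msg)
    m[3] = 0
    m[24:28] = bytes(4)
    m[mac_off:mac_off + MAC_LEN] = bytes(MAC_LEN)
    return bytes(m)

def _find_auth(msg: bytes) -> int:
    """Offset of option 90's data, or -1 if absent or malformed."""
    i = 240                                     # options start after the cookie
    while i + 1 < len(msg) and msg[i] != 255:   # 255 = end option
        if msg[i] == OPT_AUTH:
            ok = msg[i + 1] == HDR.size + MAC_LEN and i + 2 + msg[i + 1] <= len(msg)
            return i + 2 if ok else -1
        i += 1 if msg[i] == 0 else 2 + msg[i + 1]   # pad option has no length byte
    return -1

def sign(msg: bytes, key: bytes, secret_id: int, replay: int) -> bytes:
    """Server side: append option 90 and the end option, then fill in the MAC."""
    body = HDR.pack(1, 1, 0, replay, secret_id) + bytes(MAC_LEN)
    off = len(msg) + 2 + HDR.size
    out = msg + bytes([OPT_AUTH, len(body)]) + body + b"\xff"
    mac = hmac.new(key, _canonical(out, off), hashlib.md5).digest()
    return out[:off] + mac + out[off + MAC_LEN:]

def verify(msg: bytes, keys: dict, last_replay: int) -> bool:
    """Client side: accept only a fresh message MACed with a pre-configured key."""
    data = _find_auth(msg)
    if data < 0:
        return False
    proto, alg, rdm, replay, secret_id = HDR.unpack_from(msg, data)
    key = keys.get(secret_id)
    if (proto, alg, rdm) != (1, 1, 0) or key is None or replay <= last_replay:
        return False
    off = data + HDR.size
    want = hmac.new(key, _canonical(msg, off), hashlib.md5).digest()
    return hmac.compare_digest(want, msg[off:off + MAC_LEN])
```

A client whose `keys` table lacks the server's secret ID rejects every OFFER, which is the provisioning problem the reply above describes.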



More information about the dhcp-users mailing list