How can I forbid access to customer that force their IP to static ...

Alex Moen alexm at ndtel.com
Sat Jul 7 12:58:05 UTC 2007


> -----Original Message-----
> From: dhcp-users-bounce at isc.org 
> [mailto:dhcp-users-bounce at isc.org] On Behalf Of Mark Huth
> Sent: Friday, July 06, 2007 7:25 PM
> To: dhcp-users at isc.org
> Subject: Re: How can I forbid access to customer that force 
> their IP to static ...
> 
> 
> I don't see how you can use DNS to enforce something on a node that 
> doesn't use DNS - seems futile.  There are security devices that will 
> monitor and interfere with packets from bad boys, but it gets 
> interesting to use them with learning bridges (switches).  You can also 
> do it with layer 3 switching.
> 
> Mark Huth
> Sébastien CRAMATTE wrote:
> > seems that  deny client-updates is related only dynamic dns updates 
> > ... I  don't search for this ...
> >
> > I mean that our users sometimes open their windows network properties 
> > and cut/paste from  a simple "C:\>ipconfig /all"  output ...
> >
> >
> >
> > Migneron Richard escribió:
> >   
> >>
> >> I think you want :  deny client-updates;  (or ignore) !
> >>
> >> There's a lot more right in the man page !  Either dhcpd.conf or
> >> dhcp-options   you'll manage to read them about 20 times until you
> >> have your configuration setup completely !
> >>
> >> Cheers,
> >>
> >> Richard
> >> _______________________________________________
> >> Richard Migneron
> >> @ : richard at migneron.com
> >> Tél. : +33.(0)1.45.45.13.92 - Fbox: +33.(0)9.50.70.23.92 - Fax: 
> >> +33.
> >>
> >>
> >> On 7 juil. 07, at 00:44, Sébastien CRAMATTE wrote:
> >>
> >>   
> >>     
> >>> Hello,
> >>>
> >>> How can I forbid access to customer that force their IP to static 
> >>> ... Some customers change their windows property and force the IP as 
> >>> be a static one ...
> >>>
> >>> I would like to prevent this ...
> >>> Does it exists a feature inside dhcpd to do this ?
> >>>
> >>> Regards


Sébastien,

This really is not a function of DHCPd.  Really, DHCPd is just a service
that is being provided, such as a web, mail, or DNS server, and not a
traffic control or network management system.

To answer your question, it really depends on your environment.  You mention
"customer", and the website associated with your e-mail domain tends to make
me believe that you are an ISP/telecom provider.  In this case, look to your
access devices (DSLAM, wireless, etc) for the ability to prevent access
without first obtaining a DHCP lease.  Don't know what you are using (or if
I am even close to your situation here), but Paradyne and Allied Telesis
equipment (the brands we use) both have features for this.  I haven't dug
really deeply into this, but I would tend to believe that IDS/IPS devices
could also be used to monitor and control the access for a rogue customer.

If I am way off here, I apologize.  The important thing to remember is my
first paragraph: DHCPd only assigns and tracks IP addresses within the rules
that you provide, nothing else.  DHCPd does what it does very well, and has
lots of power and versatility, but it is not meant to do anything but that.

Just my $.02...

Alex
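
The reply above notes that dhcpd only assigns and tracks addresses and that enforcement belongs on the access devices. As an added example (not part of the original thread or of ISC's code), the lease tracking can still be used for detection: the sketch below compares addresses seen on the network with the active leases in a `dhcpd.leases` file. The sample lease text, the observed pairs and the function names are constructed for illustration.

```python
import re
from datetime import datetime
# Constructed sample in ISC dhcpd.leases syntax (not data from the thread).
SAMPLE_LEASES = """
lease 10.0.0.10 {
  ends 6 2007/07/07 13:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.0.0.11 {
  ends 6 2007/07/07 10:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
"""
# Constructed (ip, mac) pairs as an ARP table or switch might report them.
OBSERVED = [
    ("10.0.0.10", "00:11:22:33:44:55"),  # matches its lease
    ("10.0.0.10", "00:AA:BB:CC:DD:EE"),  # leased address, different MAC
    ("10.0.0.11", "00:11:22:33:44:66"),  # lease released, address still used
    ("10.0.0.50", "00:11:22:33:44:77"),  # address never leased
]
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)  # flat blocks only

def active_leases(text, now):
    """Return {ip: mac} for leases that are active and unexpired at `now` (UTC)."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        state = re.search(r"^\s*binding state (\w+);", body, re.M)
        ends = re.search(r"^\s*ends \d (\S+ \S+);", body, re.M)  # "ends never;" skips
        mac = re.search(r"hardware ethernet ([0-9a-fA-F:]+);", body)
        live = bool(state and mac and state.group(1) == "active")
        if live and ends:
            live = datetime.strptime(ends.group(1), "%Y/%m/%d %H:%M:%S") > now
        leases.pop(ip, None)  # a later entry for an IP supersedes earlier ones
        if live:
            leases[ip] = mac.group(1).lower()
    return leases

def find_unleased(observed, leases):
    """Flag observed (ip, mac) pairs that have no matching active lease."""
    findings = []
    for ip, mac in observed:
        holder = leases.get(ip)
        if holder is None:
            findings.append((ip, mac.lower(), "no active lease"))
        elif holder != mac.lower():
            findings.append((ip, mac.lower(), "lease held by " + holder))
    return findings
```

Hosts with fixed-address declarations in dhcpd.conf do not appear in the leases file, so they would need to be added to the allowed set before acting on the findings.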


