enquiry on validation of dhcp offered address
Simon Hobson
dhcp1 at thehobsons.co.uk
Tue Apr 24 13:34:22 UTC 2012
ching wrote:
>if the internal server's IP is 192.168.2.2/255.255.255.0 and the invalid
>WAN address is 192.168.2.1/255.255.255.128
>
>if the firewall is not blocking, then a faked server may be waiting at
>the WAN interface, ready to receive confidential information.
>if the firewall is blocking, then the real server may have downtime
>(all 192.168.2.2 traffic is routed to the WAN interface and then
>dropped), resulting in a denial of service.
Err, no - or rather, it depends.
If there is only the one subnet internal to your network, then
traffic WITHIN THAT NETWORK will not be routed outside of the
gateway. It will be local traffic, will not need the use of a router, and
so will never need to go through the gateway at all.
No internal device will have traffic routed to the external device.
Only traffic originating within the gateway device itself will be
routed externally.
You are correct however that if you have multiple subnets, AND
traffic between subnets is routed via the same router that provides
your external connectivity, then traffic from internal subnets
**other than 192.168.1.0/24** to 192.168.1.0/25 would get incorrectly
routed externally.
Some simple egress filtering rules (it's generally considered good
practice to drop RFC1918 traffic on your external interface anyway)
will prevent information leakage. But you are correct that it will
cause a loss of access to certain internal devices to certain other
devices depending on your internal network setup. You could of course
minimise the issue by adding host routes to your gateway - these /32
routes would take precedence over any practical external route.
You would however, no matter what you do, lose all external
connectivity unless the miscreant also took care of providing a NAT
gateway to a real IP address. If someone has that level of skill, and
the level of access to your ISP's network to do that, then you do have
bigger issues to worry about.
I see your point, but I have to question whether it's a significant
risk. You may want to look at the script used by the DHCP client to
configure the system - though from memory I'm not sure whether it is
called at the right times for the checks you want to do.
--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
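The check ching asked about, and the routing consequence Simon describes, worked through as an added example; this is not code from the thread or from the ISC DHCP client. It takes an offered address and netmask, flags an on-link subnet that overlaps an internal subnet (or sits in RFC 1918 space), and then runs a longest-prefix-match lookup over a constructed gateway route table to show why hosts in the overlapping half of 192.168.2.0/24 would leave via the WAN interface, and why a /32 host route wins over the offered /25. The subnets, interface names (lan0, lan1, wan0) and the route table are assumptions made for the illustration.

```python
import ipaddress

# Constructed scenario from the thread: two internal subnets behind one gateway,
# and a WAN offer of 192.168.2.1/255.255.255.128 that overlaps the second.
INTERNAL_SUBNETS = {
    "lan0": ipaddress.ip_network("192.168.1.0/24"),
    "lan1": ipaddress.ip_network("192.168.2.0/24"),
}

# RFC 1918 private space; seeing it in a WAN offer is worth at least a warning.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def offered_network(address, netmask):
    """On-link network implied by a DHCP offer given as address + dotted netmask."""
    return ipaddress.ip_interface(f"{address}/{netmask}").network


def check_offer(address, netmask, internal=INTERNAL_SUBNETS):
    """Return a list of reasons to distrust a WAN offer; an empty list means accept.

    An offer whose on-link subnet overlaps an internal subnet would make the
    gateway send traffic for (part of) that internal subnet out of the WAN side.
    """
    net = offered_network(address, netmask)
    problems = []
    for ifname, inner in internal.items():
        if net.overlaps(inner):
            problems.append(f"offered {net} overlaps internal {inner} on {ifname}")
    if any(net.subnet_of(private) for private in RFC1918):
        problems.append(f"offered {net} lies in RFC 1918 space")
    return problems


def gateway_routes(offer_net, host_routes=()):
    """Constructed route table of the gateway once it has accepted offer_net on wan0.

    host_routes are (address, interface) pairs installed as /32 routes, the
    workaround suggested in the reply above (assumed interface names).
    """
    routes = [(net, ifname) for ifname, net in INTERNAL_SUBNETS.items()]
    routes.append((offer_net, "wan0"))
    routes.append((ipaddress.ip_network("0.0.0.0/0"), "wan0"))
    for addr, ifname in host_routes:
        routes.append((ipaddress.ip_network(f"{addr}/32"), ifname))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match: the interface a packet to dst leaves the gateway on."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, ifname in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


if __name__ == "__main__":
    bad = offered_network("192.168.2.1", "255.255.255.128")   # 192.168.2.0/25
    print(check_offer("192.168.2.1", "255.255.255.128"))       # two problems
    print(check_offer("203.0.113.10", "255.255.255.0"))        # [] : clean public offer
    # A host in the overlapping half is reached via wan0; one outside it via lan1;
    # a /32 host route for the affected host restores the lan1 path.
    print(next_hop(gateway_routes(bad), "192.168.2.2"))                              # wan0
    print(next_hop(gateway_routes(bad), "192.168.2.200"))                            # lan1
    print(next_hop(gateway_routes(bad, [("192.168.2.2", "lan1")]), "192.168.2.2"))  # lan1
```

If this were wired into a DHCP client hook, the offered values would come from the variables the client script exports (for ISC dhclient-script, to my knowledge new_ip_address and new_subnet_mask); whether the hook runs early enough to refuse the lease before the address is configured is the timing question Simon raises above, and needs checking against the client actually in use. Note also that an RFC 1918 address on the WAN side is normal behind carrier or upstream NAT, so that finding is a warning, whereas the overlap finding is what actually misroutes internal traffic.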