enquiry on validation of dhcp offered addres

Simon Hobson dhcp1 at thehobsons.co.uk
Tue Apr 24 13:34:22 UTC 2012 

ching wrote:

>if internal server's ip is 192.168.2.2/255.255.255.0 and the invalid 
>wan address 192.168.2.1/255.255.255.128
>
>if firewall is not blocking, then a faked server may be waiting at 
>the WAN interface, ready to receive confidential information.
>if firewall is blocking, then the real server may have a downtime 
>(all 192.168.2.2 traffic are routed to WAN interface and then 
>dropped), resulting in a denial of service.

Err, no - or rather, it depends.

If there is only the one subnet internal to your network, then 
traffic WITHIN THAT NETWORK will not be routed outside of the 
gateway. It will be local traffic, not need the use of a router, and 
so will never need to go through the gateway at all.
No internal device will have traffic routed to the external device. 
Only traffic originating within the gateway device itself will be 
routed externally.

You are correct however that if you have multiple subnets, AND 
traffic between subnets is routed via the same router that provides 
your external connectivity, then traffic from internal subnets 
**other than 192.168.1.0/24** to 192.158.1.0/25 would get incorrectly 
routed externally.

Some simple egress filtering rules (it's generally considered good 
practice to drop RFC1918 traffic on your external interface anyway) 
will prevent information leakage. But you are correct that it will 
cause a loss of access to certain internal devices to certain other 
devices depending on your internal network setup. You could of course 
minimise the issue by adding host routes to your gateway - these /32 
routes would take precedence over any practical external route.

You would however, no matter what you do, lose all external 
connectivity unless the miscreant also took care of providing a NAT 
gateway to a real IP address. If someone has that level of skill, and 
the level of access to your ISPs network to do that, then you do have 
bigger issues to worry about.
I see your point, but I have to question whether it's a significant 
risk. You may want to look at the script used by the DHCP client to 
configure the system - though from memory I'm not sure whether it is 
called at the right times for the checks you want to do.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

More information about the dhcp-users mailing list