enquiry on validation of dhcp offered address

Simon Hobson dhcp1 at thehobsons.co.uk
Wed Apr 25 07:07:33 UTC 2012


ching wrote:

>I have several ideas in mind:
>1. dhcp validation on dhclient - reject ipv4 class A,B,C private 
>addresses and ipv6 ULA prefix
>        - I think it is the most "clean" way
>2. validation on network config scripts - reject ipv4 class A,B,C 
>private addresses and ipv6 ULA prefix
>        - it is quite hard for me, I do not know how to manipulate 
>ipv4 subnet and ipv6 prefix in shell script
>3. hard code the topology of internal LAN into a static route table
>        - the quick and dirty trick

There is another way. Simply arrange your network so that intranet 
traffic does not traverse your outside gateway. I've no idea what 
your current topology is as you've given no clues, but if internal 
traffic doesn't go through your external gateway, then the problem 
disappears. There is probably stuff you can do to split the routing 
tables - so the internal traffic uses a table the external DHCP 
cannot influence - but I've no idea where you'd start with that.

>So back to my question, can dhclient validate offered address at all?

Dunno, you'll have to study the code/scripts and see what happens when.
Gerald Vogt wrote:

>set up firewalls on all clients to filter DHCP requests except from/to
>the MAC addresses of your own DHCP servers.
>
>Another solution would be in the switches: get managed switches (unless
>you have it already) and filter DHCP requests on all switch ports except
>the server ports.

I'm not sure you've got the essence of the problem here. It's not 
internal DHCP that's an issue. The problem the OP is looking at is 
that if the IP/subnet assigned to his outside interface clashes with 
his internal network, then that will affect the routing table - and 
may result in the gateway sending "internal" traffic through the 
outside interface. This would result in some internal devices being 
unable to communicate with some other devices - only where the 
traffic goes through the gateway to get between internal 
networks/subnets, only where one of the devices is within the 
subnet falsely allocated to the outside interface, and only where the 
outside subnet is more specific (longer subnet mask) than, or possibly 
the same as, an internal subnet.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
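Added example, not from this thread or from ISC: a dhclient-enter-hooks fragment for a Linux gateway whose outside interface is configured by DHCP. It implements ching's option 1/2 in plain POSIX sh (the subnet arithmetic he found awkward) and also checks the clash Simon describes, rejecting an offered subnet that overlaps an internal network, which covers the more-specific and same-length cases that steal routes under longest-prefix matching. The variable names reason, new_ip_address, new_subnet_mask, new_ip6_address and exit_status are those ISC's sample dhclient-script exports to enter hooks; INTERNAL_NETS holds made-up site values. Whether a non-zero exit_status makes dhclient decline the lease or merely leaves the interface unconfigured depends on the dhclient-script and dhclient version, so check the script on your system, as Simon suggests.

```shell
#!/bin/sh
# Added example (not from the thread or from ISC). Intended to be sourced by
# /sbin/dhclient-script via /etc/dhcp/dhclient-enter-hooks on the gateway
# that runs dhclient only on its outside interface.

# Site-specific list of internal networks as "network mask" pairs: assumed values.
INTERNAL_NETS="192.168.10.0 255.255.255.0 10.20.0.0 255.255.0.0"

# Dotted-quad IPv4 address -> unsigned 32-bit integer, POSIX sh only.
ipv4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_ipv4_subnet ADDR NETWORK MASK: succeeds when ADDR lies inside NETWORK/MASK.
in_ipv4_subnet() {
    a=$(ipv4_to_int "$1"); n=$(ipv4_to_int "$2"); m=$(ipv4_to_int "$3")
    [ $(( a & m )) -eq $(( n & m )) ]
}

# is_rfc1918 ADDR: the "class A, B, C" private ranges ching wants refused.
is_rfc1918() {
    in_ipv4_subnet "$1" 10.0.0.0    255.0.0.0   ||
    in_ipv4_subnet "$1" 172.16.0.0  255.240.0.0 ||
    in_ipv4_subnet "$1" 192.168.0.0 255.255.0.0
}

# is_ula_v6 ADDR: fc00::/7, i.e. the first hextet starts with fc or fd.
# A first hextet beginning with a non-zero digit is never abbreviated, so
# matching the text form is enough here.
is_ula_v6() {
    case "$1" in
        [fF][cCdD]??:*) return 0 ;;
        *)              return 1 ;;
    esac
}

# networks_overlap NET1 MASK1 NET2 MASK2: two networks overlap exactly when
# one contains the other, i.e. they agree under the shorter of the two masks.
# For contiguous masks the shorter mask is MASK1 & MASK2.
networks_overlap() {
    n1=$(ipv4_to_int "$1"); m1=$(ipv4_to_int "$2")
    n2=$(ipv4_to_int "$3"); m2=$(ipv4_to_int "$4")
    both=$(( m1 & m2 ))
    [ $(( n1 & both )) -eq $(( n2 & both )) ]
}

# offered_net_is_safe ADDR MASK: succeeds when ADDR/MASK is neither private
# nor overlapping an internal network; logs the reason to stderr on failure.
offered_net_is_safe() {
    if is_rfc1918 "$1"; then
        echo "rejecting $1/$2: RFC 1918 address" >&2
        return 1
    fi
    set -- "$1" "$2" $INTERNAL_NETS
    addr=$1; mask=$2; shift 2
    while [ $# -ge 2 ]; do
        if networks_overlap "$addr" "$mask" "$1" "$2"; then
            echo "rejecting $addr/$mask: overlaps internal net $1/$2" >&2
            return 1
        fi
        shift 2
    done
    return 0
}

# Hook body: dhclient-script sources this file with $reason and the new_*
# variables set. Run by hand (reason unset) only the functions are defined.
case "${reason:-}" in
    BOUND|RENEW|REBIND|REBOOT)
        offered_net_is_safe "$new_ip_address" "$new_subnet_mask" || exit_status=1
        ;;
    BOUND6|RENEW6|REBIND6)
        if is_ula_v6 "$new_ip6_address"; then
            echo "rejecting $new_ip6_address: ULA prefix" >&2
            exit_status=1
        fi
        ;;
esac
```

The overlap test is deliberately broader than Simon's minimal condition: an outside subnet that is less specific than an internal one does not win the longest-prefix match for that internal subnet, but it still captures any address in the range that has no more specific internal route, so rejecting every overlap is the conservative choice. Splitting the routing tables, as Simon also mentions, avoids the problem entirely and does not depend on what the DHCP server offers.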