hardware ethernet and option vendor-class-identifier

Rafal golem at mtm-info.pl
Fri Oct 16 14:13:04 UTC 2015


Hello Patrick,

I just posted an example to make it clearer.
In the working environment there will be an STB as the DHCP client.
I cannot control the firmware of the STB, so I can only make it harder
for foreign devices to obtain an IP.
The STB sends DHCP requests with the model type in the vendor-class-identifier field.
That is the reason I want to add an additional check before an IP
address is handed out. Cloning the vendor-class-identifier field is a bit harder than
a simple MAC address clone.


Rafal




Friday, October 16, 2015, 3:51:57 PM, you wrote:

> Just reply to the thread, no need to copy me directly.

> I think Sten's pointed you down the right path. There appears to be
> a syntax issue with your example (as he points out), but, as
> important, from a logical/manageable perspective, you will have an
> easier time if you set up the classes in the way he describes.

> But I think the benefit is marginal. If they are taking the time to
> fake the MAC, what are the odds that they won't be able to pick the correct operating system, too?

> Are you going to have something in place to identify where they
> originate their request so you can accept/deny accordingly? I'm
> using option-82 to get a similar result, but just to assign them to
> the appropriate pools. You could use the same functionality.

> I'm not convinced any of this is where you need to be spending your
> processing cycles for a security benefit.

> ________________________________________
> From: Rafal [golem at mtm-info.pl]
> Sent: Friday, October 16, 2015 8:42 AM
> To: Users of ISC DHCP; Patrick Trapp
> Subject: Re: hardware ethernet and option vendor-class-identifier

> Hello Patrick,

> This is mostly for security reasons.
> Nowadays it is really easy to clone a MAC.
> Adding a vendor-class-identifier check will make it harder.

> I don't care about changing the IP on the network card after the lease is active
> because each IP will be bound to a different VLAN.

> Anyway, is there a chance to have hardware ethernet and option vendor-class-identifier
> both checked before dhcpd sends a lease?

> Friday, October 16, 2015, 3:33:33 PM, you wrote:

>> If you are specifying the fixed-address value based on the
>> "hardware ethernet", why are you bothering with the class
>> identifier? I would just specify that for a given hardware ethernet, assign a specific fixed address.

>> Is there some circumstance when you think a given MAC address will qualify for different classes?

>> ________________________________________
>> From: dhcp-users-bounces at lists.isc.org
>> [dhcp-users-bounces at lists.isc.org] on behalf of Rafal [golem at mtm-info.pl]
>> Sent: Friday, October 16, 2015 7:32 AM
>> To: dhcp-users at lists.isc.org
>> Subject: hardware ethernet and option vendor-class-identifier

>> Hello Dhcp-users,

>> I want to make my DHCP server verify the hardware address and the
>> vendor-class-identifier before it sends a reply.

>> This is how I expected it:


>> (not working example)

>> ##########
>>  subnet 192.168.30.0 netmask 255.255.255.192 {
>>  option routers 192.168.30.1;
>>                                             }

>> class "WINDOWS" {
>> match if substring(option vendor-class-identifier, 0, 8) = "MSFT";

>> }

>> class "LINUX" {
>> match if substring(option vendor-class-identifier, 0, 8) = "udhcp";

>> }

>> host windowspc {hardware ethernet 78:01:02:03:04:05; fixed-address
>> 192.168.30.2; allow members of "WINDOWS";}
>> host linuxpc {hardware ethernet 44:11:02:03:04:05; fixed-address
>> 192.168.30.3; allow members of "LINUX";}


>> #######
>> So when the DHCP server receives a DHCP request, it checks the hardware address and
>> then the vendor class identifier. If both match, it sends a reply.

>> Allow members needs to be defined inside a pool; however, I need static
>> IP configuration based on DHCP.
>> My example doesn't work. Can anyone help me make it work?

>> Thanks in advance.


>> --
>> Best regards,
>>  Ozga Rafal                          mailto:golem at mtm-info.pl

>> _______________________________________________
>> dhcp-users mailing list
>> dhcp-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/dhcp-users



> --
> Best regards,
> Ozga Rafal                          mailto:golem at mtm-info.pl




-- 
Best regards,
Ozga Rafal                          mailto:golem at mtm-info.pl
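One way to express the check this thread asks for (both the MAC and the vendor-class-identifier verified before a lease is handed out), as an added example that is not taken from any of the posts: because `allow members of` is a pool-level statement and is not honoured inside a `host` declaration, the `host`/`fixed-address` form is replaced by a class that matches both conditions and a one-address pool. The MAC address and the `udhcp` prefix are placeholder values reused from the thread; the class name `stb-1` is my own.

```conf
# Added example (not from the thread): gate a single address on both the
# link-layer address and the vendor class in ISC dhcpd.
# Placeholder values: 44:11:02:03:04:05 and "udhcp" come from the thread.

# The "hardware" expression yields the hardware type byte (1 = Ethernet)
# followed by the client's link-layer address, so it can be compared
# against a colon-separated hex constant. Both conditions must hold.
class "stb-1" {
  match if (hardware = 1:44:11:02:03:04:05)
        and (substring(option vendor-class-identifier, 0, 5) = "udhcp");
}

subnet 192.168.30.0 netmask 255.255.255.192 {
  option routers 192.168.30.1;

  # A one-address range restricted to the class above: a client that
  # presents only the cloned MAC, or only the expected vendor class,
  # does not match and gets no lease from this pool.
  pool {
    range 192.168.30.3 192.168.30.3;
    allow members of "stb-1";
  }
}
```

As the reply in the thread points out, the vendor-class-identifier is client-supplied and can be forged as easily as the MAC, so this raises the bar only slightly; logging denied clients from this pool is more useful than relying on it as a control.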


