MAC randomisation and DHCP pools
Mike Richardson
mike.richardson at manchester.ac.uk
Wed Jul 29 10:00:16 UTC 2020
On Mon, Jul 27, 2020 at 07:36:36PM +0200, Sten Carlsen wrote:
> From reading the links provided by Matt, I see a somewhat better
> situation. Thanks Matt for providing this information.
>
> I may not have read all the information correctly, so no guarantee.
One of the articles I posted states that the MAC will change every 24 hours,
which means that things could change mid-lease, between renewals, if
correct. The Apple site mentions 'periodically', which could mean anything
really.
Thanks,
Mike
> Inline below:
> --
> Best regards
> Sten Carlsen
> For every problem, there is a solution that
> is simple, elegant, and wrong.
> HL Mencken
>
> On 27 Jul 2020, at 15.08, [1]glenn.satchell at uniq.com.au wrote:
>
> Hi Mike,
> Going back to the original question where you have a pool of 100 leases
> and 50 clients with a 7 day lease time. Here is what I think might
> happen.
> On day 1 the 50 clients each take one lease. 50 in use, 50 free.
> On day 2 the 50 clients all have a new MAC address, now we assume that
> once the new MAC switches over the next time the client tries to renew
> it will not match the old lease but will get a new lease. With a 7 day
> lease the usual renewal time is half way through the lease, so none of
> these 50 clients try to renew until 3.5 days after initially getting
> the lease. So no problems for days 2 or 3 until later in the day.
>
> For IOS the MAC stays constant until it detaches from that network, so
> renewal is not an issue. Going away and returning later might be but
> then the old lease should be free - for each network the user can chose
> to keep a constant MAC, some will, most will not is my guess.
>
> So now we have 50 old leases and 50 new leases. Of course some systems
> may have been shutdown and released their lease, so maybe less than 50
> leases in use initially so <50 old leases and 50 new leases.
> On day 4 the first few clients to renew with a new MAC address use up
> the previous few free leases. Other clients get "no free leases". The
> dhcp server can't revoke a lease it has already legitimately given to a
> client. I would expect this behaviour to continue until the first of
> the 7 day leases expire.
> Now the question is, for a client with a new MAC address, but possibly
> the same dhcp-identifier, will it match the existing lease? If it does
> match,then no problem. Behaviour will be much the same as previously.
>
> AFAIK in the RFC, the ClientID is to main ID, MAC is not used by
> default, only as a second option, so fixed ID should be fine.
>
> The other thing with this is that if the client gets a new IP address,
> all existing sessions break, so apps and webpages may have to reload or
> may not pass authentication. So there could be a noticeable
> interruption.
>
> Since at least IOS seems to keep the MAC while connected, this is not a
> problem, The new address comes with the next discover in dhcpd
>
> The above is what I think will happen based on my understanding of ISC
> dhcpd. I don't really know exactly how the new IOS version will behave.
> I would suggest setting up a trial and testing with one of these new
> devices and see what actually happens. There are too many variables to
> predict what will happen exactly.
>
> It seems that IOS would change addresses between networks but not
> across renewals. That will reduce the traceability quite much with
> little harm. If needed the IOS can be told to not change the MAC for
> any particular network.
>
> regards,
> -glenn
> On 2020-07-27 19:34, Mike Richardson wrote:
>
> On Sun, Jul 26, 2020 at 03:13:16PM -0400, Bill Shirley wrote:
>
> Did you see my reply [2]about:?
> adaptive-lease-time-threshold 75; # use min-lease-time
> when
> pool is above this percent
>
> I did and thanks for the information, that sounds very useful in the
> circumstances but I'm not after a solution to a problem, I'm just
> trying to
> understand the behaviour of the server in a given configuration. I
> have to
> write up a 'these are the implications' type summary to be sent to a
> large
> number of different organisations and knowing what happens when
> using longer
> leases will help. I don't know their configurations and can't
> dictate to
> them. All I can do is say "if you're doing X then Y happens".
> Thanks,
> Mike
>
> _______________________________________________
> ISC funds the development of this software with paid support
> subscriptions. Contact us at [3]https://www.isc.org/contact/ for more
> information.
> dhcp-users mailing list
> [4]dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
>
> References
>
> 1. mailto:glenn.satchell at uniq.com.au
> 2. about:?
> 3. https://www.isc.org/contact/
> 4. mailto:dhcp-users at lists.isc.org
> _______________________________________________
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
--
Mike Richardson
** This email address will no longer work after 30th September 2018 **
** Please use doctor at perpetual.name instead for personal email **
** For work related communication use mike.richardson at jisc.ac.uk **
More information about the dhcp-users
mailing list