Re: security of IP address

From: Vernon Schryver (vjs_at_calcite.rhyolite.com)
Date: 05/02/05


Date: Mon, 2 May 2005 09:31:53 -0600 (MDT)

In article <xoavvf61ooi5.fsf@sun.com>,
James Carlson <james.d.carlson@sun.com> wrote:

>One of the points of authentication is identification. If I make the
>grossly simplifying assumption that all of my legitimate DHCP clients
>are PC-type devices (computers with humans attached), then an
>authentication exchange in DHCP can simplify my network
>administration.
>
>Instead of keeping a database of MAC addresses around (which may well
>change as users upgrade or repair hardware), I can keep user/password
>data in the usual sorts of repositories. When I see a given MAC
>address presenting a given bit of authentication information, I can
>then make a decision about whether to (a) grant an IP address [and
>perhaps choose an appropriate local network for that address, if I
>have multiple] and (b) add a filter to allow traffic from that node
>through my forwarding process.

I'm not convinced. One thing about MAC addresses is that they are
approximately globally unique, but PCs with user passwords are not.
You're unlikely to make users type passwords every time their systems
need to renew a DHCP lease. You'll probably instead let the password
be saved on the disk and used as needed. That raises lots of issues,
from someone who uses several desktop systems, all of which can
authenticate themselves simultaneously as the same user, to
misplaced laptops in evil hands.

DHCP authentication is good for preventing some largely innocent
mistakes such as connecting to the wrong network. It's more about
network hygiene than security.

Vernon Schryver vjs@rhyolite.com


