Re: security of IP address

From: James Carlson (james.d.carlson_at_sun.com)
Date: 05/03/05 

Date: 03 May 2005 07:53:28 -0400

vjs@calcite.rhyolite.com (Vernon Schryver) writes:
> I'm not convinced. One thing about MAC addresses is that they are
> approximately globally unique, bu PCs with user passwords are not.
> You're unlikely to make users type passwords every time their systems
> need to renew a DHCP lease.

Perhaps.

> You'll probably instead let the password
> be saved on the disk and used as needed.

Or in RAM. I'm no UI designer, but I'd expect that losing password
state when the system is shut down (or is put to sleep) probably isn't
that big a deal. Even if it's lost after acquiring the DHCP lease, it
doesn't seem like that much of a problem to me: you just adjust the
lease to suit the tolerance of the user.

(And given the market success of the really wretched crash-every-few-
minutes and malware-hosting software that's out there, I'd say that
users apparently have great levels of tolerance for pain. ;-})

> That raises lots of issues,
> from someone who uses several desktop systems, all of which can
> authenticate themselves simultaneously as the same user, to
> misplaced laptops in evil hands.

Sure. I don't think you'd want to substitute it for strong
authentication at the application layer.

> DHCP authentication is good for preventing some largely innocent
> mistakes such as connecting to the wrong network. It's more about
> network hygiene than security.

I think the target market is essentially the same as that for PANA: a
minimal level of authentication necessary to connect to a hotel
network and the like. Not guarding the gate at Fort Knox.

(Though we're probably saying essentially the same thing ...) 

-- 
James Carlson, KISS Network                    <james.d.carlson@sun.com>
Sun Microsystems / 1 Network Drive         71.234W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.497N   Fax +1 781 442 1677

Relevant Pages

  • Re: Password hashes
    ... Usually you can safely set it to use NTLMV2/refuse lm ... > for network communications, encrypting data, etc. ... > With regards to super-complex passwords, I'm trying to address the fact ... > NTMLv2 and Kerberos authentication protocols. ...
    (microsoft.public.windowsxp.security_admin)
  • Remote disconnected users and Active Directory
    ... They connect to our network ... using a SSL based VPN connection to get mail and access our Intranet. ... authentication again afterthe user logs in and connects to our networkvia ... Ultimately we are concerned about the application of GPOs, passwords ...
    (microsoft.public.windows.server.active_directory)
  • Network account lockout
    ... my Network Passwords". ... >resources that require authentication my network account ... Does XP cache passwords? ...
    (microsoft.public.windowsxp.network_web)
  • Re: XP Home Edition
    ... XP Home is not very network friendly. ... XP Home and setup that same user ID on your domain (with the passwords being ... authentication. ... M/T Box Computers ...
    (microsoft.public.windows.server.sbs)
  • Re: [fw-wiz] Stanford break in
    ... Are network synchronized passwords a bad idea, ... > physical and logical security of accounts (ie: ... > Authenticate with the server, but only allow access to one workstation. ...
    (Firewall-Wizards)