Re: Duplicate MAC problems
- From: Jeroen Geilman <not@xxxxxxx>
- Date: Fri, 23 Nov 2007 20:04:17 +0100
Sonny wrote:
> On Nov 23, 2:25 pm, Dave Uhring <daveuhr...@xxxxxxxxx> wrote:
> > On Thu, 22 Nov 2007 21:15:25 -0800, Sonny wrote:
> > > We are in an ISP company.

No, you're not.

> > > Hackers know how the DHCP works,

*Everybody* knows how DHCP works; everybody, that is, besides you.

> > > and using
> > > this knowledge they copy MAC addresses of legitimate clients

Erm.. how would they do this, exactly ?
Do you routinely allow hackers access to your DHCP servers' network ?

> > > to have
> > > Internet connections. We want to know how to configure the DHCP to
> > > assign IP addresses not just based only on MAC so only legitimate
> > > clients can have access.

DHCP is *not* an access mechanism.
It's not.

> > Then your clients also use some kind of modem between their Ethernet NICs
> > and your DHCP server, right? Do those modems not have unique addresses
> > which can be queried before forwarding the DHCPREQUEST to the server?

> Actually, as an ISP, we do not use a DSL Modem, but rather we used a
> certain technology, if equated, it's similar to a Large LAN
> environment.

Describe the technology, or at least, specify the layer 2 protocol it uses.

> > Do
> > you not also maintain a registry of such modem identifiers used by your
> > clients?

> We are using a proprietary device to connect to the dhcp server,

-- which is "converted to intelligible TCP/IP *somewhere* before it hits the actual DHCP server.

> but
> unfortunately, it's not translating its identifier (i.e. MAC) because
> it's connected to the server like a bridge.

"Like a bridge" ?
Ooh sell me some more of that snake oil, please?

> So what an abusive user (user A) does is copy the mac

Again - how do you think they are going to do this ?

> of an authenticated
> user (user B) then using dhcp, user A gets the ip that is assigned to
> user B and gets authenticated.

No.
Again, DHCP is not designed for, nor capable of, any kind of authentication.

> Also user A doesn't mind having
> conflicting IPs because most of the time user B is offline anyway.

And user A is a hacker, or did you forget about that during the previous 3 sentences ?

> We are aware that dhcp uses the machine's MAC to determine the ip to
> give you (via leases or statically assigned in .conf)

....which would also be leases.

> So the main problem I'm facing right now is if there is a way dhcp
> could identify a machine's IP

No, it *provides* the client with an IP.

> (from the leases or .conf) using a machine id other than the mac address.

The MAC *is* the machine ID.
It's the only one that has any chance of succeeding at it.

> I'm looking at a MAC-HOSTNAME identifier, but is this reliable?

There's no such thing.

> > Barring such hardware solutions you could implement RADIUS to
> > authenticate your legitimate users. Many Linux distros have FreeRADIUS
> > available in package form.

> We don't use RADIUS, we design a simpler authentication system
> using IP and MAC.

WHAHAHAHAHAHAHHA
<plonk>
J.
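
Added example, not part of the original post: because a MAC (or a MAC plus hostname pair) only identifies a client and does not authenticate it, a cloned MAC can at best be noticed in the server's logs. The sketch below flags MACs whose DHCPREQUEST lines show more than one hostname or ingress interface; the ISC dhcpd-style log format, the sample lines and the function name `find_suspect_macs` are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of ISC dhcpd syslog output (assumed format).
SAMPLE_LOG = """\
Nov 23 14:02:11 gw dhcpd: DHCPREQUEST for 10.0.0.23 from 02:00:00:aa:bb:01 (alice-pc) via eth1
Nov 23 14:02:11 gw dhcpd: DHCPACK on 10.0.0.23 to 02:00:00:aa:bb:01 (alice-pc) via eth1
Nov 23 14:05:40 gw dhcpd: DHCPREQUEST for 10.0.0.31 from 02:00:00:aa:bb:02 (bob-laptop) via eth1
Nov 23 19:47:03 gw dhcpd: DHCPREQUEST for 10.0.0.23 from 02:00:00:AA:BB:01 (WORKSTATION7) via eth2
Nov 23 19:50:12 gw dhcpd: DHCPREQUEST for 10.0.0.31 from 02:00:00:aa:bb:02 via eth1
"""

# The hostname in parentheses is optional and entirely client-supplied.
REQUEST = re.compile(
    r"DHCPREQUEST for (?P<ip>\S+) from (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<via>\S+)"
)


def find_suspect_macs(log_text):
    """Return {mac: {"hostnames": [...], "via": [...]}} for every MAC seen
    with more than one client hostname or more than one ingress interface."""
    seen = defaultdict(lambda: {"hostnames": set(), "via": set()})
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue  # DHCPACK and unrelated lines are ignored
        entry = seen[m["mac"].lower()]  # normalise case before comparing
        if m["host"]:
            entry["hostnames"].add(m["host"].lower())
        entry["via"].add(m["via"])
    return {
        mac: {key: sorted(values) for key, values in entry.items()}
        for mac, entry in seen.items()
        if len(entry["hostnames"]) > 1 or len(entry["via"]) > 1
    }


if __name__ == "__main__":
    for mac, detail in find_suspect_macs(SAMPLE_LOG).items():
        print(mac, detail)
```

A hit is only a signal to investigate: a client that sends the same hostname from the same segment passes unnoticed, which is why the thread points to RADIUS for actual authentication.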