 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] How to deny a client multiple dhcp addresses
 Date:  Sun, 29 Aug 2004 14:16:21 -0700 (PDT)
On Sun, 29 Aug 2004, Bryan Brayton wrote:

> That might work.  I believe there is a setting in dhcpd.conf that will
> also restrict dhcpd to 1 lease per client.  I guess I'll have to dig
> further into that and hack my image to make it permanent.

I imagine that depends on what you mean by "client". :-) I wouldn't expect
DHCPd to hand out multiple IPs to the same Client ID, but it may not have
any provision to check the ID against the actual source MAC address.
There's actually a reason why it would be desirable *not* to do so, at
least in some cases.

> A little background on this m0n0:  it is protecting/bandwidth limiting a
> set of college dorms from the internet-at-large. Though given the types
> of traffic found on the internal LAN, perhaps I should be protecting
> everyone else from them!  Let's just say they put a hurting on the 10
> Mbit pipe constantly, both up and down.

If the real issue is bandwidth rather than IP addresses, then why are you
worrying about it at the addressing level?

> Anyway, what I think is going on here is that I have clients with 2
> NICS, and Windows XP is set to bridge the 2, hence the client wants 2
> addresses, but they appear to come from the same MAC. I'm not sure if
> the bridging is intentional or not, but I have seen many XP laptops with
> 2 nics that were bridged and I don't believe the users of these laptops
> even knew what a bridge was. I saw a whitepaper somewhere on the
> e2epi.internet2.edu site describing this exact problem, only the college
> in that instance had so many bridged clients that they exhausted their
> dhcp leases, causing quite a stir.

Well that's an issue with public IPs, or perhaps with large organizations,
but it doesn't sound like address exhaustion is your main concern.  It
also doesn't sound like the clients are sophisticated enough to actually
use both addresses, so it's not clear it has any impact on bandwidth.

The reason I say that the current behavior is useful is for situations
like the current m0n0wall provision for combining 1:1 NAT with Proxy ARP
to achieve transparent routing.  Currently that only works for static WAN
IPs, but if it used the MAC addresses of the LAN targets as DHCP Client
IDs, it could extend the concept to DHCP-based configurations allowing
multiple IPs per customer.  Of course one *would* like to have some means
of limiting the number of IPs per physical client, but I don't know if
DHCPd has that.  Note that this would still not be terribly secure, due to
the possibility of MAC spoofing.

As far as ISP behavior goes, I believe my DSL ISP limits the IPs per PVC to
the allotted number, though it's simpler given that they're all static.
As for Comcast, it's not clear you can't just grab an IP by ARP spoofing
and not even worry about DHCP. :-)

					Fred Wright
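The behavior discussed above (the server keying leases on the DHCP Client ID without tying it back to the source MAC) can at least be watched for on the LAN side. The following is an added example, not code from the original thread or from m0n0wall: it parses constructed DHCP frames and reports any hardware address that asks for leases under more than one Client ID, the signature of a bridged two-NIC client. Function names and the sample MACs are assumptions.

```python
# Added example (not from the original thread): flag a hardware address that
# requests leases under more than one DHCP Client ID (option 61), the pattern
# a bridged two-NIC Windows XP host produces. Frames are constructed (RFC 2131/2132).
from collections import defaultdict

MAGIC_COOKIE = b"\x63\x82\x53\x63"

def build_dhcp(chaddr: bytes, client_id: bytes, msg_type: int = 1) -> bytes:
    """Minimal BOOTP/DHCP message: 236-byte fixed header, cookie, options."""
    hdr = bytes([1, 1, 6, 0]) + b"\x00" * 4            # op, htype, hlen, hops, xid
    hdr += b"\x00" * 4 + b"\x00" * 16                   # secs, flags, ciaddr..giaddr
    hdr += chaddr.ljust(16, b"\x00") + b"\x00" * 192    # chaddr, sname, file
    opts = bytes([53, 1, msg_type, 61, len(client_id)]) + client_id
    return hdr + MAGIC_COOKIE + opts + b"\xff"

def parse_dhcp(frame: bytes) -> dict:
    """Return the hlen-byte chaddr and a dict of option code -> raw value."""
    if len(frame) < 240 or frame[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(frame) and frame[i] != 255:           # 255 = end option
        if frame[i] == 0:                                # 0 = pad, no length byte
            i += 1
            continue
        code, length = frame[i], frame[i + 1]
        opts[code] = frame[i + 2:i + 2 + length]
        i += 2 + length
    return {"chaddr": frame[28:28 + frame[2]], "options": opts}

def multi_id_clients(frames) -> dict:
    """MAC -> set of Client IDs, keeping only MACs that used more than one."""
    seen = defaultdict(set)
    for frame in frames:
        msg = parse_dhcp(frame)
        opts = msg["options"]
        if opts.get(53) not in (b"\x01", b"\x03"):       # DISCOVER / REQUEST only
            continue
        cid = opts.get(61, msg["chaddr"])                # no option 61: keyed on chaddr
        seen[msg["chaddr"].hex(":")].add(cid.hex())
    return {mac: ids for mac, ids in seen.items() if len(ids) > 1}

# Constructed traffic: host A sends DISCOVERs under two Client IDs from one
# MAC (the bridged-laptop case); host B sends a normal DISCOVER/REQUEST pair.
MAC_A, MAC_B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
SAMPLE = [build_dhcp(MAC_A, b"\x01" + MAC_A),
          build_dhcp(MAC_A, b"\x01" + bytes.fromhex("00112233aabb")),
          build_dhcp(MAC_B, b"\x01" + MAC_B),
          build_dhcp(MAC_B, b"\x01" + MAC_B, msg_type=3)]
print({m: sorted(i) for m, i in multi_id_clients(SAMPLE).items()})  # {'00:11:22:33:44:55': ['01001122334455', '0100112233aabb']}
```

Feeding it real frames captured on the LAN interface would show which hosts are the source of the extra lease requests before deciding whether a per-client lease limit is worth the config hacking.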