[ previous ] [ next ] [ threads ]
 From:  "Bryan Brayton" <bryan at sonicburst dot net>
 To:  "Fred Wright" <fw at well dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] How to deny a client multiple dhcp addresses
 Date:  Sun, 29 Aug 2004 19:08:59 -0400
Actually, I'm not worried about the bandwidth at all.  I just put that
in there as mostly an (apparently) lame attempt at some humor :)  The
bandwidth is fully controlled through m0n0 and I can get my hands on a
separate packetshaper, should the need arise.

As of yet, the clients have not been using both IPs.  My only concern
there would be that the client is using 2 (or more) IPs to get more than
their fair share of bandwidth.  Our switches can also throttle bandwidth
to an arbitrary level on an individual port level...I could always go
that route, but that would also needlessly limit LAN communication
speeds.  Of course, none of them are using the LAN for legit reasons
anyway, but that's another topic.  On a side note, anyone need a copy of
spiderman2.divx j/k :)

I am a little bit worried about the IP address exhaustion, but only a
very little.  My biggest reason to stop this is mostly of the "I don't
like seeing that in the logs" variety.  Also, it would be good to stop
just in case one of the clients somehow gets smarter and tries to use
multiple IPs.

So, researching dhcpd.conf turns up this option:

one-lease-per-client on;

I have not researched on exactly what criteria it determines a client

From the dhcpd.conf man page:

one-lease-per-client flag;

If this flag is enabled, whenever a client sends a DHCPREQUEST for a
particular lease, the server will automatically free any other leases
the client holds. This presumes that when the client sends a
DHCPREQUEST, it has forgotten any lease not mentioned in the DHCPREQUEST
- i.e., the client has only a single network interface and it does not
remember leases it's holding on networks to which it is not currently
attached. Neither of these assumptions are guaranteed or provable, so we
urge caution in the use of this statement.


So basically it's just dumping the other leases, regardless.  That
doesn't mean the client has actually released the IP, but it's a start
in the right direction.

Perhaps this could be a simple checkbox option in the next m0n0 beta?


-----Original Message-----
From: Fred Wright [mailto:fw at well dot com]
Sent: Sunday, August 29, 2004 5:16 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] How to deny a client multiple dhcp addresses

On Sun, 29 Aug 2004, Bryan Brayton wrote:

> That might work.  I believe there is a setting in dhcpd.conf that will
> also restrict dhcpd to 1 lease per client.  I guess I'll have to dig
> further into that and hack my image to make it permanent.

I imagine that depends on what you mean by "client". :-) I wouldn't
DHCPd to hand out multiple IPs to the same Client ID, but it may not
any provision to check the ID against the actual source MAC address. 
There's actually a reason why it would be desirable *not* to do so, at
least in some cases.

> A little background on this m0n0:  it is protecting/bandwidth limiting
> set of college dorms from the internet-at-large. Though given the
> of traffic found on the internal LAN, perhaps I should be protecting
> everyone else from them!  Let's just say they put a hurting on the 10
> Mbit pipe constantly, both up and down.

If the real issue is bandwidth rather than IP addresses, then why are
worrying about it at the addressing level?

> Anyway, what I think is going on here is that I have clients with 2
> NICS, and Windows XP is set to bridge the 2, hence the client wants 2
> addresses, but they appear to come from the same MAC. I'm not sure if
> the bridging is intentional or not, but I have seen many XP laptops
> 2 nics that were bridged and I don't believe the users of these
> even knew what a bridge was. I saw a whitepaper somewhere on the
> e2epi.internet2.edu site describing this exact problem, only the
> in that instance had so many bridged clients that they exhausted their
> dhcp leases, causing quite a stir.

Well that's an issue with public IPs, or perhaps with large
but it doesn't sound like address exhaustion is your main concern.  It
also doesn't sound like the clients are sophisticated enough to actually
use both addresses, so it's not clear it has any impact on bandwidth.

The reason I say that the current behavior is useful is for situations
like the current m0n0wall provision for combining 1:1 NAT with Proxy ARP
to achieve transparent routing.  Currently that only works for static
IPs, but if it used the MAC addresses of the LAN targets as DHCP Client
IDs, it could extend the concept to DHCP-based configurations allowing
multiple IPs per customer.  Of course one *would* like to have some
of limiting the number of IPs per physical client, but I don't know if
DHCPd has that.  Note that this would still not be terribly secure, due
the possibility of MAC spoofing.

As far as ISP behavior goes, I believe my DSL ISP limits the IPs pe PVC
the allotted number, though it's simpler given that they're all static. 
As for Comcast, it's not clear you can't just grab an IP by ARP spoofing
and not even worry about DHCP.:-)

                                        Fred Wright

To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch


avast! Antivirus <http://www.avast.com> : Outbound message clean. 

Virus Database (VPS): 0435-2, 08/28/2004
Tested on: 8/29/2004 7:08:59 PM
avast! - copyright (c) 2000-2004 ALWIL Software.