[unisog] Tracking usage of dynamic IP

Peter John Hill pjhill at u.washington.edu
Mon Nov 12 14:11:32 GMT 2007 

I used to work at Carnegie Mellon. They developed a whole suite of  
network and security management tools. The main one is:
http://www.net.cmu.edu/netreg/

The basic idea is that when someone dhcp's on a network with an  
"unregistered" mac address, they get directed to a registration page.  
I believe they used short dhcp leases of rfc-1918 addresses that were  
configured as secondary addresses on the routers. This ip range had  
ACLs that only let them do DNS to a "special" dns server that returned  
the ip address of the registration machine for any dns query, NTP, and  
port 80 and 443 to get to the registration server.

The user would need to open a web page and try to go anywhere. The  
system used webiso to authenticate the users. You might want to use  
shibboleth now.
http://middleware.internet2.edu/webiso
http://shibboleth.internet2.edu/

Since the dhcp server and the web server were part of a system that  
talked to each other, the webserver, being able to see the  
unregistered machines mac address was able to query the dhcp server  
for a mac address. I can think of many ways to do this, I forget what  
CMU uses... an SQL query? a DNS query (where the mac addr has been  
loaded into one of the records that supports text) use your  
imagination here.

So, anyway, we now have a userid and a mac address. Now you stuff  
those into a database. CMU goes one step further, it allows the user  
to pick their machines hostname and subdomain (from a list of eligible  
subdomains based on their LDAP group membership). The CMU system is  
actually authoritative for the entire DHCP and DNS server config  
files. (ISC and BIND). It allows anyone with a CMU login to go to the  
systems webserver and look at all the machines registered to them.  
Change their hostnames. Change some DHCP options and DNS options.  
Delete machines. "Administrators" are able to go one step further and  
modify records that are in groups they administer. So, each department  
on campus has an admin, for example, physics.cmu.edu. That group of  
people would be able to register machines by hand and and assign them  
to certain people (like professors) or have webservers that were  
registered to the group and not specific people. Again, use your  
imagination here on what you could do with the rich data you have and  
can get through exisiting services, webauth, ldap, dhcp

Once the machine is registered, the next time they dhcp, they will get  
a dynamic ip address. The dhcp server will then send a secure dynamic  
dns update to the dns server (using TSIG). So, if I register  
"hogwarts.net.cmu.edu" (an old hostname of mine), within a minute of  
connecting my machine to the network, both A and PTR records will be  
updated.

Now, there are ways around the system. The easiest would be manually  
setting your ip address and getting lucky. When this would happen, we  
would invariably get a complaint about multiple ips on a subnet. We  
could easily track down the user via arp and switch mac-addr tables.  
This was mostly a problem in the dorms and offenders would be punished  
for violating campus computing policy.

Wireless used a different system. We actually did mac based filtering  
of registered and unregister macs.
http://www.net.cmu.edu/authbridge/

This was more complex. Made a bit easier because the entire campus  
wireless network was a /20. It might be bigger by now. They wanted to  
make sure robots could wander around campus and continue to work  
without having to re-dhcp. So, on wireless, users would get a real ip  
address, but before they would get to the router, their packets would  
be redirected by a linux box with multiple ethernet interfaces.  
Registered macs would come in from a port connected to the wireless  
aps and go out to the real router. Unregistered macs would go out to a  
different router that had the same mac address as the real router.  
Then we would do the magic above to register the user. When the user  
was registered, the mac address was added to a kernel based hack that  
then redirected traffic to the real router. Since the gateway mac addr  
did not change, the user just started working...

There are other ways to solve this problem, but I find it quite useful  
to see how other people solve problems like this and see what parts I  
like I don't like.

Okay, have a good day, and good luck.

Peter Hill
www.peterjhill.net


On Nov 11, 2007, at 2:46 PM, Russell Fulton wrote:

> Hi Folks
>
> We have largely static IP address allocations with some meaningful  
> (for
> varying values of meaningful) information in PTR records indicating  
> who
> is using it or in some cases where the machine physically is.
>
> With wireless networks and a small but increasing increasing mobile
> population (people with laptops who genuinely need to plug in in a
> number of different places) we are coming to grips with tracking these
> dynamic addresses.
>
> A couple of years ago we set up a mysql data base with tables for the
> DHCP logs and Radius logs.  This was less than ideal since, in most
> cases we only had a login time and no record when the machine
> disconnected from the network.  To find out who was using an IP at a
> particular time we did a query on the join (on mac address) of the two
> tables and selected the first record for that IP after the given time.
> This works OK for small tables but once you get several million  
> entries
> the finding the 'first after the time' gets really painful.  The pain
> can be reduced significantly by adding a lower bound on the search  
> time
> (say 24 hours) but it still is not ideal.  I can think of other ways  
> of
> tackling this problems but I won't prejudice the discussion at this  
> point.
>
> Anyway we are revisiting the whole issue and I really don't want to
> reinvent the wheel here so I am asking how others deal with this.   
> What
> data are you collecting from DHCP and authentication systems?  How are
> you storing it and how are you doing queries on it.
>
> Has anyone bent standard software (e.g security consoles) to report  
> user
> names instead of domain names for dynamic IPs  .
>
> Russell.
>
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog

More information about the unisog mailing list