[unisog] DHCP Address Reuse Questions

Gene Rackow rackow at mcs.anl.gov
Wed Oct 12 16:50:01 GMT 2005

Something you could consider doing...

Since you have a process that the user will need to follow to get
their address/port exposed to the outside world, why not go the
extra step and grab the MAC address for the machine as well then
add that into the DHCP server as a reserved address?  You may
want to force them on the request for exposed conduit to release/renew
their lease so they get an address in a different "pool" where you know
these machines are more exposed than others.  Tie the DHCP static lease
to your firewall entry.  When the firewall hole goes away, the DHCP
reservation is removed.

Now on to your actual questions..  I'm not sure how the code actually
makes the determinations.  From a more practical view, I see:

Once a lease is handed out, it adds that entry to the leases
file.  From there, the dhcp server does not appear to reuse that
IP address unless
  1. the MAC address now appears on an IP address/subnet other than this one.
  2. the IP address now appears to be used by a different MAC address (another
     dhcp server handed it out or static)
  3. all free addresses in the pool have been used and this is the next
     available.  aka least recently used algorithm

I was looking at my dhcp-leases file for my home net yesterday.  I've changed
things around a number of times since I originally built it up.  Upgraded almost
everything in pieces, etc.  Migrations, etc.  I see entries in the leases file
dating back to 1997 for a subnet that I turned off.  Since I have a fairly large
open pool in the current assignable set, I see my daughter's laptop will still
get the same address as she had when she brought it with her last New Year's.
A few have been reused/re-assigned since then.

On a more crowded work network, the oldest open entry in dhcp.leases is only 2
days old.  We tend to have about 26 of 29 host addresses in use by an ever
changing set of hardware.  For this net, the chance of IP reuse is quite high.
(I can hear the kids in the background "move your feet, lose your feet").


Gary Flynn made the following keystrokes:
 >I've got some questions on how DHCP dynamic addresses
 >are assigned in practice. First, some background:
 >We're planning on implementing a default deny inbound
 >Internet access policy. We plan on letting faculty and
 >staff expose their computers on demand and letting
 >our current access controls provide a security floor
 >no lower than the current stance. The idea being, that
 >the majority of people would not choose to expose
 >their computers and 65,000+ ports to the Internet
 >thereby decreasing overall risk.
 >Production servers would obviously have static
 >We're concerned about informal or temporary servers
 >that rely on DHCP services for dynamic addresses.
 >If someone chooses to expose their IP address and it
 >changes, their server becomes unavailable and someone
 >else possibly gets exposed (but only to the level
 >they are currently exposed).
 >We're using the ISC server with a one day lease time.
 >Does anyone have any operational data or statistics
 >or could point me to such information that shows how
 >often and under what circumstances a client would get
 >a different address when their lease has expired?
 >Is there anything we can do in the ISC configuration
 >that can better encourage reuse?
 >Gary Flynn
 >Security Engineer
 >James Madison University
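An added example, not part of the original message and not ISC's own code: a small Python script that does the two things Gene describes, reading a dhcpd.leases file to see which clients actually got a different address across renewals (and which addresses were handed to a second MAC, his rule 2), and generating ISC `host` reservations for the clients whose addresses have been exposed through the firewall. The lease text, MAC addresses, hostnames and the 10.0.5.0 subnet are constructed for illustration; the `host` / `hardware ethernet` / `fixed-address` syntax is standard dhcpd.conf.

```python
"""Added example (not from the unisog post or from ISC): inspect a
dhcpd.leases file for address churn and emit host reservations for
clients that have a firewall exposure.  All sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of dhcpd.leases content (assumed MACs and addresses).
SAMPLE_LEASES = """\
lease 10.0.5.20 {
  starts 1 2005/10/10 08:00:00;
  ends 2 2005/10/11 08:00:00;
  binding state active;
  hardware ethernet 00:11:22:aa:bb:01;
  client-hostname "laptop-a";
}
lease 10.0.5.21 {
  starts 1 2005/10/10 09:00:00;
  ends 2 2005/10/11 09:00:00;
  binding state active;
  hardware ethernet 00:11:22:aa:bb:02;
  client-hostname "temp-server";
}
lease 10.0.5.20 {
  starts 2 2005/10/11 08:30:00;
  ends 3 2005/10/12 08:30:00;
  binding state active;
  hardware ethernet 00:11:22:aa:bb:01;
}
lease 10.0.5.21 {
  starts 2 2005/10/11 10:00:00;
  ends 3 2005/10/12 10:00:00;
  binding state active;
  hardware ethernet 00:11:22:aa:bb:03;
}
lease 10.0.5.40 {
  starts 2 2005/10/11 12:00:00;
  ends 3 2005/10/12 12:00:00;
  binding state active;
  hardware ethernet 00:11:22:aa:bb:02;
  client-hostname "temp-server";
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
FIELD_RE = re.compile(
    r"^\s*(starts|ends|binding state|hardware ethernet|client-hostname)\s+(.+?);\s*$",
    re.M)


def _parse_time(value):
    # dhcpd writes "weekday YYYY/MM/DD HH:MM:SS" (UTC); "never" also occurs.
    if not value or value == "never":
        return None
    return datetime.strptime(value.split(" ", 1)[1], "%Y/%m/%d %H:%M:%S")


def parse_leases(text):
    """Return one dict per lease block, ordered by lease start time."""
    leases = []
    for m in LEASE_RE.finditer(text):
        fields = dict(FIELD_RE.findall(m.group(2)))
        leases.append({
            "ip": m.group(1),
            "mac": fields.get("hardware ethernet", "").lower(),
            "state": fields.get("binding state", "unknown"),
            "hostname": fields.get("client-hostname", "").strip('"'),
            "starts": _parse_time(fields.get("starts")),
            "ends": _parse_time(fields.get("ends")),
        })
    leases.sort(key=lambda l: l["starts"] or datetime.min)
    return leases


def _collapse(seq):
    # Drop consecutive repeats so a renewal of the same value is not a change.
    out = []
    for x in seq:
        if not out or out[-1] != x:
            out.append(x)
    return out


def address_history(leases):
    """MAC -> chronological list of distinct addresses that MAC held."""
    hist = defaultdict(list)
    for l in leases:
        if l["mac"]:
            hist[l["mac"]].append(l["ip"])
    return {mac: _collapse(ips) for mac, ips in hist.items()}


def ip_history(leases):
    """IP -> chronological list of distinct MACs that held it (Gene's rule 2)."""
    hist = defaultdict(list)
    for l in leases:
        hist[l["ip"]].append(l["mac"])
    return {ip: _collapse(macs) for ip, macs in hist.items()}


def clients_that_moved(leases):
    """MACs that came back with a different address at least once."""
    return sorted(m for m, ips in address_history(leases).items() if len(ips) > 1)


def reservation_stanzas(leases, exposed_macs):
    """dhcpd.conf host blocks pinning each exposed MAC to its latest address."""
    latest = {l["mac"]: l["ip"] for l in leases if l["mac"]}
    stanzas = []
    for mac in exposed_macs:
        ip = latest.get(mac.lower())
        if ip is None:
            continue  # never seen in the leases file; nothing to pin
        stanzas.append("host exposed-%s {\n  hardware ethernet %s;\n"
                       "  fixed-address %s;\n}" % (mac.replace(":", ""), mac, ip))
    return "\n".join(stanzas)


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    print("clients whose address changed:", clients_that_moved(leases))
    print(reservation_stanzas(leases, ["00:11:22:aa:bb:02"]))
```

Point it at a copy of the real leases file instead of `SAMPLE_LEASES` to get the operational numbers Gary asks for (how many clients changed address, and how many addresses were handed to a second MAC). When the firewall entry is removed, the matching `host` block is dropped and dhcpd reloaded, which is the coupling Gene proposes; keep the reserved addresses out of the dynamic range, as his release/renew into a separate pool implies.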
