[unisog] DHCP Address Reuse Questions
George C. Kaplan
gckaplan at ack.berkeley.edu
Wed Oct 12 18:58:13 GMT 2005
On Wednesday, Oct 12, 2005, at 08:56 US/Pacific, Gary Flynn wrote:
> I've got some questions on how DHCP dynamic addresses
> are assigned in practice. First, some background:
> We're planning on implementing a default deny inbound
> Internet access policy. We plan on letting faculty and
> staff expose their computers on demand and letting
> our current access controls provide a security floor
> no lower than the current stance. The idea being, that
> the majority of people would not choose to expose
> their computers and 65,000+ ports to the Internet
> thereby decreasing overall risk.
> Production servers would obviously have static
> We're concerned about informal or temporary servers
> that rely on DHCP services for dynamic addresses.
> If someone chooses to expose their IP address and it
> changes, their server becomes unavailable and someone
> else possibly gets exposed (but only to the level
> they are currently exposed).
> We're using the ISC server with a one day lease time.
> Does anyone have any operational data or statistics
> or could point me to such information that shows how
> often and under what circumstances a client would get
> a different address when their lease has expired?
Assuming a properly functioning DHCP server and client, the client's IP
address won't change as long as it keeps renewing the lease before it
expires. If the client doesn't renew (say, because it's turned off
over the weekend) the ISC server will try to assign the same address to
the client the next time it boots. So if the address pool is large
enough, and there isn't too much turnover, a client will tend to keep
the same IP address.
However, this may not be true if you're running a pair of ISC servers
in a failover configuration. The servers divide up the address pool,
and both may offer addresses to the client. A client that took the
offer from server 1 yesterday may take the offer from server 2 tomorrow.
> Is there anything we can do in the ISC configuration
> that can better encourage reuse?
The simplest way is to configure the DHCP server to assign a fixed IP
address to the client. I think this is the best approach for any
access control policy based on individual host IP addresses. Any
scheme that relies on predicting the behavior of pooled IP addresses is
going to have problems sooner or later.
George C. Kaplan gckaplan at ack.berkeley.edu
Communication & Network Services 510-643-0496
University of California at Berkeley
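Added illustration, not part of George's message or of the ISC DHCP documentation: the fixed-address approach he recommends, written in ISC dhcpd.conf syntax. The subnet 192.0.2.0/24, the host name, the MAC address and the reserved address are constructed placeholders, and the one-day lease time mirrors the original poster's setup.

```conf
# Dynamic pool for ordinary clients. These addresses are the ones that can
# move between machines after a lapsed lease (or between failover peers),
# so an inbound-exposure rule keyed to one of them is unreliable.
subnet 192.0.2.0 netmask 255.255.255.0 {
    range 192.0.2.100 192.0.2.200;
    default-lease-time 86400;   # one day, as in the original post
    max-lease-time 86400;
    option routers 192.0.2.1;
}

# Reservation for an informal server that still boots via DHCP.
# The client is matched on its MAC address and always receives the same IP,
# so an allow rule for 192.0.2.10 keeps pointing at this machine only.
# Note: the fixed address must lie OUTSIDE the dynamic range above;
# ISC dhcpd will not hand out a pool address as a reservation.
host temp-server {
    hardware ethernet 00:00:5e:00:53:01;   # placeholder MAC (documentation range)
    fixed-address 192.0.2.10;
}
```

Because a fixed-address host is not drawn from the shared pool, the failover caveat in the message above does not apply to it: either peer will answer with the same reserved address. The operational cost is that each exposed host needs its MAC registered, which is exactly the per-host bookkeeping an IP-based access control policy implies anyway.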