[unisog] DHCP Address Reuse Questions

George C. Kaplan gckaplan at ack.berkeley.edu
Wed Oct 12 18:58:13 GMT 2005


On Wednesday, Oct 12, 2005, at 08:56 US/Pacific, Gary Flynn wrote:

>
> Hi,
>
> I've got some questions on how DHCP dynamic addresses
> are assigned in practice. First, some background:
>
> We're planning on implementing a default deny inbound
> Internet access policy. We plan on letting faculty and
> staff expose their computers on demand and letting
> our current access controls provide a security floor
> no lower than the current stance. The idea being, that
> the majority of people would not choose to expose
> their computers and 65,000+ ports to the Internet
> thereby decreasing overall risk.
>
> Production servers would obviously have static
> addresses.
>
> We're concerned about informal or temporary servers
> that rely on DHCP services for dynamic addresses.
> If someone chooses to expose their IP address and it
> changes, their server becomes unavailable and someone
> else possibly gets exposed (but only to the level
> they are currently exposed).
>
> We're using the ISC server with a one day lease time.
>
> Does anyone have any operational data or statistics
> or could point me to such information that shows how
> often and under what circumstances a client would get
> a different address when their lease has expired?

Assuming a properly functioning DHCP server and client, the client's IP 
address won't change as long as it keeps renewing the lease before it 
expires.  If the client doesn't renew (say, because it's turned off 
over the weekend) the ISC server will try to assign the same address to 
the client the next time it boots.  So if the address pool is large 
enough, and there isn't too much turnover, a client will tend to keep 
the same IP address.

However, this may not be true if you're running a pair of ISC servers 
in a failover configuration.  The servers divide up the address pool, 
and both may offer addresses to the client.  A client that took the 
offer from server 1 yesterday may take the offer from server 2 tomorrow.

> Is there anything we can do in the ISC configuration
> that can better encourage reuse?

The simplest way is to configure the DHCP server to assign a fixed IP 
address to the client.  I think this is the best approach for any 
access control policy based on individual host IP addresses.  Any 
scheme that relies on predicting the behavior of pooled IP addresses is 
going to have problems sooner or later.

-- 
George C. Kaplan                            gckaplan at ack.berkeley.edu
Communication & Network Services            510-643-0496
University of California at Berkeley
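The original question asked for operational data on how often a client ends up with a different address. The ISC server's own dhcpd.leases file is the place to get that: it is append-only, so reading it in order gives each client's address history, and any MAC that appears with more than one IP is a candidate for the fixed-address host declaration recommended above. The following script is an added example, not code from the thread or from ISC; the lease text it parses is constructed sample data in dhcpd.leases syntax, and the hostnames and addresses in it are made up.

```python
import re
from collections import defaultdict

# Constructed sample of an ISC dhcpd.leases file (not taken from the post).
# Entries are in file order; later entries for the same client supersede earlier ones.
SAMPLE_LEASES = """\
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 10.1.2.10 {
  starts 3 2005/10/12 08:00:00;
  ends 4 2005/10/13 08:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "stable-box";
}
lease 10.1.2.11 {
  starts 1 2005/10/10 09:00:00;
  ends 2 2005/10/11 09:00:00;
  binding state free;
  hardware ethernet 00:aa:bb:cc:dd:ee;
  client-hostname "weekend-box";
}
lease 10.1.2.10 {
  starts 4 2005/10/13 07:55:00;
  ends 5 2005/10/14 07:55:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "stable-box";
}
lease 10.1.2.13 {
  starts 3 2005/10/12 10:00:00;
  abandoned;
}
lease 10.1.2.12 {
  starts 3 2005/10/12 08:30:00;
  ends 4 2005/10/13 08:30:00;
  binding state active;
  hardware ethernet 00:aa:bb:cc:dd:ee;
  client-hostname "weekend-box";
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]+);")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')


def parse_leases(text):
    """Return (mac, ip, hostname) tuples in file order.

    Lease blocks with no 'hardware ethernet' line (e.g. abandoned leases)
    cannot be tied to a client and are skipped.
    """
    records = []
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        mac = MAC_RE.search(body)
        if not mac:
            continue
        host = HOST_RE.search(body)
        records.append((mac.group(1).lower(), ip, host.group(1) if host else ""))
    return records


def address_history(records):
    """Map each MAC to the ordered list of distinct IPs it has held."""
    hist = defaultdict(list)
    for mac, ip, _ in records:
        if ip not in hist[mac]:
            hist[mac].append(ip)
    return dict(hist)


def churned_clients(hist):
    """Clients that came back with a different address at least once."""
    return {mac: ips for mac, ips in hist.items() if len(ips) > 1}


def host_declaration(name, mac, ip):
    """dhcpd.conf host block pinning a client to one address."""
    return f"host {name} {{\n  hardware ethernet {mac};\n  fixed-address {ip};\n}}"


def pin_churned(records):
    """Generate host declarations for churned clients using their latest address."""
    hist = address_history(records)
    names = {mac: host or mac.replace(":", "") for mac, _, host in records}
    return [host_declaration(names[mac], mac, ips[-1])
            for mac, ips in churned_clients(hist).items()]


if __name__ == "__main__":
    recs = parse_leases(SAMPLE_LEASES)
    for mac, ips in address_history(recs).items():
        print(f"{mac}: {len(ips)} distinct address(es): {', '.join(ips)}")
    print("\n".join(pin_churned(recs)))
```

Run it against a real /var/lib/dhcp/dhcpd.leases to see the churn rate before deciding the policy; the generated host blocks are a starting point and the fixed-address should be chosen outside the dynamic range rather than simply reusing the last pooled address.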

