** SNIP **

With respect to the refusal to accept DHCP offers from ports other than the DHCP port (68), I think that Dan is correct in his implementation regarding RFC 2131, even though he is a bit uncertain. Well, so am I :)

According to Dan, Section 4.1 of the DHCP RFC 2131 states:

"DHCP uses UDP as its transport protocol. DHCP messages from a client to a server are sent to the 'DHCP server' port (67), and DHCP messages from a server to a client are sent to the 'DHCP client' port (68)."

It feels right to refuse offers from other ports. And I understand the "spoofing" concept that Dan mentions, but...

1. If I take a laptop and connect it to the network, I can then easily set up a DHCP server (since I'm root on my own laptop) and send offers on port 68. One way to stop this is to make sure not to let other network cards connect to the network, e.g. by restricting the MAC addresses allowed on the network.

2. If there is such a restriction then, as Dan said, anyone with an account on a workstation can set up a DHCP server on a port >1024.

Now the question is: "Is there a real threat that someone will spoof the DHCP address? And if so, why? What can the attacker gain by doing this?"

I sent some comments to RFC 2131 at: http://www.faqs.org/rfcs/rfc2131.html

Best,
/Richard Torkar
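As an added illustration of the port check discussed in this thread (not code from the thread, from Dan's implementation, or from any real DHCP client), here is a small Python validator that accepts a DHCPOFFER only when the datagram came from server port 67 to client port 68 and carries the expected xid and message type. The sample offer is constructed inline, and reading section 4.1 as a source-port requirement that the client enforces is my assumption.

```python
import struct

BOOTREPLY = 2
DHCPOFFER = 2
DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 section 3 option-field cookie


def parse_options(opts):
    """Parse DHCP TLV options into {tag: value}; stops at the END (255) tag."""
    out, i = {}, 0
    while i < len(opts):
        tag = opts[i]
        if tag == 0:        # PAD option, single byte
            i += 1
            continue
        if tag == 255:      # END option
            break
        length = opts[i + 1]
        out[tag] = opts[i + 2:i + 2 + length]
        i += 2 + length
    return out


def check_offer(src_port, dst_port, xid, payload):
    """Return (accepted, reason) for a UDP datagram claiming to be a DHCPOFFER.
    The port test runs first: an offer sent from an unprivileged port (>1024)
    or to the wrong client port is dropped before the body is even parsed."""
    if src_port != DHCP_SERVER_PORT:
        return False, "source port %d is not the DHCP server port" % src_port
    if dst_port != DHCP_CLIENT_PORT:
        return False, "destination port %d is not the DHCP client port" % dst_port
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return False, "not a DHCP message"
    op, _htype, _hlen, _hops, pkt_xid = struct.unpack("!BBBBI", payload[:8])
    if op != BOOTREPLY:
        return False, "op field is not BOOTREPLY"
    if pkt_xid != xid:
        return False, "xid does not match our DHCPDISCOVER"
    options = parse_options(payload[240:])
    if options.get(53) != bytes([DHCPOFFER]):
        return False, "message type is not DHCPOFFER"
    server = ".".join(str(b) for b in options.get(54, b""))
    return True, "DHCPOFFER from server %s" % server


def build_offer(xid, yiaddr=b"\xc0\xa8\x01\x64", server=b"\xc0\xa8\x01\x01"):
    """Constructed DHCPOFFER body (hypothetical, not a capture): 236-byte fixed
    header, magic cookie, then message-type and server-identifier options."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", BOOTREPLY, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, yiaddr, server, b"\0" * 4)
    hdr += b"\0" * 16 + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    opts = bytes([53, 1, DHCPOFFER, 54, 4]) + server + bytes([255])
    return hdr + MAGIC_COOKIE + opts
```

Run `check_offer(67, 68, xid, build_offer(xid))` against `check_offer(1025, 68, xid, build_offer(xid))` to see the first accepted and the second rejected on the port test alone.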