Security of dhcpd on non-listening interfaces?

Security of dhcpd on non-listening interfaces?

stevel_isc
Ok, so now that my multiple chrooted dhcp servers idea was shot down in
flames I need to retreat to serving only the more secure vlans.

Some of you appear to know the code well.  How secure is the server from
malicious packets on non-listening interfaces?

What I mean is, does the code identify and discard packets (both IP and raw
sockets) for ignored interfaces prior to doing risky things (like parsing
and memory reallocation)?

Are there links to discussions on this?  I should check out the relevant
sections of code, but before starting from scratch I'll bet there's a wealth
of discussion somewhere.


_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
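Whatever the daemon does internally with packets from ignored interfaces, a UDP socket bound to the wildcard address (0.0.0.0:67) receives unicast from every interface, so the practical check is to look at what the process has actually bound and fence the port at the packet filter. The script below is an added example, not code from the thread or from ISC dhcpd: it parses `ss -H -lunp`-style output (the sample lines are constructed), flags dhcpd sockets that are not pinned to one interface, and builds nftables rules that accept DHCP only on the intended interfaces.

```python
import re

# Constructed sample in the shape of `ss -H -lunp` output: UDP listeners with
# their local address and owning process. Not captured from a real host.
SAMPLE_SS_OUTPUT = """\
UNCONN 0 0 0.0.0.0:67 0.0.0.0:* users:(("dhcpd",pid=1234,fd=5))
UNCONN 0 0 192.0.2.1%eth1:67 0.0.0.0:* users:(("dhcpd",pid=1234,fd=6))
UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=800,fd=4))
"""

# state recv-q send-q local-address peer-address users:(("proc",...
LINE_RE = re.compile(r'^\S+\s+\d+\s+\d+\s+(\S+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_udp_listeners(text):
    """Return (process, local_address, port) tuples from ss-style lines."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        local, proc = m.groups()
        addr, port = local.rsplit(':', 1)
        listeners.append((proc, addr, int(port)))
    return listeners

def exposed_dhcp_sockets(listeners, process='dhcpd', port=67):
    """Local addresses of `process` sockets on `port` that are not pinned to
    one interface. A wildcard bind accepts unicast arriving on any interface,
    so traffic from a VLAN the server is not meant to serve still reaches it."""
    exposed = []
    for proc, addr, p in listeners:
        if proc != process or p != port:
            continue
        host = addr.split('%', 1)[0]          # strip a %iface suffix if present
        if host in ('0.0.0.0', '*', '::', '[::]'):
            exposed.append(addr)
    return exposed

def nft_rules(listen_ifaces, port=67):
    """nftables input-chain rules: accept DHCP only on the intended interfaces,
    drop it everywhere else (interface names are assumed, not from the thread)."""
    names = ', '.join(listen_ifaces)
    return [f'iifname {{ {names} }} udp dport {port} accept',
            f'udp dport {port} drop']

if __name__ == '__main__':
    found = parse_udp_listeners(SAMPLE_SS_OUTPUT)
    print('wildcard dhcpd sockets:', exposed_dhcp_sockets(found))
    print('\n'.join(nft_rules(['eth1', 'eth2'])))
```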

Re: Security of dhcpd on non-listening interfaces?

Simon Hobson
[hidden email] wrote:

> Some of you appear to know the code well.  How secure is the server from
> malicious packets on non-listening interfaces?
>
> What I mean is, does the code identify and discard packets (both IP and raw
> sockets) for ignored interfaces prior to doing risky things (like parsing
> and memory reallocation)?
>
> Are there links to discussions on this?  I should check out the relevant
> sections of code, but before starting from scratch I'll bet there's a wealth
> of discussion somewhere.

I don't recall any discussion of this in the past, and I've been on here for quite a few years.

As an alternative tack, can you separate the services onto two (or more) servers? In my experience, people looking at security to the level you appear to be doing tend to distrust security that relies only on software configuration - and for some of my customers at work that also means not relying on VLANs for traffic separation.
