hardware ethernet and option vendor-class-identifier


hardware ethernet and option vendor-class-identifier

Rafal
Hello Dhcp-users,

I want to make my DHCP server verify the hardware address and the
vendor-class-identifier before it sends a reply.

This is how I expected it to work:


(not working example)

##########
subnet 192.168.30.0 netmask 255.255.255.192 {
  option routers 192.168.30.1;
}

class "WINDOWS" {
  match if substring(option vendor-class-identifier, 0, 8) = "MSFT";
}

class "LINUX" {
  match if substring(option vendor-class-identifier, 0, 8) = "udhcp";
}

host windowspc {
  hardware ethernet 78:01:02:03:04:05;
  fixed-address 192.168.30.2;
  allow members of "WINDOWS";
}

host linuxpc {
  hardware ethernet 44:11:02:03:04:05;
  fixed-address 192.168.30.3;
  allow members of "LINUX";
}
#######
So when the DHCP server receives a DHCP request, it checks the hardware address and
then the vendor class identifier. If both match, it sends a reply.

"Allow members" needs to be defined inside a pool; however, I need static
IP configuration based on DHCP.
My example doesn't work. Can anyone help me make it work?

Thanks in advance.


--
Best regards,
 Ozga Rafal                          mailto:[hidden email]

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

RE: hardware ethernet and option vendor-class-identifier

Patrick Trapp
If you are specifying the fixed-address value based on the "hardware ethernet", why are you bothering with the class identifier? I would just specify that for a given hardware ethernet, assign a specific fixed address.

Is there some circumstance when you think a given MAC address will qualify for different classes?


Re: hardware ethernet and option vendor-class-identifier

Rafal
Hello Patrick,

This is mostly for security reasons.
Nowadays it is really easy to clone a MAC.
Adding a vendor-class-identifier check will make it harder.

I don't care about the IP on the network card being changed after the lease is active,
because each IP will be bound to a different VLAN.

Anyway, is there a chance to have hardware ethernet and option vendor-class-identifier
both checked before DHCP sends a lease?




--
Best regards,
Ozga Rafal                          mailto:[hidden email]


Re: hardware ethernet and option vendor-class-identifier

Sten Carlsen
In reply to this post by Patrick Trapp
It looks like you want to say that one particular host can only be accepted if booted into Windows but not when booted into Linux?

Allow statements do not fit into a host declaration AFAIK.

You may consider having a class for Windows and a class for Linux, then deny unknown hosts and allow the relevant class in each pool (one pool for each class).

Then you can use subclass statements to select who is what based on hardware.


-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!" 


Re: hardware ethernet and option vendor-class-identifier

Simon Hobson
In reply to this post by Rafal
Rafal <[hidden email]> wrote:

> Allow  members  need  to  be defined inside pool

That does not work; or, the slightly longer version: it will give you some very odd results which are very, very unlikely to be what you want.

Class and host declarations are global in scope, so even if you define them within a subnet (or pool, or shared-network) they will still be global and will still "exist" in other scopes. However, while your (e.g.) host statement is global, it will inherit options from the scope it is defined in; thus you can have a host in a subnet which is given options (e.g. router) inherited from another subnet where it is defined. Hence it is highly unlikely to give the results you expect or want.


RE: hardware ethernet and option vendor-class-identifier

Patrick Trapp
In reply to this post by Rafal
Just reply to the thread, no need to copy me directly.

I think Sten's pointed you down the right path. There appears to be a syntax issue with your example (as he points out), but, as important, from a logical/manageable perspective, you will have an easier time if you set up the classes in the way he describes.

But I think the benefit is marginal. If they are taking the time to fake the MAC, what are the odds that they won't be able to pick the correct operating system, too?

Are you going to have something in place to identify where they originate their request so you can accept/deny accordingly? I'm using option-82 to get a similar result, but just to assign them to the appropriate pools. You could use the same functionality.

I'm not convinced any of this is where you need to be spending your processing cycles for a security benefit.


Re: hardware ethernet and option vendor-class-identifier

Rafal
Hello Patrick,

I just posted an example to make it clearer.
In the working environment there will be an STB as the DHCP client.
I cannot control the firmware of the STB, so I can only make it harder
for foreign devices to obtain an IP.
The STB sends DHCP with the model type in the vendor-class-identifier field.
So that's the reason why I want to add an additional check before an IP
address is obtained. Cloning the vendor-class-identifier field is a bit harder than
a simple MAC address clone.


Rafal
--
Best regards,
Ozga Rafal                          mailto:[hidden email]


RE: hardware ethernet and option vendor-class-identifier

glenn.satchell
In reply to this post by Patrick Trapp
Be careful with your string comparisons:

Here you have an 8-char substring on the left and a 4-char string on the
right. These will never be equal, as the left string will be something
like "MSFTxxxx":

> match if substring(option vendor-class-identifier, 0, 8) = "MSFT";

You need substring(blah, 0, 4) = "MSFT".

regards,
-glenn



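As an added example (this is not code from the thread, from ISC, or from the set-top-box vendor), here is one dhcpd.conf layout that does what Sten describes (classes, one pool per class, subclasses keyed on the hardware address) and applies Glenn's substring correction, so that a client is offered an address only when both its MAC and its vendor-class-identifier are what the server expects. The MACs, the addresses, and the STB model string "STB-MODEL-X" are assumed values; the fixed addresses are handed out through single-address pools rather than host/fixed-address entries, because fixed addresses bypass pool permit lists.

```conf
# Added example, not part of the original thread. Requires BOTH a known MAC
# and the expected vendor-class-identifier before an address is offered.
# MACs, addresses and the STB model string "STB-MODEL-X" are assumed values.

# Classes must be declared before any pool refers to them.

# Per-device classes: a client is a member only if both tests are true.
# "hardware" evaluates to the hardware-type byte (1 = Ethernet) followed by
# the MAC, so the literal has 7 bytes. The substring length must equal the
# length of the literal: substring(..., 0, 8) compared with "MSFT" never
# matches, because Windows sends "MSFT 5.0".
class "windowspc" {
  match if (hardware = 1:78:01:02:03:04:05)
       and (substring(option vendor-class-identifier, 0, 4) = "MSFT");
}

class "linuxpc" {
  match if (hardware = 1:44:11:02:03:04:05)
       and (substring(option vendor-class-identifier, 0, 5) = "udhcp");
}

# Fleet variant for the set-top boxes: one class keyed on the MAC with a
# subclass per known box, plus a class for "anything that is NOT the STB
# firmware". A pool that allows the first and denies the second admits only
# clients matching both (permit list AND not deny list). A client that sends
# no vendor-class-identifier at all fails the comparison and is denied too.
class "known-stb" {
  match hardware;
}
subclass "known-stb" 1:00:11:22:33:44:55;   # assumed STB MACs
subclass "known-stb" 1:00:11:22:33:44:56;

class "not-stb-firmware" {
  match if not (substring(option vendor-class-identifier, 0, 11) = "STB-MODEL-X");
}

subnet 192.168.30.0 netmask 255.255.255.192 {
  option routers 192.168.30.1;

  # Static addresses via single-address pools so that allow/deny applies.
  pool {
    range 192.168.30.2;
    allow members of "windowspc";
  }
  pool {
    range 192.168.30.3;
    allow members of "linuxpc";
  }

  # Dynamic range for the STB fleet.
  pool {
    range 192.168.30.10 192.168.30.50;
    allow members of "known-stb";
    deny members of "not-stb-firmware";
  }
}
```

Syntax-check it with `dhcpd -t -cf <file>` before deploying. Note that several allow statements in one pool form an OR, not an AND; the conjunction comes either from a single class whose match-if joins both tests, or from pairing an allow with a deny of the inverse class, as the STB pool does. As Patrick points out, vendor-class-identifier is whatever the client chooses to send, so this only raises the bar slightly; relay-agent information (option 82) inserted by the access switch, matched with option agent.circuit-id or agent.remote-id, ties the request to a port the client does not control and is the stronger check.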