Subject: Re: dhcpd(8) _cannot_ be completely disabled on an interface
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Andrew Brown <atatat@atatdot.net>
List: tech-security
Date: 01/07/2002 15:48:13
>> I think [dhcp uses bpf] because it needs to know which interface the
>> packet arrived on, and there traditionally hasn't been a way to find
>> this out about UDP packets. [...]
>>
>> If NetBSD already has a way to identify the incoming interface for an
>> IP datagram it could probably be put to use.
>
>It looks as though setting IP_RECVIF with setsockopt (level IPPROTO_IP,
>if I've read the code right) should do this - search for IP_RECVIF and
>INP_RECVIF in /sys/netinet for full details.
so...it would seem that with proper use of IP_RECVIF/INP_RECVIF and
IP_RECVDSTADDR/INP_RECVDSTADDR, one can find out on which interface
and at which address a udp datagram was received.
not having dug too deeply into dhcpd or the protocol, however, i
remain unconvinced that not knowing the actual source hardware is
acceptable. doesn't dhcpd need to know that in order to send the
reply? and won't it need to use a bpf in order to do so?
--
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org * "ah! i see you have the internet
twofsonet@graffiti.com (Andrew Brown) that goes *ping*!"
andrew@crossbar.com * "information is power -- share the wealth."
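As an added illustration of the receive side discussed in this message (not code from dhcpd or from the NetBSD tree): the program below binds a UDP socket, turns on the ancillary data that reports the arriving interface and destination address, and reads both out of recvmsg(2)'s control messages. On NetBSD, FreeBSD and macOS the options are IP_RECVIF (delivers a struct sockaddr_dl whose sdl_index is the interface) and IP_RECVDSTADDR (delivers a struct in_addr); on Linux the same two facts come from a single IP_PKTINFO message, which the #ifdef handles so the example compiles on either. The loopback self-send, the port choice and the payload string are constructed for the demo. It answers only "on which interface and at which address did this datagram arrive"; it says nothing about how a reply reaches a client that has no IP address yet, which is the separate question raised above.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <sys/socket.h>
#ifndef __linux__
#include <net/if_dl.h>            /* struct sockaddr_dl, carried by IP_RECVIF */
#endif

/* Metadata the kernel can report for a received datagram. */
struct udp_meta {
    unsigned int ifindex;         /* arriving interface (0 = not reported) */
    struct in_addr dst;           /* destination address from the IP header */
    struct sockaddr_in src;       /* sender address and port */
    ssize_t len;                  /* payload length */
};

/* NetBSD/FreeBSD/macOS: IP_RECVIF + IP_RECVDSTADDR. Linux: IP_PKTINFO. */
static int enable_recv_meta(int fd)
{
    int on = 1;
#ifdef __linux__
    return setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &on, sizeof on);
#else
    if (setsockopt(fd, IPPROTO_IP, IP_RECVIF, &on, sizeof on) < 0)
        return -1;
    return setsockopt(fd, IPPROTO_IP, IP_RECVDSTADDR, &on, sizeof on);
#endif
}

/* recvmsg(2) one datagram and pull ifindex/dst out of the control messages.
 * Returns 0 on success, -1 on error or if the control data was truncated. */
static int recv_with_meta(int fd, char *buf, size_t buflen, struct udp_meta *m)
{
    struct iovec iov = { buf, buflen };
    char cbuf[256];
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    memset(m, 0, sizeof *m);
    msg.msg_name = &m->src;
    msg.msg_namelen = sizeof m->src;
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;
    m->len = recvmsg(fd, &msg, 0);
    if (m->len < 0 || (msg.msg_flags & MSG_CTRUNC))
        return -1;                /* never guess the interface from partial data */
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != IPPROTO_IP)
            continue;
#ifdef __linux__
        if (c->cmsg_type == IP_PKTINFO) {
            const struct in_pktinfo *pi = (const struct in_pktinfo *)CMSG_DATA(c);
            m->ifindex = (unsigned int)pi->ipi_ifindex;
            m->dst = pi->ipi_addr;
        }
#else
        if (c->cmsg_type == IP_RECVIF)
            m->ifindex = ((const struct sockaddr_dl *)CMSG_DATA(c))->sdl_index;
        else if (c->cmsg_type == IP_RECVDSTADDR)
            memcpy(&m->dst, CMSG_DATA(c), sizeof m->dst);
#endif
    }
    return 0;
}

/* Offline demo (constructed): bind 127.0.0.1 on an ephemeral port, send
 * ourselves a datagram, read it back with metadata. Returns 0 on success. */
static int loopback_demo(const char *payload, struct udp_meta *m)
{
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = 0 };
    socklen_t alen = sizeof a;
    char buf[128];
    int fd = socket(AF_INET, SOCK_DGRAM, 0), rc = -1;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&a, sizeof a) == 0 &&
        enable_recv_meta(fd) == 0 &&
        getsockname(fd, (struct sockaddr *)&a, &alen) == 0 &&
        sendto(fd, payload, strlen(payload), 0, (struct sockaddr *)&a, sizeof a) >= 0)
        rc = recv_with_meta(fd, buf, sizeof buf, m);
    if (fd >= 0) close(fd);
    return rc;
}

int main(void)
{
    struct udp_meta m;
    char ifname[IF_NAMESIZE], dst[INET_ADDRSTRLEN];
    if (loopback_demo("constructed test datagram", &m) != 0) { perror("loopback_demo"); return 1; }
    printf("%zd bytes from %s:%u to %s via ifindex %u (%s)\n", m.len,
           inet_ntoa(m.src.sin_addr), ntohs(m.src.sin_port),
           inet_ntop(AF_INET, &m.dst, dst, sizeof dst), m.ifindex,
           if_indextoname(m.ifindex, ifname) ? ifname : "?");
    return 0;
}
```

The MSG_CTRUNC check matters for a daemon like dhcpd: if the control buffer is too small the kernel silently drops ancillary messages, and a server that then falls back to "some interface" would answer on the wrong segment. Note also that a socket bound to INADDR_ANY receives broadcasts on every interface, so the ifindex is the only thing that tells them apart.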