Subject: Re: dhcpd(8) _cannot_ be completely disabled on an interface
To: Dennis Ferguson, Andrew Brown <atatat@atatdot.net>
From: John Nemeth <jnemeth@victoria.tc.ca>
List: tech-security
Date: 01/09/2002 19:05:21

On May 30,  9:05am, Dennis Ferguson wrote:
}
} > and...if the address isn't on the local network, then adding an arp
} > entry will fail, no?
} 
} Which address?  If we're talking about the IP address, then you're the
} server which assigned the address and something is broken if the address
} you assigned isn't on the interface's subnet.  If we're talking about the

     Wrong!  You're neglecting the possibility of a relayed request.

} >                i ought still to be able to answer such a dhcp
} > request, no?  i'm stuck on seeing the possibility of a discrepancy
} > between the link layer address that the packet comes from and the link
} > layer address as embedded in the dhcp packet itself...kinda like the
} 
} As I noted you could always broadcast the response back instead if you
} felt some need to do it this way.

     Only if the client is on the local net.  If the request was
relayed, then you are supposed to send the response directly to the
relay agent.

} I don't see any problem which is fixed by looking at the source address
} in the ethernet header.  The protocol certainly doesn't require it, in
} fact it seems to require that you don't do this.

     Looking at the source address in the ethernet header wouldn't help
you in the case of a relayed request anyways.

}-- End of excerpt from Dennis Ferguson
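
The reply-destination rule argued over in this thread, written out as an added example (not part of the original message and not dhcpd's own code): it follows RFC 2131 section 4.1 for DHCPOFFER/DHCPACK and also covers the ciaddr case the thread does not mention. The function, enum and struct names are hypothetical, and a 6-byte Ethernet chaddr is assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Fixed BOOTP/DHCP header offsets (RFC 2131, figure 1). */
enum { OFF_FLAGS = 10, OFF_CIADDR = 12, OFF_GIADDR = 24, OFF_CHADDR = 28,
       BOOTP_MIN = 236 };

/* Hypothetical names, chosen for this example only. */
enum reply_kind { REPLY_INVALID, REPLY_TO_RELAY, REPLY_TO_CIADDR,
                  REPLY_BROADCAST, REPLY_TO_CHADDR };

struct reply_dest {
    enum reply_kind kind;
    uint8_t  ip[4];   /* destination IP address, network byte order */
    uint16_t port;    /* 67 = server/relay port, 68 = client port */
    uint8_t  mac[6];  /* link-layer destination, REPLY_TO_CHADDR only */
};

static int is_zero4(const uint8_t *p) { return (p[0] | p[1] | p[2] | p[3]) == 0; }

/* req: the received request; yiaddr: the address the server assigned.
 * Note that the Ethernet source address of the frame is never consulted. */
struct reply_dest dhcp_reply_dest(const uint8_t *req, size_t len,
                                  const uint8_t yiaddr[4])
{
    struct reply_dest d;
    memset(&d, 0, sizeof d);                    /* kind = REPLY_INVALID */
    if (len < BOOTP_MIN)
        return d;                               /* truncated header */
    d.port = 68;
    if (!is_zero4(req + OFF_GIADDR)) {          /* relayed: answer the relay agent */
        d.kind = REPLY_TO_RELAY;
        memcpy(d.ip, req + OFF_GIADDR, 4);
        d.port = 67;
    } else if (!is_zero4(req + OFF_CIADDR)) {   /* client already has an address */
        d.kind = REPLY_TO_CIADDR;
        memcpy(d.ip, req + OFF_CIADDR, 4);
    } else if (req[OFF_FLAGS] & 0x80) {         /* broadcast bit set by client */
        d.kind = REPLY_BROADCAST;
        memset(d.ip, 0xff, 4);
    } else {                                    /* local client: yiaddr at chaddr */
        d.kind = REPLY_TO_CHADDR;
        memcpy(d.ip, yiaddr, 4);
        memcpy(d.mac, req + OFF_CHADDR, 6);     /* assumes Ethernet, hlen 6 */
    }
    return d;
}
```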