> we could possibly make macnospoof catch DHCP packets with spoofed
> chaddr. for client-ID, I am not so sure. usually it is the same as
> chaddr but for cases it is not we should not blindly drop the packet.
> do you know if the DHCP server could be told to look at both chaddr
> and client-ID when assigning an address? if that can be assumed then
> chaddr antispoof should be sufficient for preventing IP stealing.
Per the RFC (and per our implementation) the DHCP server must use the client ID when it's available, and fall back to chaddr when the client ID is not available. We rely on this for e.g. the DHCP client to work with IPMP. The relevant text in RFC2131 is:

    A DHCP server needs to use some unique identifier to associate a
    client with its lease. The client MAY choose to explicitly provide
    the identifier through the 'client identifier' option. If the client
    supplies a 'client identifier', the client MUST use the same 'client
    identifier' in all subsequent messages, and the server MUST use that
    identifier to identify the client. If the client does not provide a
    'client identifier' option, the server MUST use the contents of the
    'chaddr' field to identify the client.

-- 
meem
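The RFC 2131 identification rule meem cites and the chaddr-only antispoof check proposed earlier in the thread, worked through on constructed DHCPDISCOVER messages; this is an added example, not code from the thread or from the Solaris DHCP/macnospoof implementation. The packet builder, field offsets and option numbers are taken from the RFC 2131 message layout (client identifier is option 61); the sample MACs are constructed.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSGTYPE, OPT_CLIENT_ID, OPT_END = 0, 53, 61, 255


def parse_options(data):
    """Parse DHCP TLV options into {tag: value}; PAD is skipped, END stops parsing."""
    opts, i = {}, 0
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        length = data[i + 1]
        opts[data[i]] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp(pkt):
    """Return (chaddr, options). chaddr is 16 bytes on the wire at offset 28;
    only the first hlen bytes are the hardware address."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = pkt[2]
    return pkt[28:28 + hlen], parse_options(pkt[240:])


def lease_key(pkt):
    """RFC 2131: the server MUST key the lease on 'client identifier' when the
    client sent one, and MUST fall back to chaddr otherwise."""
    chaddr, opts = parse_dhcp(pkt)
    if OPT_CLIENT_ID in opts:
        return ("client-id", opts[OPT_CLIENT_ID])
    return ("chaddr", chaddr)


def chaddr_spoofed(pkt, link_mac):
    """The chaddr antispoof check: chaddr must equal the sending link's own MAC.
    The client identifier is deliberately not compared, because it may
    legitimately differ from chaddr (e.g. a client using IPMP)."""
    chaddr, _ = parse_dhcp(pkt)
    return chaddr != link_mac


def build_discover(mac, client_id=None):
    """Build a minimal DHCPDISCOVER for Ethernet (constructed sample, not a capture)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, len(mac), 0, 0x3903F326, 0,
                      0x8000, b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    hdr += mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128 + DHCP_MAGIC
    opts = bytes([OPT_MSGTYPE, 1, 1])  # message type 1 = DISCOVER
    if client_id is not None:
        opts += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    return hdr + opts + bytes([OPT_END])
```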