Eric Cheng wrote:
> On Wed, Jul 08, 2009 at 06:25:35PM -0700, Peter Memishian wrote:
>> Per the RFC (and per our implementation) the DHCP server must use the
>> client ID when it's available, and fall back to chaddr when the client ID
>> is not available. We rely on this for e.g. the DHCP client to work with
>> IPMP. The relevant text in RFC2131 is:
>>
>>     A DHCP server needs to use some unique identifier to associate a
>>     client with its lease. The client MAY choose to explicitly provide
>>     the identifier through the 'client identifier' option. If the client
>>     supplies a 'client identifier', the client MUST use the same 'client
>>     identifier' in all subsequent messages, and the server MUST use that
>>     identifier to identify the client. If the client does not provide a
>>     'client identifier' option, the server MUST use the contents of the
>>     'chaddr' field to identify the client.
>>
>
> Do you know under what circumstances a client would choose a client-ID
> different from chaddr? I am trying to understand when we can do
> DHCP antispoof and when we cannot (without setting up explicit ACLs).
Any time it wants to. The client ID might be any desired string, including the administrator's pet's name. It's roughly equivalent to a system name. I think policies regarding who gets what IP address out of a DHCP server are best implemented in the server itself, and not in middleboxes. In other words, let the DHCP messages out, and if you see DHCPACK in return, then there's your answer: it's allowed.
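The identification rule quoted from RFC 2131 above, written out as an added example (not code from this thread or from the Solaris DHCP implementation): a server keys the lease on option 61 when the client sends one and falls back to chaddr otherwise. The packets are constructed inline for the demonstration; the client identifier values (a pet's name, a type-1 wrapped MAC) are assumed sample inputs, and the point a middlebox would have to cope with is that the two keys differ even when the client ID merely wraps the same MAC.

```python
import struct
from typing import Dict, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 section 3: marks start of options
OPT_PAD, OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 0, 53, 61, 255

def parse_options(opts: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area (RFC 2132 encoding); later duplicates win."""
    out, i = {}, 0
    while i < len(opts):
        code = opts[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out[code] = value
        i += 2 + length
    return out

def lease_key(packet: bytes) -> Tuple[str, bytes]:
    """Identifier a server MUST use per RFC 2131: option 61 if present, else chaddr."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]                          # hardware address length
    chaddr = packet[28:28 + min(hlen, 16)]    # chaddr field is 16 bytes, hlen of them used
    opts = parse_options(packet[240:])
    client_id = opts.get(OPT_CLIENT_ID)
    if client_id:                             # present and non-empty
        return ("client-id", client_id)
    return ("chaddr", chaddr)

def build_discover(chaddr: bytes, client_id: Optional[bytes] = None) -> bytes:
    """Constructed minimal DHCPDISCOVER (BOOTP header + cookie + options) for demonstration."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, len(chaddr), 0, 0x3903F326, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    body = chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128 + MAGIC_COOKIE
    opts = bytes([OPT_MSG_TYPE, 1, 1])        # DHCPDISCOVER
    if client_id is not None:
        opts += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    return hdr + body + opts + bytes([OPT_END])
```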