Today's Topics:

   1. Re: MAC randomisation and DHCP pools (Mike Richardson)
   2. Re: MAC randomisation and DHCP pools (Mike Richardson)

----------------------------------------------------------------------

Message: 1
Date: Wed, 29 Jul 2020 10:55:46 +0100
From: Mike Richardson <mike.richard...@manchester.ac.uk>
To: dhcp-users@lists.isc.org
Subject: Re: MAC randomisation and DHCP pools
Message-ID: <20200729095546.ge8...@jadzia.mcc.ac.uk>
Content-Type: text/plain; charset=us-ascii

Thanks. That's just what I needed. The question about the fixed identifier
is interesting. If devices/DHCP use it then things won't break (as much) but
it's not exactly a great approach to privacy if the device can still be
tracked this way.

Mike

> Going back to the original question where you have a pool of 100 leases and
> 50 clients with a 7 day lease time. Here is what I think might happen.
>
> On day 1 the 50 clients each take one lease. 50 in use, 50 free.
>
> On day 2 the 50 clients all have a new MAC address, now we assume that once
> the new MAC switches over the next time the client tries to renew it will
> not match the old lease but will get a new lease. With a 7 day lease the
> usual renewal time is half way through the lease, so none of these 50
> clients try to renew until 3.5 days after initially getting the lease. So no
> problems for days 2 or 3 until later in the day.
>
> So now we have 50 old leases and 50 new leases. Of course some systems may
> have been shutdown and released their lease, so maybe less than 50 leases in
> use initially so <50 old leases and 50 new leases.
>
> On day 4 the first few clients to renew with a new MAC address use up the
> previous few free leases. Other clients get "no free leases". The dhcp
> server can't revoke a lease it has already legitimately given to a client. I
> would expect this behaviour to continue until the first of the 7 day leases
> expire.
>
> Now the question is, for a client with a new MAC address, but possibly the
> same dhcp-identifier, will it match the existing lease? If it does
> match, then no problem. Behaviour will be much the same as previously.
>
> The other thing with this is that if the client gets a new IP address, all
> existing sessions break, so apps and webpages may have to reload or may not
> pass authentication. So there could be a noticeable interruption.
>
> The above is what I think will happen based on my understanding of ISC
> dhcpd. I don't really know exactly how the new IOS version will behave. I
> would suggest setting up a trial and testing with one of these new devices
> and see what actually happens. There are too many variables to predict what
> will happen exactly.
>
> regards,
> -glenn
>
>
> On 2020-07-27 19:34, Mike Richardson wrote:
> >On Sun, Jul 26, 2020 at 03:13:16PM -0400, Bill Shirley wrote:
> >> Did you see my reply about:
> >> adaptive-lease-time-threshold 75; # use min-lease-time when pool is above this percent
> >
> >I did and thanks for the information, that sounds very useful in the
> >circumstances but I'm not after a solution to a problem, I'm just trying to
> >understand the behaviour of the server in a given configuration. I have to
> >write up a 'these are the implications' type summary to be sent to a large
> >number of different organisations and knowing what happens when using longer
> >leases will help. I don't know their configurations and can't dictate to
> >them. All I can do is say "if you're doing X then Y happens".
> >
> >Thanks,
> >
> >Mike

--
Mike Richardson
** This email address will no longer work after 30th September 2018 **
** Please use doc...@perpetual.name instead for personal email **
** For work related communication use mike.richard...@jisc.ac.uk **

------------------------------

Message: 2
Date: Wed, 29 Jul 2020 11:00:16 +0100
From: Mike Richardson <mike.richard...@manchester.ac.uk>
To: dhcp-users@lists.isc.org
Subject: Re: MAC randomisation and DHCP pools
Message-ID: <20200729100016.gf8...@jadzia.mcc.ac.uk>
Content-Type: text/plain; charset=us-ascii

On Mon, Jul 27, 2020 at 07:36:36PM +0200, Sten Carlsen wrote:
> From reading the links provided by Matt, I see a somewhat better
> situation. Thanks Matt for providing this information.
>
> I may not have read all the information correctly, so no guarantee.

One of the articles I posted states that the MAC will change every 24 hours,
which means that things could change mid-lease, between renewals, if correct.
The Apple site mentions 'periodically', which could mean anything really.

Thanks,

Mike

> Inline below:
> --
> Best regards
> Sten Carlsen
> For every problem, there is a solution that
> is simple, elegant, and wrong.
> HL Mencken
>
> On 27 Jul 2020, at 15.08, glenn.satch...@uniq.com.au wrote:
>
> Hi Mike,
> Going back to the original question where you have a pool of 100 leases
> and 50 clients with a 7 day lease time. Here is what I think might
> happen.
> On day 1 the 50 clients each take one lease. 50 in use, 50 free.
> On day 2 the 50 clients all have a new MAC address, now we assume that
> once the new MAC switches over the next time the client tries to renew
> it will not match the old lease but will get a new lease. With a 7 day
> lease the usual renewal time is half way through the lease, so none of
> these 50 clients try to renew until 3.5 days after initially getting
> the lease. So no problems for days 2 or 3 until later in the day.
>
> For IOS the MAC stays constant until it detaches from that network, so
> renewal is not an issue. Going away and returning later might be but
> then the old lease should be free - for each network the user can choose
> to keep a constant MAC, some will, most will not is my guess.
>
> So now we have 50 old leases and 50 new leases. Of course some systems
> may have been shutdown and released their lease, so maybe less than 50
> leases in use initially so <50 old leases and 50 new leases.
> On day 4 the first few clients to renew with a new MAC address use up
> the previous few free leases. Other clients get "no free leases". The
> dhcp server can't revoke a lease it has already legitimately given to a
> client. I would expect this behaviour to continue until the first of
> the 7 day leases expire.
> Now the question is, for a client with a new MAC address, but possibly
> the same dhcp-identifier, will it match the existing lease? If it does
> match, then no problem. Behaviour will be much the same as previously.
>
> AFAIK in the RFC, the ClientID is the main ID, MAC is not used by
> default, only as a second option, so fixed ID should be fine.
>
> The other thing with this is that if the client gets a new IP address,
> all existing sessions break, so apps and webpages may have to reload or
> may not pass authentication. So there could be a noticeable
> interruption.
>
> Since at least IOS seems to keep the MAC while connected, this is not a
> problem, The new address comes with the next discover in dhcpd
>
> The above is what I think will happen based on my understanding of ISC
> dhcpd. I don't really know exactly how the new IOS version will behave.
> I would suggest setting up a trial and testing with one of these new
> devices and see what actually happens. There are too many variables to
> predict what will happen exactly.
>
> It seems that IOS would change addresses between networks but not
> across renewals. That will reduce the traceability quite much with
> little harm. If needed the IOS can be told to not change the MAC for
> any particular network.
>
> regards,
> -glenn
> On 2020-07-27 19:34, Mike Richardson wrote:
>
> On Sun, Jul 26, 2020 at 03:13:16PM -0400, Bill Shirley wrote:
>
> Did you see my reply about:
> adaptive-lease-time-threshold 75; # use min-lease-time when pool is above this percent
>
> I did and thanks for the information, that sounds very useful in the
> circumstances but I'm not after a solution to a problem, I'm just trying to
> understand the behaviour of the server in a given configuration. I have to
> write up a 'these are the implications' type summary to be sent to a large
> number of different organisations and knowing what happens when using longer
> leases will help. I don't know their configurations and can't dictate to
> them. All I can do is say "if you're doing X then Y happens".
> Thanks,
> Mike

--
Mike Richardson

------------------------------

Subject: Digest Footer

_______________________________________________
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
dhcp-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/dhcp-users

------------------------------

End of dhcp-users Digest, Vol 141, Issue 21
*******************************************
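
The pool arithmetic discussed in this thread (100 leases, 50 clients, 7 day leases, renewal at the halfway point, a MAC that rotates every 24 hours) can be checked with a small model. This is an added example, not part of the original messages and not ISC dhcpd code; the `simulate` function, its parameters, the 12-hour tick and the retry-every-tick behaviour are assumptions, and the 60-client run goes beyond the thread's numbers to show the pool running out.

```python
"""Simplified lease-pool model (added example; not ISC dhcpd code)."""

TICKS_PER_DAY = 2  # 12-hour ticks so the 3.5-day renewal point is a whole tick


def simulate(clients, pool_size=100, lease_days=7, mac_rotation_days=1,
             key_on="mac", days=14):
    """Return (peak leases in use, clients refused at least once).

    Assumptions taken from the thread, not measured behaviour:
      * a client renews halfway through its lease;
      * key_on="mac": leases are matched on the hardware address only, so a
        client whose MAC has rotated looks like a brand-new client;
      * key_on="client-id": the client sends an identifier that survives
        MAC rotation;
      * the server never revokes an unexpired lease.
    """
    lease = lease_days * TICKS_PER_DAY
    rotation = mac_rotation_days * TICKS_PER_DAY
    leases = {}                    # identity -> expiry tick
    next_request = [0] * clients   # tick of each client's next request
    refused = set()
    peak = 0

    for now in range(days * TICKS_PER_DAY + 1):
        # Expired leases return to the free pool first.
        leases = {i: exp for i, exp in leases.items() if exp > now}
        for client in range(clients):
            if next_request[client] != now:
                continue
            if key_on == "mac":
                ident = (client, now // rotation)  # changes at every rotation
            else:
                ident = (client, "stable-id")
            if ident in leases or len(leases) < pool_size:
                leases[ident] = now + lease        # renew or allocate
                next_request[client] = now + lease // 2
            else:
                refused.add(client)                # "no free leases"
                next_request[client] = now + 1     # assumed: retry next tick
        peak = max(peak, len(leases))
    return peak, len(refused)


if __name__ == "__main__":
    for n in (50, 60):
        for key in ("mac", "client-id"):
            print(n, key, simulate(n, key_on=key))
```

Under these assumptions 50 clients keyed on MAC hold the pool at exactly 100 of 100 leases with nobody refused, while the same clients keyed on a stable identifier never use more than 50; at 60 clients the MAC-keyed pool refuses 20 of them.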