Hello,

On Tue, 08 Jul 2008, R.Kannan wrote:
> Last Friday our box mysteriously tried to assign itself the IP of our
> network gateway ( 172.18.32.1 ) and succeeded.
<snipped>
> How can this happen? If this behaviour is acceptable, can anyone
> running *inx assign some arbitrary IP and bring the server / network
> down?
Here is a mini-HOWTO to avoid this problem.

1. Ensure that your DHCP server does *not* give dynamic IP addresses to
   your servers. Separate the dynamic address range from the server
   address range (for example, using a netmask) and use only the former
   for DHCP addresses.

2. Run "arpwatch" on some server (for example the DHCP server). This
   maintains a table matching IP addresses to MAC addresses and warns you
   whenever there is a change. You can specifically exclude some address
   ranges like the DHCP address range.

3. Set up a static table of MAC/IP pairs for all your servers and publish
   this table using LDAP/NIS. Make sure the clients use LDAP/NIS to pick
   up this data and feed it into their arp table as "permanent" data.

What these steps will do:

1. Ensure that your DHCP server will not "give away" one of your server
   addresses.

2. Ensure that you will receive a warning as soon as some machine assumes
   the IP address of a server.

3. Ensure that all clients will send packets to the correct MAC address
   when they want to send packets to a server IP.

As a consequence you will be protected against _accidental_ IP takeovers.
To guard against _hostile_ IP takeovers you need some kind of encryption
and authentication for the data.

Kapil.
--

_______________________________________________
To unsubscribe, email [EMAIL PROTECTED] with
"unsubscribe <password> <address>"
in the subject or body of the message.
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
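The following is an added illustration of steps 2 and 3 of the mini-HOWTO above; it is example code written for this page, not code from the original post and not arpwatch itself. It assumes a constructed split of 172.18.32.0/24 into a server half (172.18.32.0/25) and a DHCP half (172.18.32.128/25), a two-entry static MAC/IP table standing in for what LDAP/NIS would publish, a hypothetical interface name eth0, and a hand-written sequence of observed ARP replies ending with a workstation answering for the gateway's IP, as in the incident described.

```python
"""Toy arpwatch-style change monitor plus static-ARP publisher.

Added example for the mini-HOWTO above; not from the original post.
Assumptions (all constructed for this example):
  - servers live in 172.18.32.0/25, DHCP clients in 172.18.32.128/25
  - STATIC_TABLE is a literal standing in for the LDAP/NIS-published table
  - the observed ARP replies are hand-written (ip, mac) tuples
  - 'eth0' is a hypothetical interface name
"""
import ipaddress

DHCP_RANGE = ipaddress.ip_network("172.18.32.128/25")

# Static server table (step 3: what the HOWTO says to publish via LDAP/NIS).
STATIC_TABLE = {
    "172.18.32.1": "00:11:22:33:44:01",   # gateway
    "172.18.32.10": "00:11:22:33:44:0a",  # DHCP/LDAP server
}


def permanent_arp_commands(table, dev="eth0"):
    """Render the static table as Linux 'ip neigh' commands that a client
    would run to seed its ARP cache with permanent entries (step 3)."""
    ordered = sorted(table.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    return [
        f"ip neigh replace {ip} lladdr {mac} nud permanent dev {dev}"
        for ip, mac in ordered
    ]


class ArpWatch:
    """Minimal arpwatch-like table: remembers IP -> MAC and reports changes,
    ignoring addresses inside the excluded DHCP range (step 2)."""

    def __init__(self, dhcp_range, seed=None):
        self.dhcp_range = dhcp_range
        self.table = {ip: mac.lower() for ip, mac in (seed or {}).items()}

    def observe(self, ip, mac):
        """Feed one (ip, mac) pair as seen in an ARP reply.

        Returns a warning string when a known, non-DHCP IP shows up with a
        different MAC than last time; returns None otherwise."""
        mac = mac.lower()
        if ipaddress.ip_address(ip) in self.dhcp_range:
            return None  # dynamic addresses legitimately move between MACs
        old = self.table.get(ip)
        self.table[ip] = mac
        if old is not None and old != mac:
            return f"changed ethernet address {ip} {old} -> {mac}"
        return None


def run_example():
    """Replay constructed ARP traffic and return the warnings raised."""
    watch = ArpWatch(DHCP_RANGE, seed=STATIC_TABLE)
    # Constructed traffic: a normal gateway reply, a DHCP client changing
    # MAC (ignored), then a workstation answering for the gateway's IP.
    observed = [
        ("172.18.32.1", "00:11:22:33:44:01"),
        ("172.18.32.200", "aa:bb:cc:dd:ee:01"),
        ("172.18.32.200", "aa:bb:cc:dd:ee:02"),
        ("172.18.32.1", "DE:AD:BE:EF:00:01"),
    ]
    return [w for w in (watch.observe(ip, mac) for ip, mac in observed) if w]


if __name__ == "__main__":
    for cmd in permanent_arp_commands(STATIC_TABLE):
        print(cmd)
    for warning in run_example():
        print("WARNING:", warning)
```

Only the last observation produces a warning: the DHCP client's MAC change is suppressed by the range exclusion, while the gateway IP appearing with a new MAC is exactly the accidental takeover the post describes. The generated `ip neigh ... nud permanent` entries are what keeps a client sending to the right MAC even while that conflict exists; as the post notes, none of this stops a deliberate attacker who can also spoof the published table unless that data is authenticated.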
