This is pretty much how I do it.

With wildcards: I've not enabled ipcp-allow-local and ipcp-allow-remote
so the client tells me what their IP is. The server will allocate an IP, but the client 
cannot.


----- Original Message ----- 
From: "Jacco de Leeuw" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 20, 2003 9:05 PM
Subject: Re: ip allocation bug


> 
> Tim Warnock wrote:
>  
> > is there a way of having it do it, and even allocate
> > static ip addresses to users?
> 
> Perhaps something like this (/etc/ppp/chap-secrets) might work:
> 
> # Secrets for authentication using CHAP
> # client        server  secret                  IP addresses
> jacco           *       "mysecret"              210.8.120.129
> *               jacco   "mysecret"              210.8.120.129
> tim             *       "rumpelstiltskin"       210.8.120.130
> *               tim     "rumpelstiltskin"       210.8.120.130
> 
> This touches upon another issue. It seems that when dynamic
> IP addresses are used in combination with the "*" wildcard 
> in chap-secrets, the user can configure _any_ static IP address
> that he wants. L2tpd/pppd will happily assign it to him, even
> if the address falls outside the allowed "ip range". Scary.
> 
> Perhaps it would be better to specify the allowed IP range
> in chap-secrets as well? (Or use static IP addresses, as
> mentioned above). For example:
> 
> # Secrets for authentication using CHAP
> # client        server  secret                  IP addresses
> jacco           *       "mysecret"              210.8.120.129/27
> *               jacco   "mysecret"              210.8.120.129/27
> tim             *       "rumpelstiltskin"       210.8.120.129/27
> *               tim     "rumpelstiltskin"       210.8.120.129/27
> 
> The passwords will be valid only for the 210.8.120.129/27 subnet,
> i.e. 32 addresses starting from .129.
> 
> What do you guys think of it? Wildcards considered harmful?
> 
> Jacco
> -- 
> Jacco de Leeuw                         mailto:[EMAIL PROTECTED]
> Zaandam, The Netherlands           http://www.jacco2.dds.nl
>                Coffee is not my cup of tea.
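
An added example, not part of the original thread: a small audit that reads a chap-secrets file and reports entries whose address column would let a peer take an address outside the intended pool. It follows the address-column rules in pppd(8) ("*" accepts any address, "-" or an empty column accepts none, a leading "!" denies); the pool 210.8.120.128/27, the `guest` and `roam` entries and the function name are assumptions made for illustration.

```python
import ipaddress
import shlex

def audit_chap_secrets(text, pool):
    """Return (line_no, client, problem) for entries that do not confine the peer to `pool`."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = shlex.split(line, comments=True)  # honours quoted secrets and # comments
        if len(fields) < 3:
            continue  # blank, comment or incomplete line
        client, _server, _secret, *addrs = fields
        for word in addrs:
            if word == "-" or word.startswith("!"):
                continue  # explicit denials cannot widen access
            if word == "*":
                findings.append((line_no, client, "any address accepted"))
                continue
            try:
                net = ipaddress.ip_network(word, strict=False)
            except ValueError:
                # hostnames and other forms are not resolved here
                findings.append((line_no, client, f"{word}: not an address, check by hand"))
                continue
            if not net.subnet_of(pool_net):
                findings.append((line_no, client, f"{word}: outside {pool_net}"))
    return findings

# Constructed sample: the first two entries reuse values from the thread,
# the last two are made up to show what gets flagged.
SAMPLE = '''\
# client  server  secret             IP addresses
jacco     *       "mysecret"         210.8.120.129
tim       *       "rumpelstiltskin"  210.8.120.129/27
guest     *       "changeme"         *
roam      *       "changeme2"        10.0.0.0/8
'''
POOL = "210.8.120.128/27"  # assumed server-side "ip range"

if __name__ == "__main__":
    for line_no, client, problem in audit_chap_secrets(SAMPLE, POOL):
        print(f"line {line_no}: {client}: {problem}")
```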
