On 2021-08-09 09:56 -06, "Theo de Raadt" <[email protected]> wrote:
> Using the word "security", you've got to be kidding.
>
> If a dhcp server on a L2 segment can be "rogue" about one thing, it can
> most certainly lie about any other answer, or act out in many other
> ways.
>
> The only way to avoid "rogue" DHCP servers on a segment is to not ask
> DHCP questions on that segment.
>
> This is not a security feature. It is purely for selecting aspects of
> the answer from TRUSTED DHCP servers.

...and filtering out non-malicious "rogue" DHCP servers. Say you are at a
conference or on a hotel wifi with not-stellar L2 security and some jackass
spins up a linksys. You can either
  a) go to a different hotel
  b) ignore the stupid dhcp server and maybe get work done
It's convenient, not a security feature.

> > Andras Vinter <[email protected]> wrote:
> >> The Linux dhclient supports it and it's actually a nice to have
> >> feature as it can increase the security by keeping out the rogue DHCP
> >> servers from an entire LAN range. But probably you can achieve similar
> >> functionality with the interface restriction.
> >>
> >> On Mon, Aug 9, 2021 at 3:33 PM Stuart Henderson <[email protected]> wrote:
> >> >
> >> > On 2021/08/09 15:03, Andras Vinter wrote:
> >> > > It's probably an overkill for first implementation, but in the future
> >> > > I think we should support subnet definitions in CIDR notation (e.x.:
> >> > > 192.168.0.0/24) and IP ranges for fine control (e.x.:
> >> > > 192.168.0.100-192.168.0.254).
> >> >
> >> > dhclient never needed that.
> >> >
> >>

-- 
I'm not entirely sure you are real.
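The thread discusses ignoring DHCP servers by address, and Andras suggests accepting single addresses, CIDR blocks and dashed ranges as the rule syntax. The following is an added example written for this page, not code from dhcpleased, dhclient or any poster: it parses those three rule forms with Python's standard ipaddress module and drops offers whose server identifier (the address the server claims for itself in option 54) matches a rule. The offers are constructed sample records, not captured traffic, and the `server_id`/`yiaddr` field names are this example's own. Because the only thing checked is what the server says about itself, the filter behaves exactly as the thread describes: it keeps a misconfigured consumer router out of the way, but a server that lies about its identifier is not stopped.

```python
import ipaddress

# Constructed sample DHCPOFFERs (not captured traffic), keyed by the server
# identifier (option 54) each server put in its own reply.
SAMPLE_OFFERS = [
    {"server_id": "10.0.0.1", "yiaddr": "10.0.0.57"},         # the venue's real server
    {"server_id": "192.168.0.1", "yiaddr": "192.168.0.100"},  # someone's consumer router
    {"server_id": "192.168.0.254", "yiaddr": "192.168.0.10"},
]


def parse_rule(rule):
    """Parse one ignore rule into a matcher tuple.

    Accepted forms (the syntax proposed in the thread): a single address
    (192.168.0.1), a CIDR block (192.168.0.0/24) or a dashed range
    (192.168.0.100-192.168.0.254).
    """
    rule = rule.strip()
    if "-" in rule:
        lo_s, hi_s = rule.split("-", 1)
        lo = ipaddress.IPv4Address(lo_s.strip())
        hi = ipaddress.IPv4Address(hi_s.strip())
        if lo > hi:
            raise ValueError(f"range start is above range end: {rule}")
        return ("range", lo, hi)
    if "/" in rule:
        # strict=False tolerates host bits being set, e.g. 192.168.0.1/24
        return ("net", ipaddress.IPv4Network(rule, strict=False))
    return ("host", ipaddress.IPv4Address(rule))


def rule_matches(parsed, addr):
    """True if the server identifier addr falls inside the parsed rule."""
    addr = ipaddress.IPv4Address(addr)
    kind = parsed[0]
    if kind == "host":
        return addr == parsed[1]
    if kind == "net":
        return addr in parsed[1]
    return parsed[1] <= addr <= parsed[2]


def filter_offers(offers, rules):
    """Drop every offer whose server identifier matches an ignore rule.

    Only the address the server claims for itself is checked, so this is the
    convenience filter the thread describes: a server that lies about its
    identifier passes straight through.
    """
    parsed = [parse_rule(r) for r in rules]
    return [
        o for o in offers
        if not any(rule_matches(p, o["server_id"]) for p in parsed)
    ]


if __name__ == "__main__":
    for rules in (["192.168.0.0/24"],
                  ["192.168.0.100-192.168.0.254"],
                  ["192.168.0.1"]):
        kept = filter_offers(SAMPLE_OFFERS, rules)
        print(rules, "->", [o["server_id"] for o in kept])
```

With the /24 rule only the 10.0.0.1 offer survives; the dashed range catches 192.168.0.254 but not 192.168.0.1, and the single-address rule catches only 192.168.0.1.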
