>The "Networking" section of _PC Week_ occasionally provides interesting
>information on new capabilities of those annoying little boxes that just
>won't go away ;).
>
>The latest one ( Vol 8 No 11, Feb 28 94, p35 ) mentions an intention
>by Microsoft to support dynamic IP addressing to make it "easier for
>administrators to move NT systems on a network and to support portable
>NT systems."
>
>"WINS (Windows Internet Naming Service) tracks IP addresses and the system
>names to which they are assigned. WINS works with the [IETF]'s Dynamic
>Host Configuration Protocol, which uncouples IP addresses from physical
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>node addresses and reassigns them as nodes go off-line or users move to
>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>different systems."
>^^^^^^^^^^^^^^^^^
>
>Ugh.
>
>Since this is news to me, I'm still reading the DHCP RFCs ( rfc13{4,5}1 )
>-- but, at first pass, it seems as though this can play havoc with certain
>weaknesses in IP if a hostile insider wants to mess around. I can also
>imagine certain firewall configurations that might break if IP addresses
>become even more meaningless than they already are ( e.g., proxies and
>wrappers ).
>
>Securing multi-protocol WANs built on dynamically-addressed protocols
>( e.g., Vines; Appletalk ) is one of the most difficult security problems
>I personally see. The relative stability of IP addresses has been a factor
>in my occasional use of IP-encapsulation as a firewalling tool, even if
>the router directly supports the protocol in question.
>
>Any of the more seasoned firewallers given any thought to this class of
>problem, or know more about DHCP ?
>
>Richard

Dynamic IP addressing is nothing new. Macintoshes do it routinely. PSI and
some other vendors have a dynamic IP dialup service. Usually the dynamic IP
addresses are in a specific range and are administered by a server. You
just don't "trust" the IP addresses in the dynamic range and you keep the
keys to the server and only do dynamic when you really have to.
Al
---------------------------------------------------------------------------
Alastair Young _ Ariel NH
Cadence Design Systems, Information Services )/___ _ Red Hunter
555 River Oaks Parkway, 4B1 __/(___)_*##/c
San Jose CA 95134 Fax: (408)894-3487 / /\\|| \ / \ Brakes'n'lites
alastair @
cadence .
com (408)428-5278 \__/ ----'\__/ novel eh?
---------------------------------------------------------------------------
These statements and opinions are mine, not those of Cadence Design Systems
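
The advice in the reply above (do not trust addresses in the dynamic range), as an added example that is not part of the original thread: a small audit of TCP-wrappers-style allow rules that flags any client pattern overlapping a DHCP pool. The pool range, the sample rules and the function names are constructed assumptions; only IPv4 patterns are handled.

```python
import ipaddress

# Assumption (constructed): the DHCP server leases 192.0.2.128-192.0.2.191.
DYNAMIC_POOLS = [ipaddress.ip_network("192.0.2.128/26")]

# Constructed sample in hosts.allow style: "daemon: client [client ...]"
SAMPLE_RULES = """\
# constructed sample, not from the thread
in.telnetd: 192.0.2.10
in.ftpd: 192.0.2.0/255.255.255.0
in.rlogind: 192.0.2.130 198.51.100.7
in.fingerd: 198.51.100.
"""

def pattern_to_network(pattern):
    """Map a wrapper client pattern to an IPv4 network; None for hostnames."""
    if pattern == "ALL":                      # wildcard matches every address
        return ipaddress.ip_network("0.0.0.0/0")
    if pattern.endswith("."):                 # prefix form such as "198.51.100."
        octets = pattern.rstrip(".").split(".")
        if not all(o.isdigit() for o in octets) or not 1 <= len(octets) <= 3:
            return None
        pattern = ".".join(octets + ["0"] * (4 - len(octets)))
        pattern += "/" + str(8 * len(octets))
    try:
        return ipaddress.ip_network(pattern, strict=False)
    except ValueError:                        # hostname or domain pattern
        return None

def audit(rules_text, pools=DYNAMIC_POOLS):
    """Return (line_no, daemon, pattern) for each rule trusting a dynamic address."""
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        fields = line.split("#", 1)[0].strip().split(":")
        if len(fields) < 2:                   # blank line or comment only
            continue
        daemon, clients = fields[0].strip(), fields[1]
        for pattern in clients.replace(",", " ").split():
            net = pattern_to_network(pattern)
            if net is not None and any(net.overlaps(p) for p in pools):
                findings.append((line_no, daemon, pattern))
    return findings

if __name__ == "__main__":
    for line_no, daemon, pattern in audit(SAMPLE_RULES):
        print(f"line {line_no}: {daemon} trusts {pattern}, which overlaps a dynamic pool")
```

Rules flagged this way are candidates for replacement with a static address outside the pool or with authentication that does not depend on the source address.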