From: Nick Ciesinski (ciesinskna26@mail.uww.edu)
Date: Thu Sep 27 2001 - 19:38:49 CDT
Ok.. I will clarify a bit about what I mean by non-registered.
Non-registered to me is an ip that is for non-registered students. You
might ask what is the point of blocking the non-registered ip's since
all a user would need to do is pick a registered ip. The fact is many
students don't know how the system works, so they have really no idea
that the ip they first get is a special ip for non-registered users.
Also, if they do figure it out they will have to figure out which ip's
are for registered people (which is not that hard.) However, if a
student picks a registered user ip and hard codes it most likely the
dhcp sever will try and use that ip and get an abandoned address. So
what we do is check the abandoned address and see if people are using
them and if so track them down.
We are looking at finding a way to communicate with the router. This
will allow us to block all ip's until they are in use by a registered
user, but, we have not come to a solid conclusion yet on how to do that.
Nick
-----Original Message-----
From: owner-netreg@southwestern.edu
[mailto:owner-netreg@southwestern.edu] On Behalf Of Mark Bodnar
Sent: Thursday, September 27, 2001 8:51 AM
To: netreg@southwestern.edu
Subject: Re: NetReg: Force use of DHCP server vs picking your own
manually
If using ipfilter or ipchains, the better position would be to deny all
and
permit only registered addresses. Also, you don't need everything to be
on
the same box. Using a modified parsing routine, you could create an
ipfilter
ruleset or chain to send to the gateway.
"King, Michael" wrote:
> Someone earlier in the list (circa last year I think) mentioned that
they
> had a small script that would check the arp tables of their router,
and
> would "poison" any IP's that didn't have a MAC in the dhcpd.conf file.
>
> I don't know what they meant by poison it, but It's in the list
archive
> somewhere
>
> -----Original Message-----
> From: Adam Forsyth [mailto:forsytad@luther.edu]
> Sent: Wednesday, September 26, 2001 10:13 PM
> To: netreg@southwestern.edu
> Subject: NetReg: Force use of DHCP server vs picking your own manually
>
> Netreg is great, I love it compared to any other method we've used to
> accomplish the task of distributing ip addresses to users of our
ResNet,
> and making them register the fact that they have a computer plugged
into
> it.
>
> I've got one little problem though. Since we started using it a month
> ago, I've been noticing that there is nothing to stop a student from
> picking an address from the registered range(randomly off the top of
his
> head without consultation with the DHCP server), and manually
assigning
> it, the proper gateway and a DNS server to his computer. He can then
go
> on his merry way happily using the network without first having
> registering his connection with our netreg server.
>
> I can think of a couple of potential possible solutions to this
problem.
>
> 1.) We could make the NetReg/DHCP/DNS server also work as a router
and
> make it the default gateway for this network. We'd have to create a
> script that went through the leases file and allowed access to all of
> registered addresses and blocked all of the rest of the addresses in
> the entire subnet.
>
> 2.) Another thought I've come up with is that maybe we could come up
> with a crazy and overly complicated subnetting scheme such that it'd
be
> much more complicated to come up with a combination of addresses and
> subnet masks such that it'd be much more difficult to pick a
combination
> that would work and that we'd route for you. I don't think I'm enough
> of a router guru to come up with this scheme, and furthermore if your
> only motivation in dodging my system is to obtain a static ip address
> that I don't randomly change once a week, and you don't mind being
> registered, you'd just register, and then copy down all of the values
> and assign them to yourself manually.
>
> Has anyone already come up with a solution to this
> problem......hopefully more elegant, simple to implement and
fool-proof
> than mine? If so, I'd appreciate hearing your advice.
>
> Thanks in Advance for your help
>
> --
> Adam Forsyth
> Senior Systems Administrator
> Luther College
>
> **********************************************************************
> To unsubscribe from this list, send an e-mail message to
> majordomo@southwestern.edu containing a single line with the words:
> unsubscribe netreg
> Send requests for assistance to: owner-netreg@southwestern.edu
> **********************************************************************
> **********************************************************************
> To unsubscribe from this list, send an e-mail message to
> majordomo@southwestern.edu containing a single line with the words:
> unsubscribe netreg
> Send requests for assistance to: owner-netreg@southwestern.edu
> **********************************************************************
-- Mark Bodnar Technical Director of IT Phillips Exeter Academy 20 Main St. Exeter, NH 03833 603.777.3693 mbodnar@exeter.edu********************************************************************** To unsubscribe from this list, send an e-mail message to majordomo@southwestern.edu containing a single line with the words: unsubscribe netreg Send requests for assistance to: owner-netreg@southwestern.edu **********************************************************************
********************************************************************** To unsubscribe from this list, send an e-mail message to majordomo@southwestern.edu containing a single line with the words: unsubscribe netreg Send requests for assistance to: owner-netreg@southwestern.edu **********************************************************************
This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:36 CDT