From: Adam Forsyth (forsytad@luther.edu)
Date: Thu Sep 27 2001 - 21:15:51 CDT
I think I get the idea now. I suppose ideally, in addition to blocking
the non-registered addresses, you'd keep the ip domain for registered
users within a few hundred addresses of your actual number of users to
maximize the chance that the dhcp server will try to use it. So you can
find out and yell at them.
Furthermore, you could make your addressing system harder to figure out
by choosing more random smaller chunks of the address space in the
registered and unregistered pools. So, rather than 172.16.2.0 -->
172.16.4.0 being unregistered and 172.16.5.0 --> 172.16.8.0 being
registered addresses, something more like:
registered addresses
172.16.2.0--> 172.16.2.100
172.16.3.100--> 172.16.3.254
172.16.4.50--> 172.16.4.254
172.16.5.150--> 172.16.4.254
172.16.6.1--> 172.16.6.50
unregistered addresses
172.16.2.101--> 172.16.2.254
172.16.3.1--> 172.16.3.99
172.16.4.1--> 172.16.4.49
172.16.5.1--> 172.16.4.149
172.16.6.51--> 172.16.6.254
On Thursday, September 27, 2001, at 07:39 PM, Nick Ciesinski wrote:
> Ok.. I will clarify a bit about what I mean by non-registered.
>
> Non-registered to me is an ip that is for non-registered students. You
> might ask what is the point of blocking the non-registered ip's since
> all a user would need to do is pick a registered ip. The fact is many
> students don't know how the system works, so they have really no idea
> that the ip they first get is a special ip for non-registered users.
> Also, if they do figure it out they will have to figure out which ip's
> are for registered people (which is not that hard.) However, if a
> student picks a registered user ip and hard codes it, most likely the
> dhcp server will try and use that ip and get an abandoned address. So
> what we do is check the abandoned address and see if people are using
> them and if so track them down.
>
> We are looking at finding a way to communicate with the router. This
> will allow us to block all ip's until they are in use by a registered
> user, but, we have not come to a solid conclusion yet on how to do that.
>
> Nick
>
>
> -----Original Message-----
> From: owner-netreg@southwestern.edu
> [mailto:owner-netreg@southwestern.edu] On Behalf Of Mark Bodnar
> Sent: Thursday, September 27, 2001 8:51 AM
> To: netreg@southwestern.edu
> Subject: Re: NetReg: Force use of DHCP server vs picking your own
> manually
>
> If using ipfilter or ipchains, the better position would be to deny all
> and permit only registered addresses. Also, you don't need everything to
> be on the same box. Using a modified parsing routine, you could create an
> ipfilter ruleset or chain to send to the gateway.
>
> "King, Michael" wrote:
>
>> Someone earlier in the list (circa last year I think) mentioned that
>> they had a small script that would check the arp tables of their
>> router, and would "poison" any IP's that didn't have a MAC in the
>> dhcpd.conf file.
>>
>> I don't know what they meant by poison it, but it's in the list
>> archive somewhere.
>>
>> -----Original Message-----
>> From: Adam Forsyth [mailto:forsytad@luther.edu]
>> Sent: Wednesday, September 26, 2001 10:13 PM
>> To: netreg@southwestern.edu
>> Subject: NetReg: Force use of DHCP server vs picking your own manually
>>
>> Netreg is great, I love it compared to any other method we've used to
>> accomplish the task of distributing ip addresses to users of our
>> ResNet, and making them register the fact that they have a computer
>> plugged into it.
>>
>> I've got one little problem though. Since we started using it a month
>> ago, I've been noticing that there is nothing to stop a student from
>> picking an address from the registered range (randomly off the top of
>> his head without consultation with the DHCP server), and manually
>> assigning it, the proper gateway and a DNS server to his computer. He
>> can then go on his merry way happily using the network without first
>> registering his connection with our netreg server.
>>
>> I can think of a couple of potential possible solutions to this
>> problem.
>>
>> 1.) We could make the NetReg/DHCP/DNS server also work as a router
>> and make it the default gateway for this network. We'd have to create
>> a script that went through the leases file and allowed access to all
>> of the registered addresses and blocked all of the rest of the
>> addresses in the entire subnet.
>>
>> 2.) Another thought I've come up with is that maybe we could come up
>> with a crazy and overly complicated subnetting scheme such that it'd
>> be much more complicated to come up with a combination of addresses
>> and subnet masks, such that it'd be much more difficult to pick a
>> combination that would work and that we'd route for you. I don't think
>> I'm enough of a router guru to come up with this scheme, and
>> furthermore if your only motivation in dodging my system is to obtain
>> a static ip address that I don't randomly change once a week, and you
>> don't mind being registered, you'd just register, and then copy down
>> all of the values and assign them to yourself manually.
>>
>> Has anyone already come up with a solution to this problem... hopefully
>> more elegant, simple to implement and fool-proof than mine? If so, I'd
>> appreciate hearing your advice.
>>
>> Thanks in advance for your help.
>>
>> --
>> Adam Forsyth
>> Senior Systems Administrator
>> Luther College
>>
>> **********************************************************************
>> To unsubscribe from this list, send an e-mail message to
>> majordomo@southwestern.edu containing a single line with the words:
>> unsubscribe netreg
>> Send requests for assistance to: owner-netreg@southwestern.edu
>> **********************************************************************
>
> --
> Mark Bodnar
> Technical Director of IT
> Phillips Exeter Academy
> 20 Main St.
> Exeter, NH 03833
> 603.777.3693
> mbodnar@exeter.edu
>
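An added example, written for this archive page and not by anyone on the list, of the leases-file approach Adam's option 1 and Mark's reply describe, together with Nick's abandoned-address check: it parses a constructed ISC dhcpd.leases fragment (v2 syntax), permits only addresses with a current lease in a default-deny ipchains ruleset for the gateway, and lists the addresses dhcpd marked abandoned. The lease data, the NOW timestamp and the chain name are assumptions.

```python
import re
from datetime import datetime
# Constructed dhcpd.leases fragment (ISC dhcpd v2 syntax), not data from the list.
SAMPLE_LEASES = """\
lease 172.16.2.10 {
  ends 5 2001/09/28 20:00:00;
  hardware ethernet 00:11:22:33:44:55;
}
lease 172.16.2.11 {
  ends 4 2001/09/27 08:00:00;
  hardware ethernet 00:11:22:33:44:66;
}
lease 172.16.2.12 {
  ends 5 2001/09/28 10:00:00;
  abandoned;
}
"""
# Assumed "current time" for the example; dhcpd.leases timestamps are UTC.
NOW = datetime(2001, 9, 28, 2, 15)
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
ENDS_RE = re.compile(r"ends\s+\d\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2});")

def parse_leases(text):
    """Map each leased IP to its expiry and whether dhcpd marked it abandoned.
    dhcpd appends entries, so a later block for the same IP overrides an earlier one."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        m = ENDS_RE.search(body)
        ends = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S") if m else None
        # "abandoned;" means dhcpd's ping found the address already in use,
        # which is what a hard-coded registered IP produces.
        leases[ip] = {"ends": ends, "abandoned": "abandoned;" in body}
    return leases

def active_ips(leases, now):
    """Addresses with a current, non-abandoned lease: the only ones to permit."""
    return sorted(ip for ip, l in leases.items()
                  if not l["abandoned"] and l["ends"] is not None and l["ends"] > now)

def abandoned_ips(leases):
    """Addresses dhcpd gave up on: check who is using them and track them down."""
    return sorted(ip for ip, l in leases.items() if l["abandoned"])

def ruleset(allowed, chain="forward"):
    """Default-deny ipchains rules for the gateway, permitting only allowed sources."""
    rules = [f"ipchains -F {chain}", f"ipchains -P {chain} DENY"]
    return rules + [f"ipchains -A {chain} -s {ip} -j ACCEPT" for ip in allowed]

if __name__ == "__main__":
    print("\n".join(ruleset(active_ips(parse_leases(SAMPLE_LEASES), NOW))))
```

Regenerating the ruleset whenever dhcpd rewrites the leases file keeps the permit list in step with registrations; the expired lease is dropped and the abandoned one is never permitted.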
This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:36 CDT