
Re: dhcp and foreign ip



On Mon, 02 Mar 2015 18:56:46 +0100
Pol Hallen <deben@fuckaround.org> wrote:

> Hi all :-)
> 
> An easy environment: 1 server 2 lans:
> 
> 192.168.1.0 - local lan1
> 192.168.2.0 - local wlan0
> 
> only one dhcp server manages these 2 lans
> 
> Sometimes I see inside the arp table (from wlan0) a strange IP like:
> 
> 10.168.245.246 or similar
> 
> what does it mean?
> Could be a PC with static IP goes inside my lan (via wireless) or
> what?
> 

Yes. A WAP may relay packets before it knows that the sender is
authenticated, as many authentication mechanisms involve TCP exchanges
and therefore need a valid local IP address. Your DHCP logs may well
show addresses being handed out to these outsiders, but presumably your
other logs do not show anyone actually being authenticated at the time
you see these addresses.

I don't believe that wireless encryption methods are relevant at the
DHCP level, so even though your WAP uses WPA2 and a long password,
which will stop anyone being authenticated, this doesn't affect DHCP
negotiations. Let's put it this way: in a network belonging to one of
my clients, I often see DHCP addresses being handed out to machines
that do not belong in the network, but there is never a sign of any
further use of those addresses. There is certainly a strong WPA2
passphrase set there.

I believe that during DHCP negotiations, the addresses 0.0.0.0 and
255.255.255.255 can be used, but I don't think there is much checking,
as DHCP traffic works on MAC addresses until an IP address is assigned.
I recently mentioned here that my Win8 machine was taking exception to
my DHCP server using 127.0.1.1 as a source address, while every other
OS that has used my network has not even noticed. So an outsider could
be using any source address, and is likely to use the one it last
managed to lease from the correct network.

-- 
Joe
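
A check for the situation discussed in this thread, as an added example that is not part of the original posts: it reads a neighbour table in Linux `/proc/net/arp` format and reports entries whose IP address lies outside the subnet expected on that interface. The /24 masks, the interface name `eth0` for the first LAN, and the sample table with its MAC addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumed mapping of interface -> subnet served by the DHCP server (the /24
# masks and the name "eth0" are assumptions; the post only gives the networks).
EXPECTED = {
    "eth0": ipaddress.ip_network("192.168.1.0/24"),
    "wlan0": ipaddress.ip_network("192.168.2.0/24"),
}

# Constructed sample in /proc/net/arp format (MAC addresses are made up).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.20     0x1         0x2         02:00:00:aa:00:01     *        eth0
192.168.2.31     0x1         0x2         02:00:00:aa:00:02     *        wlan0
10.168.245.246   0x1         0x2         02:00:00:aa:00:03     *        wlan0
192.168.1.77     0x1         0x2         02:00:00:aa:00:04     *        wlan0
192.168.2.40     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

def foreign_neighbours(arp_text, expected=EXPECTED):
    """Return (ip, mac, device, reason) for entries outside the device's subnet."""
    findings = []
    for line in arp_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) != 6:
            continue                                 # malformed row
        ip, _hw, flags, mac, _mask, dev = fields
        if int(flags, 16) & 0x2 == 0:
            continue                                 # incomplete entry, no MAC learned
        net = expected.get(dev)
        if net is None:
            findings.append((ip, mac, dev, "unknown interface"))
        elif ipaddress.ip_address(ip) not in net:
            findings.append((ip, mac, dev, f"outside {net}"))
    return findings

if __name__ == "__main__":
    for ip, mac, dev, reason in foreign_neighbours(SAMPLE_ARP):
        print(f"{dev}: {ip} ({mac}) {reason}")
```

The MAC address of each reported entry is the value to look up in the DHCP server's lease log and the access point's association log.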

