Networking Forums


Duplicate MAC problems

 
 
Sonny

 
      11-23-2007, 12:56 AM
Hello,
Sorry if this is a newbie question, I hope somebody can help. It is
about getting different IP addresses for same (software) MAC from the
DHCP server. For example, I have 2 PCs. We copy the software MAC from
the first PC to the other PC. When we do that, the DHCP gives the same
IP address, therefore both PCs have the same IP address. Is there a
way to configure the DHCP server that besides the MAC, there is
another factor to determine what IP address will be given, let's say
the host name? Thanks in advance!
 
Dave Uhring

 
      11-23-2007, 02:01 AM
On Thu, 22 Nov 2007 17:56:31 -0800, Sonny wrote:

> Sorry if this is a newbie question, I hope somebody can help. It is
> about getting different IP addresses for same (software) MAC from the
> DHCP server. For example, I have 2 PCs. We copy the software MAC from
> the first PC to the other PC.


Why do you want to do something as totally stupid as that?

> When we do that, the DHCP gives the same
> IP address, therefore both PCs have the same IP address. Is there a way
> to configure the DHCP server that besides the MAC, there is another
> factor to determine what IP address will be given, let's say the host
> name? Thanks in advance!


Even if the DHCP server could be twisted to allocate different addresses
for the same Ethernet address, the systems still could not communicate
either with each other or with any other system on the same network.
Within a network IP addresses are *not* used; Ethernet addresses are.
 
Sonny

 
      11-23-2007, 04:15 AM
On Nov 23, 11:01 am, Dave Uhring <daveuhr...@yahoo.com> wrote:
> On Thu, 22 Nov 2007 17:56:31 -0800, Sonny wrote:
> > Sorry if this is a newbie question, I hope somebody can help. It is
> > about getting different IP addresses for same (software) MAC from the
> > DHCP server. For example, I have 2 PCs. We copy the software MAC from
> > the first PC to the other PC.

>
> Why do you want to do something as totally stupid as that?
>
> > When we do that, the DHCP gives the same
> > IP address, therefore both PCs have the same IP address. Is there a way
> > to configure the DHCP server that besides the MAC, there is another
> > factor to determine what IP address will be given, let's say the host
> > name? Thanks in advance!

>
> Even if the DHCP server could be twisted to allocate different addresses
> for the same Ethernet address, the systems still could not communicate
> either with each other or with any other system on the same network.
> Within a network IP addresses are *not* used; Ethernet addresses are.



We are in an ISP company. Hackers know how the DHCP works, and using
this knowledge they copy MAC addresses of legitimate clients to have
Internet connections. We want to know how to configure the DHCP to
assign IP addresses not just based only on MAC so only legitimate
clients can have access.
 
Dave Uhring

 
      11-23-2007, 05:25 AM
On Thu, 22 Nov 2007 21:15:25 -0800, Sonny wrote:

> We are in an ISP company. Hackers know how the DHCP works, and using
> this knowledge they copy MAC addresses of legitimate clients to have
> Internet connections. We want to know how to configure the DHCP to
> assign IP addresses not just based only on MAC so only legitimate
> clients can have access.


Then your clients also use some kind of modem between their Ethernet NICs
and your DHCP server, right? Do those modems not have unique addresses
which can be queried before forwarding the DHCPREQUEST to the server? Do
you not also maintain a registry of such modem identifiers used by your
clients?

Barring such hardware solutions you could implement RADIUS to
authenticate your legitimate users. Many Linux distros have FreeRADIUS
available in package form.
 
Sonny

 
      11-23-2007, 07:22 AM
On Nov 23, 2:25 pm, Dave Uhring <daveuhr...@yahoo.com> wrote:
> On Thu, 22 Nov 2007 21:15:25 -0800, Sonny wrote:
> > We are in an ISP company. Hackers know how the DHCP works, and using
> > this knowledge they copy MAC addresses of legitimate clients to have
> > Internet connections. We want to know how to configure the DHCP to
> > assign IP addresses not just based only on MAC so only legitimate
> > clients can have access.

>
> Then your clients also use some kind of modem between their Ethernet NICs
> and your DHCP server, right? Do those modems not have unique addresses
> which can be queried before forwarding the DHCPREQUEST to the server?


Actually, as an ISP, we do not use a DSL Modem, but rather we used a
certain technology, if equated, it's similar to a Large LAN
environment.

> Do
> you not also maintain a registry of such modem identifiers used by your
> clients?


We are using a proprietary device to connect to the dhcp server, but
unfortunately, it's not translating its identifier (i.e. MAC) because
it's connected to the server like a bridge.

So what an abusive user (user A) does is copy the MAC of an authenticated
user (user B), then using dhcp, user A gets the IP that is assigned to
user B and gets authenticated. Also user A doesn't mind having
conflicting IPs because most of the time user B is offline anyway.

We are aware that dhcp uses the machine's MAC to determine the ip to
give you (via leases or statically assigned in .conf)

So the main problem I'm facing right now is if there is a way dhcp
could identify a machine's IP (from the leases or .conf) using a
machine id other than the mac address.

I'm looking at a MAC-HOSTNAME identifier, but is this reliable?

>
> Barring such hardware solutions you could implement RADIUS to
> authenticate your legitimate users. Many Linux distros have FreeRADIUS
> available in package form.


We don't use RADIUS, we design a simpler authentication system
using IP and MAC.

 
david

 
      11-23-2007, 11:18 AM
On Thu, 22 Nov 2007 17:56:31 -0800, Sonny rearranged some electrons to
say:

> Hello,
> Sorry if this is a newbie question, I hope somebody can help. It is
> about getting different IP addresses for same (software) MAC from the
> DHCP server. For example, I have 2 PCs. We copy the software MAC from
> the first PC to the other PC. When we do that, the DHCP gives the same
> IP address, therefore both PCs have the same IP address. Is there a way
> to configure the DHCP server that besides the MAC, there is another
> factor to determine what IP address will be given, let's say the host
> name? Thanks in advance!


You can't have two computers on a network with the same MAC address.
 
pedro.forum@gmail.com

 
      11-23-2007, 11:44 AM
On Nov 23, 10:18 am, david <n...@nospam.com> wrote:
> You can't have two computers on a network with the same MAC address.


Hi David,

On Wi-Fi networks (802.11a/b/g), users fake their MAC address to an
authenticated MAC to bypass the security. If the legitimate computer
uses a badly designed TCP/IP stack (i.e. Windows), this approach will
work completely; if it uses a good TCP/IP stack implementation that
respects the RFC 793 specification (i.e. Linux), it will not work. This is
because when a Windows host receives a packet that it is not expecting,
it just drops the packet. A Linux machine will reset the connection.

Sonny, your ISP should use an 802.1x authentication method. It's the
best approach I know.
 
Dave Uhring

 
      11-23-2007, 01:27 PM
On Fri, 23 Nov 2007 00:22:38 -0800, Sonny wrote:
> On Nov 23, 2:25 pm, Dave Uhring <daveuhr...@yahoo.com> wrote:


> We are aware that dhcp uses the machine's MAC to determine the ip to
> give you (via leases or statically assigned in .conf)
>
> So the main problem I'm facing right now is if there is a way dhcp could
> identify a machine's IP (from the leases or .conf) using an machine id
> other than the mac address.


Not without writing your own DHCP server.

> I'm looking at an MAC-HOSTNAME identifier, but is this reliable?


If a freeloader can fake his Ethernet address then faking a hostname
would be trivial.

>> Barring such hardware solutions you could implement RADIUS to
>> authenticate your legitimate users. Many Linux distros have FreeRADIUS
>> available in package form.

>
> We don't use RADIUS, we design a more simpler authentication system
> using IP and MAC.


Then you are going to have to change your attitude regarding RADIUS.
 
Jeroen Geilman

 
      11-23-2007, 06:04 PM
Sonny wrote:
> On Nov 23, 2:25 pm, Dave Uhring <daveuhr...@yahoo.com> wrote:
>> On Thu, 22 Nov 2007 21:15:25 -0800, Sonny wrote:
>>> We are in an ISP company.


No, you're not.

>>> Hackers know how the DHCP works,


*Everybody* knows how DHCP works; everybody, that is, besides you.

>>> and using
>>> this knowledge they copy MAC addresses of legitimate clients


Erm.. how would they do this, exactly ?

Do you routinely allow hackers access to your DHCP servers' network ?

>>>to have
>>> Internet connections. We want to know how to configure the DHCP to
>>> assign IP addresses not just based only on MAC so only legitimate
>>> clients can have access.


DHCP is *not* an access mechanism.
It's not.

>> Then your clients also use some kind of modem between their Ethernet NICs
>> and your DHCP server, right? Do those modems not have unique addresses
>> which can be queried before forwarding the DHCPREQUEST to the server?

>
> Actually, as an ISP, we do not use a DSL Modem, but rather we used a
> certain technology, if equated, its similar to a Large LAN
> environment.


Describe the technology, or at least, specify the layer 2 protocol it uses.

>> Do
>> you not also maintain a registry of such modem identifiers used by your
>> clients?

>
> We are using a proprietary device to connect to the dhcp server,


-- which is converted to intelligible TCP/IP *somewhere* before it hits
the actual DHCP server.

> but
> unfortunately, its not translating its identifier (i. e. MAC) because
> its connected to the server like a bridge.


"Like a bridge" ?
Ooh sell me some more of that snake oil, please?

> So an abusive user (user A) do is copy the mac


Again - how do you think they are going to do this ?

> of an authenticated
> user (user B) then using dhcp, user A gets the ip that is assigned to
> user B and gets authenticated.


No.
Again, DHCP is not designed for, nor capable of, any kind of authentication.

> Also user A doesn't mind having
> conflicting IP's because most of the time user B is offline anyway.


And user A is a hacker, or did you forget about that during the previous
3 sentences ?

> We are aware that dhcp uses the machine's MAC to determine the ip to
> give you (via leases or statically assigned in .conf)


....which would also be leases.

> So the main problem I'm facing right now is if there is a way dhcp
> could identify a machine's IP


No, it *provides* the client with an IP.

> (from the leases or .conf) using an machine id other than the mac address.


The MAC *is* the machine ID.
It's the only one that has any chance of succeeding at it.

> I'm looking at an MAC-HOSTNAME identifier, but is this reliable?


There's no such thing.

>> Barring such hardware solutions you could implement RADIUS to
>> authenticate your legitimate users. Many Linux distros have FreeRADIUS
>> available in package form.

>
> We don't use RADIUS, we design a more simpler authentication system
> using IP and MAC.


WHAHAHAHAHAHAHHA

<plonk>


J.
 
Moe Trin

 
      11-23-2007, 06:49 PM
On Thu, 22 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <be2df938-09fa-48de-8b69-(E-Mail Removed)>,
Sonny wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.

>We are in an ISP company. Hackers know how the DHCP works, and using
>this knowledge they copy MAC addresses of legitimate clients to have
>Internet connections. We want to know how to configure the DHCP to
>assign IP addresses not just based only on MAC so only legitimate
>clients can have access.


>NNTP-Posting-Host: 203.84.191.122


[compton ~]$ host 203.84.191.122
Host not found.
[compton ~]$

1. While you are at it, get someone who knows how to configure the REQUIRED
PTR records on your DNS server.

2. See RFC3118 (and RFC4030)

3118 Authentication for DHCP Messages. R. Droms, W. Arbaugh, Eds..
June 2001. (Format: TXT=35536 bytes) (Status: PROPOSED STANDARD)

4030 The Authentication Suboption for the Dynamic Host Configuration
Protocol (DHCP) Relay Agent Option. M. Stapp, T. Lemon. March 2005.
(Format: TXT=34332 bytes) (Status: PROPOSED STANDARD)

3. See that your terms and conditions have serious ramifications for
fraud, and enforce them by using authentication for all services.

Old guy
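
The per-message check that RFC 3118 delayed authentication (cited in the post above) adds to DHCP, as an added example that is not part of the original thread: the server accepts a request only if option 90 carries an HMAC-MD5 made with the subscriber's shared key and a fresh replay counter, so a copied MAC address alone is not enough. The key, secret ID 7, MAC address and transaction IDs are constructed sample values, and the sketch covers only message signing and verification, not the full DISCOVER/OFFER exchange.

```python
import hmac
import struct
MAGIC = bytes([99, 130, 83, 99])        # DHCP magic cookie
OPT_AUTH, OPT_END = 90, 255             # RFC 3118 authentication option, end option
AUTH_HDR = struct.Struct("!BBBQI")      # protocol, algorithm, RDM, replay counter, secret ID
KEYS = {7: b"constructed-shared-secret"}  # constructed: secret ID -> subscriber key
CHADDR = bytes.fromhex("020000aabbcc")  # constructed client hardware address

def build_request(chaddr, xid, hops=0, giaddr=b"\0" * 4):
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, hops, xid, 0, 0,
                      b"", b"", b"", giaddr, chaddr, b"", b"")   # 236-byte BOOTP header
    return hdr + MAGIC + bytes([53, 1, 3])                     # option 53 = DHCPREQUEST

def _digest(msg, mac_off, key):
    m = bytearray(msg)
    m[3] = 0                                   # hops: a relay may change it
    m[24:28] = b"\0" * 4                       # giaddr: a relay may change it
    m[mac_off:mac_off + 16] = b"\0" * 16       # MAC field is zero while hashing
    return hmac.new(key, bytes(m), "md5").digest()

def sign(msg, key, secret_id, counter):
    # Option 90 body: protocol 1 (delayed), algorithm 1 (HMAC-MD5), RDM 0 (counter)
    body = AUTH_HDR.pack(1, 1, 0, counter, secret_id) + b"\0" * 16
    out = bytearray(msg + bytes([OPT_AUTH, len(body)]) + body + bytes([OPT_END]))
    mac_off = len(out) - 17                    # 16 MAC bytes sit before the end option
    out[mac_off:mac_off + 16] = _digest(out, mac_off, key)
    return bytes(out)

def verify(msg, keys, last_counter):
    i = 236 + len(MAGIC)                       # options start after header and cookie
    while i + 1 < len(msg) and msg[i] != OPT_END:
        code, length = msg[i], msg[i + 1]
        if code == OPT_AUTH:
            if length != 31 or i + 2 + length > len(msg):
                return False
            proto, alg, rdm, counter, sid = AUTH_HDR.unpack_from(msg, i + 2)
            key = keys.get(sid)
            if (proto, alg, rdm) != (1, 1, 0) or key is None or counter <= last_counter:
                return False                   # wrong scheme, unknown key or replay
            off = i + 2 + AUTH_HDR.size
            return hmac.compare_digest(_digest(msg, off, key), msg[off:off + 16])
        i += 1 if code == 0 else 2 + length    # pad option has no length byte
    return False                               # no option 90: treat as unauthenticated

def demo():
    legit = sign(build_request(CHADDR, 0x1234), KEYS[7], 7, counter=100)
    relayed = legit[:3] + b"\x01" + legit[4:24] + bytes([10, 0, 0, 1]) + legit[28:]
    cloned = build_request(CHADDR, 0x9999)     # same MAC, no shared key
    forged = sign(cloned, b"guess", 7, counter=101)
    return [verify(m, KEYS, 99) for m in (legit, relayed, cloned, forged)]
```

`demo()` checks four requests that all carry the same hardware address: the keyed original, the same message after a relay rewrote `hops` and `giaddr`, an unsigned clone, and a clone signed with a guessed key.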

 