
basic-static

Differences

This shows you the differences between two versions of the page.

basic-static [2023/06/27 16:13] – [Configuring DHCP Reservations] -formatting hogwild
basic-static [2023/06/27 16:21] (current) – [Static ARP] -condense, clarity hogwild
Line 28: Line 28:
 As mentioned earlier, DHCP Reservation offers the mapped IP address (and Hostname) to the MAC address you specified every time it offers a lease. DHCP Reservation does not prevent a different client from being configured with the same IP address. This is because DHCP Reservation only offers a static mapping to client devices which request a lease. If another device were self-configured with a (true) static IP, or if the router/DHCP were disabled, the other device could take that IP address. Similarly, if the first client for which DHCP Reservation were then self-configured with a static IP, it could claim a different IP address than the one in FreshTomato's DHCP Reservation mapping. As mentioned earlier, DHCP Reservation offers the mapped IP address (and Hostname) to the MAC address you specified every time it offers a lease. DHCP Reservation does not prevent a different client from being configured with the same IP address. This is because DHCP Reservation only offers a static mapping to client devices which request a lease. If another device were self-configured with a (true) static IP, or if the router/DHCP were disabled, the other device could take that IP address. Similarly, if the first client for which DHCP Reservation were then self-configured with a static IP, it could claim a different IP address than the one in FreshTomato's DHCP Reservation mapping.
  
-Even if everything else were working properly, only DHCP lease //offers// are made static. The router's IP→MAC neighbour cache (or "ARP cache") is still filled in dynamically using ARP broadcasts. That means that unless we add something else, FreshTomato is relying on client devices to be honest about their MAC addresses. The data source for ARP mappings is assumed to be “honest” and accurate, even though that source is often the network clients themselves. Under such conditions, there's not much to stop unauthorized or malicious clients from pretending to be a different MAC address (ARP spoofing). ARP spoofing could even include spoofing the router or gateway's MAC address. All this could have serious consequences. This is where Static ARP becomes useful.+Even if everything else were working properly, only DHCP lease //offers// are made static. The router's IP→MAC neighbour cache (ARP cache) is still filled in dynamically using ARP broadcasts. That means that unless we add something else, FreshTomato is relying on client devices to be honest about their MAC addresses. The data source for ARP mappings is assumed to be “honest” and accurate, even though that source is often the network clients themselves. Under such conditions, there's not much to stop unauthorized or malicious clients from pretending to be a different MAC address (ARP spoofing). ARP spoofing could even include spoofing the router or gateway's MAC address. All this could have serious consequences. This is where Static ARP becomes useful. 
  
 ==== Inconsistent Terminology ==== ==== Inconsistent Terminology ====
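Review bot: In the changed paragraph, "pretending to be a different MAC address (ARP spoofing)" describes MAC spoofing rather than ARP spoofing, which is a client sending forged ARP replies that bind another host's IP address to its own MAC. Suggest wording along the lines of "from answering ARP for an IP address that is not theirs (ARP spoofing)", which also matches the IP→MAC cache named two sentences earlier. Since the edit aims to condense, the two consecutive sentences about clients being "honest" make the same point and could be merged into one, and the curly quotes around “honest” here differ from the straight quotes used elsewhere in the paragraph.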
Line 75: Line 76:
 === Reduces ARP spoofing === === Reduces ARP spoofing ===
  
-By default, ARP gets its mapping information from other network clients. It works in a peer-to-peer fashion. ARP mappings are assumed to be "honest" and accurate, even though the source of that data is often the clients themselves. Given this, there's little to stop unathorized or malicious clients from pretending to be a different MAC address (ARP spoofing). This reduces the reliability/security of Static DHCP mappings. What good is a mapping if a client can spoof another's MAC address? ARP spoofing could even include spoofing the router or gateway's MAC address. That could have dangerous consequences.+By default, ARP gets its mapping information from other clients. It works in a peer-to-peer fashion. ARP mappings are assumed to be "honest" and accurate, even though the source of that data is often the clients themselves. Given this, there's little to stop unathorized or malicious clients from pretending to be a different MAC address (ARP spoofing). This reduces the reliability/security of Static DHCP mappings. What good is a mapping if a client can spoof another's MAC address? ARP spoofing could even include spoofing the router or gateway's MAC address. That could have dangerous consequences.
  
 Here again, Static ARP binding can help. When enabled, Static ARP binding will ignore ARP spoofing attempts. FreshTomato will ignore all (broadcast) ARP replies of devices listed in the table. Instead, FreshTomato will check the Static DHCP tables to find the MAC address that belongs to a certain IP address. We assume this information is more accurate, since the Static DHCP table is maintained by the network administrator. Here again, Static ARP binding can help. When enabled, Static ARP binding will ignore ARP spoofing attempts. FreshTomato will ignore all (broadcast) ARP replies of devices listed in the table. Instead, FreshTomato will check the Static DHCP tables to find the MAC address that belongs to a certain IP address. We assume this information is more accurate, since the Static DHCP table is maintained by the network administrator.
  
-**MAC Address: **Here you enter the MAC Address you wish to bind.+**MAC Address:  **Hereenter the MAC Address you wish to bind.
  
-**Bound To: **Checking this enables Static ARP binding for the IP - MAC address mapping. It adds a Static ARP entry for the mapping in FreshTomato's ARP table based on data found in the Static DHCP table. (Default: Disabled).+**Bound To:  **Checking this enables Static ARP binding for the IP - MAC address mapping. It adds a Static ARP entry for it in FreshTomato's ARP table based on data found in the Static DHCP table. (Default: Disabled).
  
-**IP Address:** Here, enter the IP address you want bound to the MAC address entered. This is optional. If you leave the IP address empty, it will only link a Hostname to a MAC address, allowing for normal DHCP operations. This "lack of IP" might be helpful for devices that don't automatically have a Hostname assigned, but for which you still prefer a dynamic IP allocation.+**IP Address:**  Here, enter the address you want bound to the MAC address entered. This is optional. If you leave the IP address empty, it will only link a Hostname to a MAC address, allowing for normal DHCP operations. This "lack of IP" might be helpful for devices that don't automatically have a Hostname assigned, but for which you still prefer a dynamic IP allocation.
  
-**IP Traffic:** Checking this enables IP bandwidth Monitoring for the mapped MAC Address/IP address/Hostname combination. (Default: Disabled).+**IP Traffic:** Checking this enables IP Traffic Monitoring for the mapped MAC Address/IP address/Hostname combination. (Default: Disabled).
  
-**Hostname:** Here, enter the (optional) DHCP Client Identifier to be mapped to the client device. This arbitrary human-readable nickname makes it easier to identify the device on the network.+**Hostname:**  Here, enter the (optional) DHCP Client Identifier to be mapped to the client device. This arbitrary human-readable nickname makes it easier to identify the device on the network.
  
 Traditionally, devices were identified within DHCP by a //hardware type// code and //a client hardware (MAC) address//. Later, the optional Hostname field allowed more freedom when mapping device names in DHCP. Ironically, many people still used the //hardware type// followed by the //client hardware address// (for example, 01 00 01 02 a0 bc d3.) as a Hostname. However, you are not limited to that. You can create your own naming scheme. Traditionally, devices were identified within DHCP by a //hardware type// code and //a client hardware (MAC) address//. Later, the optional Hostname field allowed more freedom when mapping device names in DHCP. Ironically, many people still used the //hardware type// followed by the //client hardware address// (for example, 01 00 01 02 a0 bc d3.) as a Hostname. However, you are not limited to that. You can create your own naming scheme.
  
-These days, the client's DNS/Netbios name is often used as the Hostname. One limitation is that every client device must have a unique Hostname on the broadcast domain. Otherwise, conflicts could occur.+These days, the client's DNS/Netbios name is often used as the Hostname. Every client device must have a unique Hostname on the broadcast domain. Otherwise, conflicts could occur.
  
-Hostname description derived from IETF (IETF.ORG) RFC2131 Standards Track, DHCP Protocol, page 8+Hostname description derived from IETF (IETF.ORG) RFC2131 Standards Track, DHCP Protocol, page 8  [[https://tools.ietf.org/html/rfc2131|https://tools.ietf.org/html/rfc2131]]
  
-[[https://tools.ietf.org/html/rfc2131|https://tools.ietf.org/html/rfc2131]] 
  
 ===== Options ===== ===== Options =====
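Review bot: The new MAC Address line reads "Hereenter the MAC Address you wish to bind", which loses the space and the comma the other fields use ("Here, enter"); the closing ** on the MAC Address and Bound To labels also still sits after the trailing spaces, unlike **IP Address:** and **Hostname:**. In the first changed paragraph of this hunk, "unathorized" is carried over uncorrected on the new side. In the IP Address line, dropping "IP" from "enter the address you want bound to the MAC address" makes it less clear which address is meant in a sentence that names both kinds; suggest keeping "IP address".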
basic-static.1687878806.txt.gz · Last modified: 2023/06/27 16:13 by hogwild