Securing network by manually mapping mac to ip

cmisip · 10-30-2003, 08:43 PM

I just found out that ipsec does not encrypt non ip traffic such as dhcp and arp. The output of tcpdump shows the machine ips and mac address in the network even with ipsec running. The recommendation was to use static addressess and manually map ip to mac address via arp. Does anybody know how to do this and do I have to do it for each client? Thanks.

Robert0380 · 10-31-2003, 05:04 AM

yes, in your dhcpd.conf file you'll have to add an entry for each MAC-IP combo. If you have lots of clients, a script will come in handy

Code:

host haagen {
   hardware ethernet 08:00:2b:4c:59:23;
   fixed-address 192.168.1.222;
}

haagen is just a hostname (can be anything u want but keep em different)
i pulled this from here:

http://www.sashanet.com/internet/lin...to/DHCP-4.html

This is how my school's dorm network is setup. Each student must register his/her computer my entering their email account and password then entering their MAC address. Lots of checking involved. They must be registered for the room to get a computer on the network and they must register the right MAC to get an internet connection. Even if they try to just hard code an IP that maches the network's subnet mask, they still wont get a connection. Because it must match in the router also.

do that for each client and get rid of the subnet range statements

cmisip · 11-02-2003, 01:02 PM

Thanks for the reply, however, I have stopped using dhcpd and use static addresses now. It is not a big network. Just a home lan with 5 computers. Is there another way that the arp mac:ip address mapping can be done?

unSpawn · 11-04-2003, 10:26 AM

Read MAC/IP pairs from file, "man arp", option "-f"?