[Ilugc] duplicate IP on network Issue
- From: kapil@xxxxxxxxxxx (Kapil Hari Paranjape)
- Date: Tue Jul 8 20:36:37 2008
Hello,
On Tue, 08 Jul 2008, R.Kannan wrote:
> Last Friday our box mysteriously tried to assign itself the IP of our
> network gateway (172.18.32.1) and succeeded.
> <snipped>
> How can this happen, if this behaviour is acceptable can any one
> running *inx assign some arbitrary IP and bring the server / network
> down.
Here is a mini-HOWTO to avoid this problem.
1. Ensure that your DHCP server does *not* give dynamic IP addresses
to your servers. Separate the dynamic address range from the server
address range (for example, using a netmask) and use only the former
for DHCP addresses.
2. Run "arpwatch" on some server (for example the DHCP server). This
maintains a table matching IP addresses to MAC addresses and warns you
whenever there is a change. You can specifically exclude some
address ranges like the DHCP address range.
3. Set up a static table of MAC/IP pairs for all your servers and
publish this table using LDAP/NIS. Make sure the clients use LDAP/NIS
to pick up this data and feed it into their arp table as "permanent"
data.
What these steps will do:
1. Ensure that your DHCP server will not "give away" one of your
server addresses.
2. Ensure that you will receive a warning as soon as some machine
assumes the IP address of a server.
3. Ensure that all clients will send packets to the correct MAC
address when they want to send packets to a server IP.
As a consequence you will be protected against _accidental_ IP take
overs. To guard against _hostile_ IP take overs you need some kind of
encryption and authentication for the data.
Kapil.
--
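The three steps above as a small check, added here as an illustration and not part of the original post: it compares a neighbour table in /proc/net/arp layout against the static MAC/IP table, ignores the DHCP range, and builds the commands that pin the server entries as permanent. All MAC addresses, the DHCP range, the server at 172.18.32.10 and the device name eth0 are constructed assumptions; only the gateway 172.18.32.1 comes from the thread.

```python
import ipaddress

# Constructed sample data (assumptions, apart from the gateway IP).
STATIC_TABLE = {                      # published MAC/IP pairs for servers (step 3)
    "172.18.32.1": "00:11:22:33:44:01",
    "172.18.32.10": "00:11:22:33:44:0a",
}
DHCP_RANGE = ipaddress.ip_network("172.18.33.0/24")  # dynamic pool (step 1)

# Constructed neighbour table in /proc/net/arp layout.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
172.18.32.1      0x1         0x2         00:aa:bb:cc:dd:ee     *        eth0
172.18.32.10     0x1         0x2         00:11:22:33:44:0A     *        eth0
172.18.33.57     0x1         0x2         00:de:ad:be:ef:01     *        eth0
172.18.32.99     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

def parse_arp(text):
    """Yield (ip, mac, device) for resolved entries only."""
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hw, flags, mac, _mask, dev = fields
        if int(flags, 16) & 0x2:                # ATF_COM: entry is complete
            yield ip, mac.lower(), dev

def audit(text, static=STATIC_TABLE, dhcp=DHCP_RANGE):
    """Return (conflicts, unknown): server IPs seen with the wrong MAC,
    and hosts outside both the static table and the DHCP range (step 2)."""
    conflicts, unknown = [], []
    for ip, mac, dev in parse_arp(text):
        if ip in static:
            if mac != static[ip].lower():
                conflicts.append((ip, static[ip], mac, dev))
        elif ipaddress.ip_address(ip) not in dhcp:
            unknown.append((ip, mac, dev))
    return conflicts, unknown

def pin_commands(static=STATIC_TABLE, dev="eth0"):
    """Commands a client would run to load the table as permanent entries."""
    return [f"ip neigh replace {ip} lladdr {mac} nud permanent dev {dev}"
            for ip, mac in sorted(static.items())]

if __name__ == "__main__":
    for ip, want, seen, dev in audit(SAMPLE_ARP)[0]:
        print(f"WARNING {ip} on {dev}: expected {want}, saw {seen}")
    print("\n".join(pin_commands()))
```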