%% ================================================================================ %% This LaTeX file was created by AbiWord. %% AbiWord is a free, Open Source word processor. %% You may obtain more information about AbiWord at www.abisource.com %% ================================================================================ \documentclass[12pt]{article} \usepackage[T1]{fontenc} \usepackage{calc} \usepackage{hyperref}\usepackage{setspace} \usepackage{multicol} \usepackage[normalem]{ulem} \usepackage{color} \setlength{\oddsidemargin}{1.250000in-1in} \setlength{\textwidth}{\paperwidth - 1.250000in-1.250000in} \begin{document} \begin{center} \textbf{{\LARGE{}Dynamic Host Configuration Protocol (DHCP)\\and\\ Domain Name System (DNS)\\}}{\scriptsize{}Nick Urbanik \\Copyright Conditions: GNU FDL (see }{\scriptsize{}http://www.gnu.org/licenses/fdl.html)} \end{center} \begin{center} {\large{}Organising computers in a large network} \end{center} \begin{center} {\large{}Reference books:} \end{center} \begin{center} \textit{{\large{}The DHCP Handbook}}{\large{}, Ralph Droms \& Ted Lemon, 2}$^{\mathrm{{\large{}nd}}}${\large{} edition,} \end{center} \begin{center} \textit{DNS and Bind}, Paul Albitz and Cricket Liu, 4$^{\mathrm{th}}$ edition \end{center} \begin{center} \end{center} \begin{flushleft} {\huge{}DHCP: Why?} \end{flushleft} \begin{flushleft} {\Large{}Manually assigning IP addresses (the alternative to DHCP) causes:} \end{flushleft} \begin{flushleft} {\Large{}More work to set up} \end{flushleft} \begin{flushleft} {\Large{}Much more work to change} \end{flushleft} \begin{flushleft} {\Large{}IP address conflicts} \end{flushleft} \begin{flushleft} {\Large{}Unsatisfied users who configure their own machines to cause more conflicts} \end{flushleft} \begin{flushleft} {\huge{}DHCP: Why not?} \end{flushleft} \begin{flushleft} Last year, on many Tuesday afternoons, our laboratories were disrupted by ``network failure'' \end{flushleft} \begin{flushleft} This was caused by 
project students running DHCP servers on our network, \end{flushleft} \begin{flushleft} \ldots and also by a small router running a DHCP server, accidentally plugged into our campus network \end{flushleft} \begin{flushleft} Solution: when we detect this, run Ethereal (now called Wireshark) listening on UDP ports 67 and 68 \end{flushleft} \begin{flushleft} identify the culprit, and turn off the rogue server \end{flushleft} \begin{flushleft} {\huge{}What can DHCP do?} \end{flushleft} \begin{flushleft} {\large{}Current standard DHCP servers can:} \end{flushleft} \begin{flushleft} Allocate all IP parameters \end{flushleft} \begin{flushleft} Divide hosts into classes, based on many criteria, such as: \end{flushleft} \begin{flushleft} {\footnotesize{}Manufacturer (from the vendor prefix of the MAC address, or the vendor class identifier the client sends)} \end{flushleft} \begin{flushleft} {\footnotesize{}Explicitly putting individual machines into different classes} \end{flushleft} \begin{flushleft} {\footnotesize{}Whether the machine is registered} \end{flushleft} \begin{flushleft} Offer different parameters to machines in different classes \end{flushleft} \begin{flushleft} Dynamically update DNS servers \end{flushleft} \begin{flushleft} Support a DHCP failover protocol \end{flushleft} \begin{flushleft} {\huge{}Internet Software Consortium: ISC DHCP} \end{flushleft} \begin{flushleft} {\footnotesize{}ISC makes }\textit{{\footnotesize{}reference implementations}}{\footnotesize{} of DNS, DHCP} \end{flushleft} \begin{flushleft} {\footnotesize{}Available from http://www.isc.org/} \end{flushleft} \begin{flushleft} {\footnotesize{}Implemented by people directly involved with the standardisation process} \end{flushleft} \begin{flushleft} {\footnotesize{}Provide the most standards-compliant, most feature-rich implementations} \end{flushleft} \begin{flushleft} {\footnotesize{}ISC DHCP server is very robust} \end{flushleft} \begin{flushleft} {\footnotesize{}Computer Centre in TY used MS DHCP on NT 4} \end{flushleft} \begin{flushleft} {\footnotesize{}Crashed twice, with complete loss of the database containing the MAC 
addresses of all computers on campus} \end{flushleft} \begin{flushleft} {\footnotesize{}Out of action for two days at a time, with long sessions of manually retyping all the data again} \end{flushleft} \begin{flushleft} {\footnotesize{}Replaced with a system based on the ISC DHCP server on a 486} \end{flushleft} \begin{flushleft} {\footnotesize{}Has worked well ever since (no down time)} \end{flushleft} \begin{flushleft} {\huge{}Characteristics of DHCP} \end{flushleft} \begin{flushleft} \textit{\uline{{\large{}All}}}{\large{} communication initiated by the client} \end{flushleft} \begin{flushleft} {\large{}Uses UDP on port 68 for the client, port 67 for the server} \end{flushleft} \begin{flushleft} {\small{}One DHCP session has a common xid ("transaction ID" in Ethereal), randomly selected by the client; the client discards replies whose xid is not its own} \end{flushleft} \begin{flushleft} {\large{}Uses }\textit{\uline{{\large{}unicast}}}{\large{} when the client has an IP address, [and the client is }\textit{{\large{}not }}{\large{}in the REBINDING state --- see later]; }\textit{\uline{{\large{}broadcast}}}{\large{} otherwise} \end{flushleft} \begin{flushleft} {\large{}Addresses are offered from} \end{flushleft} \begin{flushleft} \textit{\uline{{\large{}address pools}}}{\large{}, or} \end{flushleft} \begin{flushleft} {\large{}Fixed addresses allocated to particular computers} \end{flushleft} \begin{flushleft} {\huge{}Leases} \end{flushleft} \begin{flushleft} {\footnotesize{}Server offers an IP address and network parameters for a limited time (called a }\textit{\uline{{\footnotesize{}lease}}}{\footnotesize{})} \end{flushleft} \begin{flushleft} {\footnotesize{}In practice, leases may vary from 30 minutes to a week or so} \end{flushleft} \begin{flushleft} {\footnotesize{}Short lease:} \end{flushleft} \begin{flushleft} {\footnotesize{}clients get updated parameters quickly} \end{flushleft} \begin{flushleft} {\footnotesize{}Essential if you have more clients than addresses} \end{flushleft} \begin{flushleft} {\footnotesize{}requires more processing power on the 
server} \end{flushleft} \begin{flushleft} {\footnotesize{}Long lease:} \end{flushleft} \begin{flushleft} {\footnotesize{}more reliable (clients may continue to operate for a week after the DHCP server fails)} \end{flushleft} \begin{flushleft} {\footnotesize{}but it takes longer for all clients to get new settings if they change} \end{flushleft} \begin{flushleft} {\huge{}(Some) Standards for DHCP} \end{flushleft} \begin{flushleft} RFC 2131 --- Basic DHCP operation \end{flushleft} \begin{flushleft} {\footnotesize{}excerpts from this appear in exams!} \end{flushleft} \begin{flushleft} RFC 2132 --- DHCP options: a list of the kinds of things a client can ask a DHCP server for \end{flushleft} \begin{flushleft} IETF Drafts: \end{flushleft} \begin{flushleft} {\footnotesize{}draft-ietf-dhc-authentication-14.txt} \end{flushleft} \begin{flushleft} {\footnotesize{}supports authentication between clients and servers (published as RFC 3118)} \end{flushleft} \begin{flushleft} {\footnotesize{}draft-ietf-dhc-dhcp-dns-12.txt} \end{flushleft} \begin{flushleft} {\footnotesize{}interaction between DHCP and DNS servers} \end{flushleft} \begin{flushleft} {\footnotesize{}draft-ietf-dhc-failover-07.txt} \end{flushleft} \begin{flushleft} {\footnotesize{}supports failover between two DHCP servers} \end{flushleft} \begin{flushleft} {\huge{}DHCP Messages 1} \end{flushleft} \begin{flushleft} DHCPDISCOVER --- from client \end{flushleft} \begin{flushleft} client has no address, and is asking for a new one \end{flushleft} \begin{flushleft} DHCPOFFER --- from server \end{flushleft} \begin{flushleft} Offer of an address and other parameters \end{flushleft} \begin{flushleft} DHCPREQUEST --- from client \end{flushleft} \begin{flushleft} Client asks if it can use the offered address and parameters; the same message is used later to renew, rebind or confirm an existing lease (see the client states) \end{flushleft} \begin{flushleft} DHCPACK --- from server \end{flushleft} \begin{flushleft} Server says ``yes, go ahead, this address and these parameters are yours; the lease starts now.'' \end{flushleft} \begin{flushleft} {\huge{}DHCP Messages 2} 
\end{flushleft} \begin{flushleft} DHCPNAK --- from server \end{flushleft} \begin{flushleft} ``no, you may not have that address; go to the INIT state'' (this is the message the rogue servers in our laboratories were answering every request with) \end{flushleft} \begin{flushleft} DHCPDECLINE --- from client \end{flushleft} \begin{flushleft} Client has detected (usually by an ARP probe) that another machine is using the offered address, and tells the server about this problem \end{flushleft} \begin{flushleft} DHCPRELEASE --- from client \end{flushleft} \begin{flushleft} Client gives up its address; the server expires the lease immediately \end{flushleft} \begin{flushleft} DHCPINFORM --- from client \end{flushleft} \begin{flushleft} Client already has an IP address, but wants other network settings from the server \end{flushleft} \begin{flushleft} {\huge{}State Diagram for DHCP protocol} \end{flushleft} \begin{flushleft} {\Large{}See page 34 of RFC 2131 for a more complete state diagram.} \end{flushleft} \begin{flushleft} {\huge{}DHCP Client States 1} \end{flushleft} \begin{flushleft} {\footnotesize{}INIT (client is booting)} \end{flushleft} \begin{flushleft} {\footnotesize{}no IP address yet.} \end{flushleft} \begin{flushleft} {\footnotesize{}next message from the client will be a broadcast DHCPDISCOVER.} \end{flushleft} \begin{flushleft} {\footnotesize{}INIT-REBOOT (has an unexpired lease)} \end{flushleft} \begin{flushleft} {\footnotesize{}has an IP address, but is not using it yet} \end{flushleft} \begin{flushleft} {\footnotesize{}client will next broadcast a DHCPREQUEST for that address} \end{flushleft} \begin{flushleft} {\footnotesize{}Will move to the BOUND state if there is no response at all, and keep using the address for the rest of the lease; a DHCPNAK sends it to INIT} \end{flushleft} \begin{flushleft} {\footnotesize{}SELECTING (has received at least one DHCPOFFER)} \end{flushleft} \begin{flushleft} {\footnotesize{}Waiting for any other DHCPOFFERs} \end{flushleft} \begin{flushleft} {\footnotesize{}BOUND (Client has an address)} \end{flushleft} \begin{flushleft} {\footnotesize{}Entered when the client receives a DHCPACK to its DHCPREQUEST} \end{flushleft} 
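\begin{flushleft} The exchange described under DHCP Messages 1 and 2 and the INIT, SELECTING and BOUND states above, as an added example in Python that is not part of the lecture: it encodes and decodes RFC 2131 packets (fixed header, magic cookie, options 50, 51, 53, 54, 58 and 59) and runs a toy client against a toy server entirely in memory. The server address, address pool, MAC addresses and the xid are constructed values; the server keeps no timers and handles no relay agents, and T1 and T2 are the RFC 2131 defaults of one half and seven eighths of the lease. \end{flushleft}

```python
"""Added example, not from the lecture: RFC 2131 packet encoding/decoding and a
simulated DHCPDISCOVER/OFFER/REQUEST/ACK (or NAK) exchange between a toy client and
a toy server in memory.  Addresses, MACs and the xid are constructed values."""
import struct
import ipaddress

MAGIC = b"\x63\x82\x53\x63"   # magic cookie that starts the options field (RFC 2131)
BOOTREQUEST, BOOTREPLY = 1, 2
# Option 53 (DHCP message type) values, RFC 2132
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)


def _ip(s):
    return ipaddress.ip_address(s).packed


def _u32(n):
    return struct.pack("!I", n)


def encode(op, xid, chaddr, ciaddr="0.0.0.0", yiaddr="0.0.0.0", options=()):
    """236-byte fixed header + magic cookie + TLV options + END (0xff)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      op, 1, 6, 0, xid, 0, 0x8000,        # htype=Ethernet, hlen=6, BROADCAST flag
                      _ip(ciaddr), _ip(yiaddr), b"\0" * 4, b"\0" * 4,   # siaddr/giaddr unused
                      bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128)            # sname, file
    opts = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in options)
    return hdr + MAGIC + opts + b"\xff"


def decode(pkt):
    """Parse a DHCP packet; ValueError if it is not one or an option is truncated."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    op, _, hlen, _, xid = struct.unpack("!BBBBI", pkt[:8])
    msg = {"op": op, "xid": xid, "ciaddr": str(ipaddress.ip_address(pkt[12:16])),
           "yiaddr": str(ipaddress.ip_address(pkt[16:20])),
           "chaddr": pkt[28:28 + hlen].hex(":"), "options": {}}
    i = 240
    while i < len(pkt) and pkt[i] != 0xff:             # 0xff = END
        if pkt[i] == 0:                                 # PAD has no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        if i + 2 + ln > len(pkt):
            raise ValueError("truncated option %d" % code)
        msg["options"][code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return msg


class Server:
    """One pool, one lease length, no expiry and no relay agent: just the exchange."""

    def __init__(self, server_ip, pool, lease=7200):
        self.ip, self.pool, self.lease = server_ip, list(pool), lease
        self.leases = {}                                # chaddr -> ip

    def _params(self):
        # 54 server identifier, 51 lease time, 58/59 T1 and T2 at the RFC 2131 defaults
        return [(54, _ip(self.ip)), (51, _u32(self.lease)),
                (58, _u32(self.lease // 2)), (59, _u32(self.lease * 7 // 8))]

    def handle(self, pkt):
        m = decode(pkt)
        mtype = m["options"][53][0]
        if mtype == DISCOVER:
            ip = self.leases.get(m["chaddr"]) or self.pool.pop(0)   # IndexError when exhausted
            self.leases[m["chaddr"]] = ip
            return encode(BOOTREPLY, m["xid"], m["chaddr"], yiaddr=ip,
                          options=[(53, bytes([OFFER]))] + self._params())
        if mtype == REQUEST:
            want = m["options"].get(50)                 # option 50 requested address, else ciaddr
            ip = str(ipaddress.ip_address(want)) if want else m["ciaddr"]
            if self.leases.get(m["chaddr"]) != ip:      # not leased to this client: DHCPNAK
                return encode(BOOTREPLY, m["xid"], m["chaddr"],
                              options=[(53, bytes([NAK])), (54, _ip(self.ip))])
            return encode(BOOTREPLY, m["xid"], m["chaddr"], yiaddr=ip,
                          options=[(53, bytes([ACK]))] + self._params())
        raise ValueError("message type %d is not handled by this toy server" % mtype)


def client_obtain(server, chaddr, xid=0x3903F326):
    """INIT -> SELECTING -> REQUESTING -> BOUND; returns the lease, or None on DHCPNAK."""
    offer = decode(server.handle(encode(BOOTREQUEST, xid, chaddr,
                                        options=[(53, bytes([DISCOVER]))])))
    if offer["xid"] != xid or offer["options"][53][0] != OFFER:
        raise ValueError("reply is not an OFFER for our transaction")   # a real client just ignores it
    # REQUEST names the offered address (50) and the chosen server (54), so that any
    # other server that also made an offer knows it was not selected.
    ack = decode(server.handle(encode(BOOTREQUEST, xid, chaddr, options=[
        (53, bytes([REQUEST])), (50, _ip(offer["yiaddr"])), (54, offer["options"][54])])))
    if ack["xid"] != xid or ack["options"][53][0] != ACK:
        return None                                     # DHCPNAK: back to INIT
    o = ack["options"]
    lease = struct.unpack("!I", o[51])[0]
    return {"ip": ack["yiaddr"], "server": str(ipaddress.ip_address(o[54])), "lease": lease,
            "t1": struct.unpack("!I", o[58])[0] if 58 in o else lease // 2,
            "t2": struct.unpack("!I", o[59])[0] if 59 in o else lease * 7 // 8}
```

\begin{flushleft} Sending the toy server a DHCPREQUEST (with option 50) for an address it never leased exercises the DHCPNAK path that an INIT-REBOOT client takes after moving to another subnet. A real client silently discards any reply whose xid is not its own; \texttt{client\_obtain} models that check by refusing the reply. \end{flushleft}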
\begin{flushleft} {\footnotesize{}Sends no more messages until T1 (the renewal time, set in the client by the server)} \end{flushleft} \begin{flushleft} {\huge{}DHCP Client States 2} \end{flushleft} \begin{flushleft} {\small{}RENEWING (client has reached }\textit{\uline{{\small{}renewal time}}}{\small{} T1 in the BOUND state)} \end{flushleft} \begin{flushleft} {\small{}client }\textit{\uline{{\small{}unicasts}}}\textit{{\small{} }}{\small{}DHCPREQUEST to the server that gave it the lease} \end{flushleft} \begin{flushleft} {\small{}server}\textit{{\small{} }}\textit{\uline{{\small{}unicasts}}}\textit{{\small{} }}{\small{}DHCPACK to the client} \end{flushleft} \begin{flushleft} {\small{}T1 = lease time / 2 (the default; the server can set another value with option 58)} \end{flushleft} \begin{flushleft} {\small{}REBINDING (client has reached }\textit{\uline{{\small{}rebinding time}}}{\small{} T2 without a DHCPACK from the server)} \end{flushleft} \begin{flushleft} {\small{}client broadcasts DHCPREQUEST} \end{flushleft} \begin{flushleft} {\small{}client is looking for any server that will extend the lease} \end{flushleft} \begin{flushleft} {\small{}T2 = lease time * 7/8 (the default; option 59)} \end{flushleft} \begin{flushleft} {\small{}If the lease expires, the client goes back to the INIT state} \end{flushleft} \begin{flushleft} {\small{}Any network connections are lost---bad for users!! 
Don't let it happen to them!} \end{flushleft} \begin{flushleft} {\huge{}Obtaining an initial configuration} \end{flushleft} \begin{flushleft} {\Large{}The client is booting, with no IP lease} \end{flushleft} \begin{flushleft} {\huge{}Confirming an IP Address when restarting} \end{flushleft} \begin{flushleft} {\Large{}The client's lease has not expired} \end{flushleft} \begin{flushleft} {\huge{}Extending a lease} \end{flushleft} \begin{flushleft} {\Large{}Lease is extended at T1, before it expires} \end{flushleft} \begin{flushleft} {\Large{}Unicast, because the client's address is still valid} \end{flushleft} \begin{flushleft} {\large{}DHCPRELEASE is the only other message the client unicasts (RFC 2131, section 4.4.4); DISCOVER, DECLINE and a rebinding REQUEST are broadcast} \end{flushleft} \begin{flushleft} {\Large{}T1 = leasetime/2} \end{flushleft} \begin{flushleft} {\huge{}Moving a computer to new subnet} \end{flushleft} \begin{flushleft} {\Large{}The server answers the DHCPREQUEST for the old address with DHCPNAK; the client returns to INIT and is issued a new one} \end{flushleft} \begin{flushleft} {\huge{}Problems on the Network} \end{flushleft} \begin{flushleft} Often a computer has a bad configuration \end{flushleft} \begin{flushleft} Faulty hardware may also cause excessive resending of bad packets \end{flushleft} \begin{flushleft} Less often, a person may be doing something naughty on purpose! 
\end{flushleft} \begin{flushleft} Need some way to: \end{flushleft} \begin{flushleft} {\footnotesize{}track the location of a computer on the network} \end{flushleft} \begin{flushleft} {\footnotesize{}determine if a computer is managed by the company or is a notebook brought in by a visitor} \end{flushleft} \begin{flushleft} Want some way to register company machines \end{flushleft} \begin{flushleft} {\huge{}Ways of using DHCP} \end{flushleft} \begin{flushleft} There are two fundamentally different ways of using DHCP \end{flushleft} \begin{flushleft} Typified by implementation in Campus, and ICT (till yesterday) \end{flushleft} \begin{flushleft} {\footnotesize{}(both implemented by Nick!)} \end{flushleft} \begin{flushleft} {\footnotesize{}Fixed addresses for registered clients (Campus network)} \end{flushleft} \begin{flushleft} {\footnotesize{}Dynamic addresses for all comers (ICT till recently)} \end{flushleft} \begin{flushleft} Better: can provide automatic registration for clients: see chapter 20 of \textit{The DHCP Handbook} \end{flushleft} \begin{flushleft} \textbf{{\huge{}/etc/dhcpd.conf}} \end{flushleft} \begin{flushleft} {\Large{}This plain text configuration controls behaviour of ISC DHCP server} \end{flushleft} \begin{flushleft} {\Large{}ISC DHCP server supports conditional statements, switch statements, substring expressions} \end{flushleft} \begin{flushleft} {\large{}Almost a complete programming language!} \end{flushleft} \begin{flushleft} {\Large{}This text file can be generated by software (Perl programs often used)} \end{flushleft} \begin{flushleft} \textbf{{\huge{}dhcpd.leases}} \end{flushleft} \begin{flushleft} {\Large{}This plain text file is generated by the DHCP server} \end{flushleft} \begin{flushleft} {\Large{}Can be parsed by a Perl program} \end{flushleft} \begin{flushleft} {\Large{}Can be used to determine the MAC address of an unregistered computer} \end{flushleft} \begin{flushleft} {\huge{}Advantage of text configuration} \end{flushleft} 
\begin{flushleft} {\large{}Text can be easily generated by a program} \end{flushleft} \begin{flushleft} {\large{}Can be easily checked by a human} \end{flushleft} \begin{flushleft} {\large{}Microsoft DHCP server configuration and lease information is in an undocumented binary format} \end{flushleft} \begin{flushleft} {\large{}reduces what can be done with it} \end{flushleft} \begin{flushleft} {\large{}makes it hard to enter large amounts of information about many computers} \end{flushleft} \begin{flushleft} experience at Tsing Yi Computer Centre \end{flushleft} \begin{flushleft} {\huge{}host records with fixed address} \end{flushleft} \begin{flushleft} {\large{}Can specify a fixed address for particular hosts:} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{}\# Machine type = COMPAQ DESKPRO Laboratory = A204c}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{}host a204c-03 \{}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{} hardware ethernet 00:01:03:44:1d:62;}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{} fixed-address 172.19.80.003;}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{}\}}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{}\# Machine type = COMPAQ DESKPRO Laboratory = A204c}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{}host a204c-04 \{}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{} hardware ethernet 00:01:03:45:2d:8f;}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{} fixed-address 172.19.80.004;}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{}\}}} \end{flushleft} \begin{flushleft} {\large{}Can generate these with a Perl program} \end{flushleft} \begin{flushleft} {\huge{}Method used by Computer Centre} \end{flushleft} \begin{flushleft} {\Large{}Uses Samba, ISC DHCP} \end{flushleft} \begin{flushleft} {\Large{}Documented on our web site; see the link to ``DHCP and DNS System'' }{\Large{}http://nicku.org/snm/dhcp-dns-system/} \end{flushleft} 
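\begin{flushleft} The two jobs the lecture gives to Perl programs, reading \texttt{dhcpd.leases} to find the MAC address behind an IP address and generating \texttt{host} declarations like the ones above, as an added example in Python that is not the lecture's or the Computer Centre's code. The leases excerpt, host names and addresses are constructed. Two details matter in practice: \texttt{dhcpd.leases} is append-only, so the last block for an address is the current one and an ended lease must not be used; and whatever goes into \texttt{dhcpd.conf} is configuration that the server will execute, so host names and MAC addresses are validated before they are written. \end{flushleft}

```python
"""Added example, not the lecture's Perl scripts: read an ISC dhcpd.leases file, find
the MAC address currently holding an IP address, and emit a dhcpd.conf host
declaration like the ones above.  The leases text, names and addresses are constructed."""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed dhcpd.leases excerpt.  dhcpd appends a new "lease" block each time a
# lease changes, so the LAST block for an address describes its current state.
SAMPLE_LEASES = """\
lease 172.19.123.17 {
  starts 2 2003/02/04 06:12:33;
  ends 2 2003/02/04 08:12:33;
  hardware ethernet 00:08:02:1d:87:72;
  client-hostname "a204-16";
}
lease 172.19.123.17 {
  starts 2 2003/02/04 07:10:05;
  ends 2 2003/02/04 09:10:05;
  hardware ethernet 00:08:02:1c:1c:43;
  client-hostname "visitor-laptop";
}
lease 172.19.123.18 {
  starts 2 2003/02/04 07:00:00;
  ends never;
  hardware ethernet 00:08:02:1d:87:02;
}
"""

_LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
_FIELD_RE = re.compile(r"^\s*(starts|ends|hardware ethernet|client-hostname)\s+(.*?);\s*$", re.M)


def _parse_time(text):
    """'2 2003/02/04 08:12:33' (weekday, then a UTC timestamp) or 'never' (-> None)."""
    if text == "never":
        return None
    date, clock = text.split()[-2:]                  # tolerate a missing weekday
    return datetime.strptime(date + " " + clock, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_leases(text):
    """{ip: {"mac", "starts", "ends", "hostname"}}, keeping the last block per address."""
    leases = {}
    for ip, body in _LEASE_RE.findall(text):
        rec = {"mac": None, "starts": None, "ends": None, "hostname": None}
        for key, val in _FIELD_RE.findall(body):
            if key == "hardware ethernet":
                rec["mac"] = val.lower()
            elif key == "client-hostname":
                rec["hostname"] = val.strip('"')
            else:
                rec[key] = _parse_time(val)
        leases[ip] = rec                                 # later block overrides earlier
    return leases


def mac_for_ip(leases, ip, now):
    """MAC holding `ip` at `now` (datetime or 'YYYY/MM/DD HH:MM:SS' UTC); None when the
    lease has ended, because a stale lease would register the wrong machine."""
    if isinstance(now, str):
        now = _parse_time(now)
    rec = leases.get(ip)
    if rec is None or rec["mac"] is None:
        return None
    if rec["ends"] is not None and rec["ends"] <= now:
        return None
    return rec["mac"]


_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,62}$")
_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def host_declaration(name, mac, fixed_address=None):
    """Render a host block.  Inputs are validated because dhcpd.conf is executable
    configuration: a name such as 'x; } ...' pasted in unchecked would become config."""
    mac = mac.lower()
    if not _HOSTNAME_RE.match(name):
        raise ValueError("bad host name %r" % name)
    if not _MAC_RE.match(mac):
        raise ValueError("bad MAC address %r" % mac)
    lines = ["host %s {" % name, "  hardware ethernet %s;" % mac]
    if fixed_address is not None:
        lines.append("  fixed-address %s;" % ipaddress.ip_address(fixed_address))
    lines.append("}")
    return "\n".join(lines) + "\n"


def register(leases_text, client_ip, name, now):
    """What the registration application does: IP address (known from the web server)
    -> MAC (from dhcpd.leases) -> host declaration to append to dhcpd.conf."""
    mac = mac_for_ip(parse_leases(leases_text), client_ip, now)
    if mac is None:
        raise LookupError("no current lease for %s" % client_ip)
    return host_declaration(name, mac)
```

\begin{flushleft} \texttt{register} is the core of the automatic registration described later: the web server supplies the client's IP address, the leases file supplies the MAC, and the returned text is appended to \texttt{dhcpd.conf} before the server is restarted. The \texttt{client-hostname} in the leases file is chosen by the client and is deliberately not used as the host name. \end{flushleft}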
\begin{flushleft} {\huge{}Older method used in ICT: free for all!} \end{flushleft} \begin{flushleft} Each client is offered: \end{flushleft} \begin{flushleft} {\footnotesize{}an address in the range 172.19.123.1 to 172.19.127.200} \end{flushleft} \begin{flushleft} {\footnotesize{}netmask 255.255.192.0 (/18)} \end{flushleft} \begin{flushleft} {\footnotesize{}default gateway 172.19.127.254} \end{flushleft} \begin{flushleft} {\footnotesize{}domain name tyict.vtc.edu.hk} \end{flushleft} \begin{flushleft} {\footnotesize{}name servers 172.19.64.52, 202.40.209.220} \end{flushleft} \begin{flushleft} {\footnotesize{}WINS servers 192.168.68.240, 202.20.100.226} \end{flushleft} \begin{flushleft} {\footnotesize{}NTP server ntp.tyict.vtc.edu.hk} \end{flushleft} \begin{flushleft} {\footnotesize{}a lease of 2 hours (7200 seconds)} \end{flushleft} \begin{flushleft} {\footnotesize{}The DHCP server attempts to create a DNS record for the client (ddns-update-style interim)} \end{flushleft} \begin{flushleft} {\footnotesize{}The server is authoritative for this network: it answers requests for addresses it does not know about with DHCPNAK} \end{flushleft} \begin{flushleft} {\footnotesize{}Log messages go to syslog facility local1, so a separate log file can be kept by routing local1 to a file in syslog.conf (see man syslog.conf)} \end{flushleft} \begin{flushleft} {\huge{}Older method used in ICT: free for all!} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{}authoritative;}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{}log-facility local1;}} \end{flushleft} \begin{flushleft} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{}option domain-name "tyict.vtc.edu.hk";}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{}ddns-update-style interim;}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{}option netbios-name-servers 192.168.68.240, 202.20.100.226;}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{}option domain-name-servers 172.19.64.52, 202.40.209.220;}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{}option ntp-servers ntp.tyict.vtc.edu.hk;}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{}subnet 172.19.64.0 netmask 255.255.192.0 
\{}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{} option routers 172.19.127.254;}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{} max-lease-time 7200;}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{} default-lease-time 7200;}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{} range 172.19.123.1 172.19.127.200;}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{}\}}} \end{flushleft} \begin{flushleft} {\huge{}Troubleshooting DHCP 1} \end{flushleft} \begin{flushleft} {\large{}Our major problem: unauthorised DHCP servers giving DHCPNAK to all requests} \end{flushleft} \begin{flushleft} {\large{}Solution: use }\textbf{{\large{}ethereal}}{\large{} in promiscuous mode with the capture filter }\textbf{{\large{}port 67 or port 68}} \end{flushleft} \begin{flushleft} {\large{}Examine the packets from the rogue server: its source MAC address and the server identifier it puts in option 54 tell you which machine it is} \end{flushleft} \begin{flushleft} {\large{}Use}\textbf{{\large{} }}\textbf{{\large{}xnmap}}\textbf{{\large{} }}{\large{}to gather more information about the rogue server} \end{flushleft} \begin{flushleft} {\large{}Now go and talk with the person responsible} \end{flushleft} \begin{flushleft} {\large{}Sniffing finds the culprit after the event; a managed switch can also be told to drop DHCP server replies arriving on any port other than the real server's (``DHCP snooping''), so that a rogue is never heard by the clients at all} \end{flushleft} \begin{flushleft} {\huge{}Troubleshooting DHCP 2} \end{flushleft} \begin{flushleft} {\large{}Other problems:} \end{flushleft} \begin{flushleft} {\large{}Examine the dhcpd log using tail -f} \end{flushleft} \begin{flushleft} shows all DHCP messages received and sent by the server \end{flushleft} \begin{flushleft} {\large{}Examine the log on the client} \end{flushleft} \begin{flushleft} {\large{}Use tcpdump or ethereal to collect data} \end{flushleft} \begin{flushleft} analyse it in Ethereal \end{flushleft} \begin{flushleft} {\large{}Compare with the client state diagram} \end{flushleft} \begin{flushleft} {\large{}Compare with normal, expected behaviour} \end{flushleft} \begin{flushleft} {\huge{}Automatic Client Registration} \end{flushleft} \begin{center} {\Large{}Making it easy for customers to register their computers} \end{center} \begin{center} 
{\Large{}Avoiding manually misconfigured settings} \end{center} \begin{flushleft} {\huge{}Automatic Client Registration} \end{flushleft} \begin{flushleft} {\large{}It is good to be able to map IP addresses to particular computers (and users)} \end{flushleft} \begin{flushleft} {\large{}Often computers cause trouble without the user being aware} \end{flushleft} \begin{flushleft} e.g., project students with rogue DHCP servers \end{flushleft} \begin{flushleft} {\large{}Want convenience for user and sysadmin} \end{flushleft} \begin{flushleft} {\large{}Can use the ISC DHCP server to implement such an automatic registration system.} \end{flushleft} \begin{flushleft} {\large{}Depends on dividing IP hosts into two }\textit{{\large{}classes}}{\large{}: known and unknown.} \end{flushleft} \begin{flushleft} {\huge{}ISC DHCP host declarations} \end{flushleft} \begin{flushleft} {\footnotesize{}The file /etc/dhcpd.conf controls the behaviour of the ISC DHCP server} \end{flushleft} \begin{flushleft} {\footnotesize{}It may be edited by external programs and host statements may be added (dhcpd reads the file only at start-up, so it must be restarted after the edit):} \end{flushleft} \begin{flushleft} {\footnotesize{}Examples:} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{}host a204-16 \{}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{} hardware ethernet 00:08:02:1d:87:72;}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{}\}}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{}host a204-17 \{}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{} hardware ethernet 00:08:02:1d:87:02;}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{}\}}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{}host a204-18 \{}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{} hardware ethernet 00:08:02:1c:1c:43;}} \end{flushleft} \begin{flushleft} \textbf{{\footnotesize{}\}}} \end{flushleft} \begin{flushleft} {\huge{}Known and unknown hosts} \end{flushleft} \begin{flushleft} {\footnotesize{}A host is 
}\textit{{\footnotesize{}known}}{\footnotesize{} if it has a host declaration} \end{flushleft} \begin{flushleft} \textbf{{\scriptsize{}subnet 172.19.64.0 netmask 255.255.192.0 \{}} \end{flushleft} \begin{flushleft} \textbf{{\scriptsize{} option routers 172.19.127.254;}} \end{flushleft} \begin{flushleft} \end{flushleft} \begin{flushleft} \textbf{{\scriptsize{} \# Unknown clients get this pool.}} \end{flushleft} \begin{flushleft} \textbf{{\scriptsize{} pool \{}} \end{flushleft} \begin{flushleft} \textbf{{\scriptsize{} option domain-name-servers bogus.tyict.vtc.edu.hk;}} \end{flushleft} \begin{flushleft} \textbf{{\scriptsize{} max-lease-time 120;}} \end{flushleft} \begin{flushleft} \textbf{{\scriptsize{} range 172.19.120.0 172.19.122.255;}} \end{flushleft} \begin{flushleft} \textbf{{\scriptsize{} allow unknown clients;}} \end{flushleft} \begin{flushleft} \textbf{{\scriptsize{} \}}} \end{flushleft} \begin{flushleft} \end{flushleft} \begin{flushleft} \textbf{{\scriptsize{} \# Known clients get this pool.}} \end{flushleft} \begin{flushleft} \textbf{{\scriptsize{} pool \{}} \end{flushleft} \begin{flushleft} \textbf{{\scriptsize{} option domain-name-servers ns.tyict.vtc.edu.hk;}} \end{flushleft} \begin{flushleft} \textbf{{\scriptsize{} max-lease-time 28800;}} \end{flushleft} \begin{flushleft} \textbf{{\scriptsize{} range 172.19.123.1 172.19.127.200;}} \end{flushleft} \begin{flushleft} \textbf{{\scriptsize{} deny unknown clients;}} \end{flushleft} \begin{flushleft} \textbf{{\scriptsize{} \}}} \end{flushleft} \begin{flushleft} \textbf{{\scriptsize{}\}}} \end{flushleft} \begin{flushleft} {\huge{}Known and unknown hosts} \end{flushleft} 
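\begin{flushleft} A check on the known/unknown pool layout just shown, as an added example in Python that is not part of the lecture. \texttt{dhcpd -t} tests the syntax of \texttt{dhcpd.conf}; this checks the intent instead: every range lies inside the subnet, the two pools do not overlap (otherwise a registered machine could be handed a quarantine address), and the pool that admits unknown clients keeps the short lease that makes registration take effect quickly. The configuration text is constructed and spelled with the \texttt{unknown-clients} keyword of the current \texttt{dhcpd.conf} manual page; the parser also accepts the two-word spelling used in the listing above. \end{flushleft}

```python
"""Added example, not from the lecture: check the intent of a known/unknown pool layout
such as the one above.  `dhcpd -t` tests syntax only; this checks that every range lies
inside its subnet, that pools do not overlap, and that the pool that admits unknown
clients has a short lease.  The configuration text is constructed; it uses the
'unknown-clients' spelling of the current dhcpd.conf manual page, and the parser also
accepts the older two-word 'unknown clients' used in the listing above."""
import ipaddress
import re

SAMPLE_CONF = """\
subnet 172.19.64.0 netmask 255.255.192.0 {
  option routers 172.19.127.254;
  # Unknown clients get this pool.
  pool {
    option domain-name-servers bogus.tyict.vtc.edu.hk;
    max-lease-time 120;
    range 172.19.120.0 172.19.122.255;
    allow unknown-clients;
  }
  # Known clients get this pool.
  pool {
    option domain-name-servers ns.tyict.vtc.edu.hk;
    max-lease-time 28800;
    range 172.19.123.1 172.19.127.200;
    deny unknown-clients;
  }
}
"""

_SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*)\}", re.S)
_POOL_RE = re.compile(r"pool\s*\{(.*?)\}", re.S)


def parse_pools(conf):
    """(subnet, [pool dicts]) for one subnet declaration with non-nested pools."""
    conf = re.sub(r"#.*", "", conf)                     # drop comments
    m = _SUBNET_RE.search(conf)
    if not m:
        raise ValueError("no subnet declaration found")
    net = ipaddress.ip_network("%s/%s" % (m.group(1), m.group(2)), strict=True)
    pools = []
    for body in _POOL_RE.findall(m.group(3)):
        p = {"ranges": [], "max_lease": None, "unknown": None}
        for lo, hi in re.findall(r"range\s+(\S+)\s+(\S+)\s*;", body):
            p["ranges"].append((ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        ml = re.search(r"max-lease-time\s+(\d+)\s*;", body)
        p["max_lease"] = int(ml.group(1)) if ml else None
        ad = re.search(r"\b(allow|deny)\s+unknown[- ]clients\s*;", body)
        p["unknown"] = (ad.group(1) == "allow") if ad else None   # None: no statement
        pools.append(p)
    return net, pools


def check_pools(conf, max_unknown_lease=300):
    """Return a list of problems; an empty list means the layout passes."""
    net, pools = parse_pools(conf)
    problems, seen = [], []                             # seen: (lo, hi, pool index)
    for i, p in enumerate(pools):
        for lo, hi in p["ranges"]:
            if lo > hi:
                problems.append("pool %d: range %s-%s is reversed" % (i, lo, hi))
            if lo not in net or hi not in net:
                problems.append("pool %d: range %s-%s not inside %s" % (i, lo, hi, net))
            for plo, phi, j in seen:
                if lo <= phi and plo <= hi:             # closed intervals intersect
                    problems.append("pool %d overlaps pool %d (%s-%s)"
                                    % (i, j, max(lo, plo), min(hi, phi)))
            seen.append((lo, hi, i))
        if p["unknown"] and (p["max_lease"] is None or p["max_lease"] > max_unknown_lease):
            problems.append("pool %d admits unknown clients but max-lease-time is %s (> %d s): "
                            "a newly registered machine would stay quarantined that long"
                            % (i, p["max_lease"], max_unknown_lease))
    if not any(p["unknown"] is False for p in pools):
        problems.append("no pool has 'deny unknown-clients': unregistered machines "
                        "can be served from every pool that does not restrict them")
    return problems
```

\begin{flushleft} Run \texttt{check\_pools} over the real file after every edit made by the registration application and before restarting \texttt{dhcpd}; an empty list is the expected result for the layout above. \end{flushleft}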
\begin{flushleft} {\large{}So the hosts a204-16, a204-17 and a204-18 get full parameters} \end{flushleft} \begin{flushleft} {\large{}Others (without a host declaration) get} \end{flushleft} \begin{flushleft} a short lease (120 seconds in the example above) \end{flushleft} \begin{flushleft} a bogus name server that redirects all web access to a registration server \end{flushleft} \begin{flushleft} {\large{}Block the IP addresses of unknown hosts at the firewall} \end{flushleft} \begin{flushleft} {\large{}they get no Internet access (the bogus name server alone is not enough: it only catches names the client looks up, not connections to addresses the client already knows)} \end{flushleft} \begin{flushleft} {\large{}users are motivated to register} \end{flushleft} \begin{flushleft} {\huge{}The registration server} \end{flushleft} \begin{flushleft} {\large{}All unregistered hosts get a "bogus" name server that maps all hostnames to itself} \end{flushleft} \begin{flushleft} {\large{}The web browser will go to the registration application, no matter what URL is entered} \end{flushleft} \begin{flushleft} {\large{}Registration application edits }\textbf{{\large{}/etc/dhcpd.conf}}{\large{} on the DHCP server} \end{flushleft} \begin{flushleft} {\large{}Adds the host as a }\textit{{\large{}known host}} \end{flushleft} \begin{flushleft} {\large{}Gets the information from the DHCP lease} \end{flushleft} \begin{flushleft} {\large{}User just needs to enter their user name and LDAP password (serve the form over HTTPS: the password crosses the same network the unregistered machine is on)} \end{flushleft} \begin{flushleft} {\huge{}Registration Application} \end{flushleft} \begin{flushleft} {\large{}A web application} \end{flushleft} \begin{flushleft} {\large{}User interface is very simple --- enter only:} \end{flushleft} \begin{flushleft} user name \end{flushleft} \begin{flushleft} password \end{flushleft} \begin{flushleft} {\large{}Application knows the IP address from the web server} \end{flushleft} \begin{flushleft} {\large{}Looks up the MAC address in the DHCP leases file (use the latest, unexpired lease for that address: dhcpd.leases is append-only, so older entries for the same address remain in it)} \end{flushleft} \begin{flushleft} {\large{}Edits /etc/dhcpd.conf, adds a host record} \end{flushleft} \begin{flushleft} {\large{}Can assign a 
fixed or dynamic address} \end{flushleft} \begin{flushleft} {\huge{}Registered computer} \end{flushleft} \begin{flushleft} Now the client can either reboot, or wait until T1 (60 seconds, half of the 120-second unknown-client lease) and renew; as a known host it is then served from the known pool and gets a long-term lease \end{flushleft} \begin{flushleft} The machine becomes a ``known host'' \end{flushleft} \begin{flushleft} Client can now access the Internet conveniently \end{flushleft} \begin{flushleft} A MAC address can be changed by the user, so registration identifies a computer, not the person using it; the LDAP login ties the two together only at registration time \end{flushleft} \begin{flushleft} Could extend this by adding the MAC address to the access control list of the appropriate port on the main switch \end{flushleft} \begin{flushleft} Unregistered computers blocked by the switch \end{flushleft} \begin{flushleft} Enforces limiting access to registered computers only \end{flushleft} \end{document}