tech-net archive
Re: MVP for a DHCP server
Roy Marples <roy%marples.name@localhost> writes:
> ---- On Tue, 15 Jul 2025 23:32:09 +0100 Greg Troxel <gdt%lexort.com@localhost> wrote ---
> > Roy Marples <roy%marples.name@localhost> writes:
> >
> > > I have a ton of devices I have zero control over, can't be customised and yet I only have one box, my main router, with a fixed IP.
> > > The IPs of my other devices change from time to time, but it's not really important as every box I need to manually connect to can be reached by mDNS or DDNS.
> >
> > How do you coordinate different per-device firewall rules with npf?
>
> I don't.
>
> Knowing that I don't control some devices it would be foolish to assume I can control the IP address the device wants or even uses.
> For example, a bad actor could negotiate 192.168.1.77/24 via DHCP but also configure a random address on the subnet that no-one is using (hello ARPing)
> or sniff the traffic and use well known IPs.
>
> Putting it another way - an IP address is not a secret - it's a vital part of networking. You never own it, other devices can spoof it.
> If you want this layer of security then each switch needs to have a hardware/port -> IP mapping to enforce it, which is outside the scope of DHCP.
From the CS theory view I can see your point, but in the real world it
is unreasonable. You are essentially saying that because static
assignment to devices and per-IP firewalling cannot prevent all bad
behavior, it does not make sense to do it at all.
I am guessing that for IoT devices with proprietary firmware, you don't
do any of this. Or perhaps you avoid them entirely. I avoid them
pretty hard, but still have some. Normal people's houses are infested
with them, reporting all sorts of data to the cloud.
For such devices, there are multiple possible levels of malware (a vague
taxonomy for discussion, not meant to be a serious taxonomy):
- 1: they phone home but don't really leak any private state
- 2: they send data to the cloud, like when the garage door opens and
closes
- 3: they are being used for active attacks in a full-on malware mode,
stepping stone to other devices
- 4: beyond that, they are trying to use other IP addresses to
communicate
As devices are determined by the internet community to be in the 3rd or
4th category, they can be removed and destroyed. The second category is
pretty much every proprietary-firmware IoT device that connects to the
Internet.
Overall, cybersecurity is about reducing exposure and risk, and one can
never get to zero. NetBSD isn't certified Orange Book A1. By your
logic, it's then pointless to have any security mechanisms.
I maintain that per-device-IP firewalls help a lot with the second
category, generally stopping category 2 devices from sending data to the
cloud. (One should put them on a separate VLAN/SSID, and deconfigure
IPv6, too.)
Of course this is somewhat difficult, but I can't see it leading to a
conclusion "anyone who wants to static-assign IP addresses is confused".
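The disagreement above turns on whether a static DHCP map is worth anything when a device can simply pick another address or claim one that is already assigned. One thing the router can do with that map is check it against what is actually seen on the IoT VLAN. The script below is an added illustration written for this archive page, not code from either poster: it parses ISC dhcpd.conf host blocks, compares them with a constructed ARP cache dump, and reports the three situations the thread mentions (a known address answered by a different MAC, an address nobody was assigned, and a known device using a different address). The dhcpd.conf entries and the arp(8) output line shape are sample data and an assumed format respectively.

```python
import re

# Constructed ISC dhcpd.conf host blocks (sample data, not from the thread).
DHCPD_CONF = """
subnet 192.168.10.0 netmask 255.255.255.0 { range 192.168.10.100 192.168.10.199; }
host garage-door { hardware ethernet 00:11:22:aa:bb:01; fixed-address 192.168.10.11; }
host thermostat  { hardware ethernet 00:11:22:aa:bb:02; fixed-address 192.168.10.12; }
host camera      { hardware ethernet 00:11:22:aa:bb:03; fixed-address 192.168.10.13; }
"""

# Constructed ARP cache dump in the "? (ip) at mac on ifname ..." shape that
# NetBSD's arp -an prints (assumed format; only the "(ip) at mac" part is parsed).
ARP_DUMP = """
? (192.168.10.11) at 00:11:22:aa:bb:01 on vlan10 expires in 1190 seconds [ethernet]
? (192.168.10.12) at 00:11:22:de:ad:99 on vlan10 expires in 900 seconds [ethernet]
? (192.168.10.77) at 00:11:22:de:ad:99 on vlan10 expires in 850 seconds [ethernet]
? (192.168.10.150) at 00:11:22:aa:bb:03 on vlan10 expires in 600 seconds [ethernet]
"""

HOST_RE = re.compile(r"host\s+(\S+)\s*\{[^}]*?hardware ethernet\s+([0-9a-f:]+)\s*;"
                     r"[^}]*?fixed-address\s+([\d.]+)\s*;", re.I)
ARP_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\)\s+at\s+([0-9a-f:]+)", re.I)

def parse_fixed_hosts(conf):
    """Return {ip: (name, mac)} for every host block with a fixed-address."""
    return {ip: (name, mac.lower()) for name, mac, ip in HOST_RE.findall(conf)}

def audit_arp(arp_text, fixed):
    """Compare what is on the wire with the static map. Returns (kind, ip, mac):
      mac-mismatch   a statically assigned IP is answered by an unexpected MAC
      unassigned-ip  an address outside the static map is in use
      wrong-ip       a known device is using an address other than its own"""
    by_mac = {mac: ip for ip, (_, mac) in fixed.items()}
    findings = []
    for ip, mac in ARP_RE.findall(arp_text):
        mac = mac.lower()
        if ip in fixed:
            if fixed[ip][1] != mac:
                findings.append(("mac-mismatch", ip, mac))
        else:
            findings.append(("unassigned-ip", ip, mac))
            if mac in by_mac:  # a device we know, but not where we put it
                findings.append(("wrong-ip", ip, mac))
    return findings

if __name__ == "__main__":
    for kind, ip, mac in audit_arp(ARP_DUMP, parse_fixed_hosts(DHCPD_CONF)):
        print(f"{kind:14} {ip:16} {mac}")
```

The ARP cache is itself spoofable, so this is a detection aid to run on the router alongside the per-IP rules, not the per-switch-port enforcement Roy describes.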