tech-net archive


Re: MVP for a DHCP server




Roy

 ---- On Wed, 16 Jul 2025 10:51:20 +0100  Greg Troxel <gdt%lexort.com@localhost> wrote --- 
 > Roy Marples <roy%marples.name@localhost> writes:
 > 
 > >  ---- On Tue, 15 Jul 2025 23:32:09 +0100  Greg Troxel <gdt%lexort.com@localhost> wrote --- 
 > >  > Roy Marples <roy%marples.name@localhost> writes:
 > >  > 
 > >  > > I have a ton of devices I have zero control over, can't be customised and yet I only have one box, my main router, with a fixed IP.
 > >  > > The IPs of my other devices change from time to time, but it's not really important as every box I need to manually connect to can be reached by mDNS or DDNS.
 > >  > 
 > >  > How do you coordinate different per-device firewall rules with npf?
 > >
 > > I don't.
 > >
 > > Knowing that I don't control some devices it would be foolish to assume I can control the IP address the device wants or even uses.
 > > For example, a bad actor could negotiate 192.168.1.77/24 via DHCP but also configure a random address on the subnet that no-one is using (hello ARPing)
 > > or sniff the traffic and use well-known IPs.
 > >
 > > Putting it another way - an IP address is not a secret - it's a vital part of networking. You never own it, other devices can spoof it.
 > > If you want this layer of security then each switch needs to have a hardware/port-> IP mapping to enforce it, which is outside the scope of DHCP.
 > 
 > From the CS theory view I can see your point, but in the real world it
 > is unreasonable.  You are essentially saying that because static
 > assignment to devices and per-IP firewalling cannot prevent all bad
 > behavior, it does not make sense to do it at all.
 > 
 > I am guessing that for IOT devices with proprietary firmware, you don't
 > do any of this.  Or perhaps you avoid them entirely.   I avoid them
 > pretty hard, but still have some.  Normal people's houses are infested
 > with them, reporting all sorts of data to the cloud.
 > 
 > For such devices, there are multiple possible levels of malware (a vague
 > taxonomy for discussion, not meant to be a serious taxonomy):
 > 
 >   - 1: they phone home but don't really leak any private state
 > 
 >   - 2: they send data to the cloud, like when the garage door opens and
 >     closes
 > 
 >   - 3: they are being used for active attacks in a full-on malware mode,
 >     steppingstone to other devices
 > 
 >   - 4: beyond that, they are trying to use other IP addresses to
 >     communicate
 > 
 > as devices are determined by the internet community to be in the 3rd or
 > 4th category, they can be removed and destroyed.  The second category is
 > pretty much every proprietary-firmware IOT device that connects to the
 > Internet.
 > 
 > Overall, cybersecurity is about reducing exposure and risk, and one can
 > never get to zero.  NetBSD isn't certified Orange Book A1.  By your
 > logic, it's then pointless to have any security mechanisms.

No, I am saying: can we do things better?

 > I maintain that per-device-IP firewalls help a lot with the second
 > category, generally stopping category 2 devices from sending data to the
 > cloud.  (One should put them on a separate VLAN/SSID, and deconfigure
 > IPv6, too.)
 > 
 > Of course this is somewhat difficult, but I can't see it leading to a
 > conclusion "anyone who wants to static-assign IP addresses is confused".

I just don't want to maintain anything ephemeral like an IP address.
Why can't we instead blacklist by Ethernet address in NPF?
And if NPF lacks that vital feature then why not have a script to maintain a list of blocked IPs and reload NPF?

Roy
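The second option Roy floats, a script that keeps a list of blocked IPs in step with the devices you actually want to block and pushes it into NPF, can be sketched in a few lines of sh. The example below is an addition to this archive page, not code from the thread or from NetBSD. It assumes npf.conf declares a table `<blocked>` of type ipset and a rule such as `block in final from <blocked>` referencing it (the table name is hypothetical), and it resolves blocked Ethernet addresses to their current IPv4 addresses from `arp -an` output. The ARP text and the MAC list used for the self-check are constructed samples. As Roy notes above, a device can use an address it never leased, so this only covers the addresses the ARP cache has seen for that MAC.

```shell
#!/bin/sh
# Added example: keep an NPF ipset table in sync with the current IPv4
# addresses of Ethernet (MAC) addresses on a blocklist.
# Assumed npf.conf fragment (hypothetical table name):
#     table <blocked> type ipset
#     block in final from <blocked>

TABLE=blocked

# blocked_ips MACFILE ARPTEXT
# MACFILE holds one MAC per line ('#' comments and blank lines ignored).
# ARPTEXT is 'arp -an'-style output; prints every IPv4 address currently
# mapped to a blocked MAC, sorted and de-duplicated, one per line.
blocked_ips() {
    macfile=$1
    printf '%s\n' "$2" | awk -v macfile="$macfile" '
        BEGIN {
            while ((getline line < macfile) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line != "") blocked[tolower(line)] = 1
            }
        }
        # NetBSD arp -an line: "? (192.168.1.77) at 00:11:22:33:44:55 on wm0 ..."
        $2 ~ /^\(.*\)$/ && $3 == "at" && (tolower($4) in blocked) {
            print substr($2, 2, length($2) - 2)
        }' | sort -u
}

# sync_table MACFILE
# Resolve the blocklist against the live ARP cache and hand the result to
# "npfctl table <tid> replace <path>", which reads one address per line
# (the same format as a "file" table in npf.conf).  Replacing the table
# avoids the flush-then-add window in which nothing would be blocked, and
# drops addresses a device no longer holds after a lease change.
sync_table() {
    state=$(mktemp) || return 1
    blocked_ips "$1" "$(arp -an)" > "$state"
    npfctl table "$TABLE" replace "$state"
    rc=$?
    rm -f "$state"
    return $rc
}

# Constructed sample ARP output for the self-check (no real hosts).
SAMPLE_ARP='? (192.168.1.1) at 00:0d:b9:aa:bb:cc on wm0 permanent [ethernet]
? (192.168.1.77) at 00:11:22:33:44:55 on wm0 expires in 1190 seconds [ethernet]
? (192.168.1.78) at 00:11:22:33:44:66 on wm0 expires in 900 seconds [ethernet]
? (192.168.1.200) at 00:11:22:33:44:55 on wm0 expires in 60 seconds [ethernet]
? (192.168.1.90) at (incomplete) on wm0 expired [ethernet]'

# demo_blocked_ips: run blocked_ips over the constructed sample with a
# constructed two-entry blocklist (the router at .1 is not blocked).
demo_blocked_ips() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '# constructed blocklist' \
        '00:11:22:33:44:55' '00:11:22:33:44:66' > "$tmp"
    blocked_ips "$tmp" "$SAMPLE_ARP"
    rm -f "$tmp"
}

# Usage: sh npf-macblock.sh /etc/npf_blocked_macs
# (e.g. from cron, or hooked to the DHCP server's lease events).
if [ $# -eq 1 ] && command -v npfctl >/dev/null 2>&1; then
    sync_table "$1"
fi
```

Run it periodically or from a lease-change hook so that a device which renews with a new address is re-blocked promptly; the MAC list is the only thing you maintain by hand.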

