tech-net archive
Re: MVP for a DHCP server
>> [...]
>> I maintain that per-device-IP firewalls help a lot with the second
>> category, generally stopping category 2 devices from sending data to
>> the cloud. (One should put them on a separate VLAN/SSID, and
>> deconfigure IPv6, too.)
>> Of course this is somewhat difficult, but I can't see it leading to
>> a conclusion "anyone who wants to static-assign IP addresses is
>> confused".
> I just don't want to maintain anything ephemeral like an IP address.
Not everyone considers IP addresses ephemeral.
> Why can't we instead blacklist by ethernet address in NPF?
Possibly because the NPF machine and the devices being blocked have a
router between them?
Possibly because the devices vary their MACs?
Possibly because the administrative burden of updating the NPF config
each time a new device is to be blacklisted (or whitelisted, if the
configuration blocks by default) is seen as the greater cost?
To steal a phrase from X11, "mechanism, not policy". I think it's not
the DHCP server's place to dictate policies like "IP addresses are
ephemeral" or "phone-home blocking must be on the first-hop router". I
would say it should provide mechanisms by which the network admin can
implement whatever policy is appropriate for the site in question.
/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML mouse%rodents-montreal.org@localhost
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
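To make the "mechanism, not policy" point concrete, here is an added example of the per-device-IP egress blocking that the thread discusses, written as an npf.conf fragment. It is not from the original message or from any NetBSD source; it assumes NetBSD NPF syntax as documented in npf.conf(5), an uplink interface named wm0 (a placeholder), an RFC 1918 guest/IoT subnet 192.168.20.0/24 that is constructed for the example, and that the devices have been given fixed DHCP leases so their addresses are stable. The policy (which devices may phone home) lives in a table the admin edits at runtime; the rule set only provides the mechanism.

```conf
# Added example, not the poster's configuration. Interface name and
# addresses are placeholders; adjust for the site.
$ext_if = "wm0"

# Devices listed here are denied any forwarded traffic out the uplink.
# The table is empty at load time; the admin adds the static IPs that
# the DHCP server hands to the "category 2" devices. (Assumption: a
# named ipset table, per npf.conf(5).)
table <phonehome_blocked> type ipset

group "uplink" on $ext_if {
	# Drop egress from blocked devices before anything else matches.
	block out final from <phonehome_blocked>

	# Everything else on the site may reach the Internet, statefully.
	pass stateful out final all

	# Only return traffic for established state comes back in.
	block in final all
}

group default {
	pass final on lo0 all
	block all
}
```

Under these assumptions, an address is blocked or unblocked with the npfctl table subcommands (for example `npfctl table phonehome_blocked add 192.168.20.10` and `... rem ...`) rather than by editing and reloading the rule set, which addresses the administrative-burden objection raised above while still leaving the decision about which devices to block entirely to the network admin. The rule keys on IP, so it works even when the NPF host is one router hop away from the devices, where filtering on Ethernet addresses would not.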