On Thu, Dec 07, 2006 at 02:53:49PM -0500, Ralph Droms wrote:
> It would be interesting to hear from SPs about how they filter DHCP - why
> bother filtering on the UDP source port if the destination port will be
> known to be 547?
A process separate from the system's "super-user access" DHCP client
software might be producing the packet, maliciously. That's been the
historic reason for source port filters for services like these. It
cuts down a bit on the bad behaviour, in the absence of real security.
But it's probably not any current operator's reason. The simple truth
is that it's easier to create one Berkeley Socket bound to the proper
source port for both receiving and transmitting. So that's what some
implementations do. Since an operator can observe these
implementations operating this way, filter rules (designed to be the
most limiting rather than the most liberal) are set to check for it.
My own preference would be that the source port selection be
consistent among implementations ("SHOULD" at least). I just like
the symmetry.
Conversely: Why send a packet from a high source port if you're going
to have to get responses via the low port?
It has not so far been my impression that answers to this question
have been the bastion of good design.
--
David W. Hankins                    "If you don't do it right the first time,
Software Engineer                    you'll just have to do it again."
Internet Systems Consortium, Inc.                  -- Jack T. Hankins
_______________________________________________ dhcwg mailing list dhcwg at ietf.org https://www1.ietf.org/mailman/listinfo/dhcwg
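The two filter designs contrasted in the message above (match only the destination port, or match the source/destination pair an implementation is observed to use) as an added illustration; this is example code, not anything from the thread or from ISC. It assumes the DHCPv6 ports from RFC 3315 (clients on 546, servers and relays on 547) and constructs its own sample UDP headers.

```python
import struct
from typing import Callable, Dict, NamedTuple

# Well-known DHCPv6 ports (RFC 3315): clients listen on 546,
# servers and relay agents listen on 547.
DHCPV6_CLIENT_PORT = 546
DHCPV6_SERVER_PORT = 547


class UdpPorts(NamedTuple):
    src: int
    dst: int


def parse_udp_ports(udp_header: bytes) -> UdpPorts:
    """Extract source and destination ports from a raw 8-byte UDP header."""
    if len(udp_header) < 8:
        raise ValueError("UDP header too short")
    src, dst, _length, _checksum = struct.unpack("!HHHH", udp_header[:8])
    return UdpPorts(src, dst)


def liberal_filter(ports: UdpPorts) -> bool:
    """Destination-only rule: any source port is accepted."""
    return ports.dst in (DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT)


def strict_filter(ports: UdpPorts) -> bool:
    """Source/destination pairing as seen from implementations that bind one
    socket to the well-known port for both receiving and transmitting."""
    allowed = {
        (DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT),  # client  -> server/relay
        (DHCPV6_SERVER_PORT, DHCPV6_CLIENT_PORT),  # server  -> client
        (DHCPV6_SERVER_PORT, DHCPV6_SERVER_PORT),  # relay  <-> server
    }
    return (ports.src, ports.dst) in allowed


def make_udp_header(src: int, dst: int, payload_len: int = 0) -> bytes:
    """Constructed UDP header for the example; checksum left as zero."""
    return struct.pack("!HHHH", src, dst, 8 + payload_len, 0)


# Constructed sample traffic, named by what it represents.
SAMPLE_HEADERS: Dict[str, bytes] = {
    "client_from_546": make_udp_header(546, 547),
    "client_from_ephemeral": make_udp_header(49152, 547),
    "server_reply": make_udp_header(547, 546),
    "relay_forward": make_udp_header(547, 547),
    "reply_from_ephemeral": make_udp_header(40000, 546),
    "unrelated_dns": make_udp_header(53000, 53),
}


def evaluate(policy: Callable[[UdpPorts], bool]) -> Dict[str, bool]:
    """Run one filter policy over every sample header; True means 'pass'."""
    return {name: policy(parse_udp_ports(h)) for name, h in SAMPLE_HEADERS.items()}
```

Running `evaluate(strict_filter)` shows the high-source-port client and the reply from port 40000 dropped, while `evaluate(liberal_filter)` passes both; that difference is the only thing the stricter rule buys.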