Using the word "security", you've got to be kidding.

If a DHCP server on an L2 segment can be "rogue" about one thing, it can
most certainly lie about any other answer, or act out in many other
ways.

The only way to avoid "rogue" DHCP servers on a segment is to not ask
DHCP questions on that segment.

This is not a security feature.  It is purely for selecting aspects of
the answer from TRUSTED DHCP servers.

Andras Vinter <eand...@gmail.com> wrote:

> The Linux dhclient supports it and it's actually a nice-to-have
> feature as it can increase the security by keeping out the rogue DHCP
> servers from an entire LAN range. But probably you can achieve similar
> functionality with the interface restriction.
> 
> On Mon, Aug 9, 2021 at 3:33 PM Stuart Henderson <s...@spacehopper.org> wrote:
> >
> > On 2021/08/09 15:03, Andras Vinter wrote:
> > > It's probably an overkill for first implementation, but in the future
> > > I think we should support subnet definitions in CIDR notation (e.g.:
> > > 192.168.0.0/24) and IP ranges for fine control (e.g.:
> > > 192.168.0.100-192.168.0.254).
> >
> > dhclient never needed that.
> >
> 
