DHCP, the DLINK DI-724GU and handing out IP addresses in a sequence

I have recently received my new D-link DI-724GU a QOS Gigabit wireless
router and from all but this one aspect below it has been perfect.

The one piece of configuration that seems to veer off from the norm of
all the other DHCP servers.

Configuration:
(1) The DI-724GU is the DHCP server on the network - DHCP Server: On
(2) The DHCP IP Address Range: 192.168.0.100 - 192.168.0.254
(3) LAN IP of the router: 192.168.0.1

The problem:
- The DHCP server is not handing out the IP Address Range addresses in
a sequence.

Details:
It appears that the DI-724GU is randomly picking IP addresses within
the IP Range to give to the next client requesting a new IP address.
All of my prior routers ( DI-624 ) /dhcp servers would hand out IP
addresses sequentially.

Question:
Is anyone out there familar enough to know if there a configuration
method to have the router give out the IP addresses within the Valid
DHCP range sequentially?

Thanks in advance for your help,
Paul Cooley
My experience and knowledge with configuring Linux:
http://linuxlore.blogspot.com

"pcooley" <pcooley.newsgroups@gmail.com> hath wroth:

>Is anyone out there familar enough to know if there a configuration
>method to have the router give out the IP addresses within the Valid
>DHCP range sequentially?

It won't happen. Let's say you have a DHCP pool of some number of
IP's. The DHCP server will allocated them sequentially until it runs
out. Then, it reverts to a "least recently used" algorithm and
starts to reassign previous expired leases. It will get out of order
quickly. In addition, clients with leases that have expired because
they drove away, can come back the next day and request the same IP
address and get it. That creates the situation where even rebooting
the router and flushing the DHCP lease cache, won't guarantee that the
returning client gets a new (sequential) lease, instead of recycling
the old one.

If you convince the DI-724GU to allow 253 IP's in the DHCP address
pool, it will remain sequential for a while, but eventially get
scrambled.

So, why do you need sequential IP's? Are you just trying to make sure
that a given computah always gets assigned the same IP address? That's
easy with "static DHCP", "reserved DHCP" or "pre-assigned DHCP"
feature. Looks like the DI-724GU has this feature:
http://support.dlink.com/emulators/di724u/h_dhcp.html
Above URL doesn't work with Firefox but works with IE6. Grrrr....


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Jeff,

Thanks for your insight. I understand your points, but to add a little
context. I've created a pool of 150 IP addresses for my home network
of ~10 machines. From the get-go the router was delving out IP
addresses across the map. The first two IPs were 192.168.0.106 and
192.168.0.132 after turning the router on for the first time.

> So, why do you need sequential IP's?

There is no particular reason for this other than cleanliness in a
mathematic/sequencial sense.

> Are you just trying to make sure that a given computah always gets assigned the same IP address?

You are correct about using the DHCP feature. For servers I have used
the DHCP reservation feature, it works well. This is only for the
assortment of laptops/desktops that get turned on in my home LAN.

I am just presuming that the DHCP server in the DI-724 has a
non-typical configuration by default and maybe D-Link has a
fix/configuration change to clean up this tiny little mess.

Paul Cooley
http://www.paulcooley.com
http://linuxlore.blogspot.com



Jeff Liebermann wrote:
> "pcooley" <pcooley.newsgroups@gmail.com> hath wroth:
>
> >Is anyone out there familar enough to know if there a configuration
> >method to have the router give out the IP addresses within the Valid
> >DHCP range sequentially?
>
> It won't happen. Let's say you have a DHCP pool of some number of
> IP's. The DHCP server will allocated them sequentially until it runs
> out. Then, it reverts to a "least recently used" algorithm and
> starts to reassign previous expired leases. It will get out of order
> quickly. In addition, clients with leases that have expired because
> they drove away, can come back the next day and request the same IP
> address and get it. That creates the situation where even rebooting
> the router and flushing the DHCP lease cache, won't guarantee that the
> returning client gets a new (sequential) lease, instead of recycling
> the old one.
>
> If you convince the DI-724GU to allow 253 IP's in the DHCP address
> pool, it will remain sequential for a while, but eventially get
> scrambled.
>
> So, why do you need sequential IP's? Are you just trying to make sure
> that a given computah always gets assigned the same IP address? That's
> easy with "static DHCP", "reserved DHCP" or "pre-assigned DHCP"
> feature. Looks like the DI-724GU has this feature:
> http://support.dlink.com/emulators/di724u/h_dhcp.html
> Above URL doesn't work with Firefox but works with IE6. Grrrr....
>
>
> --
> Jeff Liebermann jeffl@comix.santa-cruz.ca.us
> 150 Felker St #D http://www.LearnByDestroying.com
> Santa Cruz CA 95060 http://802.11junk.com
> Skype: JeffLiebermann AE6KS 831-336-2558

"pcooley" <pcooley.newsgroups@gmail.com> hath wroth:

>I understand your points, but to add a little
>context. I've created a pool of 150 IP addresses for my home network
>of ~10 machines. From the get-go the router was delving out IP
>addresses across the map. The first two IPs were 192.168.0.106 and
>192.168.0.132 after turning the router on for the first time.

That can happen if the clients were previously connected to a
different DHCP server with the same IP address. The client will try
to renew the same IP address as it previously obtained from the old
DHCP server, even after the lease has expired.

In Windoze XP, if you run:
IPCONFIG /RELEASE
it will clear the save DHCP address, and try to obtain a new one when
you run:
IPCONFIG /RENEW

>> So, why do you need sequential IP's?
>
>There is no particular reason for this other than cleanliness in a
>mathematic/sequencial sense.

All networking starts out clean and elegant. It then follows entropy
towards virtualization, randomness, encryption, and generally
messiness.

It's possible that someone might have considered predictable DHCP IP
assignments to be some manner of security risk. I you know the next
DHCP IP address to be assigned, one could use that IP to hijack a
session. However, I'm just guessing and have no idea if this is
correct.

>> Are you just trying to make sure that a given computah always gets assigned the same IP address?
>
>You are correct about using the DHCP feature. For servers I have used
>the DHCP reservation feature, it works well. This is only for the
>assortment of laptops/desktops that get turned on in my home LAN.

Well, the obvious solution is to use the "reserved IP" feature with
all your laptops/desktops.

>I am just presuming that the DHCP server in the DI-724 has a
>non-typical configuration by default and maybe D-Link has a
>fix/configuration change to clean up this tiny little mess.

Dunno.

>Paul Cooley
>http://www.paulcooley.com
>http://linuxlore.blogspot.com
--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Jeff Liebermann wrote:
> That can happen if the clients were previously connected to a
> different DHCP server with the same IP address. The client will try
> to renew the same IP address as it previously obtained from the old
> DHCP server, even after the lease has expired.

You are correct. Part of the DHCP protocol, the DHCPDISCOVER phase,
allows for an option to request an IP address.

Prior to the installation of this router, these computers were all
connected to a DI-624 and when they were they had IP addresses of
192.168.0.100 - 192.168.0.112. In the upgrade to the DI-724DU the
machines where powered down appropriately.

>
> All networking starts out clean and elegant. It then follows entropy
> towards virtualization, randomness, encryption, and generally
> messiness.
>

Many philosophical debates can start with the above statement ;)

>
> It's possible that someone might have considered predictable DHCP IP
> assignments to be some manner of security risk. I you know the next
> DHCP IP address to be assigned, one could use that IP to hijack a
> session. However, I'm just guessing and have no idea if this is
> correct.

Potentially security could be a problem, but if I've got unwanted hosts
on my local LAN I have bigger problems upstream. That is a good theory
though. I hadn't thought of it.

Just to try out D-Link support on this issue, I submitted a ticket.
Interestingly, but not a surprise, they have the response below. They
suggest static IPs for all machines. Not a happy path for myself, for
instance having my parents/friends bring over their laptops and have to
manually give them IP addresses isn't on my 'I sign up for that' list.


Thank-you,
Paul Cooley
http://linuxlore.blogspot.com

Email response from D-Link Technical support:
Paul,

We appreciate you writing to us.

Please try assigning a static Ip to all the computers.

Windows 2000/XP

To release and renew IP address, go to Start > Run. Type in CMD and
press Enter. At the prompt, type in ipconfig and press Enter. This
will display the adapter information such as IP address, Subnet mask,
and default gateway.

To view additional information such as Mac address, DNS servers, etc,
type in ipconfig /all.

To release IP address, type ipconfig /release.

To renew IP address, type ipconfig /renew.

If you are not able to get an IP address try setting one statically:

Windows 2000

Step 1 Right-click on My Network Places and select Properties.

Step 2 Right-click on the Local Area Connection which represents your
network card and select Properties.

Step 3 Highlight Internet Protocol (TCP/IP) and click Properties.
Enter your IP information for your network.

If connecting to a router, make sure the default gateway and a DNS
server is the IP address of the router (192.168.0.1).

Windows XP

Step 4 Click on Start > Control Panel > Network and Internet
Connections > Network connections.

Step 5 See Step 2 for Windows 2000 and continue from there.

Should you require further assistance with your D-Link products, please
reply to this message, or call toll free at 877-453-5465.

For D-Link's preferred Home Networking application please try
http://www.networkmagic.com/nmlp/dlinksupport.php from Pure Networks.
It simplifies Microsoft Networking and may allow you to trouble shoot
your network on your own.

Thank you for networking with D-Link.

Sincerely,
******* ********
D-Link Technical Support

Yes, apparently people have considered that. I was asking about IP
addresses (and also port numbers) this summer, and someone pointed out
that the newer algorithms hand out IP addresses and port numbers
randomly to avoid certain man-in-the-middle attacks, and went on to
sketch out how such an attack could be conducted.

You don't want your IP addresses or your port numbers to be assigned
sequentially as a spoofer can use that to break into your network.
It's not trivial to exploit, but it is an additional vulnerability.

paulcharlescooley@gmail.com hath wroth:

>Prior to the installation of this router, these computers were all
>connected to a DI-624 and when they were they had IP addresses of
>192.168.0.100 - 192.168.0.112. In the upgrade to the DI-724DU the
>machines where powered down appropriately.

If their leases haven't expired when you changed routers, the clients
will request the old address from the new router. Rebooting the
computah does nothing. I think (not sure) that:
IPCONFIG /release
clears the old IP address.

>> All networking starts out clean and elegant. It then follows entropy
>> towards virtualization, randomness, encryption, and generally
>> messiness.

>Many philosophical debates can start with the above statement ;)

Nope. Just one debate. Every project I've ever worked on started out
as an elegant proposition, where all the parts and pieces were to fit
together neatly, and nothing could go wrong. The final results were
usually the opposite. Any bright ideas along the way, that promised
more elegance, were met with firm opposition by management, claiming
that it would "ruin the schedule" or some such rot. This insured that
any complexities and messiness that were originally required to
salvage the design, were deemed permanent. Much to my amazement, some
of the the stuff I designed and worked on actually worked despite the
conspicuous lack of elegance and neatness.

>Potentially security could be a problem, but if I've got unwanted hosts
>on my local LAN I have bigger problems upstream. That is a good theory
>though. I hadn't thought of it.

If you have unwanted hosts, then use encryption to keep them off.

>Just to try out D-Link support on this issue, I submitted a ticket.

Masochist.

>Email response from D-Link Technical support:

(boiler plate answer excavated from the support database.)

>For D-Link's preferred Home Networking application please try
>http://www.networkmagic.com/nmlp/dlinksupport.php from Pure Networks.
>It simplifies Microsoft Networking and may allow you to trouble shoot
>your network on your own.

Yech. I remove that thing when installed (usually by AOL). I guess
it might be useful, but I haven't found it so.



--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Jeff Liebermann wrote:
>
> If their leases haven't expired when you changed routers, the clients
> will request the old address from the new router. Rebooting the
> computah does nothing. I think (not sure) that:
> IPCONFIG /release
> clears the old IP address.

As you recall these were all well ordered at one time, so if they
requested their old IP and got it all would be well in my bubble.

>
> Nope. Just one debate. Every project I've ever worked on started out
> as an elegant proposition, where all the parts and pieces were to fit
> together neatly, and nothing could go wrong. The final results were
> usually the opposite. Any bright ideas along the way, that promised
> more elegance, were met with firm opposition by management, claiming
> that it would "ruin the schedule" or some such rot. This insured that
> any complexities and messiness that were originally required to
> salvage the design, were deemed permanent. Much to my amazement, some
> of the the stuff I designed and worked on actually worked despite the
> conspicuous lack of elegance and neatness.

Indeed. Many times my desire for clean solutions aren't necessary.
However, I always feel that the cost of maintaining and supporting
these systems isn't often considered. If the design/implementation was
clean(er) then often the modifications 3 years down the road fall out
easier.

> If you have unwanted hosts, then use encryption to keep them off.

I assure you that I don't have any unwanted hosts, all is encrypted. I
was only using that as an example.

> >Just to try out D-Link support on this issue, I submitted a ticket.
>
> Masochist.

:-). In all truth I used the same email that I posted and it didn't
cost me much time. They responded quickly. Kodos to them.


Thanks for the interesting conversation.

Paul Cooley
http://linuxlore.blogspot.com

Thanks. That is backed up by what I am seeing too.

Paul Cooley
http://linuxlore.blogspot.com
Chris F Clark wrote:
> Yes, apparently people have considered that. I was asking about IP
> addresses (and also port numbers) this summer, and someone pointed out
> that the newer algorithms hand out IP addresses and port numbers
> randomly to avoid certain man-in-the-middle attacks, and went on to
> sketch out how such an attack could be conducted.
>
> You don't want your IP addresses or your port numbers to be assigned
> sequentially as a spoofer can use that to break into your network.
> It's not trivial to exploit, but it is an additional vulnerability.