 
jmay
Member
Topic Author
Posts: 326
Joined: Tue Jun 23, 2009 8:26 pm

Scientific Explanation needed for DHCP renew needed!

Tue Aug 09, 2016 10:31 pm

I need someone to answer this question for me, preferably someone from MT. We have a subpoena from the authorities investigating a customer and they want to know information on who an IP address belongs to. We are a small WISP and have no history tracking in place. The date in question is 10 days ago and our DHCP server is set up with a 7 day lease. I know from experience that MT will always re-hand out the same IP each time, but since there is a small chance this IP was being used by another customer I need to know specifically how the DHCP release and renew works. If the MT lease expires, how long will the MT hold that address in memory before allocating it to someone else? I ask this because I've seen leases expire before and modules will still get the same IP again, so is that a coincidence or is there a period of time that the router will store that information? Also, the subscriber in this case is a Canopy module, which does not log DHCP client renew information; if this had been a MT subscriber this probably would have been easier.

Thanks!
 
barkas
Member Candidate
Posts: 260
Joined: Sun Sep 25, 2011 10:51 pm

Re: Scientific Explanation needed for DHCP renew needed!

Tue Aug 09, 2016 11:59 pm

If you answer that you know whose IP that was, best be absolutely sure.

So, you cannot be sure, since you have no logs and the lease expired at least once.
 
IntrusDave
Forum Guru
Posts: 1290
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Scientific Explanation needed for DHCP renew needed!

Wed Aug 10, 2016 12:11 am

From an admin point of view, you can safely assume that the client has had the same IP for quite some time.
From a legal point of view, unless you log to a syslog, you have no admissible evidence that you can hand over.


The DHCP will assign an address. The client will renew that address 50% through. On a 7 day lease, the client renews at 3 days, 12 hours. The server will allow the client to keep that address until the lease fully expires, without a renewal. So, you can assume the client with that address today had it 3 days before that, and 3 days before that... and so on.

David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
jmay
Member
Topic Author
Posts: 326
Joined: Tue Jun 23, 2009 8:26 pm

Re: Scientific Explanation needed for DHCP renew needed!

Wed Aug 10, 2016 12:48 am

I'm trying to be very delicate on how I handle this because I do not want anyone accused that potentially could be innocent. We have never needed to keep a DHCP log in the past. I now see we overlooked a major flaw in our strategy that might come back to haunt us. So if the lease expires in the MT, it's immediately available to anyone? There is no buffer period?
 
Paternot
Forum Veteran
Posts: 709
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Scientific Explanation needed for DHCP renew needed!

Wed Aug 10, 2016 5:28 am

There's no way to know. There are many implementations that try not to give an already used address to someone, until the pool is completely used.

Example:
You get 10.0.0.2, with 3 days lease time.

You keep the computer off for 6 days. From day 3 onwards the IP is available - but not necessarily used. It is quite common for the DHCP server to keep it "reserved" for You, and hand the next free IP to the next client (10.0.0.3, in our case). It will keep doing it until it completes a full circle, and THEN it would use 10.0.0.2 again.

Problem is: this is not necessarily true.

Long answer short? You don't know, and there is no way to prove it (do You have logs?). If You don't have logs, it is safer to say "I don't know".
 
jkarras
Member Candidate
Posts: 224
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: Scientific Explanation needed for DHCP renew needed!

Wed Aug 10, 2016 6:57 am

I agree with everyone here. Having worked with law enforcement on similar requests I just wanted to mention one other thing to calm some fears.

If you're not required by any industry regulation, local law, or company policy to keep the DHCP logs, don't worry about getting in trouble with law enforcement for not having info. They are just reaching out to gather as much information as they can get for their case. You are not under a microscope; the person they are investigating is. Unless of course you or your company is the one under investigation.

As others have said, if you don't have credible logs to provide, don't make up information; that is worse for everyone.
 
pe1chl
Forum Guru
Posts: 6660
Joined: Mon Jun 08, 2015 12:09 pm

Re: Scientific Explanation needed for DHCP renew needed!

Wed Aug 10, 2016 12:10 pm

The DHCP server in the MikroTik will keep a full table of MAC addresses and issued IP addresses for each available address. So, when your client has obtained a lease and it has expired, that MAC-IP combination is kept until the same client re-requests it or until so many other clients have requested an address that it needs to re-issue the address (it re-issues the oldest expired lease). Unfortunately it does not appear to be possible to print the leases that have expired, although they are remembered.

By default, the DHCP server logs each request/release in the router log. You should configure a log server to keep this information across reboots and overflows of the in-memory log store that is normally used.
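
Added example, not part of any post in this thread and not MikroTik code: once DHCP events are kept on a log server, the question in the opening post becomes an interval lookup that answers "unknown" wherever the log shows a gap. The log line layout, the host name `gw1`, the server name `dhcp1` and all addresses are constructed assumptions, and the code assumes the server writes a `deassigned` line when a lease ends.

```python
import re
from datetime import datetime

# Constructed sample of remote-syslog lines. The "assigned ... to" and
# "deassigned ... from" wording is an assumed format; adjust LINE to match
# what your router actually writes.
SAMPLE_LOG = """\
2016-07-25T08:00:02 gw1 dhcp,info dhcp1 assigned 10.0.0.2 to 0A:00:3E:00:00:01
2016-07-29T14:10:40 gw1 dhcp,info dhcp1 deassigned 10.0.0.2 from 0A:00:3E:00:00:01
2016-07-31T09:12:45 gw1 dhcp,info dhcp1 assigned 10.0.0.2 to 0A:00:3E:00:00:02
2016-08-01T07:30:00 gw1 dhcp,info dhcp1 assigned 10.0.0.3 to 0A:00:3E:00:00:01
"""

LINE = re.compile(
    r"^(?P<ts>\S+) \S+ dhcp,info \S+ (?P<ev>assigned|deassigned) "
    r"(?P<ip>\d+(?:\.\d+){3}) (?:to|from) "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})$"
)

def build_intervals(log_text):
    """Return {ip: [(start, end_or_None, mac), ...]} in log order."""
    intervals = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # unrelated or malformed line
        ts = datetime.fromisoformat(m["ts"])
        spans = intervals.setdefault(m["ip"], [])
        # Any new event for an IP closes the interval still open on it.
        if spans and spans[-1][1] is None:
            start, _, mac = spans[-1]
            spans[-1] = (start, ts, mac)
        if m["ev"] == "assigned":
            spans.append((ts, None, m["mac"].upper()))
    return intervals

def holder_at(intervals, ip, when, log_end):
    """MAC logged as holding ip at `when`, or None if the log cannot say."""
    if when > log_end:
        return None  # never extrapolate past the last collected line
    for start, end, mac in intervals.get(ip, []):
        if start <= when and (end is None or when < end):
            return mac
    return None
```

In the sample, 10.0.0.2 has no logged holder on 30 July 2016, between the `deassigned` and the next `assigned` line, so the lookup returns `None` for that date instead of guessing from the neighbouring leases.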
