bootp: it's dead Jim, dead.

By Paul Murphy, author of The Unix Guide to Defenestration

DHCP is widely assumed to be a standard component of any network set-up, but it shouldn't be. From a security perspective, you're much better off with static IP assignments, even if that is harder to manage in a mixed Unix/Wintel environment.

The reason for that is simple: it thwarts users who try to sneak in their own wireless access points or other IP devices that provide easy access to the drive-by hacker community.

You'll get a lot of argument from the PC community on this -- and I find that reminding them of DHCP's origin as a Windows 3.11 network patch cobbled together from Unix bootp code for diskless device support doesn't seem to move them to enthusiasm -- but the bottom line is that requiring all devices to have permanently assigned static addresses gives you far better control over who uses your network and for what.
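One way to put that control to work, as an added example that is not the author's own code: with every device statically assigned, the assignment table becomes an authoritative inventory, and anything seen on the wire that disagrees with it is a finding. The inventory, the sample neighbour table (in Linux `ip neigh show` format) and the function names are constructed for illustration.

```python
import re

# Constructed static-assignment inventory (IP -> MAC), documentation ranges only.
STATIC_INVENTORY = {
    "192.0.2.10": "00:00:5e:00:53:0a",
    "192.0.2.11": "00:00:5e:00:53:0b",
    "192.0.2.12": "00:00:5e:00:53:0c",
}

# Constructed sample in the format printed by `ip neigh show` on Linux.
SAMPLE_NEIGH = """\
192.0.2.10 dev eth0 lladdr 00:00:5e:00:53:0a REACHABLE
192.0.2.11 dev eth0 lladdr 00:00:5e:00:53:ff STALE
192.0.2.77 dev eth0 lladdr 00:00:5e:00:53:77 REACHABLE
192.0.2.12 dev eth0  FAILED
192.0.2.99 dev eth0 lladdr 00:00:5E:00:53:0C DELAY
"""

NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9A-Fa-f:]{17})\s+(\S+)")

def parse_neigh(text):
    """Yield (ip, mac) for entries that have a resolved link-layer address."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group(4) not in ("FAILED", "INCOMPLETE"):
            yield m.group(1), m.group(3).lower()

def audit(neigh_text, inventory):
    """Compare observed neighbours with the static inventory; return findings."""
    mac_to_ip = {mac.lower(): ip for ip, mac in inventory.items()}
    findings = []
    for ip, mac in parse_neigh(neigh_text):
        expected = inventory.get(ip)
        if expected is not None and expected.lower() == mac:
            continue  # address and hardware both match the assignment
        if expected is not None:
            findings.append((ip, mac, "assigned IP used by unexpected MAC"))
        elif mac in mac_to_ip:
            findings.append((ip, mac, "known MAC on unassigned IP (assigned %s)" % mac_to_ip[mac]))
        else:
            findings.append((ip, mac, "unknown device"))
    return findings

if __name__ == "__main__":
    for ip, mac, reason in audit(SAMPLE_NEIGH, STATIC_INVENTORY):
        print(f"{ip:15} {mac}  {reason}")
```

A MAC address is easy to change, so a clean result shows only that nothing visibly conflicts with the inventory.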

One compromise you may be able to sell them on is to use IPv6 internally -- giving you static addressing while preserving the Wintel approach to external access using proxy servers, gateways, and NAT. This approach isn't always feasible, but where it is, you can often sell them on the gee-whizziness of getting ahead of future technology at the hidden cost of giving you better network security and control. And when they start blaming IPv6 for boot or other network problems, just let them drop two groups from the static address.