Every so often I'll find myself discussing some aspect of network address architecture and the matter of static versus dynamic addressing will surface. Each approach has benefits and drawbacks. However, I wanted to debunk a myth that has always irked me: static addressing is not a security measure.
Some people argue that DHCP exposes a vulnerability because it allows an attacker who connects to your network to automatically receive a valid address. This is akin to asserting that rolling up the windows of your car will protect it from being stolen. Anyone with layer two connectivity to your network is free to send packets from whatever address he chooses, valid or not. (Whether those packets actually make it anywhere depends on the access controls applied to the infrastructure itself.) Additionally, any intruder with half a clue will have no problem finding a valid source IP address on a statically assigned network if that's what he needs.
Most of the audience is already well aware of these facts, and understands that static addressing offers no advantage over DHCP in terms of securing a network. However, I'd like to reverse the argument and suggest that DHCP can actually offer better security than static addressing, through the use of IP source guard and Dynamic ARP Inspection (DAI) on Cisco switches. Traffic can be restricted on layer two ports so that only packets with a valid IP source address (assigned via DHCP) are allowed onto the network.
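To show what that restriction looks like in practice, here is an added Cisco IOS configuration example (not from the original post) that builds a DHCP snooping binding table and then uses IP Source Guard and DAI to drop traffic from any address a host was not leased. The VLAN number, interface names, rate limits and the sample MAC/IP for the static binding are assumptions chosen for illustration.

```cisco
! DHCP snooping builds the (MAC, IP, VLAN, port) binding table that
! IP Source Guard and DAI both consult. Enable it globally and per VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default; disable it unless the DHCP
! server is known to accept relay information from a layer two switch.
no ip dhcp snooping information option
!
! Dynamic ARP Inspection: ARP replies whose sender IP/MAC pair is not in
! the binding table are dropped, which blocks ARP spoofing on the VLAN.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Uplink toward the DHCP server and gateway: trusted, so legitimate
! DHCP offers and gateway ARP traffic are not filtered.
interface GigabitEthernet1/0/48
 description uplink to distribution (DHCP server lives upstream)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! User access port: untrusted by default. "ip verify source" permits only
! IP packets whose source address matches a binding learned on this port.
! Adding the "port-security" keyword (with switchport port-security)
! extends the check to the source MAC as well.
interface GigabitEthernet1/0/1
 description user access port
 switchport mode access
 switchport access vlan 10
 ip verify source
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
!
! A host that must keep a static address (a printer, say) still works:
! give it a manual binding instead of exempting the port.
! Values below are placeholders, not real devices.
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface GigabitEthernet1/0/2
!
! Verification commands to confirm bindings and which ports filter.
! show ip dhcp snooping binding
! show ip verify source
! show ip arp inspection interfaces
```

A host on Gi1/0/1 that sends from an address other than its DHCP lease has those packets dropped at the port, and "show ip verify source" lists the active filters so the behaviour can be confirmed before rolling it out more widely.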
I'm curious whether any readers have faced a similar argument in their work, on either side, or if anyone can provide an opposing viewpoint. Comments?