Firewall Wizards mailing list archives

RE: IPv6 comes in the game


From: "Sloane, David" <DSloane () vfa com>
Date: Tue, 4 May 2004 11:56:13 -0400

Lorand,

Maybe I'm not understanding your question, but doesn't the IPv6 address
of Host-A include Host-A's (reported) MAC address?

For example, in RFC 1884 - IP Version 6 Addressing Architecture -
http://www.faqs.org/rfcs/rfc1884.html

"   Site-Local addresses have the following format:

    |   10     |
    |  bits    | n bits  |    m bits     |       118-n-m bits         |
    +----------+---------+---------------+----------------------------+
    |1111111011|    0    |   subnet ID   |       interface ID         |
    +----------+---------+---------------+----------------------------+"


and RFC 2073 - An IPv6 Provider-Based Unicast Address Format -
http://www.faqs.org/rfcs/rfc2073.html


"     |                64 bits             |  16 bits  |     48 bits      |
      +--------------------------------+-----------+------------------+
      |       Subscriber Prefix        | Subnet ID |   Interface ID   |
      +--------------------------------+-----------+------------------+"



It seems like you can allow only specific IPv6 addresses based on
specific MAC addresses and restrict everything else.

Of course, this doesn't fix MAC address spoofing.  If you can't get your
802.1x per-port authentication to work, you could do per-port VLANs.
But that would add another configuration step and opportunity for error,
not to mention pretty complex switch configurations.

The problem with 802.1x that I've had is finding good troubleshooting
tools to figure out what's breaking and what's working.

-David
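An added example (editor's code, not part of David's or Lorand's messages) of the mapping David is pointing at: with stateless autoconfiguration the 64-bit interface ID is the modified EUI-64 of the NIC's MAC (the two halves of the MAC with FFFE inserted and the universal/local bit flipped), so the MAC list already kept in /etc/ethers can be turned into an exact list of permitted IPv6 addresses, and any address in the prefix that does not decode to a registered MAC can be dropped. The prefix, the MACs and the pf rule syntax are assumptions for illustration; the thread does not say which firewall the FreeBSD box runs.

```python
import ipaddress
from typing import Optional

# Constructed sample data: a documentation prefix and three made-up MACs standing
# in for the /etc/ethers registrations described in the thread.
SITE_PREFIX = ipaddress.IPv6Network("2001:db8:1234:1::/64")
REGISTERED_MACS = ["00:0c:29:ab:cd:ef", "34:56:78:9a:bc:de", "00-11-22-33-44-55"]


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits, colon separated; reject anything else."""
    digits = mac.lower().replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_to_eui64(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 2373/4291 addressing architecture):
    split the 48-bit MAC into two 24-bit halves, insert 0xFFFE between them,
    and invert the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(normalize_mac(mac).replace(":", ""))
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def eui64_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """The autoconfigured address a host with this MAC would form in the prefix."""
    if prefix.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID needs a 64-bit prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | mac_to_eui64(mac))


def mac_from_address(addr: ipaddress.IPv6Address) -> Optional[str]:
    """Inverse mapping: the MAC an EUI-64-style address claims, or None when the
    interface ID lacks the FFFE marker (a hand-picked or privacy address)."""
    iid = (int(addr) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in raw)


def is_permitted(addr: str, prefix: ipaddress.IPv6Network, macs) -> bool:
    """Allow only addresses inside the prefix whose embedded MAC is registered;
    everything else in the 2^64 interface-ID space is rejected without a per-address entry."""
    a = ipaddress.IPv6Address(addr)
    if a not in prefix:
        return False
    claimed = mac_from_address(a)
    return claimed is not None and claimed in {normalize_mac(m) for m in macs}


def pf_table(name: str, prefix: ipaddress.IPv6Network, macs) -> str:
    """Emit a pf(4) table plus block/pass rules for the registered hosts
    (pf syntax is assumed here; an ipfw ruleset would be built from the same list)."""
    addrs = sorted(eui64_address(prefix, m) for m in macs)
    lines = [f"table <{name}> persist {{ " + ", ".join(map(str, addrs)) + " }",
             "block in on $int_if inet6 all",
             f"pass in on $int_if inet6 from <{name}> to any"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(pf_table("v6_hosts", SITE_PREFIX, REGISTERED_MACS))
    for probe in ["2001:db8:1234:1:20c:29ff:feab:cdef",   # registered MAC
                  "2001:db8:1234:1:20c:29ff:feab:cd00",   # same OUI, unregistered MAC
                  "2001:db8:1234:1::1234"]:               # no FFFE marker at all
        verdict = "allowed" if is_permitted(probe, SITE_PREFIX, REGISTERED_MACS) else "blocked"
        print(probe, verdict)
```

Two caveats that belong with this: the check only proves the address was formed from a registered MAC, not that the registered card sent the packet, so it adds nothing against MAC spoofing beyond what the static ARP/neighbor entries already give; and hosts using the privacy extensions for stateless autoconfiguration (RFC 3041, later RFC 4941) pick random interface IDs with no FFFE marker, so they fail this check by design and would need to be disabled on clients or handled separately.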

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Lorand
Jakab
Sent: May 04, 2004 8:33 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] IPv6 comes in the game


Hello everyone,
I am responsible for a university campus building internal network with
200+ computers, currently NAT-ed through a FreeBSD box. Anyone
connecting to the network has to register and is given a static IP
address. In order to prevent spoofing, they have to specify their MAC
address and I enter a static ARP cache entry via /etc/ethers. All
unassigned addresses for the subnet pool have a static entry also, so
they cannot be used (unless guessed).

Now the box has an IPv6 address as well, and a prefix for the internal
network, and I would like to forward IPv6 traffic too. But the above
approach is not feasible anymore (not a good idea to have a 2^64 entry
static neighbor cache). Is it possible to prevent unassigned IP
addresses from being used for Internet access without entering each assigned
address in the firewall, while still having static MAC entries for
registered addresses?

What would you recommend for this scenario, so it would only be possible
to spoof an address, if a user changed the MAC address of his NIC to
another legitimate user's MAC, the IP to the other user's IP (if no
autoconfiguration will be used, I haven't decided that yet) and the
legitimate station would not be turned on?

Thanks in advance,
Lorand Jakab

_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

