Firewall Wizards mailing list archives
RE: IPv6 comes in the game
From: "Sloane, David" <DSloane () vfa com>
Date: Tue, 4 May 2004 11:56:13 -0400
Lorand,

Maybe I'm not understanding your question, but doesn't the IPv6 address of Host-A include Host-A's (reported) MAC address? For example, in RFC 1884 - IP Version 6 Addressing Architecture - http://www.faqs.org/rfcs/rfc1884.html

"  Site-Local addresses have the following format:

   |    10    |
   |   bits   |  n bits |    m bits     |        118-n-m bits        |
   +----------+---------+---------------+----------------------------+
   |1111111011|    0    |   subnet ID   |        interface ID        |
   +----------+---------+---------------+----------------------------+"

and RFC 2073 - An IPv6 Provider-Based Unicast Address Format - http://www.faqs.org/rfcs/rfc2073.html

"  |            64 bits             |  16 bits  |      48 bits     |
   +--------------------------------+-----------+------------------+
   |       Subscriber Prefix        | Subnet ID |   Interface ID   |
   +--------------------------------+-----------+------------------+"

It seems like you can allow only specific IPv6 addresses based on specific MAC addresses and restrict everything else. Of course, this doesn't fix MAC address spoofing.

If you can't get your 802.1x per-port authentication to work, you could do per-port VLANs. But that would add another configuration step and opportunity for error, not to mention pretty complex switch configurations. The problem with 802.1x that I've had is finding good troubleshooting tools to figure out what's breaking and what's working.

-David

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Lorand Jakab
Sent: May 04, 2004 8:33 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] IPv6 comes in the game

Hello everyone,

I am responsible for a university campus building internal network with 200+ computers, currently NAT-ed through a FreeBSD box. Anyone connecting to the network has to register and is given a static IP address. In order to prevent spoofing, they have to specify their MAC address and I enter a static ARP cache entry via /etc/ethers. All unassigned addresses for the subnet pool have a static entry also, so they cannot be used (unless guessed).

Now the box has an IPv6 address as well, and a prefix for the internal network, and I would like to forward IPv6 traffic too. But the above approach is not feasible anymore (not a good idea to have a 2^64 entry static neighbor cache). Is it possible to prevent unassigned IP addresses from being used for Internet access without entering each assigned address in the firewall, while still having static MAC entries for registered addresses?

What would you recommend for this scenario, so it would only be possible to spoof an address if a user changed the MAC address of his NIC to another legitimate user's MAC, the IP to the other user's IP (if no autoconfiguration will be used, I haven't decided that yet) and the legitimate station would not be turned on?

Thanks in advance,
Lorand Jakab

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
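An added example, not code from either poster, of the check David describes: derive the modified EUI-64 interface ID from a registered MAC and accept an IPv6 source only when it carries that interface ID under the site prefix. The prefix, MACs and registration table are constructed, and it assumes hosts form their addresses by EUI-64 autoconfiguration rather than manual or privacy addresses.

```python
import ipaddress

def mac_to_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID from a 48-bit MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    # Insert FF:FE between the OUI and the NIC-specific half, then flip
    # the universal/local bit (bit 0x02 of the first octet).
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")

def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The autoconfigured address a host with this MAC forms in a /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_interface_id(mac))

# Constructed registration table (registered MAC -> owner), the IPv6
# counterpart of the /etc/ethers entries in the original question.
REGISTERED = {
    "00:11:22:33:44:55": "alice",
    "00:11:22:33:44:66": "bob",
}
SITE_PREFIX = "2001:db8:1234:1::/64"   # constructed example prefix

def check_source(src_mac: str, src_addr: str) -> str:
    """Classify a (source MAC, source IPv6) pair seen at the border.

    Returns "ok" only when the MAC is registered and the address is the
    EUI-64 address that MAC should form under the site prefix; otherwise a
    short reason. A host that clones a registered MAC and its address still
    passes, which is the limitation David points out.
    """
    mac = src_mac.lower()
    if mac not in REGISTERED:
        return "unregistered-mac"
    addr = ipaddress.IPv6Address(src_addr)
    if addr not in ipaddress.IPv6Network(SITE_PREFIX):
        return "off-prefix"
    if addr != eui64_address(SITE_PREFIX, mac):
        return "address-mac-mismatch"
    return "ok"
```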