Firewall Wizards mailing list archives
Re: IPv6 comes in the game
From: Michael Brown <topo2 () pacbell net>
Date: Tue, 4 May 2004 23:53:09 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sorry if 2x posted. 802.1x is also fine with FreeRADIUS, I've used personlly on Linux/*BSD with Linux/*BSD/Win2k.XP clients, wired or wl. On Tue, 4 May 2004 09:51:01 -0500 "Victor Williams" <vbwilliams () essvote net> wrote:
Microsoft Windows 2000/2003 server does 802.1x auth fine. We use to handle wireless access as well as port access on certain switches in the network. Victor Williams -----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Paul D. Robertson Sent: Tuesday, May 04, 2004 9:23 AM To: Lorand Jakab Cc: firewall-wizards () honor icsalabs com Subject: Re: [fw-wiz] IPv6 comes in the game On Tue, 4 May 2004, Lorand Jakab wrote:Now the box has an IPv6 address as well, and a prefix for the internal network, and I would like to forward IPv6 traffic too. But the above approach is not feasable anymore (not a good idea to have a 2^64 entry static neighbor cache). Is it possible to prevent using unassigned IP addresses to be used for Internet access without entering each assigned address in the firewall, while still having static MAC entries for registered addresses?Surely you're not going to have 2^64 active neighbors? I don't see how a v6 address changes things really? In any case, you might want to look at your layer 2 networking gear and see if authenticating the device via 802.1x is reasonable (it's built into the green switches, not sure about the others.) You may be able to do some "hand out an address by authentication group" sort of thing. I'm not sure what RADIUS servers support 802.1x though- and it's probably not a well-trodden path.What would you recommend for this scenario, so it would only be possible to spoof an address, if a user changed the MAC addres of his NIC to another legitimate user's MAC, the IP to the other user's IP (if no autoconfiguration will be used, I haven't decided that yet) and the legitimate station would not be turned on?If you force the user to authenticate prior to forwarding packets, as 802.1x does on switches, then you're able to log the authentication at the RADIUS server, and equate network activity to a port. If the port's locked to an IP address, then you have the ability to track and basically eliminate abuse by authenticator. I'd probably look at RADIUS servers to see if there's any group addressing support, so that you could enable a user's addressing request by userid to be v4 or v6. I really wish I had the time to fool around with 802.1x, it really looks like the best place to do authentication, especially if you can translate the results into VLANs or address blocks. Paul ---------------------------------------------------------------------------- - Paul D. Robertson "My statements in this message are personal opinions paul () compuwar net which may have no basis whatsoever in fact." probertson () trusecure com Director of Risk Assessment TruSecure Corporation _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAmI9VyEfMczxaHdsRAljyAKCKO6GyLyfS0axeaxZAbWiCdg1lZACdFhl3 mDNDfbnTesZAwnS5Dtj99cQ= =DDHL -----END PGP SIGNATURE----- _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- IPv6 comes in the game Lorand Jakab (May 04)
- Re: IPv6 comes in the game Paul D. Robertson (May 04)
- RE: IPv6 comes in the game Victor Williams (May 04)
- Re: IPv6 comes in the game Michael Brown (May 05)
- 802.1x was: IPv6 comes in the game Andras Kis-Szabo (May 05)
- Re: 802.1x was: IPv6 comes in the game Victor B. Williams (May 05)
- RE: 802.1x was: IPv6 comes in the game Victor Williams (May 05)
- RE: IPv6 comes in the game Victor Williams (May 04)
- Re: IPv6 comes in the game Lorand Jakab (May 04)
- Re: IPv6 comes in the game Paul D. Robertson (May 04)
- <Possible follow-ups>
- RE: IPv6 comes in the game Sloane, David (May 04)
- RE: IPv6 comes in the game Lorand Jakab (May 04)
- RE: IPv6 comes in the game Eduardo Jacob (May 05)