Re: IPv6 comes in the game

[Michael Brown <topo2 () pacbell net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry if 2x posted.
802.1x is also fine with FreeRADIUS, I've used personlly on Linux/*BSD
with Linux/*BSD/Win2k.XP clients, wired or wl.
 
On Tue, 4 May 2004 09:51:01 -0500
"Victor Williams" <vbwilliams () essvote net> wrote:

> Microsoft Windows 2000/2003 server does 802.1x auth fine.  We use to handle
> wireless access as well as port access on certain switches in the network.
>
>  
> Victor Williams 
>
>
> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com
> [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Paul D.
> Robertson
> Sent: Tuesday, May 04, 2004 9:23 AM
> To: Lorand Jakab
> Cc: firewall-wizards () honor icsalabs com
> Subject: Re: [fw-wiz] IPv6 comes in the game
>
>
> On Tue, 4 May 2004, Lorand Jakab wrote:
>
> > Now the box has an IPv6 address as well, and a prefix for the internal 
> > network, and I would like to forward IPv6 traffic too. But the above 
> > approach is not feasable anymore (not a good idea to have a 2^64 entry 
> > static neighbor cache). Is it possible to prevent using unassigned IP 
> > addresses to be used for Internet access without entering each 
> > assigned address in the firewall, while still having static MAC 
> > entries for registered addresses?
>
> Surely you're not going to have 2^64 active neighbors?  I don't see how a v6
> address changes things really?
>
> In any case, you might want to look at your layer 2 networking gear and see
> if authenticating the device via 802.1x is reasonable (it's built into the
> green switches, not sure about the others.)  You may be able to do some
> "hand out an address by authentication group" sort of thing.  I'm not sure
> what RADIUS servers support 802.1x though- and it's probably not a
> well-trodden path.
>
> > What would you recommend for this scenario, so it would only be 
> > possible to spoof an address, if a user changed the MAC addres of his 
> > NIC to another legitimate user's MAC, the IP to the other user's IP 
> > (if no autoconfiguration will be used, I haven't decided that yet) and 
> > the legitimate station would not be turned on?
>
> If you force the user to authenticate prior to forwarding packets, as 802.1x
> does on switches, then you're able to log the authentication at the RADIUS
> server, and equate network activity to a port.  If the port's locked to an
> IP address, then you have the ability to track and basically eliminate abuse
> by authenticator.
>
> I'd probably look at RADIUS servers to see if there's any group addressing
> support, so that you could enable a user's addressing request by userid to
> be v4 or v6.
>
> I really wish I had the time to fool around with 802.1x, it really looks
> like the best place to do authentication, especially if you can translate
> the results into VLANs or address blocks.
>
> Paul
> ----------------------------------------------------------------------------
> -
> Paul D. Robertson      "My statements in this message are personal opinions
> paul () compuwar net       which may have no basis whatsoever in fact."
> probertson () trusecure com Director of Risk Assessment TruSecure Corporation
> _______________________________________________
> firewall-wizards mailing list firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAmI9VyEfMczxaHdsRAljyAKCKO6GyLyfS0axeaxZAbWiCdg1lZACdFhl3
mDNDfbnTesZAwnS5Dtj99cQ=
=DDHL
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards