Firewall Wizards mailing list archives

802.1x was: IPv6 comes in the game


From: Andras Kis-Szabo <kisza () securityaudit hu>
Date: Wed, 05 May 2004 10:44:35 +0200

Hi Victor,
Dear All,

Microsoft Windows 2000/2003 server does 802.1x auth fine.  We use it to handle
wireless access as well as port access on certain switches in the network.
And do you trust the security of the 802.1x protocol on wireless
networks? (What is the situation with the first steps and the
key exchanges?)

Now the box has an IPv6 address as well, and a prefix for the internal 
network, and I would like to forward IPv6 traffic too. But the above 
approach is not feasible anymore (not a good idea to have a 2^64 entry 
static neighbor cache). Is it possible to prevent unassigned IP 
addresses from being used for Internet access without entering each 
assigned address in the firewall, while still having static MAC 
entries for registered addresses?
Probably the eui64 match in Linux Netfilter could help you in some
limited cases (and older implementations).


If you force the user to authenticate prior to forwarding packets, as 802.1x
does on switches, then you're able to log the authentication at the RADIUS
server, and equate network activity to a port.  If the port's locked to an
IP address, then you have the ability to track and basically eliminate abuse
by authenticator.
And you could get a deadlock. The IPv6 network itself is a little bit
different from IPv4 networks in the area of on-link protocols. Please
check the differences before you put mandatory authentication on
each packet!

Best regards,

Andras

-- 
Andras Kis-Szabo <kisza () securityaudit hu>
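The eui64 match mentioned in the reply only helps when a host's IPv6 interface identifier is actually derived from its MAC address. As an added illustration (not code from the thread or from Netfilter), the following Python reproduces that comparison and shows why it covers only limited cases: the sample neighbor-cache entries and MAC addresses are constructed, and `unverifiable_neighbors` is a hypothetical helper name.

```python
import ipaddress


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, App. A):
    flip the universal/local bit of the first octet and insert 0xFFFE in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def eui64_match(addr: str, mac: str) -> bool:
    """True when the low 64 bits of addr equal the EUI-64 derived from mac.
    This is the condition the ip6tables eui64 match tests between a packet's
    IPv6 source address and its source MAC."""
    return ipaddress.IPv6Address(addr).packed[8:] == mac_to_eui64_iid(mac)


def unverifiable_neighbors(neighbors):
    """Given (ipv6, mac) pairs as seen in a neighbor cache, return the addresses
    whose interface identifier is not EUI-64-derived from the MAC.  Such hosts
    (privacy extensions, stable non-EUI-64 identifiers, manually configured
    addresses) cannot be bound to a MAC by the eui64 match, which is why that
    match only helps in limited cases."""
    return [ip for ip, mac in neighbors if not eui64_match(ip, mac)]


# Constructed sample neighbor-cache entries (not real hosts or MACs).
SAMPLE_NEIGHBORS = [
    ("2001:db8:1::21b:21ff:fe3c:4d5e", "00:1b:21:3c:4d:5e"),   # SLAAC, EUI-64 derived
    ("2001:db8:1::a1b2:c3d4:e5f6:7890", "00:1b:21:3c:4d:5e"),  # privacy address, same host
    ("2001:db8:1::10", "00:1b:21:aa:bb:cc"),                   # manually configured
]

if __name__ == "__main__":
    for ip, mac in SAMPLE_NEIGHBORS:
        print(f"{ip:36} {mac}  eui64_match={eui64_match(ip, mac)}")
    print("not bindable by eui64 match:", unverifiable_neighbors(SAMPLE_NEIGHBORS))
```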

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
