Firewall Wizards mailing list archives
802.1x was: IPv6 comes in the game
From: Andras Kis-Szabo <kisza () securityaudit hu>
Date: Wed, 05 May 2004 10:44:35 +0200
Hi Victor, Dear All,
Microsoft Windows 2000/2003 server does 802.1x auth fine. We use to handle wireless access as well as port access on certain switches in the network.
And do you trust in the security of 802.1x protocol on wireless networks? (What is the situation with the first steps and the key-exchanges?)
Now the box has an IPv6 address as well, and a prefix for the internal network, and I would like to forward IPv6 traffic too. But the above approach is not feasable anymore (not a good idea to have a 2^64 entry static neighbor cache). Is it possible to prevent using unassigned IP addresses to be used for Internet access without entering each assigned address in the firewall, while still having static MAC entries for registered addresses?
Probably the eui64 match in Linux Netfilter could help you in some limited cases (and older implementations).
If you force the user to authenticate prior to forwarding packets, as 802.1x does on switches, then you're able to log the authentication at the RADIUS server, and equate network activity to a port. If the port's locked to an IP address, then you have the ability to track and basically eliminate abuse by authenticator.
And you could get a deadlock. The IPv6 network itself is a little bit different from the IPv4 networks on the on-link protocols area. Please check the differences before you put on mandatory authentication for each packets! Best regards, Andras -- Andras Kis-Szabo <kisza () securityaudit hu> _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- IPv6 comes in the game Lorand Jakab (May 04)
- Re: IPv6 comes in the game Paul D. Robertson (May 04)
- RE: IPv6 comes in the game Victor Williams (May 04)
- Re: IPv6 comes in the game Michael Brown (May 05)
- 802.1x was: IPv6 comes in the game Andras Kis-Szabo (May 05)
- Re: 802.1x was: IPv6 comes in the game Victor B. Williams (May 05)
- RE: 802.1x was: IPv6 comes in the game Victor Williams (May 05)
- RE: IPv6 comes in the game Victor Williams (May 04)
- Re: IPv6 comes in the game Lorand Jakab (May 04)
- Re: IPv6 comes in the game Paul D. Robertson (May 04)
- <Possible follow-ups>
- RE: IPv6 comes in the game Sloane, David (May 04)
- RE: IPv6 comes in the game Lorand Jakab (May 04)
- RE: IPv6 comes in the game Eduardo Jacob (May 05)