Firewall Wizards mailing list archives

IPv6 comes in the game


From: Lorand Jakab <jlori () go ro>
Date: Tue, 04 May 2004 14:32:55 +0200

Hello everyone,
I am responsible for a university campus building internal network with
200+ computers, currently NAT-ed through a FreeBSD box. Anyone
connecting to the network has to register and is given a static IP
address. In order to prevent spoofing, they have to specify their MAC
address and I enter a static ARP cache entry via /etc/ethers. All
unassigned addresses for the subnet pool have a static entry also, so
they cannot be used (unless guessed).

Now the box has an IPv6 address as well, and a prefix for the internal
network, and I would like to forward IPv6 traffic too. But the above
approach is not feasible anymore (not a good idea to have a 2^64 entry
static neighbor cache). Is it possible to prevent unassigned IP
addresses from being used for Internet access without entering each assigned
address in the firewall, while still having static MAC entries for
registered addresses?

What would you recommend for this scenario, so that it would only be possible
to spoof an address if a user changed the MAC address of his NIC to
another legitimate user's MAC, the IP to the other user's IP (if no
autoconfiguration will be used, I haven't decided that yet), and the
legitimate station was not turned on?

Thanks in advance,
Lorand Jakab

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
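The post asks how to keep unassigned addresses of an IPv6 prefix off the Internet without a static neighbor entry for each of the 2^64 hosts. The sketch below is an added example, not code from the original post: it reads an /etc/ethers-style two-column registration file (MAC, assigned IPv6 address), validates each entry against the internal prefix, and emits the static neighbor-cache entries (`ndp -s`, the IPv6 counterpart of the static ARP entries loaded from /etc/ethers on FreeBSD) together with a pf table listing only the assigned addresses. A single `block` rule against the complement of that table then drops every unassigned address of the prefix. The registration file contents, the prefix 2001:db8:1::/64 and the use of pf are assumptions made for the example; nothing is executed on the system.

```python
"""
Added example (not from the original post): generate FreeBSD static
neighbor entries and a pf table for a registered IPv6 subnet from a
small registration file.  Assumptions: an /etc/ethers-like "MAC address"
two-column layout, internal prefix 2001:db8:1::/64 (documentation
prefix, constructed), pf as the packet filter.  Commands are only
printed, never run.
"""
import ipaddress
import re

# Constructed sample registration file: MAC, assigned IPv6 address.
REGISTRATIONS = """\
# mac                address
00:11:22:33:44:55    2001:db8:1::10
00:11:22:33:44:66    2001:db8:1::11
00:11:22:33:44:77    2001:db8:2::12   # wrong prefix: rejected
zz:11:22:33:44:88    2001:db8:1::13   # bad MAC: rejected
"""

PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def parse_registrations(text, prefix=PREFIX):
    """Return (accepted, rejected): accepted is a list of (mac, IPv6Address)
    pairs that are well formed and inside the prefix; rejected holds the
    skipped lines with a reason, so a typo cannot silently open a hole."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            rejected.append((raw, "expected two fields"))
            continue
        mac, addr = fields[0].lower(), fields[1]
        if not MAC_RE.match(mac):
            rejected.append((raw, "malformed MAC"))
            continue
        try:
            ip = ipaddress.IPv6Address(addr)
        except ipaddress.AddressValueError:
            rejected.append((raw, "malformed IPv6 address"))
            continue
        if ip not in prefix:
            rejected.append((raw, "address outside %s" % prefix))
            continue
        accepted.append((mac, ip))
    return accepted, rejected


def ndp_commands(pairs):
    """Static neighbor-cache entries (FreeBSD: ndp -s host lladdr), the
    IPv6 counterpart of the static ARP entries loaded from /etc/ethers."""
    return ["ndp -s %s %s" % (ip, mac) for mac, ip in pairs]


def pf_table(pairs, name="registered6"):
    """A pf table holding only the assigned addresses.  A rule such as
    'block in quick on $int_if inet6 from ! <registered6>' then drops
    every unassigned address of the prefix without enumerating hosts."""
    body = "\n".join("    %s" % ip for _, ip in pairs)
    return "table <%s> const {\n%s\n}" % (name, body)


def main():
    pairs, rejected = parse_registrations(REGISTRATIONS)
    for raw, why in rejected:
        print("# skipped (%s): %s" % (why, raw.strip()))
    print("\n".join(ndp_commands(pairs)))
    print(pf_table(pairs))


if __name__ == "__main__":
    main()
```

The table only replaces the per-address firewall entries the post wants to avoid maintaining by hand; it is regenerated from the same registration file that feeds the static neighbor entries, so the two cannot drift apart. It does not change the residual risk the post already names: a host that clones both a registered MAC and its IPv6 address while the legitimate station is off still passes both checks.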
