Re: [fw-wiz] IPv6 comes in the game

From: Lorand Jakab (jlori_at_go.ro)
Date: 05/04/04

  • Next message: Melson, Paul: "RE: [fw-wiz] NAT Pseudo Security"
    To: "Paul D. Robertson" <paul@compuwar.net>
    Date: Tue, 04 May 2004 17:21:30 +0200
    
    

    On Tue, 2004-05-04 at 16:22, Paul D. Robertson wrote:
    > On Tue, 4 May 2004, Lorand Jakab wrote:
    >
    > > Now the box has an IPv6 address as well, and a prefix for the internal
    > > network, and I would like to forward IPv6 traffic too. But the above
    > > approach is not feasable anymore (not a good idea to have a 2^64 entry
    > > static neighbor cache). Is it possible to prevent using unassigned IP
    > > addresses to be used for Internet access without entering each assigned
    > > address in the firewall, while still having static MAC entries for
    > > registered addresses?
    >
    > Surely you're not going to have 2^64 active neighbors? I don't see how a
    > v6 address changes things really?

    Currently we have a subnet with netmask 255.255.248.0 which means 4096
    possible addresses, so I have an /etc/ethers with 4096 entries. A 64
    prefix in IPv6 would yield 2^64 possible addresses, and I don't think
    such a static neighbor table is reasonable.

    > In any case, you might want to look at your layer 2 networking gear and
    > see if authenticating the device via 802.1x is reasonable (it's built into
    > the green switches, not sure about the others.) You may be able to do
    > some "hand out an address by authentication group" sort of thing. I'm not
    > sure what RADIUS servers support 802.1x though- and it's probably not a
    > well-trodden path.

    We use Allied Telesyn 8326 and 8350 switches with the latest firmware,
    but 802.1x is not mentioned anywhere in the documentation, so I suppose
    it's not supported. But looking through the documentation gave me a new
    idea, using the switches' port based security. I didn't use it so far,
    since the other approach worked well, and we had worse gear before,
    without this possibility. Also, users don't connect directly to the main
    switch stack, but instead into smaller switches, distributed in the
    rooms of the building so one port could have up to 8 entries.

    The port based security approach has the dispadvantage of not being
    scriptable, like server only modifications and we have pretty frequent
    user information changes.

    Lorand Jakab

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Melson, Paul: "RE: [fw-wiz] NAT Pseudo Security"

    Relevant Pages

    • RE: Network scanning
      ... > be sourced on one port.. ... > plenty of cisco switches that do this anyhow, ... > Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich ... > informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. ...
      (Security-Basics)
    • Re: Port trunking / link aggregation problem
      ... A port trunk always sends packets from a particular source ... A single link is designated for flooding broadcasts and packets ... As a result typical switches allow you to do load balancing based ...
      (comp.dcom.lans.ethernet)
    • Re: Duplex/Speed Hardcoding
      ... Have a colleague who insists every port on every switch be hardcoded to ... general app - that they now only hardcode the duplex settings? ... A long while ago we had a pair of non-Cisco switches and if you ...
      (comp.dcom.sys.cisco)
    • Re: Static IP outside of router DHCP range
      ... Unfortunately my 8 clients are little $50 boxes with an Ethernet port and yellow, red, and white outputs for composite NTSC video and stereo audio, but no provisions whatsoever to flash their NVRAM. ... So I have no way to either reserve IP addresses based on Mac addresses, nor do I have a way to set them up as static. ... I still am wondering if my Netgear switches truly have any "memory" of the ports associated with specific IP addresses of the connected clients, as they have no reset or reboot function as far as I know. ...
      (alt.comp.hardware.pc-homebuilt)
    • Help with the logic of my structure?
      ... I am using snmp to walk a couple of tables on some switches to output a list ... multiple ports and or the same port but with different hosts. ... I also tried replacing the "foreach" with a "while - ... push @pport, "$host-$_"; ...
      (perl.beginners)