Re: [fw-wiz] IPv6 comes in the game
From: Lorand Jakab (jlori_at_go.ro)
To: "Paul D. Robertson" <firstname.lastname@example.org>
Date: Tue, 04 May 2004 17:21:30 +0200
On Tue, 2004-05-04 at 16:22, Paul D. Robertson wrote:
> On Tue, 4 May 2004, Lorand Jakab wrote:
> > Now the box has an IPv6 address as well, and a prefix for the internal
> > network, and I would like to forward IPv6 traffic too. But the above
> > approach is not feasible anymore (not a good idea to have a 2^64 entry
> > static neighbor cache). Is it possible to prevent unassigned IP
> > addresses from being used for Internet access without entering each assigned
> > address in the firewall, while still having static MAC entries for
> > registered addresses?
> Surely you're not going to have 2^64 active neighbors? I don't see how a
> v6 address changes things really?
Currently we have a subnet with netmask 255.255.248.0 which means 4096
possible addresses, so I have an /etc/ethers with 4096 entries. A 64
prefix in IPv6 would yield 2^64 possible addresses, and I don't think
such a static neighbor table is reasonable.
> In any case, you might want to look at your layer 2 networking gear and
> see if authenticating the device via 802.1x is reasonable (it's built into
> the green switches, not sure about the others.) You may be able to do
> some "hand out an address by authentication group" sort of thing. I'm not
> sure what RADIUS servers support 802.1x though- and it's probably not a
> well-trodden path.
We use Allied Telesyn 8326 and 8350 switches with the latest firmware,
but 802.1x is not mentioned anywhere in the documentation, so I suppose
it's not supported. But looking through the documentation gave me a new
idea, using the switches' port based security. I didn't use it so far,
since the other approach worked well, and we had worse gear before,
without this possibility. Also, users don't connect directly to the main
switch stack, but instead into smaller switches, distributed in the
rooms of the building so one port could have up to 8 entries.
The port based security approach has the disadvantage of not being
scriptable like server-only modifications are, and we have pretty frequent
user information changes.
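As an added illustration (not part of the original mail), the script below shows how the /etc/ethers idea discussed above carries over to IPv6 without a 2^64 entry table: static neighbor entries and forwarding rules are generated only for registered hosts, and everything else from the internal prefix is dropped. The registry contents, the 2001:db8:1::/64 prefix and the eth1 interface name are constructed placeholders.

```python
import ipaddress

# Constructed sample registry in /etc/ethers style, extended to IPv6:
# one "<mac> <ipv6-address>" line per registered host (placeholder values).
REGISTRY = """\
00:11:22:33:44:55 2001:db8:1::10
00:11:22:33:44:66 2001:db8:1::11
00:11:22:33:44:77 2001:db8:2::5   # outside our prefix, ignored
"""
INTERNAL_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")  # assumed internal /64
LAN_IF = "eth1"  # assumed inside interface name


def parse_registry(text):
    """Return {IPv6Address: mac} for registry lines inside INTERNAL_PREFIX."""
    hosts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        mac, addr = line.split()
        ip = ipaddress.IPv6Address(addr)
        if ip not in INTERNAL_PREFIX:
            continue  # not a host on our internal network
        hosts[ip] = mac.lower()
    return hosts


def neighbor_commands(hosts):
    """Permanent neighbor entries only for registered hosts, not the whole /64."""
    return [f"ip -6 neigh replace {ip} lladdr {mac} dev {LAN_IF} nud permanent"
            for ip, mac in sorted(hosts.items())]


def forward_rules(hosts):
    """Forward only registered sources; unassigned addresses in the prefix are dropped."""
    rules = [f"ip6tables -A FORWARD -i {LAN_IF} -s {ip}/128 -j ACCEPT"
             for ip in sorted(hosts)]
    rules.append(f"ip6tables -A FORWARD -i {LAN_IF} -s {INTERNAL_PREFIX} -j DROP")
    return rules


def table_sizes(hosts):
    """(addresses in the prefix, entries actually needed) to show the scale difference."""
    return INTERNAL_PREFIX.num_addresses, len(hosts)


if __name__ == "__main__":
    registered = parse_registry(REGISTRY)
    print("\n".join(neighbor_commands(registered) + forward_rules(registered)))
    print("possible addresses vs. entries needed:", table_sizes(registered))
```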
firewall-wizards mailing list