RE: [fw-wiz] IPv6 comes in the game

From: Sloane, David (DSloane_at_vfa.com)
Date: 05/04/04

  • Next message: Lorand Jakab: "RE: [fw-wiz] IPv6 comes in the game"
    To: "Lorand Jakab" <jlori@go.ro>, <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 4 May 2004 11:56:13 -0400
    
    

    Lorand,

    Maybe I'm not understanding your question, but doesn't the IPv6 address
    of Host-A include Host-A's (reported) MAC address?

    For example, in RFC 1884 - IP Version 6 Addressing Architecture -
    http://www.faqs.org/rfcs/rfc1884.html

    " Site-Local addresses have the following format:

        |   10     |
        |  bits    |  n bits |    m bits     |       118-n-m bits         |
        +----------+---------+---------------+----------------------------+
        |1111111011|    0    |   subnet ID   |       interface ID         |
        +----------+---------+---------------+----------------------------+"

    and RFC 2073 - An IPv6 Provider-Based Unicast Address Format -
    http://www.faqs.org/rfcs/rfc2073.html

    "     |          64 bits               |  16 bits  |     48 bits      |
          +--------------------------------+-----------+------------------+
          |      Subscriber Prefix         | Subnet ID |   Interface ID   |
          +--------------------------------+-----------+------------------+"

    It seems like you can allow only specific IPv6 addresses based on
    specific MAC addresses and restrict everything else.

    Of course, this doesn't fix MAC address spoofing. If you can't get your
    802.1x per-port authentication to work, you could do per-port VLANs.
    But that would add another configuration step and opportunity for error,
    not to mention pretty complex switch configurations.

    The problem with 802.1x that I've had is finding good troubleshooting
    tools to figure out what's breaking and what's working.

    -David

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Lorand
    Jakab
    Sent: May 04, 2004 8:33 AM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] IPv6 comes in the game

    Hello everyone,
    I am responsible for a university campus building internal network with
    200+ computers, currently NAT-ed through a FreeBSD box. Anyone
    connecting to the network has to register and is given a static IP
    address. In order to prevent spoofing, they have to specify their MAC
    address and I enter a static ARP cache entry via /etc/ethers. All
    unassigned addresses for the subnet pool have a static entry also, so
    they cannot be used (unless guessed).

    Now the box has an IPv6 address as well, and a prefix for the internal
    network, and I would like to forward IPv6 traffic too. But the above
    approach is not feasible anymore (not a good idea to have a 2^64 entry
    static neighbor cache). Is it possible to prevent unassigned IP
    addresses from being used for Internet access without entering each
    assigned address in the firewall, while still having static MAC entries
    for registered addresses?

    What would you recommend for this scenario, so it would only be possible
    to spoof an address if a user changed the MAC address of his NIC to
    another legitimate user's MAC, the IP to the other user's IP (if no
    autoconfiguration will be used, I haven't decided that yet) and the
    legitimate station were not turned on?

    Thanks in advance,
    Lorand Jakab

    _______________________________________________
    firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
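Editor's added example, not code from either poster. The MAC-in-the-address mapping David points to is the modified EUI-64 interface ID of RFC 2373 Appendix A (RFC 2373 replaced RFC 1884), which is what stateless autoconfiguration puts in the low 64 bits. The script below derives each registered host's IPv6 address from its MAC, emits static neighbor-cache entries for all of them at once (the IPv6 counterpart of Lorand's /etc/ethers list, without touching 2^64 addresses), and classifies an observed (IPv6 source, Ethernet source) pair. Assumptions: the registration table and the sample observations are constructed; 2001:db8:1:2::/64 is a documentation prefix standing in for the campus prefix; the `ndp -s <addr> <ether_addr>` syntax is FreeBSD's ndp(8). The check only works for EUI-64 addresses: RFC 3041 temporary addresses and hand-configured addresses carry no MAC, so hosts must be kept on plain autoconfiguration (or given their EUI-64 address statically) for it to mean anything, and as David says it does nothing against a host that clones both MAC and address.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed registration table (sample data, not from the list post):
# registered MAC -> owner, the IPv6 analogue of the /etc/ethers list.
REGISTERED: Dict[str, str] = {
    "00:0c:29:3e:4f:50": "host-a",
    "00:11:22:33:44:55": "host-b",
}

# Assumed internal prefix; 2001:db8::/32 is the RFC 3849 documentation range.
INTERNAL_PREFIX = "2001:db8:1:2::/64"


def mac_to_modified_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface ID (RFC 2373 Appendix A): split the 48-bit
    MAC in the middle, insert 0xFFFE, and invert the universal/local bit
    (bit 0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host with this MAC autoconfigures on a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr: str) -> Optional[str]:
    """Reverse mapping. Returns None when the interface ID does not carry
    the 0xFFFE marker, i.e. it is not EUI-64-derived (RFC 3041 temporary
    addresses, hand-configured addresses, and so on)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


def check_source(src_addr: str, eth_src_mac: str) -> str:
    """Classify one observed (IPv6 source, Ethernet source) pair:
      ok           - EUI-64 address, matches the frame's MAC, MAC registered
      mismatch     - address embeds a different MAC than the frame carries
      unregistered - consistent pair, but the MAC is not in the table
      non-eui64    - address carries no MAC; cannot be checked this way
    """
    derived = mac_from_address(src_addr)
    if derived is None:
        return "non-eui64"
    if derived != eth_src_mac.lower():
        return "mismatch"
    if derived not in REGISTERED:
        return "unregistered"
    return "ok"


def ndp_static_entries(prefix: str = INTERNAL_PREFIX) -> List[str]:
    """Static neighbor-cache entries for every registered host, one per MAC,
    so no per-address hand editing is needed. Assumes FreeBSD ndp(8) syntax
    'ndp -s <addr> <ether_addr>'; adapt the command for other systems."""
    return [f"ndp -s {eui64_address(prefix, mac)} {mac}" for mac in REGISTERED]


if __name__ == "__main__":
    for line in ndp_static_entries():
        print(line)
    # Constructed observations: a legitimate host, a host that took another
    # registered host's address without its MAC, and a temporary address.
    samples = [
        ("2001:db8:1:2:20c:29ff:fe3e:4f50", "00:0c:29:3e:4f:50"),
        ("2001:db8:1:2:211:22ff:fe33:4455", "00:0c:29:3e:4f:50"),
        ("2001:db8:1:2:1234:5678:9abc:def0", "00:0c:29:3e:4f:50"),
    ]
    for addr, mac in samples:
        print(f"{addr:40} {mac}  -> {check_source(addr, mac)}")
```

Run on the firewall box, the first loop prints the ndp -s lines to install; the classifier is what a per-packet filter or a log pass over captured traffic would apply. A result of "mismatch" is exactly the case Lorand wants to block (address changed, MAC not), while "ok" for a cloned MAC plus cloned address is the residual case that only 802.1x or per-port VLANs can address.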
