RE: [fw-wiz] IPv6 comes in the game

From: Sloane, David (
Date: 05/04/04

  • Next message: Lorand Jakab: "RE: [fw-wiz] IPv6 comes in the game"
    To: "Lorand Jakab" <>, <>
    Date: Tue, 4 May 2004 11:56:13 -0400


    Maybe I'm not understanding your question, but doesn't the IPv6 address
    of Host-A include Host-A's (reported) MAC address?

    For example, in RFC 1884 - IP Version 6 Addressing Architecture -

    " Site-Local addresses have the following format:

        |   10     |
        |  bits    |   n bits   |  m bits  |   118-n-m bits   |
        |1111111011|     0      | subnet ID|   interface ID   |

    and RFC 2073 - An IPv6 Provider-Based Unicast Address Format -

    " |      64 bits      |  16 bits  |    48 bits   |
      | Subscriber Prefix | Subnet ID | Interface ID |

    It seems like you can allow only specific IPv6 addresses based on
    specific MAC addresses and restrict everything else.

    Of course, this doesn't fix MAC address spoofing. If you can't get your
    802.1x per-port authentication to work, you could do per-port VLANs.
    But that would add another configuration step and opportunity for error,
    not to mention pretty complex switch configurations.

    The problem with 802.1x that I've had is finding good troubleshooting
    tools to figure out what's breaking and what's working.


    -----Original Message-----
    [] On Behalf Of Lorand
    Sent: May 04, 2004 8:33 AM
    Subject: [fw-wiz] IPv6 comes in the game

    Hello everyone,
    I am responsible for a university campus building internal network with
    200+ computers, currently NAT-ed through a FreeBSD box. Anyone
    connecting to the network has to register and is given a static IP
    address. In order to prevent spoofing, they have to specify their MAC
    address and I enter a static ARP cache entry via /etc/ethers. All
    unassigned addresses for the subnet pool have a static entry also, so
    they cannot be used (unless guessed).

    Now the box has an IPv6 address as well, and a prefix for the internal
    network, and I would like to forward IPv6 traffic too. But the above
    approach is not feasible anymore (not a good idea to have a 2^64 entry
    static neighbor cache). Is it possible to prevent unassigned IP
    addresses from being used for Internet access without entering each
    assigned address in the firewall, while still having static MAC entries
    for registered addresses?

    What would you recommend for this scenario, so it would only be possible
    to spoof an address if a user changed the MAC address of his NIC to
    another legitimate user's MAC, the IP to the other user's IP (if no
    autoconfiguration will be used, I haven't decided that yet) and the
    legitimate station would not be turned on?

    Thanks in advance,
    Lorand Jakab

    firewall-wizards mailing list
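The address structure Sloane points to, worked through as an added example (not code from either poster): with stateless autoconfiguration the 64-bit interface ID is the modified EUI-64 of the NIC's MAC, so a filter on the FreeBSD box can check whether a source address's interface ID corresponds to a registered MAC and drop everything else. The prefix 2001:db8:1:1::/64 and the registry entries are constructed sample values; as Sloane notes, this does nothing against a spoofed MAC, and it only holds for EUI-64 derived addresses, not manually assigned or privacy (RFC 3041) addresses.

```python
import ipaddress
from typing import Optional

IID_MASK = (1 << 64) - 1
UL_BIT = 1 << 57  # universal/local bit: 0x02 of the first octet, in the 64-bit IID


def mac_to_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 2373 appendix A) from a 48-bit MAC:
    insert 0xFFFE between the OUI and the device part, then flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui64, "big") ^ UL_BIT


def mac_from_interface_id(iid: int) -> Optional[str]:
    """Reverse mapping: the MAC an EUI-64 interface ID claims, or None when the
    ID is not EUI-64 shaped (manually configured or privacy addresses)."""
    b = (iid ^ UL_BIT).to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a host with this MAC autoconfigures on a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_interface_id(mac))


def allowed(src: str, registry: dict, prefix: str) -> bool:
    """Filter decision for one source address: it must sit in the campus prefix
    and its interface ID must be the EUI-64 of a registered MAC (registry maps
    user name -> MAC, mirroring the /etc/ethers entries in the original post)."""
    addr = ipaddress.IPv6Address(src)
    if addr not in ipaddress.IPv6Network(prefix):
        return False
    claimed_mac = mac_from_interface_id(int(addr) & IID_MASK)
    return claimed_mac is not None and claimed_mac in {
        m.lower() for m in registry.values()
    }


# Constructed sample data (hypothetical prefix and registrations).
CAMPUS_PREFIX = "2001:db8:1:1::/64"
REGISTRY = {"alice": "00:11:22:33:44:55", "bob": "08:00:20:aa:bb:cc"}
```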
