Re: [fw-wiz] IPv6 comes in the game
From: Michael Brown (topo2_at_pacbell.net)
To: email@example.com
Date: Tue, 4 May 2004 23:53:09 -0700
Sorry if 2x posted.
802.1x is also fine with FreeRADIUS, I've used it personally on Linux/*BSD
with Linux/*BSD/Win2k/XP clients, wired or wireless.
On Tue, 4 May 2004 09:51:01 -0500
"Victor Williams" <firstname.lastname@example.org> wrote:
> Microsoft Windows 2000/2003 server does 802.1x auth fine. We use it to handle
> wireless access as well as port access on certain switches in the network.
> Victor Williams
> -----Original Message-----
> From: email@example.com
> [mailto:firstname.lastname@example.org] On Behalf Of Paul D.
> Sent: Tuesday, May 04, 2004 9:23 AM
> To: Lorand Jakab
> Cc: email@example.com
> Subject: Re: [fw-wiz] IPv6 comes in the game
> On Tue, 4 May 2004, Lorand Jakab wrote:
> > Now the box has an IPv6 address as well, and a prefix for the internal
> > network, and I would like to forward IPv6 traffic too. But the above
> > approach is not feasible anymore (not a good idea to have a 2^64 entry
> > static neighbor cache). Is it possible to prevent using unassigned IP
> > addresses to be used for Internet access without entering each
> > assigned address in the firewall, while still having static MAC
> > entries for registered addresses?
> Surely you're not going to have 2^64 active neighbors? I don't see how a v6
> address changes things really?
> In any case, you might want to look at your layer 2 networking gear and see
> if authenticating the device via 802.1x is reasonable (it's built into the
> green switches, not sure about the others.) You may be able to do some
> "hand out an address by authentication group" sort of thing. I'm not sure
> what RADIUS servers support 802.1x though, and it's probably not a
> well-trodden path.
> > What would you recommend for this scenario, so it would only be
> > possible to spoof an address, if a user changed the MAC address of his
> > NIC to another legitimate user's MAC, the IP to the other user's IP
> > (if no autoconfiguration will be used, I haven't decided that yet) and
> > the legitimate station would not be turned on?
> If you force the user to authenticate prior to forwarding packets, as 802.1x
> does on switches, then you're able to log the authentication at the RADIUS
> server, and equate network activity to a port. If the port's locked to an
> IP address, then you have the ability to track and basically eliminate abuse
> by authenticator.
> I'd probably look at RADIUS servers to see if there's any group addressing
> support, so that you could enable a user's addressing request by userid to
> be v4 or v6.
> I really wish I had the time to fool around with 802.1x, it really looks
> like the best place to do authentication, especially if you can translate
> the results into VLANs or address blocks.
> Paul D. Robertson
> Director of Risk Assessment, TruSecure Corporation
> firstname.lastname@example.org / email@example.com
> "My statements in this message are personal opinions which may have no basis whatsoever in fact."
> firewall-wizards mailing list firstname.lastname@example.org
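The tracking Paul describes (the RADIUS server logs each 802.1x authentication against a switch port, so forwarded traffic can be tied back to the user who authenticated there) can be checked mechanically. The following is an added example, not code from this thread or from FreeRADIUS: it correlates constructed RADIUS accounting records with constructed firewall log lines and flags packets whose ingress port, source MAC or IPv6 source address does not match the session authenticated on that port. The record and log layouts are assumed and simplified; the attribute names are standard RADIUS ones.

```python
import ipaddress

# Constructed, simplified RADIUS accounting records (standard attribute names).
ACCT_RECORDS = """\
Acct-Status-Type=Start User-Name=alice NAS-Port=12 Calling-Station-Id=00-11-22-33-44-55 Framed-IPv6-Prefix=2001:db8:1:12::/64
Acct-Status-Type=Start User-Name=bob NAS-Port=13 Calling-Station-Id=00-11-22-33-44-66 Framed-IPv6-Prefix=2001:db8:1:13::/64
Acct-Status-Type=Stop User-Name=carol NAS-Port=14 Calling-Station-Id=00-11-22-33-44-77 Framed-IPv6-Prefix=2001:db8:1:14::/64
"""
# Constructed firewall log lines: ingress switch port, source MAC, source address.
FW_LOG = """\
port=12 mac=00-11-22-33-44-55 src=2001:db8:1:12::a
port=13 mac=00-11-22-33-44-55 src=2001:db8:1:12::a
port=12 mac=00-11-22-33-44-55 src=2001:db8:1:13::b
port=14 mac=00-11-22-33-44-77 src=2001:db8:1:14::1
"""

def parse_kv(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())

def build_sessions(records):
    """Map switch port -> (user, mac, prefix); Start opens a session, Stop closes it."""
    sessions = {}
    for line in records.splitlines():
        kv = parse_kv(line)
        port = int(kv["NAS-Port"])
        if kv["Acct-Status-Type"] == "Start":
            sessions[port] = (kv["User-Name"], kv["Calling-Station-Id"].lower(),
                              ipaddress.ip_network(kv["Framed-IPv6-Prefix"]))
        else:
            sessions.pop(port, None)
    return sessions

def check_traffic(log, sessions):
    """Return (port, src, reason) for packets not covered by the session
    authenticated on their ingress port."""
    findings = []
    for line in log.splitlines():
        kv = parse_kv(line)
        port, mac = int(kv["port"]), kv["mac"].lower()
        src = ipaddress.ip_address(kv["src"])
        sess = sessions.get(port)
        if sess is None:
            findings.append((port, str(src), "no authenticated session on port"))
        elif mac != sess[1]:       # MAC on the port is not the one that authenticated
            findings.append((port, str(src), f"MAC not bound to user {sess[0]}"))
        elif src not in sess[2]:   # address outside the prefix handed to that user
            findings.append((port, str(src), f"address outside {sess[0]}'s prefix"))
    return findings
```

Calling `check_traffic(FW_LOG, build_sessions(ACCT_RECORDS))` on the constructed data yields three findings: a foreign MAC on port 13, an out-of-prefix address on port 12, and traffic on port 14 with no open session.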