Re: [fw-wiz] IPv6 comes in the game

From: Michael Brown (topo2_at_pacbell.net)
Date: 05/05/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 4 May 2004 23:53:09 -0700
    
    

    Sorry if 2x posted.
    802.1x is also fine with FreeRADIUS; I've used it personally on Linux/*BSD
    with Linux/*BSD/Win2k/XP clients, wired or wireless.
     
    On Tue, 4 May 2004 09:51:01 -0500
    "Victor Williams" <vbwilliams@essvote.net> wrote:

    > Microsoft Windows 2000/2003 server does 802.1x auth fine. We use it to handle
    > wireless access as well as port access on certain switches in the network.
    >
    >
    > Victor Williams
    >
    >
    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Paul D.
    > Robertson
    > Sent: Tuesday, May 04, 2004 9:23 AM
    > To: Lorand Jakab
    > Cc: firewall-wizards@honor.icsalabs.com
    > Subject: Re: [fw-wiz] IPv6 comes in the game
    >
    >
    > On Tue, 4 May 2004, Lorand Jakab wrote:
    >
    > > Now the box has an IPv6 address as well, and a prefix for the internal
    > > network, and I would like to forward IPv6 traffic too. But the above
    > > approach is not feasible anymore (not a good idea to have a 2^64 entry
    > > static neighbor cache). Is it possible to prevent unassigned IP
    > > addresses from being used for Internet access without entering each
    > > assigned address in the firewall, while still having static MAC
    > > entries for registered addresses?
    >
    > Surely you're not going to have 2^64 active neighbors? I don't see how a v6
    > address changes things really?
    >
    > In any case, you might want to look at your layer 2 networking gear and see
    > if authenticating the device via 802.1x is reasonable (it's built into the
    > green switches, not sure about the others.) You may be able to do some
    > "hand out an address by authentication group" sort of thing. I'm not sure
    > what RADIUS servers support 802.1x though, and it's probably not a
    > well-trodden path.
    >
    > > What would you recommend for this scenario, so it would only be
    > > possible to spoof an address if a user changed the MAC address of his
    > > NIC to another legitimate user's MAC, the IP to the other user's IP
    > > (if no autoconfiguration will be used, I haven't decided that yet) and
    > > the legitimate station would not be turned on?
    >
    > If you force the user to authenticate prior to forwarding packets, as 802.1x
    > does on switches, then you're able to log the authentication at the RADIUS
    > server, and equate network activity to a port. If the port's locked to an
    > IP address, then you have the ability to track and basically eliminate abuse
    > by authenticator.
    >
    > I'd probably look at RADIUS servers to see if there's any group addressing
    > support, so that you could enable a user's addressing request by userid to
    > be v4 or v6.
    >
    > I really wish I had the time to fool around with 802.1x, it really looks
    > like the best place to do authentication, especially if you can translate
    > the results into VLANs or address blocks.
    >
    > Paul
    > -----------------------------------------------------------------------------
    > Paul D. Robertson "My statements in this message are personal opinions
    > paul@compuwar.net which may have no basis whatsoever in fact."
    > probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    > _______________________________________________
    > firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
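As an added example (not code from the thread or from any of the posters), a Python sketch of the per-port binding check Paul describes: RADIUS accounting ties a user, switch port and MAC to an address allocation, and observed traffic is checked against that allocation by prefix membership instead of a 2^64-entry static neighbor cache. The accounting line format, port names, MACs and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Session:
    user: str   # User-Name from the accounting record
    port: str   # switch port the supplicant authenticated on
    mac: str    # Calling-Station-Id, lower-cased
    nets: list  # address allocation: v4 host routes and/or v6 prefixes

def load_sessions(acct_lines):
    """Build a port -> Session table from constructed accounting lines of the
    form 'user=<id> port=<port> mac=<mac> addr=<cidr>[,<cidr>...]'."""
    table = {}
    for line in acct_lines:
        kv = dict(tok.split("=", 1) for tok in line.split())
        nets = [ipaddress.ip_network(a, strict=False) for a in kv["addr"].split(",")]
        table[kv["port"]] = Session(kv["user"], kv["port"], kv["mac"].lower(), nets)
    return table

def check_frame(table, port, src_mac, src_ip):
    """Return None if the frame matches the session on its port, else a reason."""
    ip = ipaddress.ip_address(src_ip)
    sess = table.get(port)
    if sess is None:
        return "unauthenticated-port"          # 802.1x never succeeded on this port
    if src_mac.lower() != sess.mac:
        return "mac-mismatch"                  # a different MAC than the one that authenticated
    if not any(ip in n for n in sess.nets):    # prefix test, no per-address table needed
        owner = next((s for s in table.values() if any(ip in n for n in s.nets)), None)
        return f"addr-belongs-to:{owner.user}@{owner.port}" if owner else "addr-unassigned"
    return None

def audit(table, frames):
    """Run check_frame over (port, src_mac, src_ip) tuples; return the violations."""
    return [(port, reason) for port, mac, ip in frames
            if (reason := check_frame(table, port, mac, ip)) is not None]

# Constructed sample data (documentation addresses, made-up ports and MACs).
ACCT = [
    "user=lorand port=Gi0/1 mac=00:11:22:33:44:55 addr=192.0.2.10/32,2001:db8:1::/64",
    "user=victor port=Gi0/2 mac=00:11:22:33:44:66 addr=192.0.2.11/32,2001:db8:2::/64",
]
FRAMES = [
    ("Gi0/1", "00:11:22:33:44:55", "2001:db8:1::1a2b"),  # fine: inside lorand's /64
    ("Gi0/2", "00:11:22:33:44:55", "2001:db8:1::1a2b"),  # lorand's MAC+addr on victor's port
    ("Gi0/3", "00:11:22:33:44:77", "192.0.2.50"),        # port with no session
    ("Gi0/2", "00:11:22:33:44:66", "192.0.2.10"),        # victor sourcing lorand's IPv4
]
```

Because IPv6 hosts are checked against the /64 their session was granted, a user picking any interface identifier inside it passes while an address from another user's prefix is attributed to its owner's port.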

