Firewall Wizards mailing list archives

RE: IPv6 comes in the game


From: Lorand Jakab <jlori () go ro>
Date: Tue, 04 May 2004 18:08:00 +0200

I am aware of the stateless autoconfiguration of IPv6 addresses, but the
IPv6 protocol allows manual configuration as well, just like IPv4. I
successfully tested this (manually adding IPv6 addresses) on Linux,
FreeBSD, Windows 2000 and Windows XP, so any user can change their IPv6
address.

Lorand Jakab

On Tue, 2004-05-04 at 17:56, Sloane, David wrote:
Lorand,

Maybe I'm not understanding your question, but doesn't the IPv6 address
of Host-A include Host-A's (reported) MAC address?

For example, in RFC 1884 - IP Version 6 Addressing Architecture -
http://www.faqs.org/rfcs/rfc1884.html

"   Site-Local addresses have the following format:

    |   10     |
    |  bits    | n bits  |    m bits     |       118-n-m bits         |
    +----------+---------+---------------+----------------------------+
    |1111111011|    0    |   subnet ID   |       interface ID         |
    +----------+---------+---------------+----------------------------+"


and RFC 2073 - An IPv6 Provider-Based Unicast Address Format -
http://www.faqs.org/rfcs/rfc2073.html


"     |              64 bits             |  16 bits  |     48 bits      |
      +--------------------------------+-----------+------------------+
      |       Subscriber Prefix        | Subnet ID |   Interface ID   |
      +--------------------------------+-----------+------------------+"



It seems like you can allow only specific IPv6 addresses based on
specific MAC addresses and restrict everything else.

Of course, this doesn't fix MAC address spoofing.  If you can't get your
802.1x per-port authentication to work, you could do per-port VLANs.
But that would add another configuration step and opportunity for error,
not to mention pretty complex switch configurations.

The problem with 802.1x that I've had is finding good troubleshooting
tools to figure out what's breaking and what's working.

-David


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
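The mapping David describes, between a host's MAC address and the interface ID of its autoconfigured IPv6 address, is the modified EUI-64 construction: insert ff:fe into the middle of the 48-bit MAC and flip the universal/local bit of the first octet. The following is an added example, not code from either poster, showing how a filter keyed on that mapping would derive the expected address for an allowed MAC, recover the MAC from an address, and reject a source address that does not match. The MAC addresses and prefixes are constructed sample values. As the thread points out, it only catches addresses that were changed while the MAC stayed the same; a spoofed MAC produces a matching address and passes.

```python
import ipaddress
from typing import Dict, Optional


def normalize_mac(mac: str) -> str:
    """Return a MAC as lowercase colon-separated hex, e.g. 00:11:22:33:44:55."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    return ":".join(f"{b:02x}" for b in raw)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface ID (RFC 2373 / RFC 4291 Appendix A):
    OUI + ff:fe + device part, with the U/L bit (bit 0x02) of the first
    octet inverted."""
    raw = bytes.fromhex(normalize_mac(mac).replace(":", ""))
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address stateless autoconfiguration yields for this MAC in a /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface IDs need a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an address, or None if the interface ID
    does not have the ff:fe marker (manually configured, privacy address, etc.)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in raw)


def source_allowed(src_addr: str, src_mac: str, allowlist: Dict[str, str]) -> bool:
    """Allow a frame only if (a) its MAC is on the allowlist, (b) the IPv6
    source lies in the prefix assigned to that MAC, and (c) the interface ID
    is exactly the EUI-64 form of that MAC. A host that keeps its MAC but
    hand-configures another address fails (c); a host that spoofs an allowed
    MAC passes, which is the limitation discussed above."""
    mac = normalize_mac(src_mac)
    prefix = allowlist.get(mac)
    if prefix is None:
        return False
    addr = ipaddress.IPv6Address(src_addr)
    if addr not in ipaddress.IPv6Network(prefix, strict=False):
        return False
    return addr == slaac_address(prefix, mac)


# Constructed sample policy: one allowed host per subnet.
ALLOWLIST = {
    "00:11:22:33:44:55": "2001:db8:0:1::/64",
    "00:50:56:c0:00:08": "2001:db8:0:2::/64",
}

if __name__ == "__main__":
    expected = slaac_address("2001:db8:0:1::/64", "00:11:22:33:44:55")
    print("autoconfigured address:", expected)
    # Same MAC, manually chosen address: rejected.
    print(source_allowed("2001:db8:0:1::1", "00:11:22:33:44:55", ALLOWLIST))
    # Spoofed MAC with the matching derived address: accepted.
    print(source_allowed(str(expected), "00:11:22:33:44:55", ALLOWLIST))
```

Run directly it prints the derived address `2001:db8:0:1:211:22ff:fe33:4455`, then `False` for the hand-configured `::1` address and `True` for the matching one. Note that modern stacks frequently use privacy (RFC 4941) or stable-opaque interface IDs rather than EUI-64, so `mac_from_eui64` returning `None` is not by itself evidence of tampering.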

