Firewall Wizards mailing list archives
RE: IPv6 comes in the game
From: Lorand Jakab <jlori () go ro>
Date: Tue, 04 May 2004 18:08:00 +0200
I am aware of the stateless autoconfiguration of IPv6 addresses, but the IPv6 protocol allows manual configuration as well, just like IPv4. I successfully tested this (manually adding IPv6 addresses) on Linux, FreeBSD, Windows 2000 and Windows XP so any user can change its IPv6 address.

Lorand Jakab

On Tue, 2004-05-04 at 17:56, Sloane, David wrote:
Lorand,

Maybe I'm not understanding your question, but doesn't the IPv6 address of Host-A include Host-A's (reported) MAC address?

For example, in RFC 1884 - IP Version 6 Addressing Architecture - http://www.faqs.org/rfcs/rfc1884.html

" Site-Local addresses have the following format:

|   10     |
|  bits    | n bits  |    m bits     |       118-n-m bits         |
+----------+---------+---------------+----------------------------+
|1111111011|    0    |   subnet ID   |       interface ID         |
+----------+---------+---------------+----------------------------+"

and RFC 2073 - An IPv6 Provider-Based Unicast Address Format - http://www.faqs.org/rfcs/rfc2073.html

"
|            64 bits             |  16 bits  |     48 bits      |
+--------------------------------+-----------+------------------+
|       Subscriber Prefix        | Subnet ID |   Interface ID   |
+--------------------------------+-----------+------------------+"

It seems like you can allow only specific IPv6 addresses based on specific MAC addresses and restrict everything else. Of course, this doesn't fix MAC address spoofing.

If you can't get your 802.1x per-port authentication to work, you could do per-port VLANs. But that would add another configuration step and opportunity for error, not to mention pretty complex switch configurations.

The problem with 802.1x that I've had is finding good troubleshooting tools to figure out what's breaking and what's working.

-David
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
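Added example, not part of the original thread: a Python audit of (IPv6 address, MAC) pairs, as a router's neighbor table would report them, that flags addresses whose interface ID is not derived from the reported MAC, which is what a manually configured address looks like to a MAC-based filter. It assumes the 64-bit modified EUI-64 interface ID of RFC 4291 rather than the 48-bit layout quoted from RFC 2073; the sample entries, function names and result labels are constructed for illustration.

```python
import ipaddress

def eui64_interface_id(mac):
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    # Flip the universal/local bit of the first octet, insert ff:fe in the middle.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def classify(addr, mac):
    """Compare the low 64 bits of addr with the ID derived from mac."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if iid == eui64_interface_id(mac):
        return "eui64-match"
    # ff:fe in the middle means the ID was built from some other MAC.
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui64-other-mac"
    # Manually assigned or randomized (privacy) interface ID.
    return "not-mac-derived"

# Constructed sample entries (address, MAC) under the 2001:db8::/32
# documentation prefix; these are assumptions, not data from the thread.
NEIGHBORS = [
    ("2001:db8:0:1:211:22ff:fe33:4455", "00:11:22:33:44:55"),  # autoconfigured
    ("2001:db8:0:1::10", "00:11:22:33:44:66"),                 # set by hand
    ("2001:db8:0:1:211:22ff:fe33:4455", "00:aa:bb:cc:dd:ee"),  # another host's ID
]

def audit(neighbors):
    """Return (address, mac, verdict) for every entry that is not a clean match."""
    results = [(a, m, classify(a, m)) for a, m in neighbors]
    return [r for r in results if r[2] != "eui64-match"]

if __name__ == "__main__":
    for addr, mac, verdict in audit(NEIGHBORS):
        print(addr, mac, verdict)
```

A clean match only shows that the address and the reported MAC are consistent with each other; the host controls both values, so the check does not authenticate the host.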