Erik Nordmark wrote:
> Darren Reed wrote:
>
>> Separately, should we also be thinking about implementing support
>> for 802.1x?
>
> I agree that that is something to consider separately. Did you mean to
> imply that it is somehow related to link protection?

Probably and because I was thinking about equipment that supports 802.1X with MAC layer filtering to restrict the sender to just being the authenticated system. Probably a bad assumption to make.

>> The challenge for us is that I'm not aware of any client support
>> for 802.1X in Solaris, so Solaris domU's could be challenged if
>> that path was taken.
>
> But even if the dom0 required 802.1X from the domU it doesn't tie in
> with which IP address or DHCP identifier the domU can use; it merely
> means that the domU has some secret which allows it to connect its
> virtual port to the Ethernet.
>
> Hence 802.1X isn't helpful for the three notions of link protection
> that I think we need in virtual environments.

I was envisaging that 802.1X would be coupled together with DHCP, such that the IP address allowed for a port was controlled by its ability to authenticate itself for that port. But even if that was done, something needs to be built to restrict the packets on that port to the correct addresses.

Darren