Hi Alexandru,

> It may also be interesting to look at how network-layer mobility fits
> the authentication aspects you're dealing with. For example, if a
> eduroam user uses Mobile IP to maintain ongoing sessions between
> different campuses (maybe traveling through UMTS in between). This can
> be achieved by modifying the network layer only (Mobile IP) instead of
> going up to the application layer, having thus some advantages.
> However, the authentication problems are also raised, for example: what
> does the user authenticate - her Home Address or her Care-of Address?
> Or both?
This is indeed another challenge we ran into in eduroam, and it comes even without Mobile IP: when authenticating with 802.1X, a layer 2 address is authenticated. The later provisioning of a layer 3 address is not tied into the authentication at all. However, if a user commits an undesired action, he will be seen on the internet with the layer 3 address, which in turn needs to be tracked back to a user identity on layer 2.

We have been struggling with this issue for quite a while. There are numerous, but incomplete, approaches to that so far. I'll list them for reference, but it would sure be very interesting having a chat about improving the l2-to-l3 binding of a user...

* ARP sniffing: some Access Points keep track of their ARP caches and look at which address is using which IP address. Even if a malicious user changes his IP address after 802.1X authentication, it will be detected and his identity remains known under the new IP address. Drawback: requires vendor support, currently only implemented in IPv4.

* DHCP logging: the IP addresses which are handed out can be logged and correlated to a layer 2 address. This works on every decent DHCP server. Drawback: users can change IP addresses manually later, which is not detectable with this method.

* DHCP logging + firewall locks: some participants in eduroam go to great lengths: they issue IP addresses with DHCP *and* lock all currently unleased IP addresses so that a change of IP address by a malicious user will either be caught by the firewall or lead to a clash and thereby disturb connectivity for him. Drawback: the approach is quite sophisticated and depends on a seamless interaction between DHCP and firewall equipment.

Mobile IP, and the fact that with IPv6 it is normal for a device to have multiple IP addresses, add another few facets to the mix.

I'm looking forward to having a chat about that!
Greetings,

Stefan Winter

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung & Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473
_______________________________________________ Int-area mailing list [email protected] https://www.ietf.org/mailman/listinfo/int-area
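The l2-to-l3 binding problem described in the message above (802.1X authenticates a MAC, DHCP hands out an IP, ARP shows what the host actually used) can be worked through in code. The block below is an added example and is not code from the message, from eduroam, or from any vendor product: it correlates three constructed log feeds (an 802.1X/RADIUS accept log, a DHCP lease log and an ARP observation log, all in a hypothetical `ts kind key=value ...` format invented for this example) so that an IP address seen at a given time can be traced back to a user, and it flags ARP observations that no DHCP lease explains, which is exactly the manual IP change that DHCP logging alone cannot detect. Names such as `BindingTable`, `user_for_ip` and `unleased_addresses` are this example's own.

```python
"""Map a layer-3 address back to an 802.1X identity via MAC, and detect
IP addresses a client took without a DHCP lease.

Added example, not code from the mailing-list post, eduroam or a vendor.
Log formats below are constructed for this example only.
"""
import re

# Constructed sample logs (hypothetical "ts kind key=value ..." format).
RADIUS_LOG = """\
1000 auth-ok user=alice@example.edu mac=AA:BB:CC:DD:EE:01
1005 auth-ok user=bob@example.org mac=aa:bb:cc:dd:ee:02
"""
DHCP_LOG = """\
1010 lease ip=10.0.0.10 mac=aa:bb:cc:dd:ee:01
1012 lease ip=10.0.0.11 mac=aa:bb:cc:dd:ee:02
"""
ARP_LOG = """\
1020 arp ip=10.0.0.10 mac=aa:bb:cc:dd:ee:01
1030 arp ip=10.0.0.11 mac=aa:bb:cc:dd:ee:02
1040 arp ip=10.0.0.99 mac=aa:bb:cc:dd:ee:02
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.*)$")


def parse_line(line):
    """Parse 'ts kind k=v k=v' into (ts, kind, {k: v}); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, kind, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return int(ts), kind, fields


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


class BindingTable:
    """Time-indexed bindings: MAC -> user (802.1X), IP -> MAC (DHCP), IP -> MAC (ARP)."""

    def __init__(self):
        self.mac_user = {}  # mac -> [(ts, user)]
        self.leases = {}    # ip  -> [(ts, mac)] as handed out by DHCP
        self.arp_seen = {}  # ip  -> [(ts, mac)] as observed on the wire

    def ingest(self, events):
        for ts, kind, f in events:
            if kind == "auth-ok":
                self.mac_user.setdefault(f["mac"].lower(), []).append((ts, f["user"]))
            elif kind == "lease":
                self.leases.setdefault(f["ip"], []).append((ts, f["mac"].lower()))
            elif kind == "arp":
                self.arp_seen.setdefault(f["ip"], []).append((ts, f["mac"].lower()))

    @staticmethod
    def _latest(entries, at):
        """Most recent value recorded at or before time `at`, or None."""
        cand = [v for ts, v in sorted(entries) if ts <= at]
        return cand[-1] if cand else None

    def mac_for_ip(self, ip, at):
        # An ARP observation reflects what the host really used, so it takes
        # precedence over the DHCP lease; fall back to the lease if no ARP data.
        mac = self._latest(self.arp_seen.get(ip, []), at)
        return mac if mac is not None else self._latest(self.leases.get(ip, []), at)

    def user_for_mac(self, mac, at):
        return self._latest(self.mac_user.get(mac.lower(), []), at)

    def user_for_ip(self, ip, at):
        """The identity behind an IP seen at time `at`, or None if no binding is known."""
        mac = self.mac_for_ip(ip, at)
        return self.user_for_mac(mac, at) if mac else None

    def unleased_addresses(self):
        """ARP (ip, mac) pairs that the DHCP lease history does not explain,
        i.e. a client that set an address manually. Returns (ts, ip, mac, user)."""
        findings = []
        for ip, obs in self.arp_seen.items():
            for ts, mac in sorted(obs):
                if self._latest(self.leases.get(ip, []), ts) != mac:
                    findings.append((ts, ip, mac, self.user_for_mac(mac, ts)))
        return findings


def build_table(radius_text=RADIUS_LOG, dhcp_text=DHCP_LOG, arp_text=ARP_LOG):
    table = BindingTable()
    for text in (radius_text, dhcp_text, arp_text):
        table.ingest(parse_log(text))
    return table


if __name__ == "__main__":
    t = build_table()
    print(t.user_for_ip("10.0.0.10", 1025))   # alice@example.edu
    print(t.user_for_ip("10.0.0.99", 1045))   # bob@example.org, via ARP only
    print(t.unleased_addresses())             # the 10.0.0.99 manual change
```

Two points follow from running it. With the ARP feed present, the address 10.0.0.99 that bob's MAC took without a lease is still attributable, which is the ARP-sniffing approach; drop the ARP feed (`build_table(arp_text="")`) and `user_for_ip("10.0.0.99", 1045)` returns None, which is exactly the blind spot of DHCP logging alone. Because every binding is keyed on the address string and time-stamped, the same table handles a host holding several IPv6 addresses at once: each address resolves independently to the MAC that was authenticated.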
