Hi guys,

> Another approach that I have been considering would be to implement
> DHCP-snooping on APs or Controllers!
> Cisco already does that for switches.
> (but enabling it on an AP switch-port would break connectivity for all
> users on that AP! This functionality needs to be moved to the AP. Moving
> it to the router leaves the entire layer2 domain unprotected)
>
> A host can generate traffic through an AP only if a DHCP lease has been
> detected for that hardware address.
> Logging will still be the principal tool for correlation. DHCP-snooping
> would alleviate the need for firewall locks. No manual IP addressing
> would be permitted.
What you and the others in the thread say is a good way to do this currently (and maybe one or another vendor will take it further?). I just consider the necessity to apply vendor-specific (or bash/iptables-script) "hacks" a conceptual shortcoming. If we'd ever get the chance to get a *proper*, standardised way of doing it, the job of 802.1X administration would get a lot easier.

NB: how do the DHCP snooping methods perform with IPv6? There is not necessarily a stateful DHCPv6 address lease to observe...

I don't think this problem can really be stamped "solved". "Worked-around", maybe.

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Research & Development Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
Fax: +352 422473
http://www.restena.lu
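As an added illustration of the AP-side DHCP-snooping gate described in the quoted proposal, and of the IPv6 caveat raised in the reply, here is a small model (this is example code, not from the thread, the IETF list, or any vendor implementation). It assumes the AP sees DHCP server replies on its trusted uplink, records a MAC-to-address binding per lease, and forwards a client frame only when the source MAC holds a lease that includes the frame's source address; every decision is logged so the log remains the correlation tool. The MAC and IP values are constructed from documentation ranges, and the SLAAC host is a hypothetical client that never requests a DHCPv6 lease.

```python
"""Toy model of DHCP-snooping enforcement at an access point.

Constructed example, not code from the thread or any vendor product.
Bindings come only from lease events seen on the trusted uplink;
client data frames are admitted only against those bindings.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class LeaseEvent:
    """A DHCPACK (v4) or DHCPv6 REPLY observed from the trusted port."""
    client_mac: str
    leased_ip: str


@dataclass
class Frame:
    """A client data frame arriving on the untrusted (wireless) side."""
    src_mac: str
    src_ip: str  # IPv4 or IPv6 literal


@dataclass
class SnoopingAP:
    bindings: dict = field(default_factory=dict)  # mac -> set of leased addresses
    log: list = field(default_factory=list)       # correlation log, one entry per event

    def observe_lease(self, ev: LeaseEvent) -> None:
        """Record a binding when the DHCP server hands out a lease."""
        mac = ev.client_mac.lower()
        self.bindings.setdefault(mac, set()).add(ip_address(ev.leased_ip))
        self.log.append(f"lease {mac} -> {ev.leased_ip}")

    def admit(self, frame: Frame) -> bool:
        """Return True if the frame may be forwarded; log every decision."""
        mac = frame.src_mac.lower()
        ip = ip_address(frame.src_ip)
        leased = self.bindings.get(mac)
        if not leased:
            self.log.append(f"drop {mac} {ip}: no DHCP lease for this MAC")
            return False
        if ip not in leased:
            self.log.append(f"drop {mac} {ip}: address not leased to this MAC")
            return False
        self.log.append(f"forward {mac} {ip}")
        return True


def run_scenario() -> dict:
    """Exercise the gate with constructed clients (192.0.2.0/24, 2001:db8::/32)."""
    ap = SnoopingAP()
    ap.observe_lease(LeaseEvent("aa:bb:cc:00:00:01", "192.0.2.10"))
    # A host that does use stateful DHCPv6 gets a binding like any other.
    ap.observe_lease(LeaseEvent("aa:bb:cc:00:00:04", "2001:db8::1234"))
    return {
        # leased MAC with its leased IPv4 address: forwarded
        "v4_leased": ap.admit(Frame("aa:bb:cc:00:00:01", "192.0.2.10")),
        # same MAC with a manually configured address: dropped
        "v4_manual_ip": ap.admit(Frame("aa:bb:cc:00:00:01", "192.0.2.99")),
        # MAC that never obtained a lease: dropped
        "v4_unknown_mac": ap.admit(Frame("aa:bb:cc:00:00:02", "192.0.2.11")),
        # hypothetical SLAAC host: address built from the RA prefix, so there
        # is no DHCPv6 lease to observe and the gate has nothing to bind to
        "v6_slaac": ap.admit(Frame("aa:bb:cc:00:00:03", "2001:db8::a8bb:ccff:fe00:3")),
        # stateful DHCPv6 client with its leased address: forwarded
        "v6_dhcpv6": ap.admit(Frame("aa:bb:cc:00:00:04", "2001:db8::1234")),
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {'forward' if ok else 'drop'}")
```

The `v6_slaac` case is the point of the NB above: a lease-derived binding table cannot admit a host that never took a lease, so an operator either blocks legitimate SLAAC clients outright or leaves IPv6 traffic outside the check. Some other observable event (rather than a DHCP lease) would be needed to build an equivalent binding for those hosts.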
_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
