Well, anything that we will come up with is a "hack" to the fact that
hardware addresses should be unique and stay unique (to the average person!)
So, where do we start the long term planning?

It seems that layer 3 should be used for path determination, and layer 2 for
identification. But I may be outdated! By fixing layer 2 (is it possible
considering the amount of cards out there?) we wouldn't have to worry about
IPv4, v6, v...

Now, once the IP spoofer is detected... how do you disconnect it? We disable
the account and filter the MAC to force a re-auth that will fail. Can we add
"disconnect" to the wish list (or have I missed a chapter in new 802.1X
developments)?

Best,
Philippe

----------------------------------
Philippe Hanset
University of Tennessee, Knoxville
Office of Information Technology
Network Services
108 James D Hoskins Library
1400 Cumberland Ave
Knoxville, TN 37996
Tel: 1-865-9746555
----------------------------------

On Fri, 7 Mar 2008, Stefan Winter wrote:

> Hi guys,
>
> > Another approach that I have been considering would be to implement
> > DHCP-snooping on APs or Controllers!
> > Cisco already does that for switches.
> > (but enabling it on an AP switch-port would break connectivity for all
> > users on that AP! This functionality needs to be moved to the AP. Moving
> > it to the router leaves the entire layer 2 domain unprotected)
> >
> > A host can generate traffic through an AP only if a DHCP lease has been
> > detected for that hardware address.
> > Logging will still be the principal tool for correlation. DHCP-snooping
> > would alleviate the need for firewall locks. No manual IP addressing
> > would be permitted.
>
> What you and the others in the thread say is a good way to do this currently
> (and maybe one or another vendor will take it further?).
>
> I just consider the necessity to apply vendor-specific (or
> bash/iptables-script) "hacks" a conceptual shortcoming. If we'd ever get the
> chance to get a *proper*, standardised way of doing it, the job of 802.1X
> administration would get a lot easier.
>
> NB: how do the DHCP snooping methods perform with IPv6? There is not
> necessarily a stateful DHCPv6 address lease to observe...
>
> I don't think this problem can really be stamped "solved". "worked-around",
> maybe.
>
> Stefan
>
> --
> Stefan WINTER
>
> Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche
> Ingenieur Forschung & Entwicklung
>
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> E-Mail: [EMAIL PROTECTED]        Tel.:    +352 424409-1
> http://www.restena.lu            Fax:     +352 422473
>
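The policy described in the quoted message ("a host can generate traffic only if a DHCP lease has been detected for that hardware address", no manual addressing, logging for correlation) together with the "filter the MAC" reaction Philippe describes can be modelled as a small binding table. The following is an added illustration written for this page, not code from any AP, controller or vendor product; the `SnoopingTable` class, its event format and every MAC/IP/timestamp below are constructed. It learns bindings only from DHCPACKs seen on a trusted (server-facing) port, drops traffic with no lease or an expired lease, and on an IP/MAC mismatch blocks the MAC so that, as in Philippe's setup, the host must re-authenticate. It covers DHCPv4 leases only; a SLAAC IPv6 host would have no binding and would be dropped under this policy, which is exactly the gap Stefan raises.

```python
"""Added example: DHCP-snooping binding table with lease-based forwarding
checks.  Constructed for illustration; not code from any real product."""

from dataclasses import dataclass


@dataclass
class Binding:
    """One lease learned from a DHCPACK seen on a trusted (server-facing) port."""
    mac: str
    ip: str
    expires_at: int  # epoch seconds


class SnoopingTable:
    def __init__(self) -> None:
        self.bindings: dict[str, Binding] = {}  # MAC -> current lease
        self.blocked: set[str] = set()          # MACs forced off after spoofing
        self.log: list[str] = []                # correlation trail

    @staticmethod
    def norm(mac: str) -> str:
        """Canonical MAC form so 'AA-BB' and 'aa:bb' match the same binding."""
        return mac.lower().replace("-", ":")

    def observe_dhcp(self, event: dict, now: int) -> None:
        """Update bindings from a DHCP message.  Only ACKs arriving on the
        trusted port create a binding; an ACK from an untrusted port (a rogue
        server) is ignored, so its client never gets a forwarding entry."""
        mac = self.norm(event["mac"])
        if event["type"] == "DHCPACK" and event["trusted_port"]:
            self.bindings[mac] = Binding(mac, event["ip"], now + event["lease"])
            self.log.append(f"{now} lease {mac} -> {event['ip']} for {event['lease']}s")
        elif event["type"] == "DHCPRELEASE":
            self.bindings.pop(mac, None)
            self.log.append(f"{now} release {mac}")

    def check_packet(self, mac: str, ip: str, now: int) -> str:
        """Return a verdict for an IP packet with the given source MAC/IP."""
        mac = self.norm(mac)
        if mac in self.blocked:
            return "drop:blocked"
        b = self.bindings.get(mac)
        if b is None:
            # manual/static addressing: no lease observed, so nothing is forwarded
            self.log.append(f"{now} drop {mac} {ip} no-lease")
            return "drop:no-lease"
        if b.expires_at <= now:
            del self.bindings[mac]
            self.log.append(f"{now} drop {mac} {ip} lease-expired")
            return "drop:lease-expired"
        if b.ip != ip:
            # source IP does not match the lease: treat as spoofing and block the
            # MAC, forcing the host to re-authenticate (the account can then be
            # disabled so that re-auth fails, as described in the thread)
            self.blocked.add(mac)
            self.log.append(f"{now} SPOOF {mac} sent {ip}, lease says {b.ip}; blocked")
            return "drop:ip-spoof"
        return "forward"


# Constructed sample: two legitimate clients, one client served by a rogue
# DHCP server on an untrusted port, one statically addressed host, one spoof.
DHCP_EVENTS = [
    (100, {"type": "DHCPACK", "mac": "AA:BB:CC:00:00:01", "ip": "10.0.0.11", "lease": 600, "trusted_port": True}),
    (101, {"type": "DHCPACK", "mac": "aa:bb:cc:00:00:02", "ip": "10.0.0.12", "lease": 60, "trusted_port": True}),
    (102, {"type": "DHCPACK", "mac": "aa:bb:cc:00:00:03", "ip": "10.0.0.13", "lease": 600, "trusted_port": False}),
]

PACKETS = [
    (110, "aa:bb:cc:00:00:01", "10.0.0.11"),  # matches its lease
    (111, "aa:bb:cc:00:00:03", "10.0.0.13"),  # lease came from an untrusted port
    (112, "aa:bb:cc:00:00:04", "10.0.0.50"),  # manual IP, never leased
    (113, "aa:bb:cc:00:00:01", "10.0.0.12"),  # client 1 using client 2's address
    (114, "aa:bb:cc:00:00:01", "10.0.0.11"),  # still blocked, even with its own IP
    (200, "aa:bb:cc:00:00:02", "10.0.0.12"),  # 60 s lease expired at t=161
]


def run_demo() -> list[str]:
    """Feed the constructed events through the table and return the verdicts."""
    table = SnoopingTable()
    for ts, event in DHCP_EVENTS:
        table.observe_dhcp(event, ts)
    return [table.check_packet(mac, ip, ts) for ts, mac, ip in PACKETS]


if __name__ == "__main__":
    for (ts, mac, ip), verdict in zip(PACKETS, run_demo()):
        print(f"{ts} {mac} {ip} -> {verdict}")
```

The log list is the piece the thread says remains essential: the binding table gives a per-packet decision, but the lease and spoof entries are what an operator correlates later. In a real deployment the trusted-port distinction matters as much as the lease check, since without it any host could hand out a lease that "authorises" its own address.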
_______________________________________________ Int-area mailing list [email protected] https://www.ietf.org/mailman/listinfo/int-area
