Stefan,

Another approach that I have been considering would be to implement DHCP snooping on APs or controllers. Cisco already does that for switches (but enabling it on an AP switch port would break connectivity for all users on that AP; this functionality needs to be moved to the AP. Moving it to the router leaves the entire layer 2 domain unprotected).
A host can generate traffic through an AP only if a DHCP lease has been detected for that hardware address. Logging will still be the principal tool for correlation. DHCP snooping would alleviate the need for firewall locks. No manual IP addressing would be permitted.

Philippe
Univ. of Tennessee

> * DHCP logging: the IP addresses which are handed out can be logged and
> correlated to a layer 2 address. This works on every decent DHCP server.
> Drawback: users can change IP addresses manually later, which is not
> detectable with this method.
>
> * DHCP logging+firewall locks: some participants in eduroam go to great
> lengths: they issue IP addresses with DHCP *and* lock all currently unleased
> IP addresses so that a change of IP address by a malicious user will either
> be caught by the firewall or lead to a clash and thereby disturb connectivity
> for him. Drawback: the approach is quite sophisticated and depends on a
> seamless interaction between DHCP and firewall equipment.
>
> Mobile IP, and the fact that with IPv6, it is normal for a device to have
> multiple IP addresses, add another few facets to the mix.
>
> I'm looking forward to have a chat about that!
>
> Greetings,
>
> Stefan Winter
>
> --
> Stefan WINTER
>
> Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche
> Ingenieur Forschung & Entwicklung
>
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> E-Mail: [EMAIL PROTECTED]        Tel.:    +352 424409-1
> http://www.restena.lu                Fax:     +352 422473
_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
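The mechanism Philippe proposes (an AP forwards a client's IP traffic only while a DHCP lease exists for that hardware address) and the drawback Stefan raises (a user who switches to a manually configured address after obtaining a lease) can be modelled in a few dozen lines. The following is an added illustration, not code from either poster nor from any vendor's DHCP-snooping implementation: a per-AP binding table learned from DHCP server acknowledgements, a forwarding check against it, and a correlation log. The lease events, MAC addresses, IPs and the integer clock are constructed sample values; the class and function names are my own.

```python
"""Toy model of per-AP DHCP snooping: learn MAC<->IP bindings from DHCPACKs
and forward client IP traffic only when the (MAC, IP) pair matches a live
binding. Added example with constructed data; not a vendor implementation."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Binding:
    mac: str
    ip: str
    expires_at: int  # constructed toy clock, in seconds


@dataclass
class LeaseEvent:
    ts: int
    kind: str  # "ACK" (lease granted or renewed) or "RELEASE"
    mac: str
    ip: str
    lease_secs: int = 0


class DhcpSnoopingTable:
    """Binding table an AP would keep by watching DHCP server replies."""

    def __init__(self) -> None:
        self.by_mac: Dict[str, Binding] = {}
        self.log: List[str] = []  # correlation log: who held which IP when

    def observe(self, ev: LeaseEvent) -> None:
        """Update bindings from a DHCP server reply seen on the AP."""
        if ev.kind == "ACK":
            expires = ev.ts + ev.lease_secs
            self.by_mac[ev.mac] = Binding(ev.mac, ev.ip, expires)
            self.log.append(f"{ev.ts} LEASE {ev.mac} {ev.ip} until={expires}")
        elif ev.kind == "RELEASE":
            if self.by_mac.pop(ev.mac, None) is not None:
                self.log.append(f"{ev.ts} RELEASE {ev.mac} {ev.ip}")

    def check_frame(self, ts: int, src_mac: str, src_ip: str,
                    is_dhcp_client: bool = False) -> Tuple[bool, str]:
        """Decide whether the AP forwards an IP frame from a client.

        DHCP client messages (DISCOVER/REQUEST) are always forwarded: a host
        must be able to ask for a lease before it holds one. Everything else
        must match a live binding for the sending hardware address."""
        if is_dhcp_client:
            return True, "dhcp"
        b = self.by_mac.get(src_mac)
        if b is None:  # static/manual address, never leased
            self.log.append(f"{ts} DROP no-lease {src_mac} {src_ip}")
            return False, "no-lease"
        if ts >= b.expires_at:  # lease ran out and was not renewed
            del self.by_mac[src_mac]
            self.log.append(f"{ts} DROP expired {src_mac} {src_ip}")
            return False, "expired"
        if src_ip != b.ip:  # leased, then changed the address by hand
            self.log.append(
                f"{ts} DROP ip-mismatch {src_mac} used={src_ip} leased={b.ip}")
            return False, "ip-mismatch"
        return True, "ok"


def demo() -> List[Tuple[bool, str]]:
    """Constructed scenario: one leased client, one manual-IP client, one expiry."""
    table = DhcpSnoopingTable()
    table.observe(LeaseEvent(1000, "ACK", "aa:bb:cc:00:00:01", "10.0.0.10", 3600))
    return [
        table.check_frame(1010, "aa:bb:cc:00:00:01", "10.0.0.10"),  # matches lease
        table.check_frame(1020, "aa:bb:cc:00:00:01", "10.0.0.99"),  # user changed IP by hand
        table.check_frame(1030, "aa:bb:cc:00:00:02", "10.0.0.50"),  # static IP, never leased
        table.check_frame(1040, "aa:bb:cc:00:00:02", "0.0.0.0",
                          is_dhcp_client=True),                    # DISCOVER must pass
        table.check_frame(5000, "aa:bb:cc:00:00:01", "10.0.0.10"),  # lease expired at 4600
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("FORWARD" if allowed else "DROP   ", reason)
```

Two points the model makes visible: the check has to be done at the AP (the point of attachment), because a binding table on the router or on the upstream switch port cannot tell two wireless clients behind the same AP apart; and the `ip-mismatch` and `no-lease` drops are exactly the cases that plain DHCP logging cannot detect, while the log entries they produce keep the MAC-to-IP correlation that logging was being used for in the first place.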
