This issue is an artefact of the lack of a binding between the link and network addresses and the authenticated EAP Identity.
The obvious place to establish the binding is at the access device, particularly given the possibilities offered by access devices supporting 802.1ae & af. The various vendor-specific DHCP-snooping stuff is a good start, some standardisation here would be useful though.

josh.

> -----Original Message-----
> From: Philippe Hanset [mailto:[EMAIL PROTECTED]
> Sent: 07 March 2008 13:33
> To: Stefan Winter
> Cc: GN2-JRA5; Alexandru Petrescu; [EMAIL PROTECTED]; [email protected]
> Subject: Re: [mobility] Re: Discussion about Federated Roaming
>
> Stefan,
>
> Another approach that I have been considering would be to
> implement DHCP-snooping on APs or Controllers!
> Cisco already does that for switches.
> (but enabling it on an AP switch-port would break
> connectivity for all users on that AP! This functionality
> needs to be moved to the AP. Moving it to the router leaves
> the entire layer2 domain unprotected)
>
> A host can generate traffic through an AP only if a DHCP
> lease has been detected for that hardware address.
> Logging will still be the principal tool for correlation.
> DHCP-snooping would alleviate the need for firewall locks. No
> manual IP addressing would be permitted.
>
> Philippe
> Univ. of Tennessee
>
> > * DHCP logging: the IP addresses which are handed out can be logged
> > and correlated to a layer 2 address. This works on every decent DHCP server.
> > Drawback: users can change IP addresses manually later, which is not
> > detectable with this method.
> >
> > * DHCP logging+firewall locks: some participants in eduroam go to great
> > lengths: they issue IP addresses with DHCP *and* lock all currently
> > unleased IP addresses so that a change of IP address by a malicious
> > user will either be caught by the firewall or lead to a clash and
> > thereby disturb connectivity for him. Drawback: the approach is quite
> > sophisticated and depends on a seamless interaction between DHCP and
> > firewall equipment.
> >
> > Mobile IP, and the fact that with IPv6, it is normal for a device to
> > have multiple IP addresses, add another few facets to the mix.
> >
> > I'm looking forward to having a chat about that!
> >
> > Greetings,
> >
> > Stefan Winter
> >
> > --
> > Stefan WINTER
> >
> > Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et
> > de la Recherche Ingenieur Forschung & Entwicklung
> >
> > 6, rue Richard Coudenhove-Kalergi
> > L-1359 Luxembourg
> > E-Mail: [EMAIL PROTECTED] Tel.: +352 424409-1
> > http://www.restena.lu Fax: +352 422473
> >

JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG

_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
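Added example, not code from any of the posters nor from eduroam, JANET or RESTENA: a small Python correlation that binds IP address to MAC address to authenticated EAP identity by replaying DHCP server log lines against RADIUS accounting records, then classifies observed (MAC, IP) pairs the way an AP-side DHCP-snooping filter would, so that manually configured addresses (the case Stefan notes DHCP logging alone cannot catch) and IP/MAC mismatches are flagged rather than silently forwarded. The log lines and accounting records are constructed; `User-Name` and `Calling-Station-Id` are standard RADIUS attribute names, and the dhcpd-style log format is assumed.

```python
import re

# Constructed sample DHCP server log lines (ISC dhcpd style, fields reduced to what is used).
DHCP_LOG = """\
Mar  7 13:20:01 dhcp1 dhcpd: DHCPACK on 10.20.0.15 to 00:11:22:33:44:55 via eth1
Mar  7 13:21:10 dhcp1 dhcpd: DHCPACK on 10.20.0.16 to 66:77:88:99:aa:bb via eth1
Mar  7 13:25:42 dhcp1 dhcpd: DHCPRELEASE of 10.20.0.16 from 66:77:88:99:aa:bb via eth1
"""

# Constructed RADIUS accounting records: the EAP identity is keyed by Calling-Station-Id,
# i.e. the client MAC as the access device reported it (RADIUS commonly uses '-' separators).
RADIUS_ACCT = [
    {"User-Name": "alice@example.edu", "Calling-Station-Id": "00-11-22-33-44-55"},
    {"User-Name": "bob@example.org", "Calling-Station-Id": "66-77-88-99-AA-BB"},
]

ACK = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})")
RELEASE = re.compile(r"DHCPRELEASE of (\S+) from ([0-9a-f:]{17})")


def norm_mac(mac):
    """Canonical lower-case, colon-separated MAC so DHCP and RADIUS spellings compare equal."""
    return mac.lower().replace("-", ":")


def lease_table(log):
    """Replay DHCPACK / DHCPRELEASE lines in order into the current ip -> mac lease map."""
    leases = {}
    for line in log.splitlines():
        if m := ACK.search(line):
            leases[m.group(1)] = m.group(2)
        elif m := RELEASE.search(line):
            leases.pop(m.group(1), None)
    return leases


def identity_table(acct):
    """mac -> authenticated EAP identity, from RADIUS accounting."""
    return {norm_mac(r["Calling-Station-Id"]): r["User-Name"] for r in acct}


def classify(frame, leases, identities):
    """Verdict for an observed (src_mac, src_ip) pair plus the identity it maps to.
    'ok': IP is leased to this MAC; 'unleased-ip': no lease for the IP (manual addressing);
    'mac-mismatch': IP is leased to a different MAC; 'unauthenticated': MAC never passed EAP."""
    mac, ip = norm_mac(frame[0]), frame[1]
    ident = identities.get(mac)
    if ident is None:
        return "unauthenticated", None
    owner = leases.get(ip)
    if owner is None:
        return "unleased-ip", ident
    return ("ok" if owner == mac else "mac-mismatch"), ident
```

A snooping AP would drop everything except the `ok` case; a logging-only deployment gets the same table for after-the-fact correlation, but only sees the `unleased-ip` case if it also records observed traffic.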
