Re: [Int-area] [mobility] Re: Discussion about Federated Roaming




Stefan,

Another approach that I have been considering would be to implement
DHCP-snooping on APs or Controllers!
Cisco already does that for switches.
(but enabling it on an AP switch-port would break connectivity for all
users on that AP! This functionality needs to be moved to the AP. Moving
it to the router leaves the entire layer 2 domain unprotected.)

A host can generate traffic through an AP only if a DHCP lease has been
detected for that hardware address.
Logging will still be the principal tool for correlation. DHCP-snooping
would alleviate the need for firewall locks. No manual IP addressing
would be permitted.

Philippe
Univ. of Tennessee

> * DHCP logging: the IP addresses which are handed out can be logged and
> correlated to a layer 2 address. This works on every decent DHCP server.
> Drawback: users can change IP addresses manually later, which is not
> detectable with this method.
>
> * DHCP logging+firewall locks: some participants in eduroam go to great
> lengths: they issue IP addresses with DHCP *and* lock all currently unleased
> IP addresses so that a change of IP address by a malicious user will either
> be caught by the firewall or lead to a clash and thereby disturb connectivity
> for him. Drawback: the approach is quite sophisticated and depends on a
> seamless interaction between DHCP and firewall equipment.
>
> Mobile IP, and the fact that with IPv6, it is normal for a device to have
> multiple IP addresses, add another few facets to the mix.
>
> I'm looking forward to having a chat about that!
>
> Greetings,
>
> Stefan Winter
>
> --
> Stefan WINTER
>
> Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche
> Ingenieur Forschung & Entwicklung
>
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> E-Mail: stefan.winter at restena.lu     Tel.:     +352 424409-1
> http://www.restena.lu                Fax:      +352 422473
>
_______________________________________________
Int-area mailing list
Int-area at ietf.org
https://www.ietf.org/mailman/listinfo/int-area

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
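The lease-gated forwarding Philippe describes above, together with the manual-IP-change problem from Stefan's quoted list, as an added example that is not part of the thread and not anyone's production code: a toy DHCP-snooping binding table in Python. An AP (or controller) learns bindings from DHCPACKs arriving on its trusted uplink and then admits a client frame only when its source MAC and IP match a live lease; client DHCP traffic is always let through so a host can obtain a lease in the first place. The message layout, the trusted/untrusted port flag, the rogue-server and spoofed-RELEASE checks, and every MAC and IP address are constructed for illustration; a real implementation (Cisco's switch feature, for instance) parses actual DHCP packets and does considerably more.

```python
"""Toy DHCP-snooping model for a wireless AP (added example, not code from
the mailing-list thread). Builds a lease binding table from observed DHCP
exchanges and admits client frames only when (MAC, IP) matches a live lease."""
from dataclasses import dataclass
from typing import Optional

DHCP_SERVER_PORT = 67


@dataclass
class DhcpMsg:
    kind: str                   # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE
    client_mac: str             # chaddr field of the DHCP message
    yiaddr: str = "0.0.0.0"     # address handed out (OFFER/ACK only)
    lease_secs: int = 0
    src_mac: str = ""           # Ethernet source; "" means same as chaddr
    trusted_port: bool = False  # arrived on the uplink (server side)?


@dataclass
class Frame:
    src_mac: str
    src_ip: str
    udp_dst: Optional[int] = None
    trusted_port: bool = False


class DhcpSnooper:
    """Binding table keyed by client MAC; `clock` is injectable for tests."""

    def __init__(self, clock):
        self.clock = clock
        self.bindings = {}   # mac -> (ip, expiry timestamp)
        self.log = []        # the correlation log Philippe still wants kept

    def _expire(self) -> None:
        now = self.clock()
        for mac, (ip, exp) in list(self.bindings.items()):
            if exp <= now:
                del self.bindings[mac]
                self.log.append(f"EXPIRE {mac} {ip}")

    def observe_dhcp(self, m: DhcpMsg) -> bool:
        """Inspect a DHCP message; return True if it is forwarded."""
        src = m.src_mac or m.client_mac
        if m.kind in ("OFFER", "ACK", "NAK"):
            # Server replies are only legitimate from the trusted uplink;
            # anything else is a rogue DHCP server on the wireless side.
            if not m.trusted_port:
                self.log.append(f"DROP rogue {m.kind} from {src}")
                return False
            if m.kind == "ACK":
                self.bindings[m.client_mac] = (m.yiaddr, self.clock() + m.lease_secs)
                self.log.append(f"BIND {m.client_mac} {m.yiaddr} lease={m.lease_secs}s")
            elif m.kind == "NAK":
                self.bindings.pop(m.client_mac, None)
            return True
        if m.kind == "RELEASE":
            # A client may only release its own lease: the Ethernet source must
            # match chaddr, otherwise someone is knocking a neighbour offline.
            if src != m.client_mac:
                self.log.append(f"DROP spoofed RELEASE for {m.client_mac} from {src}")
                return False
            if self.bindings.pop(m.client_mac, None):
                self.log.append(f"UNBIND {m.client_mac}")
            return True
        return True  # DISCOVER / REQUEST from clients pass through

    def permit(self, f: Frame) -> bool:
        """Ingress filter for client data traffic on an untrusted (wireless) port."""
        if f.trusted_port:
            return True
        if f.udp_dst == DHCP_SERVER_PORT:
            return True  # clients must reach the server before they hold a lease
        self._expire()
        bound = self.bindings.get(f.src_mac)
        if bound is None or bound[0] != f.src_ip:
            self.log.append(f"DROP {f.src_mac} {f.src_ip}: no matching lease")
            return False
        return True


def run_scenario() -> dict:
    """Constructed sequence: a legitimate client, a manual address change,
    a never-leased static host, a spoofed RELEASE, a rogue server, expiry."""
    clock = {"t": 1000.0}
    snoop = DhcpSnooper(lambda: clock["t"])
    mac_a, mac_b = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"   # constructed
    r = {}
    r["pre_lease_dhcp"] = snoop.permit(Frame(mac_a, "0.0.0.0", udp_dst=67))
    r["pre_lease_web"] = snoop.permit(Frame(mac_a, "10.0.0.5"))
    snoop.observe_dhcp(DhcpMsg("DISCOVER", mac_a))
    snoop.observe_dhcp(DhcpMsg("ACK", mac_a, "10.0.0.5", 300, trusted_port=True))
    r["leased"] = snoop.permit(Frame(mac_a, "10.0.0.5"))
    r["manual_change"] = snoop.permit(Frame(mac_a, "10.0.0.200"))   # hand-set IP
    r["static_host"] = snoop.permit(Frame(mac_b, "10.0.0.77"))      # never ran DHCP
    r["spoofed_release"] = snoop.observe_dhcp(DhcpMsg("RELEASE", mac_a, src_mac=mac_b))
    r["still_leased"] = snoop.permit(Frame(mac_a, "10.0.0.5"))
    r["rogue_ack"] = snoop.observe_dhcp(DhcpMsg("ACK", mac_b, "10.0.0.77", 300))
    r["rogue_host"] = snoop.permit(Frame(mac_b, "10.0.0.77"))
    clock["t"] += 301                                               # lease lapses
    r["after_expiry"] = snoop.permit(Frame(mac_a, "10.0.0.5"))
    r["log"] = list(snoop.log)
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

The two cases Stefan lists as drawbacks of plain DHCP logging, a host switching to a manually chosen address after its lease and a host that never asked for one, both fall out of the same (MAC, IP) lookup, which is why the firewall-lock machinery becomes unnecessary. The cost is the edge case in `permit`: DHCP client traffic has to be admitted before any binding exists, so that path must stay narrow (UDP 67 only here) or it becomes the bypass.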