Problem I see with ipv6

Networking, Wireless Routers (802.11 a/b/g/n/ac/ax WiFi), NAT, LAN configuration, equipment, cabling, hubs, switches, and general network discussion
Syclone_A
Regular Member
Posts: 240
Joined: Mon Nov 19, 2001 5:50 pm
Location: Houston

Post by Syclone_A »

For those of you who don't look down on A+ certification and respect the fact that I just want more interesting threads, have a look and tell me what you think...

Mobile clients roaming between networks must have a way to configure themselves to the new network, and the network must have a way to authenticate and give authorization to the client. IP version 6 and Mobile IP currently have no way to accomplish this. Now having said this, what if.....

1. You configure the client with appropriate addresses (global addresses), and 2. Determine if the mobile client is authorized to the network and thus can obtain the address information.

Here is an idea:
A client, when entering a new network, will be asked to present username and password. The network will contact the client's original network and ask if the client can obtain access to the network. The client will respond and access will be granted or denied.
Syclone_A
Regular Member
Posts: 240
Joined: Mon Nov 19, 2001 5:50 pm
Location: Houston

Post by Syclone_A »

I see people are viewing this but no replies. Don't worry, this is a new technology and I am very interested in hearing different views. I am also not going to bash you just because you have a different opinion (which is more than I can say for other people on here).
eddiec
Regular Member
Posts: 360
Joined: Fri Apr 27, 2001 12:00 am
Location: Still trying

Post by eddiec »

I'll take a walk on the thin ice of your patience. Having a tad more than zip for understanding of IPv6, I wonder how you could access the network without some kind of network ID. I am referring specifically to mobile access. Currently you hit the DNS server through the gateway corresponding to your IP address. So it would seem there would be a need for a starting point in the addressing scheme before internet access could be granted.

(Private to Syclone_A+: You seem to have some decent contributions to make. But as an old guy, please let me recommend you drop the sarcasm. There are quite a few professionals in here, mixed in with some newer people who, just like you, have a desire to learn more. An environment full of insults is not productive. Let's all help one another to grow. Thanks.)
Syclone_A
Regular Member
Posts: 240
Joined: Mon Nov 19, 2001 5:50 pm
Location: Houston

Post by Syclone_A »

So what you mean to say is: how would you access the internet when mobile, which implies that you are not connected to your default gateway, which points you to the DNS server? I am just trying to fully understand before I give a detailed reply.
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

For my setups....DHCP runs on all networks. Pre-Windows 2000 days...a good utility for road warriors and their laptops with Win9X was NetSwitcher. With Windows 2000 and its local caching....well, works great, as long as DHCP is on every network.
MORNING WOOD Lumber Company
Guinness for Strength!!!
eddiec
Regular Member
Posts: 360
Joined: Fri Apr 27, 2001 12:00 am
Location: Still trying

Post by eddiec »

Your honor, I wish to withdraw my previous comment regarding remote access. After staring at it in disbelief, I have to blame cerebral flatulence. (brain fart)
Syclone_A
Regular Member
Posts: 240
Joined: Mon Nov 19, 2001 5:50 pm
Location: Houston

Post by Syclone_A »

Ha ha, I thought I was just too shallow to understand your question! Don't worry, we all have our moments, especially when we are low on sleep!
Put your hand on a hot stove for a minute, and it seems like an hour. Sit with a pretty girl for an hour, and it seems like a minute. THAT'S relativity.
PhyberOptix
Regular Member
Posts: 158
Joined: Wed Jul 11, 2001 1:39 pm
Location: Dallas

Post by PhyberOptix »

Hey Syclone
I'll respond to your original post...

The problem you bring up has nothing to do with IPv6. Recall that IP is a network layer protocol (L3) that doesn't have the slightest concern for security - by design. This design wasn't something overlooked, but rather is left to higher layer protocols. In this instance, you are referring to dynamic IP address assignment, so the burden of providing security would be placed on the DHCP server - not on the protocol it is servicing.
Syclone_A
Regular Member
Posts: 240
Joined: Mon Nov 19, 2001 5:50 pm
Location: Houston

Post by Syclone_A »

So you're saying that this burden would fall solely on the layer 3 device or network layer device, namely a router, and the protocol wouldn't have to bother with it? hmmmm...........sounds logical, but I thought that IPv6 addressed known security issues below the application layer in this manner. The IP Authentication Header is an extension header which provides authentication and integrity to IP datagrams. While the extension supports many different authentication techniques, the use of keyed MD5 is proposed to help ensure interoperability within the worldwide Internet. This can be used to eliminate a significant class of network attacks, including host masquerading attacks. The use of the IP Authentication Header is particularly important when source routing is used with IP because of the known risks in IP source routing. Its placement at the internet layer can help provide host origin authentication to those upper layer protocols and services that currently lack meaningful protections. Note that the internet layer is a layer in the DoD model which corresponds to the network layer of the OSI reference model. I see your point in a way, but explain this to me before I go back on what I previously stated.
Put your hand on a hot stove for a minute, and it seems like an hour. Sit with a pretty girl for an hour, and it seems like a minute. THAT'S relativity.
PhyberOptix
Regular Member
Posts: 158
Joined: Wed Jul 11, 2001 1:39 pm
Location: Dallas

Post by PhyberOptix »

"So you're saying that this burden would fall solely on the layer 3 device or network layer device, namely a router, and the protocol wouldn't have to bother with it?"

Nope. If you are wanting to authenticate IP address assignment, that burden would fall on the device handing out IPs - namely the DHCP server (L7, not L3). You wouldn't expect IP to handle the security requirements of NT login, Novell, or Unix...Why would you want it to handle the security requirements of DHCP?

"but I thought that IPv6 addressed known security issues below the application layer in this manner. The IP Authentication Header is an extension header which provides authentication and integrity to IP datagrams. While the extension supports many different authentication techniques, the use of keyed MD5 ....."

L3 authentication is used to provide security to L3 processes, which is mainly routing updates. OSPF, BGP, RIPv2, and EIGRP all support plain text and MD5 (IS-IS supports plain text only). This is used to validate routing sources to protect against bogus routes being leaked into a network.


"Note that the internet layer is a layer in the DoD model which corresponds to the network layer of the OSI reference model."

Yes, the internet layer of the DoD model (which is never used outside of cert classes, but I had to learn it too) does correspond to the network layer of OSI, but that doesn't change the responsibility. L3 is responsible for routing packets through an internetwork, not for providing security measures to the application layer.


One more thing...No offense intended, but you really should put things you read into your own words.
Syclone_A
Regular Member
Posts: 240
Joined: Mon Nov 19, 2001 5:50 pm
Location: Houston

Post by Syclone_A »

Ahhh, this is a little clearer to me now. I am glad someone on here besides me is into this newer technology and can conversate with me on it. Some of it is still a little unclear, but with more reading I should have it down. Thanks for the replies and explanation, and yes, I usually do put things into my own words, but when I read online or a book and quote the source I don't like to paraphrase, to avoid mis-quoting or taking things out of context, etc., etc.
Put your hand on a hot stove for a minute, and it seems like an hour. Sit with a pretty girl for an hour, and it seems like a minute. THAT'S relativity.
PhyberOptix
Regular Member
Posts: 158
Joined: Wed Jul 11, 2001 1:39 pm
Location: Dallas

Post by PhyberOptix »

"I am glad someone on here besides me is into this newer technology and can conversate with me on it"

Actually, I've read very little on v6. I'm a CCNP and studying for CCIE lab so I spend quite a bit of time reading....

I probably won't get in depth into v6 for a while. My current plans are CCIE, then security (PIX, Checkpoint), followed by VoIP. The latter two are getting more and more in demand all the time and there is a serious lack of qualified people - you may want to consider investing some reading time on these topics.

Later
Phantom-Vortex
Advanced Member
Posts: 552
Joined: Mon Apr 16, 2001 12:00 am
Location: Where im at

Post by Phantom-Vortex »

I like broccoli and carrots...........
The world's shortest book...... "Things I can't buy" by Bill Gates.
PhyberOptix
Regular Member
Posts: 158
Joined: Wed Jul 11, 2001 1:39 pm
Location: Dallas

Post by PhyberOptix »

Phantom???? You ok?
Syclone_A
Regular Member
Posts: 240
Joined: Mon Nov 19, 2001 5:50 pm
Location: Houston

Post by Syclone_A »

Phantom is just screwing around; I personally think it is a nice day today. Anyway, I am studying for Network+, which I take the test for in a couple of weeks. Then I guess it's on to MCSE, but I already have the books for CCNA and CCNP and have started reading the CCNA one. It's got some good stuff in it, but I will be honest and say some of the stuff I don't fully understand yet. I take two more networking classes next semester; maybe that will help some.
Put your hand on a hot stove for a minute, and it seems like an hour. Sit with a pretty girl for an hour, and it seems like a minute. THAT'S relativity.
PhyberOptix
Regular Member
Posts: 158
Joined: Wed Jul 11, 2001 1:39 pm
Location: Dallas

Post by PhyberOptix »

Quick update....RFC 3118 has been approved. This defines DHCP authentication through an exchange of encrypted passwords between configured hosts and DHCP servers. This allows a DHCP server to authenticate users and users to authenticate the server.

Here's a link....
http://www.faqs.org/rfcs/rfc3118.html
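An added example (not from anyone in this thread) showing the mechanism behind both the IP Authentication Header post above and the RFC 3118 post: a keyed MAC computed over the message with the MAC field zeroed, plus a replay counter. It models RFC 3118 delayed authentication (option 90, HMAC-MD5, monotonic counter); the DHCP message bytes and shared secret are constructed, and the option is assumed to be the last one in the message.

```python
import hmac
import hashlib
import struct

# Constructed shared secrets keyed by RFC 3118 "secret ID"; in practice these
# are provisioned out of band between the client and the DHCP server.
SECRETS = {1: b"constructed-shared-secret"}

OPT_AUTH = 90   # DHCP option code for the authentication option
OPT_LEN = 31    # protocol(1)+algorithm(1)+RDM(1)+replay(8)+secret ID(4)+HMAC-MD5(16)

def auth_option(secret_id, counter, mac=b"\x00" * 16):
    """Delayed authentication: protocol=1, algorithm=1 (HMAC-MD5), RDM=0 (counter)."""
    body = struct.pack("!BBBQI", 1, 1, 0, counter, secret_id) + mac
    return bytes([OPT_AUTH, OPT_LEN]) + body

def sign(message, secret_id, counter):
    """Append the authentication option; the HMAC covers the whole message with
    the 16-byte MAC field zeroed (giaddr/hops are assumed already zero here)."""
    zeroed = message + auth_option(secret_id, counter)
    mac = hmac.new(SECRETS[secret_id], zeroed, hashlib.md5).digest()
    return message + auth_option(secret_id, counter, mac)

def verify(message, last_counter):
    """Return (ok, reason). Rejects unknown secrets, bad MACs and replays."""
    start = len(message) - (OPT_LEN + 2)
    if start < 0 or message[start] != OPT_AUTH or message[start + 1] != OPT_LEN:
        return False, "no authentication option"
    proto, alg, rdm, counter, secret_id = struct.unpack(
        "!BBBQI", message[start + 2:start + 17])
    if (proto, alg, rdm) != (1, 1, 0):
        return False, "unsupported authentication parameters"
    key = SECRETS.get(secret_id)
    if key is None:
        return False, "unknown secret ID"
    expected = hmac.new(key, message[:start + 17] + b"\x00" * 16, hashlib.md5).digest()
    if not hmac.compare_digest(expected, message[start + 17:]):
        return False, "bad HMAC"   # forged or modified message
    if counter <= last_counter:
        return False, "replay"     # the RDM counter must strictly increase
    return True, "ok"

# Constructed stand-in for a DHCPREQUEST: op/htype/hlen/hops, xid, padding, client MAC
DHCP_MSG = (bytes.fromhex("01010600") + b"\xde\xad\xbe\xef"
            + b"\x00" * 8 + bytes.fromhex("0011223344556677"))

if __name__ == "__main__":
    signed = sign(DHCP_MSG, 1, 42)
    print(verify(signed, 41))          # (True, 'ok')
    print(verify(signed, 42))          # replay of an already-seen counter
    forged = bytearray(signed)
    forged[4] ^= 0x01                  # flip a bit in the xid
    print(verify(bytes(forged), 41))   # bad HMAC
```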