Re: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Internet Architecture
Behcet Sarikaya <behcetsarikaya@yahoo.com> Fri, 20 March 2009 15:34 UTC
Date: Fri, 20 Mar 2009 08:35:11 -0700
From: Behcet Sarikaya <behcetsarikaya@yahoo.com>
To: Alfred Hönes <ah@tr-sys.de>, gwz@net-zen.net
Cc: dhcwg@ietf.org
Here is an excerpt from Section 2.5:

    Having an Internet (or higher) layer protocol authenticate clients
    is appropriate to prevent resource exhaustion of a scarce resource
    on the server (such as IP addresses or prefixes),

I did not mean DHCP message authentication; yes, the draft talks about that too. I meant authenticating clients.

Hope this clarifies. I think the IAB draft should have used this kind of terminology to make things clearer.

Regards,

Behcet

________________________________
From: Alfred Hönes <ah@tr-sys.de>
To: sarikaya@ieee.org; gwz@net-zen.net
Cc: dhcwg@ietf.org
Sent: Thursday, March 19, 2009 6:34:28 PM
Subject: Re: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Internet Architecture

At 19 Mar 2009 14:25:17 -0700 (PDT) Behcet Sarikaya wrote:

> The IAB draft draft-iab-ip-config-11 does take a position in this
> debate and it recommends 802.1X for controlling access to a link.

Yes, it takes a position, but that happens in application of the "separation principle" there: perform link access authentication / authorization at Layer 2, and perform IP host configuration via DHCP.

> The draft does not say that DHCP should not be used for
> authentication.
> In fact it does mention DHCP authentication in several places.
>
> Regards,
>
> Behcet

Attention!

Regarding "DHCP Authentication", draft-iab-ip-config-11 refers to RFC 3118, the main objective of which is /message/ authentication (a.k.a. message integrity protection) and protection of the client against spoofed/rogue DHCP servers, and these also are the main goals of the built-in DHCPv6 security.

(... And note that draft-iab-ip-config-11 observes:

    However, DHCP authentication is not widely implemented for either
    DHCPv4 or DHCPv6.
)

However, draft-pruss-dhcp-auth-dsl attempts to address a very different problem -- from its Abstract:

    This document defines DHCP extensions that provide for
    end-user authentication ...
    ^^^^^^^^^^^^^^^^^^^^^^^

Actually, the goal is service /authorization/ through an AAA infrastructure 'behind' the NAS.

At first glance, it looks like the vastly extensible framework defined in RFC 3119 could be leveraged for this aim, in a much less intrusive manner to the DHCP protocol than draft-pruss-dhcp-auth-dsl does. But please keep in mind that doing so would still not address the basic IP architectural issues, IP subnet (broadcast domain) model, delineation between layer 2 functions and IP routing, etc.

Another note on the problem space:

In DSL deployments, the 'first mile' (i.e. wired telephone network) should make authentication of the subscriber trivial for the DSLAM -- the telephony service over the same line doesn't use end-user authentication either! So the problem here is one of the split-provider model typically enforced by regulation: provisioning the ISP of the subscriber at the "(Physical) Access Provider" components within the access network, and carrying the identity information of the subscriber over to his ISP.

Glen Zorn wrote:

> You're preaching to the wrong choir, Alfred: tell the xDSL SPs,
> but be warned: I've already tried...

I do not intend to undertake that effort alone!

In line with Jari Arkko's posting today, I would like to encourage the whole DHCP community in the IETF, and perhaps other parties in the INT Area as well, to evaluate the proposal with respect to fundamental architectural questions (and not immediately at the technical detail level), and then provide much more heavy-weight and sound 'preaches' to the originating SDO.

Kind regards,
Alfred.

--
+------------------------+--------------------------------------------+
| TR-Sys Alfred Hoenes   | Alfred Hoenes   Dipl.-Math., Dipl.-Phys.   |
| Gerlinger Strasse 12   | Phone: (+49)7156/9635-0, Fax: -18          |
| D-71254 Ditzingen      | E-Mail:  ah@TR-Sys.de                      |
+------------------------+--------------------------------------------+
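The distinction Alfred draws above (RFC 3118 authenticates DHCP *messages* under a shared secret, which protects a client from a rogue server but says nothing about who the end user is) is easiest to see in the mechanism itself. The Python below is an added example written for this page; it is not code from the thread, from draft-pruss-dhcp-auth-dsl, or from any RFC implementation. It builds a constructed DHCPOFFER, appends the RFC 3118 Authentication option (code 90) in "delayed authentication" mode with HMAC-MD5, and verifies it on the client side. The shared key, secret ID, transaction ID, addresses and replay counter values are made up for the example.

```python
"""RFC 3118 delayed authentication (HMAC-MD5) over a constructed DHCPv4 message.

Added example, not from the thread or any RFC implementation. Shows that the
option binds a message to a pre-shared key: a rogue server's offer and a
modified offer both fail, a replayed counter fails, while a relay rewriting
giaddr/hops (which RFC 3118 excludes from the MAC) still verifies.
"""
import hashlib
import hmac
import struct

OPTION_AUTH = 90       # DHCP Authentication option code (RFC 3118)
PROTO_DELAYED = 1      # protocol: delayed authentication
ALG_HMAC_MD5 = 1       # algorithm: HMAC-MD5
RDM_COUNTER = 0        # replay detection method: monotonically increasing counter
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Constructed key table: 32-bit secret ID -> shared key (values are made up).
SECRETS = {0x00000001: b"example-shared-key-0001"}


def build_dhcp_header(op, xid, yiaddr, chaddr, giaddr=b"\0" * 4, hops=0):
    """Fixed 236-byte DHCPv4 header (RFC 2131 layout) plus the magic cookie."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      op, 1, 6, hops, xid, 0, 0,
                      b"\0" * 4, yiaddr, b"\0" * 4, giaddr,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE


def auth_option(replay, secret_id, mac=b"\0" * 16):
    """Option 90: proto, alg, RDM, 8-byte replay value, 4-byte secret ID, 16-byte MAC."""
    body = struct.pack("!BBBQI", PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER,
                       replay, secret_id) + mac
    return bytes([OPTION_AUTH, len(body)]) + body      # len(body) == 31


def find_auth_option(msg):
    """Walk the option area (after the 240-byte header+cookie); return offset of option 90."""
    i = 240
    while i < len(msg):
        code = msg[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            return None
        if code == OPTION_AUTH:
            return i
        i += 2 + msg[i + 1]
    return None


def mac_input(msg, off):
    """Bytes fed to HMAC: 'hops' and 'giaddr' zeroed (relays change them), MAC field zeroed."""
    m = bytearray(msg)
    m[3] = 0                           # hops
    m[24:28] = b"\0" * 4               # giaddr
    m[off + 17:off + 33] = b"\0" * 16  # MAC sits after code,len + 15 bytes of fields
    return bytes(m)


def sign(msg, key):
    """Fill in the HMAC-MD5 of the message under the shared key."""
    off = find_auth_option(msg)
    mac = hmac.new(key, mac_input(msg, off), hashlib.md5).digest()
    m = bytearray(msg)
    m[off + 17:off + 33] = mac
    return bytes(m)


def verify(msg, secrets, last_replay):
    """Client-side check: option present, supported fields, known key, fresh counter, MAC."""
    off = find_auth_option(msg)
    if off is None:
        return False, "no authentication option"
    proto, alg, rdm, replay, secret_id = struct.unpack_from("!BBBQI", msg, off + 2)
    if (proto, alg, rdm) != (PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER):
        return False, "unsupported protocol/algorithm/RDM"
    key = secrets.get(secret_id)
    if key is None:
        return False, "unknown secret ID"
    if replay <= last_replay:
        return False, "replayed or stale counter"
    expected = hmac.new(key, mac_input(msg, off), hashlib.md5).digest()
    if not hmac.compare_digest(expected, msg[off + 17:off + 33]):
        return False, "bad MAC"
    return True, "ok"


def build_offer(yiaddr, replay, secret_id):
    """Constructed DHCPOFFER (op=2, option 53=2) carrying an unsigned option 90."""
    hdr = build_dhcp_header(op=2, xid=0x3903F326, yiaddr=yiaddr,
                            chaddr=bytes.fromhex("001122334455"))
    return hdr + bytes([53, 1, 2]) + auth_option(replay, secret_id) + b"\xff"


def demo():
    """Run the scenarios a client cares about; returns {scenario: (ok, reason)}."""
    key = SECRETS[1]
    genuine = sign(build_offer(b"\xc0\xa8\x01\x0a", 100, 1), key)
    forged = sign(build_offer(b"\xc0\xa8\x01\x0a", 101, 1), b"rogue-server-guess")
    tampered = bytearray(genuine)
    tampered[16:20] = b"\x0a\x00\x00\x01"       # yiaddr rewritten in flight
    relayed = bytearray(genuine)
    relayed[3] = 1                               # hops incremented by a relay
    relayed[24:28] = b"\xc0\xa8\x01\x01"         # giaddr set by a relay
    return {
        "genuine": verify(genuine, SECRETS, last_replay=99),
        "forged": verify(forged, SECRETS, last_replay=99),
        "tampered": verify(bytes(tampered), SECRETS, last_replay=99),
        "replayed": verify(genuine, SECRETS, last_replay=100),
        "via_relay": verify(bytes(relayed), SECRETS, last_replay=99),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} {result}")
```

What the client learns from a passing check is only that the sender holds the key behind secret ID 1 and that the counter is fresh; nothing in the option names a subscriber, and nothing is consulted "behind" the server. That is the gap between RFC 3118 message authentication and the end-user authorization through an AAA infrastructure that Alfred says draft-pruss-dhcp-auth-dsl is really after.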