Re: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Internet Architecture -- was: Re: We really mean it this time *FINAL* agenda for dhc WG meeting

Re: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Internet Architecture -- was: Re: We really mean it this time FINAL agenda for dhc WG meeting

"Glen Zorn" <gwz@net-zen.net> Thu, 19 March 2009 18:09 UTC

From: Glen Zorn <gwz@net-zen.net>
To: 'Alfred HÎnes' <ah@tr-sys.de>
References: <200903191124.MAA26754@TR-Sys.de>
In-Reply-To: <200903191124.MAA26754@TR-Sys.de>
Date: Thu, 19 Mar 2009 11:05:44 -0700
Organization: Network Zen
Message-ID: <001f01c9a8bd$52ebf310$f8c3d930$@net>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
thread-index: AcmohZiIDwQV+oIMQx2bPTEFuas1+QALK1KA
Content-Language: en-us
Cc: dhcwg@ietf.org
Subject: Re: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Internet Architecture -- was: Re: We really mean it this time *FINAL* agenda for dhc WG meeting
Precedence: list

Alfred HÎnes [mailto:ah@tr-sys.de] writes:

> Folks,
> may I please recall some of the Architectural Principles
> of the Internet.
> 
> A recent interesting reading is the IAB statement in
> draft-iab-ip-config-11, which will perhaps be out as an RFC
> by the end of this month.

Thank you for bringing this to my attention, Alfred; as usual, the breadth &
scope of your reading amazes me (as well as the fact that you seem to be
able to remain sane despite your exposure to so much hogwash ;-).

> 
> That document contains a section:
> 
>   2.5.  Configuration is Not Access Control
> 
>     Network access authentication and authorization is a distinct
>     problem from Internet host configuration.  Therefore network access
>     authentication and authorization is best handled independently of
>     the Internet and higher layer configuration mechanisms.
> 
>     [...]

This is a very interesting assertion -- appropriately made without
supporting evidence, since there is none -- but I wonder on what planet it
might be true.  Here on Earth there is no case I can think of, from the
highest level (IANA, APNIC, RIPE, etc.) to the lowest (e.g., the DHCP server
in my home router) in which the allocation of one or more IP addresses is
not also the result of an authorization decision.  In fact, even in its most
basic deployments, DHCP has always done both authentication and
authorization: it just does authentication very poorly.

> 
> Further on in that document, the IAB emphasizes that simple and
> general, lightweight mechanisms are needed for IP host configuration,
> and that the number of such mechanisms needs to be very contained;
> the document recognizes DHCP as the major current Internet technology
> to this end.
> 
> Additionally, the IAB draft elaborated on the disadvantages of
> coupling authorization / access control and Internet layer
> configuration within an integrated protocol as it had been done
> in the past in PPP.

There's an awful lot of nonsense written about PPP in that draft; however,
see section 4.1 where the authors write rather wistfully of "DHCP
authentication".

> 
> The Authentication-over-DHCP draft aims at carrying over this concept
> "from PPP to the IP and DHCP layer".
> Carrying over an anti-modular architecture that has been recognized
> as bad should not become a serious candidate of work adopted by any
> IETF WG.
> 
> The Authentication-over-DHCP draft goes one significant step further
> in disavowing basic principles of the Internet Architecture:
> it introduces the misconcept of an "IP-Session" as its fundament.

Actually, the BBF seems to have adopted this (admittedly somewhat vaporous)
concept; our draft simply uses the already adopted idea as part of its
rationale.  In other words, we are not inventing the misconcept, merely
admitting its existence and attempting to give it a more secure foundation
since (as I understand it) the existence of an "IP session" is currently
based purely upon circumstantial evidence.

> IP is a connectionless technology based on per-packet forwarding.
> 
> Looking at the draft, it becomes evident that the model depicted
> in Figure 1 does not fit in the IP subnet model (please see the
> related IAB documents published over the last years!).

Note that the figure is titled "DSL Network Architecture".  Please don't
blame me for that!

> It is painfully unclear where the subnet boundaries are intended
> to be located and whether this draft again tries to introduce the
> nightmare of multi-link subnets.  It looks like the "Access Node"
> architecturally should be an IP router in the "replace PPP by IP"
> model of the draft, but apparently the draft did not recognize
> that -- otherwise it could not say that only the endpoints of the
> access network (CPE/HGW and NAS/BB-POP) need to be concerned
> by the proposal; to my knowledge, the typical DSLAM currently
> operates as a layer-2 switch, not as a router.
> 
> A reasonable model for getting rid of PPPoE in the access network
> in favor of IP, and enhancing its security and robustness seems
> to be introducing an IPv6 Access network as its infrastructure
> and establishing IPsec tunnels between CPE/HGW and NAS.
> Doing so would indeed allow seemless IPv4/IPv6 coexistence and
> a 'session'-based connection model, with a single conceptional
> IP hop between the CPE access router and the NAS; parallel
> IPsec SAs (Child_SAs) controlled by a single IKE_SA would also
> allow to provide differentiated services in parallel (for QoS
> support and other added-value services).

You're preaching to the wrong choir, Alfred: tell the xDSL SPs, but be
warned: I've already tried...

...

[dhcwg] draft-pruss-dhcp-auth-dsl vs. Internet Ar… Alfred Hönes
Re: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Interne… Glen Zorn
Re: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Interne… Behcet Sarikaya
Re: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Interne… Alfred Hönes
Re: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Interne… Behcet Sarikaya
Re: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Interne… David W. Hankins
Re: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Interne… Glen Zorn