IETF Logo Mail Archive

RE: [dhcwg] Discussion of subscriber authentication

"Bernie Volz \(volz\)" <volz@cisco.com> Thu, 29 March 2007 18:50 UTC

Return-path: <dhcwg-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HWzhj-0002iS-I9; Thu, 29 Mar 2007 14:50:35 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HWzhj-0002iJ-1f for dhcwg@ietf.org; Thu, 29 Mar 2007 14:50:35 -0400
Received: from rtp-iport-2.cisco.com ([64.102.122.149]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HWzhg-0003vy-KU for dhcwg@ietf.org; Thu, 29 Mar 2007 14:50:35 -0400
Received: from rtp-dkim-1.cisco.com ([64.102.121.158]) by rtp-iport-2.cisco.com with ESMTP; 29 Mar 2007 14:50:32 -0400
Received: from rtp-core-2.cisco.com (rtp-core-2.cisco.com [64.102.124.13]) by rtp-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id l2TIoWLq029985; Thu, 29 Mar 2007 14:50:32 -0400
Received: from xbh-rtp-201.amer.cisco.com (xbh-rtp-201.cisco.com [64.102.31.12]) by rtp-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id l2TIoNlK016757; Thu, 29 Mar 2007 18:50:32 GMT
Received: from xmb-rtp-20a.amer.cisco.com ([64.102.31.15]) by xbh-rtp-201.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 29 Mar 2007 14:50:24 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [dhcwg] Discussion of subscriber authentication
Date: Thu, 29 Mar 2007 14:50:23 -0400
Message-ID: <8E296595B6471A4689555D5D725EBB2103A34015@xmb-rtp-20a.amer.cisco.com>
In-Reply-To: <C23173BD.3F365%rdroms@cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [dhcwg] Discussion of subscriber authentication
Thread-Index: AcdyKjLPcX+BtN4dEduGswARJOT6egABaWWQ
From: "Bernie Volz (volz)" <volz@cisco.com>
To: "Ralph Droms (rdroms)" <rdroms@cisco.com>, Int-area@lists.ietf.org, DHC WG <dhcwg@ietf.org>
X-OriginalArrivalTime: 29 Mar 2007 18:50:24.0883 (UTC) FILETIME=[1C681430:01C77233]
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=4296; t=1175194232; x=1176058232; c=relaxed/simple; s=rtpdkim1001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=volz@cisco.com; z=From:=20=22Bernie=20Volz=20\(volz\)=22=20<volz@cisco.com> |Subject:=20RE=3A=20[dhcwg]=20Discussion=20of=20subscriber=20authenticati on |Sender:=20 |To:=20=22Ralph=20Droms=20\(rdroms\)=22=20<rdroms@cisco.com>, =20<Int-area @lists.ietf.org>, =0A=20=20=20=20=20=20=20=20=22DHC=20WG=22=20<dhcwg@ietf.o rg>; bh=mkByLXNsHmHszKDMDZocbjrS4ijaqoNPpD4PluEHYLM=; b=JkFaKgDmlW+XduFas9A6y/7v7fhqxlKqK/ygJinElBu8MzPqXmx7gnGSrxdDG78fXAGsR6sW J6FIeCDiR5iuzjhw8RttrUUI8ODq0QZH6X2GHPYxLGdwJWG2CuDPCy2j;
Authentication-Results: rtp-dkim-1; header.From=volz@cisco.com; dkim=pass (s ig from cisco.com/rtpdkim1001 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 6d95a152022472c7d6cdf886a0424dc6
Cc:
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Errors-To: dhcwg-bounces@ietf.org

Ralph:

Isn't this discussion a bit late given that RFC 3118 exists and RFC 3315
contains Authentication?

RFC 3118 abstract reads:

   This document defines a new Dynamic Host Configuration Protocol
   (DHCP) option through which authorization tickets can be easily
   generated and newly attached hosts with proper authorization can be
   automatically configured from an authenticated DHCP server.  DHCP
   provides a framework for passing configuration information to hosts
   on a TCP/IP network.  In some situations, network administrators may
   wish to constrain the allocation of addresses to authorized hosts.
   Additionally, some network administrators may wish to provide for
   authentication of the source and contents of DHCP messages.

Other than the data used to authenticate (which in this case is a
username and password, instead of a shared secret), what really is the
difference? I guess it all depends on what "authorized" hosts means.

RFC 3118 does have issues as it is difficult to handle client
authentication without exposing the client's identity (since there's no
good way to "delay" the authentication) -- this is discussed in
draft-ietf-dhc-v4-threat-analysis-03.txt, section 5.

One additional flaw with Rick draft's is that there's no provision to
authenticate the server -- which means that if a client doing this is
mobile and attaches to other networks, it may expose the username and
password.

I think Ted Lemon's point that Ric's draft should stick to the DHC
client/server authentication communication and not mention how other
network elements may use the end result of the DHCP exchange (i.e., the
"authorization" to use the network). See
http://www1.ietf.org/mail-archive/web/dhcwg/current/msg07138.html.

If we could work this out within the RFC 3118 framework, it certainly
would kick start DHCP authentication.

- Bernie

-----Original Message-----
From: Ralph Droms (rdroms) 
Sent: Thursday, March 29, 2007 1:47 PM
To: Int-area@lists.ietf.org
Subject: [dhcwg] Discussion of subscriber authentication

At the dhc WG meeting in Prague, there was a discussion of "subscriber
authentication" and how that function might be provided through DHCP.
Ric
Pruss gave a presentation about a proposal for subscriber authentication
through DHCP:

http://www3.ietf.org/proceedings/07mar/slides/dhc-2.pdf
http://www.ietf.org/internet-drafts/draft-pruss-dhcp-auth-dsl-00.txt

There is a related draft that was not discussed at the dhc WG meeting:

http://www.ietf.org/internet-drafts/draft-zhao-dhc-user-authentication-0
1.tx
t

There was also a discussion of "Principles of Internet Host
Configuration".
Dave Thaler gave a presentation about the draft he co-authored with
Bernard
Aboba:

http://www3.ietf.org/proceedings/07mar/slides/dhc-7.pdf
http://www.ietf.org/internet-drafts/draft-aboba-ip-config-00.txt

During the discussion of subscriber authentication, it was noted that
the
proposed solutions assume that DHCP is the right vehicle through which
subscriber authentication should take place.  That assumption needs to
be
further examined; PANA, for example, provides an alternative solution
which
does not depend on DHCP.  Before the IETF proceeds with a DHCP-based
solution, we need to discuss the broader issue of where subscriber
authentication should be implemented.

Accordingly, the Internet Area directors and the WG chairs have decided
to
move the discussion of subscriber authentication to the int-area mailing
list.  This discussion will explore the subscriber authentication
problem
space and requirements, to come to some initial consensus about where a
solution might belong.

To kick off the discussion, we are trying to get permission to publish
subscriber authentication requirements from the DSL Forum.

I've included dhcwg@ietf.org as a BCC to this note, to inform the dhc WG
members that further discussion of subscriber authentication will move
to
int-area@lists.ietf.org.  I've also included secdir@mit.edu as a BCC, to
make sure we have appropriate security clue in the discussion.

- Ralph




_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email