RE: [dhcwg] Discussion of subscriber authentication
"Bernie Volz \(volz\)" <volz@cisco.com> Thu, 29 March 2007 18:50 UTC
Subject: RE: [dhcwg] Discussion of subscriber authentication
Date: Thu, 29 Mar 2007 14:50:23 -0400
Message-ID: <8E296595B6471A4689555D5D725EBB2103A34015@xmb-rtp-20a.amer.cisco.com>
In-Reply-To: <C23173BD.3F365%rdroms@cisco.com>
From: "Bernie Volz (volz)" <volz@cisco.com>
To: "Ralph Droms (rdroms)" <rdroms@cisco.com>, Int-area@lists.ietf.org, DHC WG <dhcwg@ietf.org>
Ralph:

Isn't this discussion a bit late given that RFC 3118 exists and RFC 3315 contains Authentication?

RFC 3118 abstract reads:

   This document defines a new Dynamic Host Configuration Protocol (DHCP) option through which authorization tickets can be easily generated and newly attached hosts with proper authorization can be automatically configured from an authenticated DHCP server. DHCP provides a framework for passing configuration information to hosts on a TCP/IP network. In some situations, network administrators may wish to constrain the allocation of addresses to authorized hosts. Additionally, some network administrators may wish to provide for authentication of the source and contents of DHCP messages.

Other than the data used to authenticate (which in this case is a username and password, instead of a shared secret), what really is the difference? I guess it all depends on what "authorized" hosts means.

RFC 3118 does have issues as it is difficult to handle client authentication without exposing the client's identity (since there's no good way to "delay" the authentication) -- this is discussed in draft-ietf-dhc-v4-threat-analysis-03.txt, section 5.

One additional flaw with Ric's draft is that there's no provision to authenticate the server -- which means that if a client doing this is mobile and attaches to other networks, it may expose the username and password.

I think Ted Lemon's point was that Ric's draft should stick to the DHC client/server authentication communication and not mention how other network elements may use the end result of the DHCP exchange (i.e., the "authorization" to use the network). See http://www1.ietf.org/mail-archive/web/dhcwg/current/msg07138.html.

If we could work this out within the RFC 3118 framework, it certainly would kick start DHCP authentication.
- Bernie

-----Original Message-----
From: Ralph Droms (rdroms)
Sent: Thursday, March 29, 2007 1:47 PM
To: Int-area@lists.ietf.org
Subject: [dhcwg] Discussion of subscriber authentication

At the dhc WG meeting in Prague, there was a discussion of "subscriber authentication" and how that function might be provided through DHCP. Ric Pruss gave a presentation about a proposal for subscriber authentication through DHCP:

http://www3.ietf.org/proceedings/07mar/slides/dhc-2.pdf
http://www.ietf.org/internet-drafts/draft-pruss-dhcp-auth-dsl-00.txt

There is a related draft that was not discussed at the dhc WG meeting:

http://www.ietf.org/internet-drafts/draft-zhao-dhc-user-authentication-01.txt

There was also a discussion of "Principles of Internet Host Configuration". Dave Thaler gave a presentation about the draft he co-authored with Bernard Aboba:

http://www3.ietf.org/proceedings/07mar/slides/dhc-7.pdf
http://www.ietf.org/internet-drafts/draft-aboba-ip-config-00.txt

During the discussion of subscriber authentication, it was noted that the proposed solutions assume that DHCP is the right vehicle through which subscriber authentication should take place. That assumption needs to be further examined; PANA, for example, provides an alternative solution which does not depend on DHCP. Before the IETF proceeds with a DHCP-based solution, we need to discuss the broader issue of where subscriber authentication should be implemented.

Accordingly, the Internet Area directors and the WG chairs have decided to move the discussion of subscriber authentication to the int-area mailing list. This discussion will explore the subscriber authentication problem space and requirements, to come to some initial consensus about where a solution might belong. To kick off the discussion, we are trying to get permission to publish subscriber authentication requirements from the DSL Forum.
I've included dhcwg@ietf.org as a BCC to this note, to inform the dhc WG members that further discussion of subscriber authentication will move to int-area@lists.ietf.org. I've also included secdir@mit.edu as a BCC, to make sure we have appropriate security clue in the discussion.

- Ralph

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg
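RFC 3118's delayed authentication, which Bernie's reply above treats as the existing framework, written out as an added example (not code from this thread, the drafts, or any implementation): option 90 carries an HMAC-MD5 over the whole message with the relay-modified fields zeroed, and the receiver checks the MAC under the key named by the secret ID plus a monotonically increasing replay counter. The shared key, secret ID and message fields used are constructed values.

```python
import hashlib
import hmac
import struct

OPT_AUTH, OPT_END, MAGIC = 90, 255, bytes([99, 130, 83, 99])   # option 90, End, DHCP cookie
PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER = 1, 1, 0              # RFC 3118 protocol/alg/RDM values

def auth_option(secret_id, replay, mac=bytes(16)):
    """Option 90: protocol, algorithm, RDM, 8-byte replay counter, then the
    delayed-authentication information: 4-byte secret ID and 16-byte HMAC-MD5."""
    body = struct.pack("!BBBQI", PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER, replay, secret_id)
    return bytes([OPT_AUTH, len(body) + 16]) + body + mac

def auth_offset(msg):
    """(index, length) of option 90; options start at 240 (236-byte header + cookie)."""
    i = 240
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == OPT_AUTH:
            return i, msg[i + 1]
        i += 1 if msg[i] == 0 else 2 + msg[i + 1]      # pad option is a single byte
    return None

def mac_input(msg):
    """RFC 3118 section 3: hops and giaddr (rewritten by relay agents) and the
    MAC field itself are zero in the bytes the HMAC is computed over."""
    m = bytearray(msg)
    m[3], m[24:28] = 0, bytes(4)
    i, length = auth_offset(msg)
    m[i + 2 + length - 16:i + 2 + length] = bytes(16)
    return bytes(m)

def sign(key, secret_id, replay, header, options):
    """Sender side: append option 90 with a zero MAC, HMAC-MD5 the result, fill the MAC in."""
    def build(mac):
        return header + MAGIC + options + auth_option(secret_id, replay, mac) + bytes([OPT_END])
    return build(hmac.new(key, mac_input(build(bytes(16))), hashlib.md5).digest())

def verify(keys, msg, last_replay):
    """Receiver side: pick the key by secret ID, compare the MAC in constant time and
    reject a replay counter that did not increase. Returns (ok, replay_counter)."""
    found = auth_offset(msg)
    if found is None or found[1] != 15 + 16:
        return False, None
    i, length = found
    proto, alg, rdm, replay, sid = struct.unpack("!BBBQI", msg[i + 2:i + 17])
    if (proto, alg, rdm) != (PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER) or sid not in keys:
        return False, None
    expected = hmac.new(keys[sid], mac_input(msg), hashlib.md5).digest()
    if not hmac.compare_digest(msg[i + 17:i + 2 + length], expected) or replay <= last_replay:
        return False, None
    return True, replay
```

A message that a relay has rewritten (hops, giaddr) still verifies, while a modified option, a reused counter or an unknown secret ID is rejected.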