Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt
Richard Pruss <ric@cisco.com> Wed, 07 March 2007 09:05 UTC
Return-path: <dhcwg-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HOs5K-0007vi-F3; Wed, 07 Mar 2007 04:05:22 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HOj0J-0005Yx-T9 for dhcwg@ietf.org; Tue, 06 Mar 2007 18:23:35 -0500
Received: from sj-iport-6.cisco.com ([171.71.176.117]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HOh7k-0001Zf-Ha for dhcwg@ietf.org; Tue, 06 Mar 2007 16:23:28 -0500
Received: from ams-dkim-2.cisco.com ([144.254.224.139]) by sj-iport-6.cisco.com with ESMTP; 06 Mar 2007 13:23:07 -0800
X-IronPort-AV: i="4.14,255,1170662400"; d="scan'208"; a="118636869:sNHT49706703"
Received: from hkg-core-1.cisco.com (hkg-core-1.cisco.com [64.104.123.94]) by ams-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id l26LN5to029532; Tue, 6 Mar 2007 22:23:05 +0100
Received: from xbh-hkg-412.apac.cisco.com (xbh-hkg-412.cisco.com [64.104.123.69]) by hkg-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id l26LMwjQ018668; Tue, 6 Mar 2007 21:22:59 GMT
Received: from xfe-hkg-411.apac.cisco.com ([64.104.123.70]) by xbh-hkg-412.apac.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 7 Mar 2007 05:22:58 +0800
Received: from syd-rpruss-vpn1.cisco.com ([10.67.195.18]) by xfe-hkg-411.apac.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 7 Mar 2007 05:22:57 +0800
Message-ID: <45EDDBB0.8020204@cisco.com>
Date: Wed, 07 Mar 2007 07:22:56 +1000
From: Richard Pruss <ric@cisco.com>
Organization: Cisco Systems
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.8) Gecko/20061025 Thunderbird/1.5.0.8 Mnenhy/0.7.4.0
MIME-Version: 1.0
To: MORAND Lionel RD-CORE-ISS <lionel.morand@orange-ftgroup.com>
Subject: Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt
References: <7DBAFEC6A76F3E42817DF1EBE64CB026045B67BE@FTRDMEL2.rd.francetelecom.fr>
In-Reply-To: <7DBAFEC6A76F3E42817DF1EBE64CB026045B67BE@FTRDMEL2.rd.francetelecom.fr>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
X-OriginalArrivalTime: 06 Mar 2007 21:22:57.0503 (UTC) FILETIME=[9C4ACEF0:01C76035]
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=4019; t=1173216186; x=1174080186; c=relaxed/simple; s=amsdkim2001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=ric@cisco.com; z=From:=20Richard=20Pruss=20<ric@cisco.com> |Subject:=20Re=3A=20[dhcwg]=20draft-pruss-dhcp-auth-dsl-00.txt |Sender:=20; bh=zfwe2mOHtvyCgWzWVSCnsd+7RDi2h7PM12vCzi8Yxmg=; b=WaV+VkIBYgsZCR4V7TBI1AaY4x4QzdsFa6pL0Lxs+oPkKHHRW8XPlsAEadjxf2bsnu7WMjBG 7uuz/ijUPchFqhM0OoHXGgP6eC5JHydL3ZbmOiCBxjHytg4e6p8fnoOx;
Authentication-Results: ams-dkim-2; header.From=ric@cisco.com; dkim=pass (si g from cisco.com/amsdkim2001 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: f66b12316365a3fe519e75911daf28a8
Cc: dhcwg@ietf.org, Yoshihiro Ohba <yohba@tari.toshiba.com>
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: ric@cisco.com
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Errors-To: dhcwg-bounces@ietf.org
Hi Morand, MORAND Lionel RD-CORE-ISS wrote: > I will be also interested by the answer to this question ;) > Beyond never-ending discussions on optional alternative possible potential solutions for access authentication, it would be very helpful to understand where we are going, what should be done and what should not be done in this area within IETF. > Well there is a premise in section 2.4 of draft-aboba-ip-config-00 that because it is common for hosts to support more than one link layer the IP host configuration mechanisms be independent of the underlying lower layer. This is a little like saying it would be easier for houses to fly if there foundations where not dependent on the ground, it is very true but not very helpful. In truth IP host configuration is very dependent on things like what host it is, what it is authorised for and where on the network it is connected and so we need mechanisms to take those into account prior to allocating an IP address. In PPP the authentication was used to configure the host and the NAS. In DSL, without PPP, there is a split between the Layer 3 edge and the Layer 2 edge. During the initialization sequence of a client we need to configure and secure both of those. Also in DSL multiple layer 3 services can be deployed in the layer 2 area, while we still have an architecture where one point is authoritative for the area, both in terms of authorizations and in terms of allocating IP addresses, we need make sure the other service on the layer 2 are reachable and secured from attack. Now in section 2.4 of the draft-aboba-ip-config-00 we come to the crux of the problem; " Avoidance of lower layer dependencies also applies even where the lower layer in question may be link independent. For example, while Extensible Authentication Protocol (EAP) [RFC3748] may be run over any link satisfying the requirements of [RFC3748] Section 3.1, many link layers do not support EAP and therefore Internet layer configuration mechanisms with EAP dependencies would not usable on all links that support IP. " In Ethernet the only current mechanism for transporting EAP is 802.1X and it does not get forwarded through the Home Gateway if run from a subscriber PC or through the Access Node if run from the Home Gateway. My draft is how we intend to implement this in the absence of EAP mechanism that traverses the path. > I have a specific question about the network configuration chosen as working assumption: > > why do you consider a DHCP server in the NAS while typical dsl network configurations rely on a DHCP relay agent in the NAS and an external DHCP server (distinct from the NAS) in DHCP-based environment? > Well caught. I use the word server for lack of knowing a better word for representing what Cisco, and I know Juniper do, which is more like a proxy than a relay function. The NAS looks like the DHCP server to the DHCP client but in truth we proxy all the DHCP transaction pieces to a real DHCP server. We do this for many reasons when we want to have all the DHCP messages addressed to the NAS. We also support the DHCP server function in the NAS but that is rarely deployed in anything but very small networks in Service Provider. > Could the proposed DHCP-based CHAP authentication work if the DHCP server is not in the NAS? > Yes. -Ric > BR, > > Lionel > > > >> -----Message d'origine----- >> De : Yoshihiro Ohba [mailto:yohba@tari.toshiba.com] >> Envoyé : lundi 5 mars 2007 23:02 >> À : Richard Pruss >> Cc : dhcwg@ietf.org; Yoshihiro Ohba >> Objet : Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt >> >> A direct question is, how does your draft fit Section 2.5 of >> draft-aboba-ip-config-00.txt? >> >> Yoshihiro Ohba >> >> _______________________________________________ >> dhcwg mailing list >> dhcwg@ietf.org >> https://www1.ietf.org/mailman/listinfo/dhcwg >> >> >> > > _______________________________________________ dhcwg mailing list dhcwg@ietf.org https://www1.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Yoshihiro Ohba
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Yoshihiro Ohba
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Yoshihiro Ohba
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Yoshihiro Ohba
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Alper Yegin
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Yoshihiro Ohba
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Alper Yegin
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt MORAND Lionel RD-CORE-ISS
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Maglione Roberta
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt MORAND Lionel RD-CORE-ISS
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Maglione Roberta
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt pavan_kurapati
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Maglione Roberta
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Alper Yegin
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt MORAND Lionel RD-CORE-ISS
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Bernie Volz (volz)
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Yoshihiro Ohba
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Derek Harkness
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Bernie Volz (volz)
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Bernie Volz (volz)
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Alper Yegin
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Markus Stenberg (mstenber)
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Yoshihiro Ohba
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Markus Stenberg (mstenber)
- FW: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Eric Voit (evoit)