IETF Logo Mail Archive

Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt

Richard Pruss <ric@cisco.com> Wed, 07 March 2007 09:05 UTC

Return-path: <dhcwg-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HOs5K-0007vi-F3; Wed, 07 Mar 2007 04:05:22 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HOj0J-0005Yx-T9 for dhcwg@ietf.org; Tue, 06 Mar 2007 18:23:35 -0500
Received: from sj-iport-6.cisco.com ([171.71.176.117]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HOh7k-0001Zf-Ha for dhcwg@ietf.org; Tue, 06 Mar 2007 16:23:28 -0500
Received: from ams-dkim-2.cisco.com ([144.254.224.139]) by sj-iport-6.cisco.com with ESMTP; 06 Mar 2007 13:23:07 -0800
X-IronPort-AV: i="4.14,255,1170662400"; d="scan'208"; a="118636869:sNHT49706703"
Received: from hkg-core-1.cisco.com (hkg-core-1.cisco.com [64.104.123.94]) by ams-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id l26LN5to029532; Tue, 6 Mar 2007 22:23:05 +0100
Received: from xbh-hkg-412.apac.cisco.com (xbh-hkg-412.cisco.com [64.104.123.69]) by hkg-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id l26LMwjQ018668; Tue, 6 Mar 2007 21:22:59 GMT
Received: from xfe-hkg-411.apac.cisco.com ([64.104.123.70]) by xbh-hkg-412.apac.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 7 Mar 2007 05:22:58 +0800
Received: from syd-rpruss-vpn1.cisco.com ([10.67.195.18]) by xfe-hkg-411.apac.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 7 Mar 2007 05:22:57 +0800
Message-ID: <45EDDBB0.8020204@cisco.com>
Date: Wed, 07 Mar 2007 07:22:56 +1000
From: Richard Pruss <ric@cisco.com>
Organization: Cisco Systems
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.8) Gecko/20061025 Thunderbird/1.5.0.8 Mnenhy/0.7.4.0
MIME-Version: 1.0
To: MORAND Lionel RD-CORE-ISS <lionel.morand@orange-ftgroup.com>
Subject: Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt
References: <7DBAFEC6A76F3E42817DF1EBE64CB026045B67BE@FTRDMEL2.rd.francetelecom.fr>
In-Reply-To: <7DBAFEC6A76F3E42817DF1EBE64CB026045B67BE@FTRDMEL2.rd.francetelecom.fr>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
X-OriginalArrivalTime: 06 Mar 2007 21:22:57.0503 (UTC) FILETIME=[9C4ACEF0:01C76035]
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=4019; t=1173216186; x=1174080186; c=relaxed/simple; s=amsdkim2001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=ric@cisco.com; z=From:=20Richard=20Pruss=20<ric@cisco.com> |Subject:=20Re=3A=20[dhcwg]=20draft-pruss-dhcp-auth-dsl-00.txt |Sender:=20; bh=zfwe2mOHtvyCgWzWVSCnsd+7RDi2h7PM12vCzi8Yxmg=; b=WaV+VkIBYgsZCR4V7TBI1AaY4x4QzdsFa6pL0Lxs+oPkKHHRW8XPlsAEadjxf2bsnu7WMjBG 7uuz/ijUPchFqhM0OoHXGgP6eC5JHydL3ZbmOiCBxjHytg4e6p8fnoOx;
Authentication-Results: ams-dkim-2; header.From=ric@cisco.com; dkim=pass (si g from cisco.com/amsdkim2001 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: f66b12316365a3fe519e75911daf28a8
Cc: dhcwg@ietf.org, Yoshihiro Ohba <yohba@tari.toshiba.com>
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: ric@cisco.com
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Errors-To: dhcwg-bounces@ietf.org

Hi Morand,

MORAND Lionel RD-CORE-ISS wrote:
> I will be also interested by the answer to this question ;)
> Beyond never-ending discussions on optional alternative possible potential solutions for access authentication, it would be very helpful to understand where we are going, what should be done and what should not be done in this area within IETF.
>   
Well there is a premise in section 2.4 of draft-aboba-ip-config-00 that 
because it is common for hosts to support more than one link layer the 
IP host configuration mechanisms be independent of the underlying lower 
layer.  This is a little like saying it would be easier for houses to 
fly if there foundations where not dependent on the ground, it is very 
true but not very helpful.  In truth IP host configuration is very 
dependent on things like what host it is, what it is authorised for and 
where on the network it is connected and so we need mechanisms to take 
those into account prior to allocating an IP address.

In PPP the authentication was used to configure the host and the NAS.  
In DSL, without PPP,  there is a split between the Layer 3 edge and the 
Layer 2 edge.  During the initialization sequence of a client we need to 
configure and secure both of those.  Also in DSL multiple layer 3 
services can be deployed in the layer 2 area, while we still have an 
architecture where one point is authoritative for the area, both in 
terms of authorizations and in terms of allocating IP addresses, we need 
make sure the other service on the layer 2 are reachable and secured 
from attack.

Now in section 2.4 of the draft-aboba-ip-config-00 we come to the crux 
of the problem;
"

Avoidance of lower layer dependencies also applies even where the
   lower layer in question may be link independent. For example, while

   Extensible Authentication Protocol (EAP) [RFC3748] may be run over
   any link satisfying the requirements of [RFC3748] Section 3.1, many
   link layers do not support EAP and therefore Internet layer
   configuration mechanisms with EAP dependencies would not usable on
   all links that support IP.

"
In Ethernet the only current mechanism for transporting EAP is 802.1X 
and it does not get forwarded through the Home Gateway if run from a 
subscriber PC or through the Access Node if run from the Home Gateway.
My draft is how we intend to implement this in the absence of EAP 
mechanism that traverses the path.
> I have a specific question about the network configuration chosen as working assumption:
>
> why do you consider a DHCP server in the NAS while typical dsl network configurations rely on a DHCP relay agent in the NAS and an external DHCP server (distinct from the NAS) in DHCP-based environment?
>   
Well caught.  I use the word server for lack of knowing a better word 
for representing what  Cisco, and I know Juniper do, which is more like 
a proxy than a relay function.  The NAS looks like the DHCP server to 
the DHCP client but in truth we proxy all the DHCP transaction pieces to 
a real DHCP server.  We do this for many reasons when we want to have 
all the DHCP messages addressed to the NAS.

We also support the DHCP server function in the NAS but that is rarely 
deployed in anything but very small networks in Service Provider.
> Could the proposed DHCP-based CHAP authentication work if the DHCP server is not in the NAS? 
>   
Yes.

-Ric
> BR,
>
> Lionel
>
>
>   
>> -----Message d'origine-----
>> De : Yoshihiro Ohba [mailto:yohba@tari.toshiba.com] 
>> Envoyé : lundi 5 mars 2007 23:02
>> À : Richard Pruss
>> Cc : dhcwg@ietf.org; Yoshihiro Ohba
>> Objet : Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt
>>
>> A direct question is, how does your draft fit Section 2.5 of 
>> draft-aboba-ip-config-00.txt?
>>
>> Yoshihiro Ohba
>>
>> _______________________________________________
>> dhcwg mailing list
>> dhcwg@ietf.org
>> https://www1.ietf.org/mailman/listinfo/dhcwg
>>
>>
>>     
>
>   

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email