Re: [dhcwg] Publication of draft-droms-agentopt-8021x-00.txt
Bernard Aboba <aboba@internaut.com> Thu, 22 November 2001 14:54 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA15628 for <dhcwg-archive@odin.ietf.org>; Thu, 22 Nov 2001 09:54:13 -0500 (EST)
Received: (from daemon@localhost) by optimus.ietf.org (8.9.1a/8.9.1) id JAA23403 for dhcwg-archive@odin.ietf.org; Thu, 22 Nov 2001 09:54:14 -0500 (EST)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id JAA23109; Thu, 22 Nov 2001 09:48:50 -0500 (EST)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id JAA23088 for <dhcwg@optimus.ietf.org>; Thu, 22 Nov 2001 09:48:48 -0500 (EST)
Received: from internaut.com ([64.38.134.99]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA15478 for <dhcwg@ietf.org>; Thu, 22 Nov 2001 09:48:46 -0500 (EST)
Received: from localhost (aboba@localhost) by internaut.com (8.9.3/8.9.3) with ESMTP id GAA87617; Thu, 22 Nov 2001 06:37:57 -0800 (PST) (envelope-from aboba@internaut.com)
Date: Thu, 22 Nov 2001 06:37:56 -0800
From: Bernard Aboba <aboba@internaut.com>
To: Haines Wolfe <hainesie@hotmail.com>
cc: dhcwg@ietf.org
Subject: Re: [dhcwg] Publication of draft-droms-agentopt-8021x-00.txt
In-Reply-To: <F196ni11qJW3bip9EPq00014691@hotmail.com>
Message-ID: <Pine.BSF.4.21.0111220601130.87545-100000@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: dhcwg-admin@ietf.org
Errors-To: dhcwg-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: <dhcwg.ietf.org>
X-BeenThere: dhcwg@ietf.org
As I'll describe, I believe that your proposal is not really appropriate for discussion in the DHC WG, since it makes very fundamental changes to the IEEE 802.1X specification, It should therefore be brought to the IEEE 802.1X revision PAR, lead by Tony Jeffree. > But in case of wireless LAN or long reach Ethernet(VDSL) access, PAE is > typically a Lay-2 device, which is very close to user > terminal. Obviously, it seems impossible to move the NAS function down > to this point, for that will bring much management burden. Thus, we > need to pass the 802.1x/EAP message to the NAS/DHCP relay agent, from > PAE or radius server. There is a very basic problem with this. IEEE 802.1X specificates states very specifically that 802.1X frames MUST NOT be forwarded by layer 2 devices. That is why an IEEE non-forwardable multicast address has been reserved for use with 802.1X. The logic behind this is explained in the 802.1X appendix. The issue here is the interaction between spanning tree, VLAN tagging and 802.1X that would occur if 802.1X were to be terminated in a core switch. As a result, 802.1X was designed very explicitly for edge authentication. Note that this does not specifically prohibit encapsulation of EAP packets over IP, as is achieved in RADIUS/EAP, described in RFC 2869. Note that because both 802.1X and RADIUS are light weight, layer 2 devices are very capable of functioning as NASen, as defined by the NASREQ WG. Often this can be handled as a firmware upgrade to existing switches or access points. So in practice, the "assistance" you refer to is not usually necessary. > above model need a little improvement. A good way to do this is to let the > NAS "stand in the middle of radius interaction", acting as a radius proxy. > All the PAEs send radius requests and receive replys throuth the NAS/DHCP > relay agent, then NAS relay the radius message to or from radius server. > > (AAA client)---------->(radius proxy/AAA client) > host--->PAE--->..Lan Switch..--->NAS/DHCP relay------->Server Implementing a RADIUS proxy/DHCP relay is fine, but the NAS function here is really implemented on the switch, since a NAS is by definition the device that terminates the layer 2 connection. Also, the PAE and the LAN Switch exist within the same entity. > Advantage is obvious: consistent with the model above, existing PAE need not > any change(only set the radius server address to the NAS's), less burden via > central access management. We can even see the PAEs as the extension of the > NAS AAA client module Within 802.1X the PAE MUST be implemented on the switch or access point. Since 802.1X frames MUST NOT be forwarded, and not all 802.1X frames are encapsulated within RADIUS, there isn't really an alternative. Of course, operating a RADIUS proxy/DHCP relay does have management benefits, but that's a separate discussion. > ii) If someone change his MAC address after authentication, it may cause DOS > attack via the address learning process of the middle LAN switch. So, the > port of PAE must be logical, each host under a physical port has its own > authentication session. After successful Auth, a dynamic filter is > installed, to discard frames which MAC address is not matched. In fact, > without 802.1x, solutions like PPPOE will cause such security problem also. Interaction of 802.1X and learning is one of the reasons why this kind of scenario is explicitly prohibited by the 802.1X specification. I'd also note that 802.1X also explicitly prohibits use in shared media, except where a separate "logical port" can be established for each connection (e.g. 802.11 with WEP). > iii) 802.1x has not defined any standard ways like echo-request/reply in PPP > LCP. Link layer signal detection is not enough, and do we need to enhance > it, to determinate more easily when the user is offline, and release the > resource? Addition of link layer echo is currently under discussion within the IEEE 802.1X revision PAR. Since the IEEE just recently met in Austin, TX the minutes of the meeting should be posted shortly on the 802.1 web page at http://grouper.ieee.org/groups/802/1/ _______________________________________________ dhcwg mailing list dhcwg@ietf.org http://www1.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] Publication of draft-droms-agentopt-8021x… Ralph Droms
- Re: [dhcwg] Publication of draft-droms-agentopt-8… Haines Wolfe
- Re: [dhcwg] Publication of draft-droms-agentopt-8… Bernard Aboba
- Re: [dhcwg] Publication of draft-droms-agentopt-8… Haines Wolfe
- Re: [dhcwg] Publication of draft-droms-agentopt-8… Bernard Aboba