Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt
Yoshihiro Ohba <yohba@tari.toshiba.com> Sun, 04 March 2007 23:58 UTC
Return-path: <dhcwg-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HO0ab-0008UK-QS; Sun, 04 Mar 2007 18:58:05 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HO0aa-0008OF-L0 for dhcwg@ietf.org; Sun, 04 Mar 2007 18:58:04 -0500
Received: from [2001:418:1403:0:212:17ff:fe52:7811] (helo=toshi17.tari.toshiba.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HO0aZ-0000aQ-6W for dhcwg@ietf.org; Sun, 04 Mar 2007 18:58:04 -0500
Received: from localhost (toshi17.tari.toshiba.com [172.30.24.10]) by toshi17.tari.toshiba.com (8.13.1/8.13.1) with ESMTP id l24NubaX063545; Sun, 4 Mar 2007 18:56:37 -0500 (EST) (envelope-from yohba@tari.toshiba.com)
Date: Sun, 04 Mar 2007 18:56:37 -0500
To: Richard Pruss <ric@cisco.com>
Subject: Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt
Message-ID: <20070304235637.GG23285@steelhead>
References: <20070302202844.GC8479@steelhead> <45EB5071.7000601@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-2022-jp"
Content-Disposition: inline
In-Reply-To: <45EB5071.7000601@cisco.com>
User-Agent: Mutt/1.5.13 (2006-08-11)
From: Yoshihiro Ohba <yohba@tari.toshiba.com>
X-Dispatcher: imput version 20050308(IM148)
Lines: 94
X-Spam-Score: -2.4 (--)
X-Scan-Signature: a2c12dacc0736f14d6b540e805505a86
Cc: dhcwg@ietf.org, Yoshihiro Ohba <yohba@tari.toshiba.com>
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Errors-To: dhcwg-bounces@ietf.org
Before authentication, it is possible for the NAS to assign a temporary IP address (for which IP forwarding is restricted) to the subscriber device using DHCP. Once PANA authentication succeeds, the NAS has obtained subscriber-specific client configuration information and other authorization parameters from the AAA infrastructure. After that, DHCP reconfiguration can be made using the subscriber-specific client configuration information to allow the subscriber device to change its IP address from the temporary one to the fully authorized one. Please refer to draft-morand-pana-panaoverdsl for more information. Yoshihiro Ohba On Mon, Mar 05, 2007 at 09:04:17AM +1000, Richard Pruss wrote: > Possibly it would help you understand if you though of why the NAS > authenticates the subscriber; from section 3.1 of the draft > " > The NAS obtains per-subscriber client > configuration information either locally or from the AAA > infrastructure (which itself may consult external DHCP servers if > necessary) after authentication is successfully completed. > " > In wholesale DSL networks it is common to use the @domain portion of the > username to find retail ISP of the subscriber, they are then > authenticated by that ISP's AAA. This authentication returns > authorizations which in conjunction with the wholesale configuration in > the NAS determines the subscriber IP address, host configuration and > network edge configuration and security authorizations which is all > closely coupled to the retail domain. > From this perspective, PANA happens to late as the host already has it's > IP address, it would be in the correct IP forwarding context, the > network would already need to have some mechanisms for securing the > domain from layer 3 attacks independent of PANA and so on. > > Regards, > Ric > > Yoshihiro Ohba wrote: > > Hi, > > > > Let me ask the same fundamental question that I asked before for a > > similar draft related to DHCP and authentication. > > > > Is this WG chartered for developing a solution for network access > > authentication and authorization other than developing authentication > > mechanisms for DHCP? > > > > I am asking this because Introduction of > > draft-pruss-dhcp-auth-dsl-00.txt says: > > > > " > > This document defines DHCP Options and procedures that allow for a > > CHAP-based authentication exchange to occur in DHCP in order to > > enable smooth migration from PPP sessions to IP sessions in a DSL > > Broadband network environment. Primary goals are integration of > > authentication in such a way that it will operate seamlessly with > > existing RADIUS-based AAA infrastructure and ATM or Ethernet based > > DSL Networks. As such, only the termination points of PPP in the DSL > > network are affected, both of which are devices that would logically > > need to be updated in any transition from PPP to IP sessions. > > " > > > > Also, I fail to see a reason for IETF to work on combining DHCP and > > network access authentication even as experimental and for the purpose > > of the primary goals stated above. I believe that the primary goals > > can be achieved by simply using PANA running EAP-MD5 between HGW and > > NAS. In this case, NAS is acting as EAP authenticator co-located with > > EAP server for EAP-MD5, where the EAP server is acting as a protocol > > translator that converts credentials carried in EAP-MD5 into RADIUS > > attributes or field (i.e., CHAP-Password and CHAP-Challenge or RADIUS > > Request Authenticator field) used for carrying CHAP credentials, and > > vise versa. If an algorithm other than MD5 is used for CHAP, it is > > also possible to define an experimental EAP method to interwork with > > non-MD5 CHAP algorithms and again let the EAP server on the NAS act as > > a protocol translator. I think these workarounds are sufficient to > > work with existing RADIUS-based AAA infrastructure and ATM or Ethernet > > based DSL Networks and still allows smooth migration from PPP session > > to IP session with EAP. > > > > The bottomline is, host configuration and network access > > authentication are two different problems that are better solved by > > separate protocols. > > > > Regards, > > Yoshihiro Ohba > > > > _______________________________________________ > > dhcwg mailing list > > dhcwg@ietf.org > > https://www1.ietf.org/mailman/listinfo/dhcwg > > > > > _______________________________________________ dhcwg mailing list dhcwg@ietf.org https://www1.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Yoshihiro Ohba
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Yoshihiro Ohba
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Yoshihiro Ohba
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Yoshihiro Ohba
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Alper Yegin
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Yoshihiro Ohba
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Alper Yegin
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt MORAND Lionel RD-CORE-ISS
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Maglione Roberta
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt MORAND Lionel RD-CORE-ISS
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Maglione Roberta
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt pavan_kurapati
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Maglione Roberta
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Alper Yegin
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt MORAND Lionel RD-CORE-ISS
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Bernie Volz (volz)
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Yoshihiro Ohba
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Derek Harkness
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Bernie Volz (volz)
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Bernie Volz (volz)
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Alper Yegin
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Markus Stenberg (mstenber)
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Yoshihiro Ohba
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Markus Stenberg (mstenber)
- FW: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Eric Voit (evoit)