IETF Logo Mail Archive

Re: [dhcwg] draft-pruss-dhcp-auth-dsl-03

Richard Pruss <ric@cisco.com> Tue, 29 July 2008 08:31 UTC

Return-Path: <dhcwg-bounces@ietf.org>
X-Original-To: dhcwg-archive@megatron.ietf.org
Delivered-To: ietfarch-dhcwg-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9471828C130; Tue, 29 Jul 2008 01:31:46 -0700 (PDT)
X-Original-To: dhcwg@core3.amsl.com
Delivered-To: dhcwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 753ED3A67F8 for <dhcwg@core3.amsl.com>; Tue, 29 Jul 2008 01:31:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eL0UetSqJ13D for <dhcwg@core3.amsl.com>; Tue, 29 Jul 2008 01:31:44 -0700 (PDT)
Received: from rtp-iport-1.cisco.com (rtp-iport-1.cisco.com [64.102.122.148]) by core3.amsl.com (Postfix) with ESMTP id 16E343A6923 for <dhcwg@ietf.org>; Tue, 29 Jul 2008 01:31:44 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.31,271,1215388800"; d="scan'208";a="15852428"
Received: from rtp-dkim-2.cisco.com ([64.102.121.159]) by rtp-iport-1.cisco.com with ESMTP; 29 Jul 2008 08:31:55 +0000
Received: from rtp-core-1.cisco.com (rtp-core-1.cisco.com [64.102.124.12]) by rtp-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id m6T8VtZ2030687; Tue, 29 Jul 2008 04:31:55 -0400
Received: from xbh-rtp-201.amer.cisco.com (xbh-rtp-201.cisco.com [64.102.31.12]) by rtp-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id m6T8Vtvg016218; Tue, 29 Jul 2008 08:31:55 GMT
Received: from xfe-rtp-202.amer.cisco.com ([64.102.31.21]) by xbh-rtp-201.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 29 Jul 2008 04:31:55 -0400
Received: from [130.129.20.49] ([10.82.240.161]) by xfe-rtp-202.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 29 Jul 2008 04:31:54 -0400
Message-Id: <B124A013-53C7-4768-AA81-534BACB57F21@cisco.com>
From: Richard Pruss <ric@cisco.com>
To: Alan Kavanagh <alan.kavanagh@ericsson.com>
In-Reply-To: <35815C929B41D2479A224FE098A272270606DC50@ecamlmw720.eamcs.ericsson.se>
Mime-Version: 1.0 (Apple Message framework v928.1)
Date: Tue, 29 Jul 2008 09:31:49 +0100
References: <7EF5D845-4CA3-4100-AC40-5D760F8FCB40@cisco.com><20080727091906.GN1338@steelhead.localdomain> <52CF1BCD-9BEF-4A01-869B-F20A2C72B4C6@cisco.com> <35815C929B41D2479A224FE098A272270603C841@ecamlmw720.eamcs.ericsson.se> <1B47BE88-187A-4B10-B318-D26FEE5B825D@cisco.com> <35815C929B41D2479A224FE098A272270606DC50@ecamlmw720.eamcs.ericsson.se>
X-Mailer: Apple Mail (2.928.1)
X-OriginalArrivalTime: 29 Jul 2008 08:31:54.0514 (UTC) FILETIME=[8E7D2720:01C8F155]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=6392; t=1217320315; x=1218184315; c=relaxed/simple; s=rtpdkim2001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=ric@cisco.com; z=From:=20Richard=20Pruss=20<ric@cisco.com> |Subject:=20Re=3A=20[dhcwg]=20draft-pruss-dhcp-auth-dsl-03 |Sender:=20 |To:=20Alan=20Kavanagh=20<alan.kavanagh@ericsson.com>; bh=DXdvXje0OoLNoht+LA1MIlV8DDtdJ5iPwTIUDcB4zVQ=; b=v12fItxV15H/mUBT07zEnWUrOpRfch6txbyaRrW71Zg1Ry1SAzlI05QD/q sSpDooZ8qZutGYAgq5F7Wv4DUVHestj9kmgTvLUEgBBcTc7dxuqYpqhNB5FY LClUW5iPth;
Authentication-Results: rtp-dkim-2; header.From=ric@cisco.com; dkim=pass ( sig from cisco.com/rtpdkim2001 verified; );
Cc: dhcwg@ietf.org, Yoshihiro Ohba <yohba@tari.toshiba.com>
Subject: Re: [dhcwg] draft-pruss-dhcp-auth-dsl-03
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/dhcwg>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: dhcwg-bounces@ietf.org
Errors-To: dhcwg-bounces@ietf.org

Hi Alan,

I agree with you that we need add use cases to the base architecture  
for this.

Possibly a place to start is clarify in the service definitions that  
we have cases that have
separate administrative domains servicing the bridge RG case.   
Addressing design seems key
as this will dictate to whom we address the authentication requests.  
Once we know whom is supplying
the addresses and it clears up who would want to authenticate.

A key factor to consider here is of architecture difference between   
the US & Asia-Pac providers and as opposed to the European providers  
due to regulatory requirements for wholesale.

- Ric



On 29/07/2008, at 12:39 AM, Alan Kavanagh wrote:

> Hmm, im not quite sure on this.
>
> To me, a subscriber being attached to a Physical DSL Line would need  
> to
> have the possibility to authenticate just this subscriber for a  
> given IP
> Service, this is not tied to NAT or ALG in any way.
>
> I agree Richard that for a bridged RGw this is not an issue since the
> individual subscriber must be authenticated in this case, but for this
> to work, DHCP_Auth is "Required to be supported by the clients"....and
> this to me is a burden on the clients, is this something we want to  
> push
> Richard? This is what im asking. Now this is also similar in the  
> "Routed
> RGw" case, i dont just want to have line authentication, i "need per
> subscriber authentication" and looking at the current draft we perhaps
> need to put some additional use cases to handle these noted above,  
> would
> you agree?
>
> BR
> Alan K
>
> -----Original Message-----
> From: Richard Pruss [mailto:ric@cisco.com]
> Sent: July 28, 2008 5:27 AM
> To: Alan Kavanagh
> Cc: Yoshihiro Ohba; dhcwg@ietf.org
> Subject: Re: [dhcwg] draft-pruss-dhcp-auth-dsl-03
>
> I certainly  would be concerned with trying to drive deployed DSL  
> Forum
> architectures to somehow authentication sessions behind the  
> residential
> gateway, with a bridge it is all simple, but when you have a gateway
> with NAT then things become complicated.
>
> In DSL we have no equivalent of the tight coupled Media Access Control
> layer in the cable model in the RG. So whenever the home network  
> becomes
> part of the authentication discussion and ideas start to take flight
> about coupling ALG's in NAT with authentication in the RG, I run a  
> mile.
>
> - Ric
>
>
> On 28/07/2008, at 6:06 AM, Alan Kavanagh wrote:
>
>> I agree with what Yoshihiro has pointed out, in that there is no way
>> to indicate how a EAP Failure would be indicated to the client in
>> DHCP_Auth.
>>
>> Similarly, im a little bit worried here about how we would use
>> DHCP_Auth to authenticate individual IP Sessions behind the same
>> subscriber line?
>>
>> Alan K
>>
>> -----Original Message-----
>> From: dhcwg-bounces@ietf.org [mailto:dhcwg-bounces@ietf.org] On  
>> Behalf
>
>> Of Richard Pruss
>> Sent: July 27, 2008 7:47 AM
>> To: Yoshihiro Ohba
>> Cc: dhcwg@ietf.org
>> Subject: Re: [dhcwg] draft-pruss-dhcp-auth-dsl-03
>>
>> Thanks for your comments,
>>
>> On 27/07/2008, at 10:19 AM, Yoshihiro Ohba wrote:
>>
>>> I have a couple of comments on new dhcp-auth I-D.
>>>
>>> - It still does not seem to address the issue of the difference in
>>> retransmission directions.  Especially I am not sure how dhcp-auth
>>> works when EAP-Success/Failure gets lost.
>>>
>>> - Comment on fragmentation.  The current draft says that there is
>>> over
>>
>>> 200-octet space available more than the EAP MTU of 1020 octets.
>>> However, I am not sure that if over 200-octet space is really
>>> sufficient for 1500-octet MTU considering that DHCP relay agent
>>> information option can be inserted by DHCP relay agent as well as
>>> there can be 'shim' layers below IP.
>>
>> Relay's typically add only port information so I think we can be  
>> quiet
>
>> safe with our 200 bytes also considering the real world EAP packet
>> sizes.
>>
>> - Ric
>>
>>
>>>
>>>
>>> - DHCP EAP request response message can be more confusing,
>>> considering
>>
>>> the new extension to EAP such as ERX (draft-ietf-hokey-erx) where  
>>> two
>
>>> new messages are defined that are neither request nor response.
>>> Considering ERX, I would strongly discourage combining DHCP and EAP
>>> because ERX can make integration of DHCP and EAP even more  
>>> difficult.
>>> It is best if we separate IP address configuration from network
>>> access
>>
>>> authentication.
>>>
>>> Regards,
>>> Yoshihiro Ohba
>>>
>>> On Fri, Jul 25, 2008 at 08:41:44AM +1000, Richard Pruss wrote:
>>>> Hi,
>>>>
>>>> To help the discussion next week I was prompted to put out a  
>>>> summary
>
>>>> of changes.
>>>> http://tools.ietf.org/html/draft-pruss-dhcp-auth-dsl-03
>>>>
>>>> We have tried in this version to address concerns raised in IETF  
>>>> 70.
>>>> Jari and Ralph's preso may remind you of those:
>>>> http://www.ietf.org/proceedings/07dec/slides/intarea-2/sld1.htm
>>>>
>>>> We have added a first draft proposal for DHCPv6 messages for a
>>>> limited set of IPv6 deployments.
>>>> http://tools.ietf.org/html/draft-pruss-dhcp-auth-dsl-03#section-5.2
>>>>
>>>> We now have added a DHCP relay model to the DHCP proxy/server model
>>>> that was the document model.
>>>> (DHCP proxy is a term used in the DSL architectures, where the BRAS
>>>> acts as a server to the client.)
>>>>
>>>> We have added a section on fragmentation.
>>>> http://tools.ietf.org/html/draft-pruss-dhcp-auth-dsl-03#section-8
>>>>
>>>> The DHCP EAP request response messages are now separate messages to
>>>> possibly make the flow clearer and hopefully make the discussion
>>>> around DHCP vs EAP retransmission responsibility easier for people
>>>> to
>>
>>>> understand.
>>>>
>>>> There is a section on backwards compatibility and a number of cases
>>>> considered, no updates to that but it addresses one of the bullets
>>>> on
>>
>>>> the slides in IETF-70.
>>>>
>>>> - Ric
>>>>
>>>> _______________________________________________
>>>> dhcwg mailing list
>>>> dhcwg@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dhcwg
>>>>
>>
>> _______________________________________________
>> dhcwg mailing list
>> dhcwg@ietf.org
>> https://www.ietf.org/mailman/listinfo/dhcwg
>

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email