Re: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Internet Architecture -- was: Re: We really mean it this time *FINAL* agenda for dhc WG meeting
Behcet Sarikaya <behcetsarikaya@yahoo.com> Thu, 19 March 2009 21:24 UTC
Return-Path: <behcetsarikaya@yahoo.com>
X-Original-To: dhcwg@core3.amsl.com
Delivered-To: dhcwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1101628C0E8 for <dhcwg@core3.amsl.com>; Thu, 19 Mar 2009 14:24:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Level:
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[AWL=-0.025, BAYES_00=-2.599, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XXdAlrUq5R7Q for <dhcwg@core3.amsl.com>; Thu, 19 Mar 2009 14:24:31 -0700 (PDT)
Received: from web111406.mail.gq1.yahoo.com (web111406.mail.gq1.yahoo.com [67.195.15.162]) by core3.amsl.com (Postfix) with SMTP id AB30B3A6805 for <dhcwg@ietf.org>; Thu, 19 Mar 2009 14:24:31 -0700 (PDT)
Received: (qmail 12599 invoked by uid 60001); 19 Mar 2009 21:25:17 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1237497917; bh=L8sS78zTseJ9LZz9tT2XiNOuzBFAmmzpdmmoySWWVFU=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=5PSI+632H5yJhPeHah5FiNCZ6/DKw4w2YrlDLPi4OckuQe5cGAOGStIXYuSiKkVDFcNfJMmzlivKuyfB/zuOeofPinR04tgL8fhzsjSOGgypZq2dDpCfiDZcifXEu5ippFPwedFI85WNCRssO+jRv73O2KLJ9z1i2Rok3hEC1D4=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=nkhLJKsIOiwgo+ePUOmdZXkPDeDjL0wA/aDtsTDAr1rJNkKd9NOBGXfl/+4GE78dhiMHJspxO5YnMax1zwP9RcHf08pBIdc8L/SsZnFIShbJZjttMwWLqn7htB6+5Puz9KYHuckCZ0iXC2Tgdc2z1em1aKIqiiAI0mZV7vJv9v8=;
Message-ID: <453915.10829.qm@web111406.mail.gq1.yahoo.com>
X-YMail-OSG: 4jsuWSgVM1lwq9vzbmLrCjNlZubTLzpzntUMNvO.SCPz8_bLQJTPXeRmrk3uWXKkKEFwvdJFGTn450BKQF4LPOiwmMYFIvgk7kdYXmKoH639aon61CGd7KdaXADOcRdLJ0sZ4s3wIVWA88EEB_cUy8QI_.kTu2XhuB1IFqGTjUGIycIyhRwymgXfbnKHlja_j0L.0000wc1nvkLVpK9Vk1jEqTyuQaZfHpj0AcW5hj42r4zmBqzeEupGnkb4heTKaBb.tuTNqCHwi2HJjhICVyGXW3abGkj0
Received: from [206.16.17.212] by web111406.mail.gq1.yahoo.com via HTTP; Thu, 19 Mar 2009 14:25:17 PDT
X-Mailer: YahooMailRC/1277.32 YahooMailWebService/0.7.289.1
References: <200903191124.MAA26754@TR-Sys.de> <001f01c9a8bd$52ebf310$f8c3d930$@net>
Date: Thu, 19 Mar 2009 14:25:17 -0700
From: Behcet Sarikaya <behcetsarikaya@yahoo.com>
To: Glen Zorn <gwz@net-zen.net>, Alfred HÎnes <ah@tr-sys.de>
In-Reply-To: <001f01c9a8bd$52ebf310$f8c3d930$@net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1301210101-1237497917=:10829"
Cc: dhcwg@ietf.org
Subject: Re: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Internet Architecture -- was: Re: We really mean it this time *FINAL* agenda for dhc WG meeting
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Behcet Sarikaya <sarikaya@ieee.org>
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Mar 2009 21:24:33 -0000
The IAB draft draft-iab-ip-config-11 does take a position in this debate and it recommends 802.1X for controlling access to a link. The draft does not say that DHCP should not be used for authentication. In fact it does mention DHCP authentication in several places. Regards, Behcet ________________________________ From: Glen Zorn <gwz@net-zen.net> To: Alfred HÎnes <ah@tr-sys.de> Cc: dhcwg@ietf.org Sent: Thursday, March 19, 2009 1:05:44 PM Subject: Re: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Internet Architecture -- was: Re: We really mean it this time *FINAL* agenda for dhc WG meeting Alfred HÎnes [mailto:ah@tr-sys.de] writes: > Folks, > may I please recall some of the Architectural Principles > of the Internet. > > A recent interesting reading is the IAB statement in > draft-iab-ip-config-11, which will perhaps be out as an RFC > by the end of this month. Thank you for bringing this to my attention, Alfred; as usual, the breadth & scope of your reading amazes me (as well as the fact that you seem to be able to remain sane despite your exposure to so much hogwash ;-). > > That document contains a section: > > 2.5. Configuration is Not Access Control > > Network access authentication and authorization is a distinct > problem from Internet host configuration. Therefore network access > authentication and authorization is best handled independently of > the Internet and higher layer configuration mechanisms. > > [...] This is a very interesting assertion -- appropriately made without supporting evidence, since there is none -- but I wonder on what planet it might be true. Here on Earth there is no case I can think of, from the highest level (IANA, APNIC, RIPE, etc.) to the lowest (e.g., the DHCP server in my home router) in which the allocation of one or more IP addresses is not also the result of an authorization decision. In fact, even in its most basic deployments, DHCP has always done both authentication and authorization: it just does authentication very poorly. > > Further on in that document, the IAB emphasizes that simple and > general, lightweight mechanisms are needed for IP host configuration, > and that the number of such mechanisms needs to be very contained; > the document recognizes DHCP as the major current Internet technology > to this end. > > Additionally, the IAB draft elaborated on the disadvantages of > coupling authorization / access control and Internet layer > configuration within an integrated protocol as it had been done > in the past in PPP. There's an awful lot of nonsense written about PPP in that draft; however, see section 4.1 where the authors write rather wistfully of "DHCP authentication". > > The Authentication-over-DHCP draft aims at carrying over this concept > "from PPP to the IP and DHCP layer". > Carrying over an anti-modular architecture that has been recognized > as bad should not become a serious candidate of work adopted by any > IETF WG. > > The Authentication-over-DHCP draft goes one significant step further > in disavowing basic principles of the Internet Architecture: > it introduces the misconcept of an "IP-Session" as its fundament. Actually, the BBF seems to have adopted this (admittedly somewhat vaporous) concept; our draft simply uses the already adopted idea as part of its rationale. In other words, we are not inventing the misconcept, merely admitting its existence and attempting to give it a more secure foundation since (as I understand it) the existence of an "IP session" is currently based purely upon circumstantial evidence. > IP is a connectionless technology based on per-packet forwarding. > > Looking at the draft, it becomes evident that the model depicted > in Figure 1 does not fit in the IP subnet model (please see the > related IAB documents published over the last years!). Note that the figure is titled "DSL Network Architecture". Please don't blame me for that! > It is painfully unclear where the subnet boundaries are intended > to be located and whether this draft again tries to introduce the > nightmare of multi-link subnets. It looks like the "Access Node" > architecturally should be an IP router in the "replace PPP by IP" > model of the draft, but apparently the draft did not recognize > that -- otherwise it could not say that only the endpoints of the > access network (CPE/HGW and NAS/BB-POP) need to be concerned > by the proposal; to my knowledge, the typical DSLAM currently > operates as a layer-2 switch, not as a router. > > A reasonable model for getting rid of PPPoE in the access network > in favor of IP, and enhancing its security and robustness seems > to be introducing an IPv6 Access network as its infrastructure > and establishing IPsec tunnels between CPE/HGW and NAS. > Doing so would indeed allow seemless IPv4/IPv6 coexistence and > a 'session'-based connection model, with a single conceptional > IP hop between the CPE access router and the NAS; parallel > IPsec SAs (Child_SAs) controlled by a single IKE_SA would also > allow to provide differentiated services in parallel (for QoS > support and other added-value services). You're preaching to the wrong choir, Alfred: tell the xDSL SPs, but be warned: I've already tried... ... _______________________________________________ dhcwg mailing list dhcwg@ietf.org https://www.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] draft-pruss-dhcp-auth-dsl vs. Internet Ar… Alfred Hönes
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Interne… Glen Zorn
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Interne… Behcet Sarikaya
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Interne… Alfred Hönes
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Interne… Behcet Sarikaya
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Interne… David W. Hankins
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Interne… Glen Zorn