Re: [dhcwg] draft-pruss-dhcp-auth-dsl-03

"Alan Kavanagh" <alan.kavanagh@ericsson.com> Mon, 28 July 2008 23:39 UTC

Date: Mon, 28 Jul 2008 19:39:58 -0400
Message-ID: <35815C929B41D2479A224FE098A272270606DC50@ecamlmw720.eamcs.ericsson.se>
In-Reply-To: <1B47BE88-187A-4B10-B318-D26FEE5B825D@cisco.com>
Thread-Topic: [dhcwg] draft-pruss-dhcp-auth-dsl-03
References: <7EF5D845-4CA3-4100-AC40-5D760F8FCB40@cisco.com><20080727091906.GN1338@steelhead.localdomain> <52CF1BCD-9BEF-4A01-869B-F20A2C72B4C6@cisco.com> <35815C929B41D2479A224FE098A272270603C841@ecamlmw720.eamcs.ericsson.se> <1B47BE88-187A-4B10-B318-D26FEE5B825D@cisco.com>
From: Alan Kavanagh <alan.kavanagh@ericsson.com>
To: Richard Pruss <ric@cisco.com>
Cc: dhcwg@ietf.org, Yoshihiro Ohba <yohba@tari.toshiba.com>
Subject: Re: [dhcwg] draft-pruss-dhcp-auth-dsl-03

Hmm, I'm not quite sure on this.

To me, a subscriber being attached to a physical DSL line would need to
have the possibility to authenticate just this subscriber for a given IP
service; this is not tied to NAT or ALG in any way.

I agree, Richard, that for a bridged RGw this is not an issue, since the
individual subscriber must be authenticated in this case, but for this
to work, DHCP_Auth is "Required to be supported by the clients", and
this to me is a burden on the clients. Is this something we want to push,
Richard? This is what I'm asking. Now this is also similar in the "Routed
RGw" case: I don't just want to have line authentication, I "need per
subscriber authentication", and looking at the current draft we perhaps
need to put some additional use cases to handle these noted above. Would
you agree?

BR
Alan K

-----Original Message-----
From: Richard Pruss [mailto:ric@cisco.com] 
Sent: July 28, 2008 5:27 AM
To: Alan Kavanagh
Cc: Yoshihiro Ohba; dhcwg@ietf.org
Subject: Re: [dhcwg] draft-pruss-dhcp-auth-dsl-03

I certainly would be concerned with trying to drive deployed DSL Forum
architectures to somehow authenticate sessions behind the residential
gateway; with a bridge it is all simple, but when you have a gateway
with NAT then things become complicated.

In DSL we have no equivalent of the tightly coupled Media Access Control
layer in the cable model in the RG. So whenever the home network becomes
part of the authentication discussion and ideas start to take flight
about coupling ALGs in NAT with authentication in the RG, I run a mile.

- Ric


On 28/07/2008, at 6:06 AM, Alan Kavanagh wrote:

> I agree with what Yoshihiro has pointed out, in that there is no way
> to indicate how an EAP Failure would be indicated to the client in
> DHCP_Auth.
>
> Similarly, I'm a little bit worried here about how we would use
> DHCP_Auth to authenticate individual IP Sessions behind the same
> subscriber line?
>
> Alan K
>
> -----Original Message-----
> From: dhcwg-bounces@ietf.org [mailto:dhcwg-bounces@ietf.org] On Behalf
> Of Richard Pruss
> Sent: July 27, 2008 7:47 AM
> To: Yoshihiro Ohba
> Cc: dhcwg@ietf.org
> Subject: Re: [dhcwg] draft-pruss-dhcp-auth-dsl-03
>
> Thanks for your comments,
>
> On 27/07/2008, at 10:19 AM, Yoshihiro Ohba wrote:
>
>> I have a couple of comments on new dhcp-auth I-D.
>>
>> - It still does not seem to address the issue of the difference in 
>> retransmission directions.  Especially I am not sure how dhcp-auth 
>> works when EAP-Success/Failure gets lost.
>>
>> - Comment on fragmentation.  The current draft says that there is
>> over 200-octet space available more than the EAP MTU of 1020 octets.
>> However, I am not sure that if over 200-octet space is really
>> sufficient for 1500-octet MTU considering that DHCP relay agent
>> information option can be inserted by DHCP relay agent as well as
>> there can be 'shim' layers below IP.
>
> Relays typically add only port information, so I think we can be quite
> safe with our 200 bytes, also considering the real world EAP packet
> sizes.
>
> - Ric
>
>
>>
>>
>> - DHCP EAP request response message can be more confusing,
>> considering the new extension to EAP such as ERX (draft-ietf-hokey-erx)
>> where two new messages are defined that are neither request nor response.
>> Considering ERX, I would strongly discourage combining DHCP and EAP
>> because ERX can make integration of DHCP and EAP even more difficult.
>> It is best if we separate IP address configuration from network
>> access authentication.
>>
>> Regards,
>> Yoshihiro Ohba
>>
>> On Fri, Jul 25, 2008 at 08:41:44AM +1000, Richard Pruss wrote:
>>> Hi,
>>>
>>> To help the discussion next week I was prompted to put out a summary
>>> of changes.
>>> http://tools.ietf.org/html/draft-pruss-dhcp-auth-dsl-03
>>>
>>> We have tried in this version to address concerns raised in IETF 70.
>>> Jari and Ralph's preso may remind you of those:
>>> http://www.ietf.org/proceedings/07dec/slides/intarea-2/sld1.htm
>>>
>>> We have added a first draft proposal for DHCPv6 messages for a 
>>> limited set of IPv6 deployments.
>>> http://tools.ietf.org/html/draft-pruss-dhcp-auth-dsl-03#section-5.2
>>>
>>> We now have added a DHCP relay model to the DHCP proxy/server model 
>>> that was the document model.
>>> (DHCP proxy is a term used in the DSL architectures, where the BRAS 
>>> acts as a server to the client.)
>>>
>>> We have added a section on fragmentation.
>>> http://tools.ietf.org/html/draft-pruss-dhcp-auth-dsl-03#section-8
>>>
>>> The DHCP EAP request response messages are now separate messages to
>>> possibly make the flow clearer and hopefully make the discussion
>>> around DHCP vs EAP retransmission responsibility easier for people
>>> to understand.
>>>
>>> There is a section on backwards compatibility and a number of cases
>>> considered, no updates to that but it addresses one of the bullets
>>> on the slides in IETF-70.
>>>
>>> - Ric
>>>
>>> _______________________________________________
>>> dhcwg mailing list
>>> dhcwg@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dhcwg
>>>

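To put numbers on the fragmentation exchange quoted above (Yoshihiro's concern that the DHCP relay agent information option and shim layers below IP eat into the "over 200 octets" the draft claims beyond the 1020-octet EAP MTU, and Ric's reply that relays typically add only port information), the following is an added Python budget calculator. It is not from the draft or from any of the posters. The fixed sizes are the RFC 2131 fixed fields, the magic cookie, and plain IPv4/UDP headers; the extra options assumed present (message type, server identifier), the 8-octet PPPoE shim, and the option 82 sub-option contents are my assumptions, with the sample circuit-id and remote-id constructed for the example.

```python
# Added worked example (not from the draft or the thread): headroom for an
# EAP payload carried as a DHCPv4 option, checked against relay agent
# option insertion and a shim layer below IP.
from dataclasses import dataclass

# Fixed sizes from RFC 791 / RFC 768 / RFC 2131 (IPv4 header without options).
IPV4_HEADER = 20
UDP_HEADER = 8
DHCPV4_FIXED_FIELDS = 236   # op .. file fields, RFC 2131 figure 1
MAGIC_COOKIE = 4
OPTION_HEADER = 2           # code + length octets per option instance
MAX_OPTION_DATA = 255       # RFC 3396: longer data is split across instances
END_OPTION = 1              # option 255 is a single octet

EAP_MTU = 1020              # figure quoted in the thread


def draft_margin(link_mtu=1500):
    """Octets left after fixed headers and a full-size EAP payload.

    Reproduces the 'over 200 octets' arithmetic from the thread; it counts
    no option encoding overhead and no other options at all.
    """
    return (link_mtu - IPV4_HEADER - UDP_HEADER - DHCPV4_FIXED_FIELDS
            - MAGIC_COOKIE - EAP_MTU)


def option_overhead(data_len):
    """Header octets needed to encode data_len octets of one option (RFC 3396 split)."""
    instances = max(1, -(-data_len // MAX_OPTION_DATA))  # ceiling division
    return instances * OPTION_HEADER


def relay_agent_option_len(suboptions):
    """Encoded length of option 82 built from {suboption_code: data_bytes}.

    Each sub-option costs 2 header octets plus its data, and the enclosing
    option adds its own 2-octet header. Assumes one 255-octet instance.
    """
    inner = sum(2 + len(data) for data in suboptions.values())
    if inner > MAX_OPTION_DATA:
        raise ValueError("relay agent option does not fit one instance")
    return OPTION_HEADER + inner


@dataclass
class Budget:
    link_mtu: int = 1500      # Ethernet; use shim_octets for PPPoE etc.
    shim_octets: int = 0      # assumed 8 for PPPoE (6 PPPoE + 2 PPP protocol)
    other_options: int = 9    # assumed: message type (3) + server identifier (6)
    relay_option: int = 0     # encoded option 82 length inserted by the relay


def option_space(budget):
    """Octets available for the DHCP options field on this link."""
    return (budget.link_mtu - budget.shim_octets - IPV4_HEADER - UDP_HEADER
            - DHCPV4_FIXED_FIELDS - MAGIC_COOKIE)


def headroom(budget, eap_payload=EAP_MTU):
    """Octets to spare; negative means the datagram exceeds the link MTU."""
    used = (eap_payload + option_overhead(eap_payload)
            + budget.other_options + budget.relay_option + END_OPTION)
    return option_space(budget) - used


def max_eap_payload(budget):
    """Largest EAP payload that still fits, counting its own option headers."""
    remaining = (option_space(budget) - budget.other_options
                 - budget.relay_option - END_OPTION)
    for payload in range(remaining, -1, -1):
        if payload + option_overhead(payload) <= remaining:
            return payload
    return 0


# Constructed sample option 82 contents (not real identifiers).
SAMPLE_RELAY = relay_agent_option_len({
    1: b"dslam-7/1/23:100",            # circuit-id, 16 octets
    2: bytes.fromhex("001122334455"),  # remote-id, 6 octets
})

if __name__ == "__main__":
    plain = Budget()
    pppoe = Budget(shim_octets=8, relay_option=SAMPLE_RELAY)
    print("draft arithmetic margin:", draft_margin())
    print("Ethernet, no relay option:", headroom(plain), "octets spare")
    print("PPPoE + option 82:", headroom(pppoe), "octets spare;",
          "max EAP payload", max_eap_payload(pppoe))
```

With these assumptions the draft's 212-octet figure shrinks to 194 once the EAP option's own headers and two common options are counted, and to 158 behind a PPPoE shim with a modest option 82 inserted; the margin stays positive, which is Ric's point, but a longer circuit-id, vendor sub-options or more client options erode it further, which is Yoshihiro's.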