Re: [dhcwg] Discussion of subscriber authentication
John Schnizlein <jschnizl@cisco.com> Thu, 29 March 2007 20:19 UTC
Return-path: <dhcwg-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HX15w-0006nS-Vo; Thu, 29 Mar 2007 16:19:40 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HX15v-0006nD-P0 for dhcwg@ietf.org; Thu, 29 Mar 2007 16:19:39 -0400
Received: from rtp-iport-1.cisco.com ([64.102.122.148]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HX15u-0001rV-5e for dhcwg@ietf.org; Thu, 29 Mar 2007 16:19:39 -0400
Received: from rtp-dkim-2.cisco.com ([64.102.121.159]) by rtp-iport-1.cisco.com with ESMTP; 29 Mar 2007 16:19:39 -0400
Received: from rtp-core-2.cisco.com (rtp-core-2.cisco.com [64.102.124.13]) by rtp-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id l2TKJc51009451; Thu, 29 Mar 2007 16:19:38 -0400
Received: from [68.49.215.245] (che-vpn-cluster-1-317.cisco.com [10.86.241.62]) by rtp-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id l2TKJblG015835; Thu, 29 Mar 2007 20:19:37 GMT
In-Reply-To: <8E296595B6471A4689555D5D725EBB2103A34015@xmb-rtp-20a.amer.cisco.com>
References: <8E296595B6471A4689555D5D725EBB2103A34015@xmb-rtp-20a.amer.cisco.com>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <CE64EC79-FA87-40F8-8731-0E346A4DBB27@cisco.com>
Content-Transfer-Encoding: 7bit
From: John Schnizlein <jschnizl@cisco.com>
Subject: Re: [dhcwg] Discussion of subscriber authentication
Date: Thu, 29 Mar 2007 16:19:36 -0400
To: "Bernie Volz (volz)" <volz@cisco.com>
X-Mailer: Apple Mail (2.752.2)
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=5581; t=1175199578; x=1176063578; c=relaxed/simple; s=rtpdkim2001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=jschnizl@cisco.com; z=From:=20John=20Schnizlein=20<jschnizl@cisco.com> |Subject:=20Re=3A=20[dhcwg]=20Discussion=20of=20subscriber=20authenticati on |Sender:=20 |To:=20=22Bernie=20Volz=20\(volz\)=22=20<volz@cisco.com>; bh=j2GnuQgt8L8BDnnpNPGGn/FsfNPF7E1pOrUf1wbIe4g=; b=MI9/5l+onFO+nyAOboCAyZCw/5nP3umK42DjpU1vktJdYC7lLUitQyaLy1fZlTSACp+Dlji/ bSNpeVI3e9u/uziq37gHcDuCGQkqiidoiAgD6gVsSWVV3edsr9bflPnW;
Authentication-Results: rtp-dkim-2; header.From=jschnizl@cisco.com; dkim=pass ( sig from cisco.com/rtpdkim2001 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 29dc808194f5fb921c09d0040806d6eb
Cc: DHC WG <dhcwg@ietf.org>, Int-area@lists.ietf.org, "Ralph Droms (rdroms)" <rdroms@cisco.com>
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Errors-To: dhcwg-bounces@ietf.org
The authentication in RFC 3118 (for DHCPv4) and RFC 3315 (for DHCPv6)
is message authentication, not subscriber authentication.
Message authentication is all about ensuring that the contents are
not fake, assuming that there is enough shared trust between client
and server host computers. The shared trust also serves to control
authorization to exchange DHCP messages.
Subscriber authentication is about the user of network access, and
the user is often the person who has credentials rather than the
host, although storing user credentials on the host happens.
The point of section 2.5 of draft-aboba-ip-config-00.txt is that
these are different:
2.5. Configuration is Not Access Control
Network access authentication is a distinct problem from Internet
host configuration.
John
On Mar 29, 2007, at 2:50 PM, Bernie Volz ((volz)) wrote:
> Ralph:
>
> Isn't this discussion a bit late given that RFC 3118 exists and RFC
> 3315
> contains Authentication?
>
> RFC 3118 abstract reads:
>
> This document defines a new Dynamic Host Configuration Protocol
> (DHCP) option through which authorization tickets can be easily
> generated and newly attached hosts with proper authorization can be
> automatically configured from an authenticated DHCP server. DHCP
> provides a framework for passing configuration information to hosts
> on a TCP/IP network. In some situations, network administrators
> may
> wish to constrain the allocation of addresses to authorized hosts.
> Additionally, some network administrators may wish to provide for
> authentication of the source and contents of DHCP messages.
>
> Other than the data used to authenticate (which in this case is a
> username and password, instead of a shared secret), what really is the
> difference? I guess it all depends on what "authorized" hosts means.
>
> RFC 3118 does have issues as it is difficult to handle client
> authentication without exposing the client's identity (since
> there's no
> good way to "delay" the authentication) -- this is discussed in
> draft-ietf-dhc-v4-threat-analysis-03.txt, section 5.
>
> One additional flaw with Rick draft's is that there's no provision to
> authenticate the server -- which means that if a client doing this is
> mobile and attaches to other networks, it may expose the username and
> password.
>
> I think Ted Lemon's point that Ric's draft should stick to the DHC
> client/server authentication communication and not mention how other
> network elements may use the end result of the DHCP exchange (i.e.,
> the
> "authorization" to use the network). See
> http://www1.ietf.org/mail-archive/web/dhcwg/current/msg07138.html.
>
> If we could work this out within the RFC 3118 framework, it certainly
> would kick start DHCP authentication.
>
> - Bernie
>
> -----Original Message-----
> From: Ralph Droms (rdroms)
> Sent: Thursday, March 29, 2007 1:47 PM
> To: Int-area@lists.ietf.org
> Subject: [dhcwg] Discussion of subscriber authentication
>
> At the dhc WG meeting in Prague, there was a discussion of "subscriber
> authentication" and how that function might be provided through DHCP.
> Ric
> Pruss gave a presentation about a proposal for subscriber
> authentication
> through DHCP:
>
> http://www3.ietf.org/proceedings/07mar/slides/dhc-2.pdf
> http://www.ietf.org/internet-drafts/draft-pruss-dhcp-auth-dsl-00.txt
>
> There is a related draft that was not discussed at the dhc WG meeting:
>
> http://www.ietf.org/internet-drafts/draft-zhao-dhc-user-
> authentication-0
> 1.tx
> t
>
> There was also a discussion of "Principles of Internet Host
> Configuration".
> Dave Thaler gave a presentation about the draft he co-authored with
> Bernard
> Aboba:
>
> http://www3.ietf.org/proceedings/07mar/slides/dhc-7.pdf
> http://www.ietf.org/internet-drafts/draft-aboba-ip-config-00.txt
>
> During the discussion of subscriber authentication, it was noted that
> the
> proposed solutions assume that DHCP is the right vehicle through which
> subscriber authentication should take place. That assumption needs to
> be
> further examined; PANA, for example, provides an alternative solution
> which
> does not depend on DHCP. Before the IETF proceeds with a DHCP-based
> solution, we need to discuss the broader issue of where subscriber
> authentication should be implemented.
>
> Accordingly, the Internet Area directors and the WG chairs have
> decided
> to
> move the discussion of subscriber authentication to the int-area
> mailing
> list. This discussion will explore the subscriber authentication
> problem
> space and requirements, to come to some initial consensus about
> where a
> solution might belong.
>
> To kick off the discussion, we are trying to get permission to publish
> subscriber authentication requirements from the DSL Forum.
>
> I've included dhcwg@ietf.org as a BCC to this note, to inform the
> dhc WG
> members that further discussion of subscriber authentication will move
> to
> int-area@lists.ietf.org. I've also included secdir@mit.edu as a
> BCC, to
> make sure we have appropriate security clue in the discussion.
>
> - Ralph
>
>
>
>
> _______________________________________________
> dhcwg mailing list
> dhcwg@ietf.org
> https://www1.ietf.org/mailman/listinfo/dhcwg
>
> _______________________________________________
> dhcwg mailing list
> dhcwg@ietf.org
> https://www1.ietf.org/mailman/listinfo/dhcwg
_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] Discussion of subscriber authentication Ralph Droms
- RE: [dhcwg] Discussion of subscriber authenticati… Bernie Volz (volz)
- Re: [dhcwg] Discussion of subscriber authenticati… Ralph Droms
- Re: [dhcwg] Discussion of subscriber authenticati… John Schnizlein
- Re: [Int-area] Re: [dhcwg] Discussion of subscrib… Julien Bournelle
- Re: [dhcwg] Discussion of subscriber authenticati… Ralph Droms
- RE: [Int-area] RE: [dhcwg] Discussion of subscrib… Alper Yegin
- RE: [Int-area] RE: [dhcwg] Discussion of subscrib… Bernie Volz (volz)
- Re: [Int-area] RE: [dhcwg] Discussion of subscrib… Richard Pruss
- Re: [Int-area] RE: [dhcwg] Discussion of subscrib… Richard Pruss
- Re: [Int-area] RE: [dhcwg] Discussion of subscrib… Alan DeKok
- Re: [Int-area] RE: [dhcwg] Discussion of subscrib… Alan DeKok