RE: [Int-area] Re: [dhcwg] Discussion of dhc WGrecharteringforDHCPauthentication
"Alper Yegin" <alper.yegin@yegin.org> Fri, 16 November 2007 23:45 UTC
Return-path: <dhcwg-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1ItAsh-0006Us-Ca; Fri, 16 Nov 2007 18:45:51 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1ItAsf-0006UM-Td; Fri, 16 Nov 2007 18:45:49 -0500
Received: from mout.perfora.net ([74.208.4.196]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1ItAsa-0007Ew-VC; Fri, 16 Nov 2007 18:45:49 -0500
Received: from IBM52A5038A94F ([88.233.33.212]) by mrelay.perfora.net (node=mrus0) with ESMTP (Nemesis) id 0MKp8S-1ItAsT0w6V-00063J; Fri, 16 Nov 2007 18:45:43 -0500
From: Alper Yegin <alper.yegin@yegin.org>
To: ric@cisco.com
Subject: RE: [Int-area] Re: [dhcwg] Discussion of dhc WGrecharteringforDHCPauthentication
Date: Sat, 17 Nov 2007 01:45:32 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
In-Reply-To: <473BD623.8090300@cisco.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Thread-Index: AcgnRrBaBNhanykTQOmUeWxuLS9eaABYbgpQ
Message-Id: <0MKp8S-1ItAsT0w6V-00063J@mrelay.perfora.net>
X-Provags-ID: V01U2FsdGVkX1+9egrY3kerG+4+zVgV4+f7j+47B1hlXPjm3q8 XxfFT7gsRsS21ZvzMYiAc67z5vtxFTpbrH2Ifx/g5WwtKmpOYs ZmdSbILQ+a65zvE/zRCfA==
X-Spam-Score: 0.3 (/)
X-Scan-Signature: 3a4bc66230659131057bb68ed51598f8
Cc: dhcwg@ietf.org, 'Internet Area' <int-area@ietf.org>, parberg@redback.com
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Errors-To: dhcwg-bounces@ietf.org
> > Alper> If you are using link-local IP address prior to PANA, that means > > you don't attempt to configure an IP address using DHCP prior to > > successful completion of PANA. That does not alter DHCP state machine. > > <RMP> Well do not run until after PANA state for DHCP is an alteration > of the DHCP state machine and of course a change in the DHCP client. Not starting the DHCP client is the simplest way. And that, obviously, has no change whatsoever on the DHCP SM or client. > > Secondly to run PANA with link local to the NAS, you need to re engineer > > all the layer 2 SAVA security because the link local addresses look like > > spoofed addresses to the layer 2 switches and would be dropped. > > > > Alper> This statement gives me the impression that L2 SAVA is based on > > snooping DHCP only and it cannot be touched at all. Well, this cannot be > > true if you consider IPv6. It has to deal with link-local IP addresses > > and a lot more. See > > http://ietf.org/internet-drafts/draft-baker-sava-implementation-00.txt. > > And btw, somehow I see IPv6 is being characterized as a "future" thing > > that does not exist today, but I know IPv6 is deployed in several DSL > > networks. > <RMP> Fred is proposing how SAVA for IPv6 could possibly work one day > in the future. There is a huge difference between that and the IPv4 > SAVA which is deployed. I know of no residential DSL services in the > work. This is one thing I would love to learn I am wrong about, please > name a provider doing residential IPv6 over DSL. NTT. Since 2001. > > If you couple that with all the rest of the extra mess of PANA discovery > > stuff then it is obvious that DHCP authentication it is much, much > > cleaner and leaner. > > > > Alper> If you can provide a technical point regarding the discovery, we > > can understand better. > <RMP> Provide a side to side comparison of PANA verse DHCP Auth > including L2 switches and SAVA security in L2 and it is very obvious. I > notice you have been careful just to cast smoke over the number Eric put > out but not provided your own. I already provided the numbers in response to Eric's email. Let me know if you have a specific question. Meanwhile, I hope you are seeing the fundamental problem: You cannot reduce DHCP "load" if you "overload" DHCP with EAP. > > If you run DHCP-assigned address prior to authentication. The whole > > layer 2 network is exposed to attack by unauthenticated IP end-point. > > The SAVA done by DSLAMs and first hop switches is eliminated because > > unauthenticated users have DHCP assigned addresses. > > > > Alper> I don't see anything wrong with SAVA there. Up until the host > > reconfigures its IP address using second DHCP after successful PANA, > > there is the pre-PANA address that SAVA system checks. > > > > Alper> And. unauthenticated IP end-point does not have be a thread, > > because the network can limit that host's traffic to just "running PANA > > with the PAA." > <RMP> How? Please specify which elements need to run what shiny new > protocols and how this done. There is no protocol in there. It's all filtering. > > Not to mention thet obvious point that every renew during the > > unauthenticated period is extra messaging which for 60K-500K subscriber > > access networks are effectively huge extra message loads on everything > > in the DHCP path. > > > > Alper> As I have explained to Eric, if you are concerned about "load on > > DHCP path", loading more things to DHCP like access authentication is > > not going to help with reducing that load. This is fundamentally > > contradicting. > > > > Plus the point that you are now saying that 60 seconds is too short for > > the renew, which means that from around 10-15 second logins, which we > > have today, the latency is going to 60 seconds +. > > > > Alper> Sorry I couldn't follow this. What latency is that 60+? DHCP > > lease for the pre-PANA address shall be long enough to accommodate > > typical access authentication latency in order to reduce the possibility > > of renewals. > <RMP>Latency from user line up until services is now some unspecified > large number. I didn't understand your point (or conclusion?). > > Worse than that, the worst time for access is after a massive power > > outage where we have heard of is 20 minutes during recoveries due to AAA > > server loads and for this vulnerable time with PANA the DHCP has 20 > > extra renew per client which is millions of extra messages smashing > > things up. > > > > Alper> Have you considered how many EAP/DHCP retransmissions are going > > to occur due to EAP retranmissions during that 20 minutes? Assuming no > > crazy EAP implementation or configuration would have a 60-second timeout > > for retranmissions, the answer is at least "more", if not "a lot more". > > <RMP>Assuming both proposals use the same EAP method through the AAA > path, main difference is all the extra messages on the DHCP path to the > server from PANA. Unless of course you fully couple PANA to the DHCP > relay stack and do local caching for the relay responses as you have > said in the past. I never said such a thing. I suspect you are confusing someone else's statement about some other scenario/proposal. > Which when one gets down to the real implementation > impact of PANA has to do exactly the same things as DHCP Auth in the CPE > and the BRAS DHCP stacks, and has the additional impacts to other > elements that DHCP auth leaves untouched. Disagree, as explained throughout this thread. Alper _______________________________________________ dhcwg mailing list dhcwg@ietf.org https://www1.ietf.org/mailman/listinfo/dhcwg
- RE: [Int-area] Re: [dhcwg] Discussion of dhc WG r… Alper Yegin
- RE: [Int-area] Re: [dhcwg] Discussion of dhc WGre… Alper Yegin
- Re: [Int-area] Re: [dhcwg] Discussion of dhc WGre… Richard Pruss
- RE: [Int-area] Re: [dhcwg] Discussion of dhc WGre… Peter Arberg
- RE: [Int-area] Re: [dhcwg] Discussion of dhc WGre… Alper Yegin
- Re: [Int-area] Re: [dhcwg] Discussion of dhc WGre… Richard Pruss
- RE: [Int-area] Re: [dhcwg] Discussion of dhc WGre… Alper Yegin
- Re: [Int-area] Re: [dhcwg] Discussion of dhc WGre… Alexandru Petrescu
- RE: [Int-area] Re: [dhcwg] Discussion of dhc WGre… Alper Yegin
- Re: [Int-area] Re: [dhcwg] Discussion of dhc WGre… Shin Miyakawa
- Re: [Int-area] Re: [dhcwg] Discussion of dhc WGre… Shin Miyakawa
- SAVA arguments (Was: Re: [Int-area] Re: [dhcwg] D… Jari Arkko
- Re: SAVA arguments (Was: Re: [Int-area] Re: [dhcw… Richard Pruss