Re: [dhcwg] DHCP interconnected to RADIUS for AAA
Yoshihiro Ohba <yohba@tari.toshiba.com> Thu, 13 March 2003 19:48 UTC
Date: Thu, 13 Mar 2003 14:45:14 -0500
To: Ralph Droms <rdroms@cisco.com>
Cc: Erik Nordmark <Erik.Nordmark@sun.com>, Prakash Jayaraman <prakash_jayaraman@net.com>, Shankar Agarwal <shankar_agarwal@net.com>, rbhibbs@pacbell.net, Dhcwg <dhcwg@ietf.org>, "Chen, Weijing" <wchen@tri.sbc.com>
Subject: Re: [dhcwg] DHCP interconnected to RADIUS for AAA
Message-ID: <20030313194514.GJ781@catfish>
References: <3E6E0DDF.260B2394@net.com> <4.3.2.7.2.20030313133433.01fce288@funnel.cisco.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-2022-jp"
Content-Disposition: inline
In-Reply-To: <4.3.2.7.2.20030313133433.01fce288@funnel.cisco.com>
User-Agent: Mutt/1.5.3i
From: Yoshihiro Ohba <yohba@tari.toshiba.com>
The latest version of PANA requirements draft says: (it missed the submission deadline, but it is available on http://www.toshiba.com/tari/pana/draft-ietf-pana-requirements-05.txt)

4.2. IP Address Assignment

   Providing address assignment functionality is outside the scope of
   PANA. PANA protocol design MAY require the PaC to configure an IP
   address before using this protocol. Allocating an IP address to
   unauthenticated PaCs may enable security vulnerabilities, such as IP
   address depletion attacks on the access network [SECTHREAT]. This
   threat may not be an issue for IPv6 because of the large address
   space, but it can affect IPv4 deployments. Such a threat can be
   mitigated by allowing the protocol to run without an IP address on
   the PaC (e.g., using unspecified source address), but this choice
   might limit the re-use of existing security mechanisms, and impose
   additional implementation complexity. This trade-off should be taken
   into consideration in designing PANA.

Yoshihiro Ohba

On Thu, Mar 13, 2003 at 01:35:50PM -0500, Ralph Droms wrote:
> I don't understand how PANA can be used first - the requirements doc says:
>
>     PANA does not perform any address assignment functions
>     but MUST only be invoked after the client has a usable
>     IP address (e.g., a link-local address in IPv6 or a
>     DHCP-learned address in IPv4)
>
> - Ralph
>
> At 09:45 PM 3/11/2003 +0100, Erik Nordmark wrote:
> >> Is there work currently in progress on such an alternative? (triggering a
> >> PANA transaction upon a DHCP message from the client or something
> >> similar).
> >> Would this be an appropriate forum to start a discussion?
> >
> >The simplest thing would be to have them operate independently
> >e.g. PANA authentication first then DHC address assignment etc.
> >That doesn't allow you to assign different addresses for different classes
> >of authenticated devices though.
> >
> >  Erik
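The trade-off quoted from the requirements draft (leases handed to unauthenticated PaCs enable IPv4 pool depletion) and Erik's observation (authenticate first, then assign, and the AAA result can pick the pool per device class) can be made concrete with a small model. The following is an added example, not code from this message, the PANA drafts, or any DHCP or RADIUS implementation. The AAA decision is a stub (a constructed dictionary standing in for a PANA/RADIUS exchange), the client identifiers and prefixes are constructed, and the alternative mitigation the draft mentions (running PANA from an unspecified source address) is not modelled.

```python
"""Address-depletion trade-off from the PANA requirements text, modelled.

Added example; not code from the original message, the PANA drafts, or any
DHCP/RADIUS implementation.  The AAA decision is a stub (a constructed
dict standing in for a PANA/RADIUS exchange) and the pools are tiny
constructed prefixes so exhaustion is visible.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed AAA table: client identifier -> class.  Stands in for the
# PANA/RADIUS result; unknown identifiers are unauthenticated.
AAA_DB = {
    "mac:00:11:22:33:44:55": "staff",
    "mac:00:11:22:33:44:66": "guest",
}


@dataclass
class Pool:
    """A DHCP address pool: one prefix plus the leases handed out from it."""
    network: ipaddress.IPv4Network
    leases: dict = field(default_factory=dict)   # client id -> address

    def free(self) -> int:
        # Usable hosts exclude the network and broadcast addresses.
        return (self.network.num_addresses - 2) - len(self.leases)

    def allocate(self, client_id: str) -> Optional[ipaddress.IPv4Address]:
        if client_id in self.leases:                 # renewal: same address
            return self.leases[client_id]
        taken = set(self.leases.values())
        for host in self.network.hosts():
            if host not in taken:
                self.leases[client_id] = host
                return host
        return None                                   # pool exhausted


class Server:
    """Two orderings of DHCP and AAA.

    "dhcp-first": address before authentication; every request (including
    forged client ids) is served from one shared pool.
    "auth-first": the AAA step runs first; unauthenticated clients get
    nothing, and the returned class selects the pool.
    """

    def __init__(self, mode: str, pools: dict):
        assert mode in ("dhcp-first", "auth-first")
        self.mode = mode
        self.pools = pools

    def request(self, client_id: str) -> Optional[ipaddress.IPv4Address]:
        if self.mode == "dhcp-first":
            return self.pools["any"].allocate(client_id)
        cls = AAA_DB.get(client_id)        # stubbed PANA/RADIUS decision
        if cls is None:
            return None                    # rejected: no lease consumed
        return self.pools[cls].allocate(client_id)


def depletion_attack(server: Server, n: int) -> int:
    """Attacker forges n distinct client identifiers; count leases obtained."""
    return sum(1 for i in range(n) if server.request(f"forged:{i}") is not None)


def run_scenario(mode: str) -> dict:
    """Attack with 20 forged ids, then let a real staff and a guest client in."""
    if mode == "dhcp-first":
        pools = {"any": Pool(ipaddress.IPv4Network("192.0.2.0/28"))}
    else:
        pools = {
            "staff": Pool(ipaddress.IPv4Network("192.0.2.0/28")),
            "guest": Pool(ipaddress.IPv4Network("198.51.100.0/28")),
        }
    srv = Server(mode, pools)
    stolen = depletion_attack(srv, 20)
    staff = srv.request("mac:00:11:22:33:44:55")
    guest = srv.request("mac:00:11:22:33:44:66")
    return {
        "stolen": stolen,
        "staff": None if staff is None else str(staff),
        "guest": None if guest is None else str(guest),
    }


if __name__ == "__main__":
    for mode in ("dhcp-first", "auth-first"):
        print(mode, run_scenario(mode))
```

With a /28 (14 usable addresses), the "dhcp-first" ordering loses the whole pool to 20 forged identifiers and the legitimate staff and guest clients get nothing; in the "auth-first" ordering the forged identifiers consume no leases, and the AAA class places the two real clients in different prefixes, which is exactly what the independent "PANA then DHCP" arrangement in the quoted reply cannot do unless the AAA result is fed into the DHCP server's pool selection.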
- [dhcwg] DHCP interconnected to RADIUS for AAA Chen, Weijing
- RE: [dhcwg] DHCP interconnected to RADIUS for AAA Barr Hibbs
- RE: [dhcwg] DHCP interconnected to RADIUS for AAA Barr Hibbs
- Re: [dhcwg] DHCP interconnected to RADIUS for AAA Shankar Agarwal
- Re: [dhcwg] DHCP interconnected to RADIUS for AAA Erik Nordmark
- Re: [dhcwg] DHCP interconnected to RADIUS for AAA John Schnizlein
- Re: [dhcwg] DHCP interconnected to RADIUS for AAA Markus Schabel
- RE: [dhcwg] DHCP interconnected to RADIUS for AAA Chen, Weijing
- Re: [dhcwg] DHCP interconnected to RADIUS for AAA Prakash Jayaraman
- Re: [dhcwg] DHCP interconnected to RADIUS for AAA Erik Nordmark
- Re: [dhcwg] DHCP interconnected to RADIUS for AAA Ralph Droms
- RE: [dhcwg] DHCP interconnected to RADIUS for AAA Chen, Weijing
- Re: [dhcwg] DHCP interconnected to RADIUS for AAA Yoshihiro Ohba
- RE: [dhcwg] DHCP interconnected to RADIUS for AAA Gilles, Philippe Bernard