[dhcwg] draft-pruss-dhcp-auth-dsl vs. Internet Architecture -- was: Re: We really mean it this time *FINAL* agenda for dhc WG meeting

Alfred Hönes <ah@tr-sys.de> Thu, 19 March 2009 11:26 UTC

From: Alfred Hönes <ah@tr-sys.de>
Message-Id: <200903191124.MAA26754@TR-Sys.de>
To: dhcwg@ietf.org
Date: Thu, 19 Mar 2009 12:24:46 +0100
Subject: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Internet Architecture -- was: Re: We really mean it this time *FINAL* agenda for dhc WG meeting

Folks,
may I please recall some of the Architectural Principles
of the Internet.

A recent interesting reading is the IAB statement in
draft-iab-ip-config-11, which will perhaps be out as an RFC
by the end of this month.

That document contains a section:

  2.5.  Configuration is Not Access Control

    Network access authentication and authorization is a distinct
    problem from Internet host configuration.  Therefore network access
    authentication and authorization is best handled independently of
    the Internet and higher layer configuration mechanisms.

    [...]

Further on in that document, the IAB emphasizes that simple and
general, lightweight mechanisms are needed for IP host configuration,
and that the number of such mechanisms needs to be very contained;
the document recognizes DHCP as the major current Internet technology
to this end.

Additionally, the IAB draft elaborated on the disadvantages of
coupling authorization / access control and Internet layer
configuration within an integrated protocol as it had been done
in the past in PPP.

The Authentication-over-DHCP draft aims at carrying over this concept
"from PPP to the IP and DHCP layer".
Carrying over an anti-modular architecture that has been recognized
as bad should not become a serious candidate for work adopted by any
IETF WG.

The Authentication-over-DHCP draft goes one significant step further
in disavowing basic principles of the Internet Architecture:
it introduces the misconception of an "IP-Session" as its fundament.
IP is a connectionless technology based on per-packet forwarding.

Looking at the draft, it becomes evident that the model depicted
in Figure 1 does not fit in the IP subnet model (please see the
related IAB documents published over the last years!).
It is painfully unclear where the subnet boundaries are intended
to be located and whether this draft again tries to introduce the
nightmare of multi-link subnets.  It looks like the "Access Node"
architecturally should be an IP router in the "replace PPP by IP"
model of the draft, but apparently the draft did not recognize
that -- otherwise it could not say that only the endpoints of the
access network (CPE/HGW and NAS/BB-POP) need to be concerned
by the proposal; to my knowledge, the typical DSLAM currently
operates as a layer-2 switch, not as a router.

A reasonable model for getting rid of PPPoE in the access network
in favor of IP, and enhancing its security and robustness seems
to be introducing an IPv6 Access network as its infrastructure
and establishing IPsec tunnels between CPE/HGW and NAS.
Doing so would indeed allow seamless IPv4/IPv6 coexistence and
a 'session'-based connection model, with a single conceptional
IP hop between the CPE access router and the NAS; parallel
IPsec SAs (Child_SAs) controlled by a single IKE_SA would also
make it possible to provide differentiated services in parallel
(for QoS support and other added-value services).


Summing up:

  The proposal in draft-pruss-dhcp-auth-dsl-04 seems to violate
  recognized principles of the Internet Architecture in so many
  aspects that I have very serious concerns with it.

  In its current shape, it is not worth the cycles of the DHC WG.


Kind regards,
  Alfred Hönes.

-- 

+------------------------+--------------------------------------------+
| TR-Sys Alfred Hoenes   |  Alfred Hoenes   Dipl.-Math., Dipl.-Phys.  |
| Gerlinger Strasse 12   |  Phone: (+49)7156/9635-0, Fax: -18         |
| D-71254  Ditzingen     |  E-Mail:  ah@TR-Sys.de                     |
+------------------------+--------------------------------------------+