[dhcwg] draft-pruss-dhcp-auth-dsl vs. Internet Architecture -- was: Re: We really mean it this time *FINAL* agenda for dhc WG meeting
Alfred Hönes <ah@tr-sys.de> Thu, 19 March 2009 11:26 UTC
Return-Path: <A.Hoenes@tr-sys.de>
X-Original-To: dhcwg@core3.amsl.com
Delivered-To: dhcwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D52883A6987 for <dhcwg@core3.amsl.com>; Thu, 19 Mar 2009 04:26:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.661
X-Spam-Level: *
X-Spam-Status: No, score=1.661 tagged_above=-999 required=5 tests=[AWL=0.410, BAYES_00=-2.599, CHARSET_FARAWAY_HEADER=3.2, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4v4wxW1fta84 for <dhcwg@core3.amsl.com>; Thu, 19 Mar 2009 04:26:02 -0700 (PDT)
Received: from WOTAN.TR-Sys.de (gateway.tr-sys.de [213.178.172.147]) by core3.amsl.com (Postfix) with ESMTP id D57E23A6800 for <dhcwg@ietf.org>; Thu, 19 Mar 2009 04:26:00 -0700 (PDT)
Received: from ZEUS.TR-Sys.de by w. with ESMTP ($Revision: 1.37.109.26 $/16.3) id AA037021887; Thu, 19 Mar 2009 12:24:47 +0100
Received: (from ah@localhost) by z.TR-Sys.de (8.9.3 (PHNE_25183)/8.7.3) id MAA26754; Thu, 19 Mar 2009 12:24:46 +0100 (MEZ)
From: Alfred Hönes <ah@tr-sys.de>
Message-Id: <200903191124.MAA26754@TR-Sys.de>
To: dhcwg@ietf.org
Date: Thu, 19 Mar 2009 12:24:46 +0100
X-Mailer: ELM [$Revision: 1.17.214.3 $]
Mime-Version: 1.0
Content-Type: text/plain; charset="hp-roman8"
Content-Transfer-Encoding: 8bit
Subject: [dhcwg] draft-pruss-dhcp-auth-dsl vs. Internet Architecture -- was: Re: We really mean it this time *FINAL* agenda for dhc WG meeting
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Mar 2009 11:26:02 -0000
Folks,

may I please recall some of the Architectural Principles of the Internet.

A recent interesting reading is the IAB statement in draft-iab-ip-config-11, which will perhaps be out as an RFC by the end of this month. That document contains a section:

   2.5. Configuration is Not Access Control

   Network access authentication and authorization is a distinct problem
   from Internet host configuration. Therefore network access
   authentication and authorization is best handled independently of the
   Internet and higher layer configuration mechanisms.
   [...]

Further on in that document, the IAB emphasizes that simple and general, lightweight mechanisms are needed for IP host configuration, and that the number of such mechanisms needs to be very contained; the document recognizes DHCP as the major current Internet technology to this end.

Additionally, the IAB draft elaborated on the disadvantages of coupling authorization / access control and Internet layer configuration within an integrated protocol as it had been done in the past in PPP. The Authentication-over-DHCP draft aims at carrying over this concept "from PPP to the IP and DHCP layer". Carrying over an anti-modular architecture that has been recognized as bad should not become a serious candidate of work adopted by any IETF WG.

The Authentication-over-DHCP draft goes one significant step further in disavowing basic principles of the Internet Architecture: it introduces the misconception of an "IP-Session" as its fundament. IP is a connectionless technology based on per-packet forwarding.

Looking at the draft, it becomes evident that the model depicted in Figure 1 does not fit in the IP subnet model (please see the related IAB documents published over the last years!). It is painfully unclear where the subnet boundaries are intended to be located and whether this draft again tries to introduce the nightmare of multi-link subnets.

It looks like the "Access Node" architecturally should be an IP router in the "replace PPP by IP" model of the draft, but apparently the draft did not recognize that -- otherwise it could not say that only the endpoints of the access network (CPE/HGW and NAS/BB-POP) need to be concerned by the proposal; to my knowledge, the typical DSLAM currently operates as a layer-2 switch, not as a router.

A reasonable model for getting rid of PPPoE in the access network in favor of IP, and enhancing its security and robustness, seems to be introducing an IPv6 access network as its infrastructure and establishing IPsec tunnels between CPE/HGW and NAS. Doing so would indeed allow seamless IPv4/IPv6 coexistence and a 'session'-based connection model, with a single conceptual IP hop between the CPE access router and the NAS; parallel IPsec SAs (Child_SAs) controlled by a single IKE_SA would also allow providing differentiated services in parallel (for QoS support and other added-value services).

Summing up: The proposal in draft-pruss-dhcp-auth-dsl-04 seems to violate recognized principles of the Internet Architecture in so many aspects that I have very serious concerns with it. In its current shape, it is not worth the cycles of the DHC WG.

Kind regards,
  Alfred Hönes.

-- 
+------------------------+--------------------------------------------+
| TR-Sys Alfred Hoenes   | Alfred Hoenes Dipl.-Math., Dipl.-Phys.     |
| Gerlinger Strasse 12   | Phone: (+49)7156/9635-0, Fax: -18          |
| D-71254 Ditzingen      | E-Mail: ah@TR-Sys.de                       |
+------------------------+--------------------------------------------+