RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt
"Alper Yegin" <alper.yegin@yegin.org> Tue, 06 March 2007 01:24 UTC
Return-path: <dhcwg-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HOOQ5-000800-PJ; Mon, 05 Mar 2007 20:24:49 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HOOQ4-0007xe-8k for dhcwg@ietf.org; Mon, 05 Mar 2007 20:24:48 -0500
Received: from mout.perfora.net ([217.160.230.41]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HOOQ2-0004aV-Mr for dhcwg@ietf.org; Mon, 05 Mar 2007 20:24:48 -0500
Received: from [85.97.177.66] (helo=IBM52A5038A94F) by mrelay.perfora.net (node=mrelayus1) with ESMTP (Nemesis), id 0MKp2t-1HOOPx1gju-0006Cp; Mon, 05 Mar 2007 20:24:46 -0500
From: Alper Yegin <alper.yegin@yegin.org>
To: ric@cisco.com, 'Yoshihiro Ohba' <yohba@tari.toshiba.com>
Subject: RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt
Date: Tue, 06 Mar 2007 03:24:35 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
Thread-Index: AcdfYIsvKq07Tbh7RgWjWSuskSq/hAALRTRQ
In-Reply-To: <45EC7601.20502@cisco.com>
Message-ID: <0MKp2t-1HOOPx1gju-0006Cp@mrelay.perfora.net>
X-Provags-ID: perfora.net abuse@perfora.net login:abf7a4bb310ea4dfc9b6841113e2970f
X-Provags-ID2: V01U2FsdGVkX1+xfuZgqD2eEhVhvR8j9LXgEuDFPv+UMf+lEdi jGA3cuLwQXiGuGRlf/yLzCxIxMUm4vc8OwGZddOWvC/OF6aGIl hipywy46m3ru/5HDkrjHw==
X-Spam-Score: 0.0 (/)
X-Scan-Signature: fec852dbea6d068499ed3250edf328e2
Cc: dhcwg@ietf.org
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: dhcwg.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Errors-To: dhcwg-bounces@ietf.org
Apparently this thread is not meant to be technically constructive. There is no point in getting sucked into confusion by trying to explain things. Alper > -----Original Message----- > From: Richard Pruss [mailto:ric@cisco.com] > Sent: Monday, March 05, 2007 9:57 PM > To: Yoshihiro Ohba > Cc: dhcwg@ietf.org > Subject: Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt > > Yoshihiro Ohba wrote: > > Thank you for the URLs. But what is missing in my statement while > > especially I mentioned "some level of L3 access control"? For > > example, "all IP traffic on the port is blocked except for DHCP > > packets" is a form of L3 access control. > > > So in what you saying is that in addition to the 7 steps of complexity > that your proposal also needs a whole new layer of L3 access control > signalling so that once you have achieved the panacea of being PANA > authenticated the L3 access control, which is currently being controled > by DHCP messages. > Sounds to me as if you are just desperately trying to find some real > application for PANA. > > Possibly you should consider national border controls for IP as the > perfect PANA application. It seems ill suited to other applications but > for putting up a random check-point in the middle of the internet where > you need to present your L3 national passport, PANA seems perfect. > > > > > I am not sure what is your definition of the term "elegant", but IMO, > > if it is so elegant, then it should work with stateless IPv6 address > > autoconfiguration as well. > > > A future revision of this ID will work with DHCPv6, and, yes, I am only > targeting DHCP-based environments as this is a DHCP-based extension. > Stateless autoconfig is out of scope, though of course DHCP-PD with > stateless autoconfig behind an RG would still work here. > > Regards, > Ric > > > Regards, > > Yoshihiro Ohba > > > > On Mon, Mar 05, 2007 at 01:10:08PM +1000, Richard Pruss wrote: > > > >> I do not think anything your response addresses the elegance difference > >> but the security point warrants some extra education, your comment was: > >> > >>> With regard to security authorizations, both a) and b) are the same in > >>> the sense that L2 is fully available for unauthorized subscriber > >>> devices and hence some level of L3 access control is needed to keep > >>> unauthorized subscriber devices from inevitable abuse, as anyone can > >>> statically configure an IP address in both cases. > >>> > >> On the contrary we see that almost all SP's and most Enterprise > ethernet > >> networks do not allow static IP address allocation as they simply use > >> DHCP and enforce that users use the address assigned to them. This is > >> enforced by a host of network features from vendors, the common Cisco > >> one in routers is DHCP Secured IP Address Assignment. > >> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/1 > 22t/122t15/ftdsiaa.htm > >> > >> At the layer 2 edge and in switches the same operation is commonly part > >> of the DHCP snooping security package and we call it IP Source Guard. > >> > http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configurat > ion_guide_chapter09186a00801cddbc.html#1083306 > >> To save you ready the URL's the operation in switches is described as: > >> " > >> Initially, all IP traffic on the port is blocked except for DHCP > packets > >> that are captured by the DHCP snooping process. When a client receives > a > >> valid IP address from the DHCP server, or when a static IP source > >> binding is configured by the user, a per-port and VLAN Access Control > >> List (PVACL) is installed on the port. This process restricts the > client > >> IP traffic to those source IP addresses configured in the binding; any > >> IP traffic with a source IP address other than that in the IP source > >> binding will be filtered out. This filtering limits a host's ability to > >> attack the network by claiming a neighbor host's IP address. > >> " > >> > >> With our customers' networks under constant attack we are under > constant > >> pressure to deliver features that ensure and audit behaviour that was > >> once accepted on trust. > >> > >> Cheers, > >> Ric > >> > >> Yoshihiro Ohba wrote: > >> > >>> On Mon, Mar 05, 2007 at 10:33:28AM +1000, Richard Pruss wrote: > >>> > >>> > >>>> On one hand; > >>>> a) we can authenticate before allocating an subscriber IP address, > host > >>>> configuration and network edge configuration and security > authorizations. > >>>> > >>>> Or. > >>>> b1)On the other we can allocate a temporary subscriber IP address, > host > >>>> configuration for a temporary context and network edge configuration > for > >>>> a totally unknown user and security authorizations for someone who > know > >>>> nothing about and somehow secure the layer 2 multi-point network they > >>>> are on from the inevitable abuse. > >>>> > >>>> > >>> Temporal host configuration and network edge configuration happens > >>> locally between the HGW and NAS without AAA interaction. Also, I > >>> think that the network edge configuration for unauthorized subscriber > >>> devices can be statically configured on the NAS (e.g., always > >>> disabling IP forwarding for a pool of temporal IP addresses.) > >>> > >>> With regard to security authorizations, both a) and b) are the same in > >>> the sense that L2 is fully available for unauthorized subscriber > >>> devices and hence some level of L3 access control is needed to keep > >>> unauthorized subscriber devices from inevitable abuse, as anyone can > >>> statically configure an IP address in both cases. > >>> > >>> > >>> > >>>> b2)Then you can renew the DHCP lease every 60 seconds putting an > extra > >>>> load on everything involved. > >>>> > >>>> > >>> This is not needed if the client is authenticated within 60 seconds. > >>> > >>> > >>> > >>>> b3) You authenticate with PANA > >>>> b4) You remove all the network edge configuration for now known user > and > >>>> security authorizations and install new network edge configuration > and > >>>> security authorizations. > >>>> > >>>> > >>> The installation part is commont to a) and b). As I mentioned above, > >>> I think that the network edge configuration for an unauthorized > >>> subsciber device can be statically configured and does not have to be > >>> removed. > >>> > >>> > >>> > >>>> b5) You wait for the user to renew. > >>>> b6) You reject that. > >>>> b7) Wait for the user to discover > >>>> > >>>> > >>> b5), b6) and b7) can be replaced with server-initiated DHCP force > >>> renew procedure. > >>> > >>> > >>> > >>>> b8) You allocating an subscriber IP address and host configuration > based > >>>> on what you installed in B4 and the MAC address in DHCP Discover. > >>>> > >>>> > >>> This is common to a) and b). > >>> > >>> > >>> > >>>> I think the elegance of approach a) verses b1-7) is pretty clear, > >>>> > >>>> > >>> It is not clear to me if a) is elegant. The only difference I can see > >>> (modulo the difference in authentication protocols) is one additonal > >>> DHCP before authentication and without AAA interaction in b). This > >>> difference seems trivial to me. Also, I am not sure how a) works when > >>> stateless IPv6 address autoconfiguration for IP address configuration. > >>> > >>> Regards, > >>> Yoshihiro Ohba > >>> > >>> > >>> > >>> > >>> > >>> > >>>> Ric > >>>> > >>>> Yoshihiro Ohba wrote: > >>>> > >>>> > >>>>> Before authentication, it is possible for the NAS to assign a > >>>>> temporary IP address (for which IP forwarding is restricted) to the > >>>>> subscriber device using DHCP. Once PANA authentication succeeds, > the > >>>>> NAS has obtained subscriber-specific client configuration > information > >>>>> and other authorization parameters from the AAA infrastructure. > After > >>>>> that, DHCP reconfiguration can be made using the subscriber-specific > >>>>> client configuration information to allow the subscriber device to > >>>>> change its IP address from the temporary one to the fully authorized > >>>>> one. Please refer to draft-morand-pana-panaoverdsl for more > >>>>> information. > >>>>> > >>>>> Yoshihiro Ohba > >>>>> > >>>>> > >>>>> On Mon, Mar 05, 2007 at 09:04:17AM +1000, Richard Pruss wrote: > >>>>> > >>>>> > >>>>> > >>>>>> Possibly it would help you understand if you though of why the NAS > >>>>>> authenticates the subscriber; from section 3.1 of the draft > >>>>>> " > >>>>>> The NAS obtains per-subscriber client > >>>>>> configuration information either locally or from the AAA > >>>>>> infrastructure (which itself may consult external DHCP servers if > >>>>>> necessary) after authentication is successfully completed. > >>>>>> " > >>>>>> In wholesale DSL networks it is common to use the @domain portion > of the > >>>>>> username to find retail ISP of the subscriber, they are then > >>>>>> authenticated by that ISP's AAA. This authentication returns > >>>>>> authorizations which in conjunction with the wholesale > configuration in > >>>>>> the NAS determines the subscriber IP address, host configuration > and > >>>>>> network edge configuration and security authorizations which is all > >>>>>> closely coupled to the retail domain. > >>>>>> From this perspective, PANA happens to late as the host already has > it's > >>>>>> IP address, it would be in the correct IP forwarding context, the > >>>>>> network would already need to have some mechanisms for securing the > >>>>>> domain from layer 3 attacks independent of PANA and so on. > >>>>>> > >>>>>> Regards, > >>>>>> Ric > >>>>>> > >>>>>> Yoshihiro Ohba wrote: > >>>>>> > >>>>>> > >>>>>> > >>>>>>> Hi, > >>>>>>> > >>>>>>> Let me ask the same fundamental question that I asked before for a > >>>>>>> similar draft related to DHCP and authentication. > >>>>>>> > >>>>>>> Is this WG chartered for developing a solution for network access > >>>>>>> authentication and authorization other than developing > authentication > >>>>>>> mechanisms for DHCP? > >>>>>>> > >>>>>>> I am asking this because Introduction of > >>>>>>> draft-pruss-dhcp-auth-dsl-00.txt says: > >>>>>>> > >>>>>>> " > >>>>>>> This document defines DHCP Options and procedures that allow > for a > >>>>>>> CHAP-based authentication exchange to occur in DHCP in order to > >>>>>>> enable smooth migration from PPP sessions to IP sessions in a > DSL > >>>>>>> Broadband network environment. Primary goals are integration > of > >>>>>>> authentication in such a way that it will operate seamlessly > with > >>>>>>> existing RADIUS-based AAA infrastructure and ATM or Ethernet > based > >>>>>>> DSL Networks. As such, only the termination points of PPP in > the DSL > >>>>>>> network are affected, both of which are devices that would > logically > >>>>>>> need to be updated in any transition from PPP to IP sessions. > >>>>>>> " > >>>>>>> > >>>>>>> Also, I fail to see a reason for IETF to work on combining DHCP > and > >>>>>>> network access authentication even as experimental and for the > purpose > >>>>>>> of the primary goals stated above. I believe that the primary > goals > >>>>>>> can be achieved by simply using PANA running EAP-MD5 between HGW > and > >>>>>>> NAS. In this case, NAS is acting as EAP authenticator co-located > with > >>>>>>> EAP server for EAP-MD5, where the EAP server is acting as a > protocol > >>>>>>> translator that converts credentials carried in EAP-MD5 into > RADIUS > >>>>>>> attributes or field (i.e., CHAP-Password and CHAP-Challenge or > RADIUS > >>>>>>> Request Authenticator field) used for carrying CHAP credentials, > and > >>>>>>> vise versa. If an algorithm other than MD5 is used for CHAP, it > is > >>>>>>> also possible to define an experimental EAP method to interwork > with > >>>>>>> non-MD5 CHAP algorithms and again let the EAP server on the NAS > act as > >>>>>>> a protocol translator. I think these workarounds are sufficient > to > >>>>>>> work with existing RADIUS-based AAA infrastructure and ATM or > Ethernet > >>>>>>> based DSL Networks and still allows smooth migration from PPP > session > >>>>>>> to IP session with EAP. > >>>>>>> > >>>>>>> The bottomline is, host configuration and network access > >>>>>>> authentication are two different problems that are better solved > by > >>>>>>> separate protocols. > >>>>>>> > >>>>>>> Regards, > >>>>>>> Yoshihiro Ohba > >>>>>>> > >>>>>>> _______________________________________________ > >>>>>>> dhcwg mailing list > >>>>>>> dhcwg@ietf.org > >>>>>>> https://www1.ietf.org/mailman/listinfo/dhcwg > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>> > >>>>> > >>>>> > >>> > >>> > > > > > > _______________________________________________ > dhcwg mailing list > dhcwg@ietf.org > https://www1.ietf.org/mailman/listinfo/dhcwg _______________________________________________ dhcwg mailing list dhcwg@ietf.org https://www1.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Yoshihiro Ohba
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Yoshihiro Ohba
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Yoshihiro Ohba
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Yoshihiro Ohba
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Alper Yegin
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Yoshihiro Ohba
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Alper Yegin
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt MORAND Lionel RD-CORE-ISS
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Maglione Roberta
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt MORAND Lionel RD-CORE-ISS
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Maglione Roberta
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt pavan_kurapati
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Maglione Roberta
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Alper Yegin
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt MORAND Lionel RD-CORE-ISS
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Bernie Volz (volz)
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Yoshihiro Ohba
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Derek Harkness
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Bernie Volz (volz)
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Bernie Volz (volz)
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Richard Pruss
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Alper Yegin
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Markus Stenberg (mstenber)
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Yoshihiro Ohba
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Ted Lemon
- RE: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Markus Stenberg (mstenber)
- FW: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt Eric Voit (evoit)