[Int-area] Re: [dhcwg] Discussion of subscriber authentication
Ralph Droms <rdroms@cisco.com> Thu, 29 March 2007 19:20 UTC
To: "Bernie Volz (volz)" <volz@cisco.com>, Int-area@lists.ietf.org, DHC WG <dhcwg@ietf.org>
Bernie (private reply) - how did you "reply" to my original message? I'm
trying to keep the discussion on the int-area mailing list. Did your reply
automatically include dhcwg or did you add it manually?

- Ralph

On 3/29/07 2:50 PM, "Bernie Volz (volz)" <volz@cisco.com> wrote:

> Ralph:
>
> Isn't this discussion a bit late given that RFC 3118 exists and RFC 3315
> contains Authentication?
>
> RFC 3118 abstract reads:
>
>    This document defines a new Dynamic Host Configuration Protocol
>    (DHCP) option through which authorization tickets can be easily
>    generated and newly attached hosts with proper authorization can be
>    automatically configured from an authenticated DHCP server. DHCP
>    provides a framework for passing configuration information to hosts
>    on a TCP/IP network. In some situations, network administrators may
>    wish to constrain the allocation of addresses to authorized hosts.
>    Additionally, some network administrators may wish to provide for
>    authentication of the source and contents of DHCP messages.
>
> Other than the data used to authenticate (which in this case is a
> username and password, instead of a shared secret), what really is the
> difference? I guess it all depends on what "authorized" hosts means.
>
> RFC 3118 does have issues as it is difficult to handle client
> authentication without exposing the client's identity (since there's no
> good way to "delay" the authentication) -- this is discussed in
> draft-ietf-dhc-v4-threat-analysis-03.txt, section 5.
>
> One additional flaw with Rick's draft is that there's no provision to
> authenticate the server -- which means that if a client doing this is
> mobile and attaches to other networks, it may expose the username and
> password.
>
> I think Ted Lemon's point that Ric's draft should stick to the DHC
> client/server authentication communication and not mention how other
> network elements may use the end result of the DHCP exchange (i.e., the
> "authorization" to use the network). See
> http://www1.ietf.org/mail-archive/web/dhcwg/current/msg07138.html.
>
> If we could work this out within the RFC 3118 framework, it certainly
> would kick start DHCP authentication.
>
> - Bernie
>
> -----Original Message-----
> From: Ralph Droms (rdroms)
> Sent: Thursday, March 29, 2007 1:47 PM
> To: Int-area@lists.ietf.org
> Subject: [dhcwg] Discussion of subscriber authentication
>
> At the dhc WG meeting in Prague, there was a discussion of "subscriber
> authentication" and how that function might be provided through DHCP.
> Ric Pruss gave a presentation about a proposal for subscriber
> authentication through DHCP:
>
> http://www3.ietf.org/proceedings/07mar/slides/dhc-2.pdf
> http://www.ietf.org/internet-drafts/draft-pruss-dhcp-auth-dsl-00.txt
>
> There is a related draft that was not discussed at the dhc WG meeting:
>
> http://www.ietf.org/internet-drafts/draft-zhao-dhc-user-authentication-01.txt
>
> There was also a discussion of "Principles of Internet Host
> Configuration". Dave Thaler gave a presentation about the draft he
> co-authored with Bernard Aboba:
>
> http://www3.ietf.org/proceedings/07mar/slides/dhc-7.pdf
> http://www.ietf.org/internet-drafts/draft-aboba-ip-config-00.txt
>
> During the discussion of subscriber authentication, it was noted that
> the proposed solutions assume that DHCP is the right vehicle through
> which subscriber authentication should take place. That assumption
> needs to be further examined; PANA, for example, provides an
> alternative solution which does not depend on DHCP. Before the IETF
> proceeds with a DHCP-based solution, we need to discuss the broader
> issue of where subscriber authentication should be implemented.
>
> Accordingly, the Internet Area directors and the WG chairs have decided
> to move the discussion of subscriber authentication to the int-area
> mailing list. This discussion will explore the subscriber
> authentication problem space and requirements, to come to some initial
> consensus about where a solution might belong.
>
> To kick off the discussion, we are trying to get permission to publish
> subscriber authentication requirements from the DSL Forum.
>
> I've included dhcwg@ietf.org as a BCC to this note, to inform the dhc WG
> members that further discussion of subscriber authentication will move
> to int-area@lists.ietf.org. I've also included secdir@mit.edu as a BCC,
> to make sure we have appropriate security clue in the discussion.
>
> - Ralph