IETF Logo Mail Archive

Re: [Int-area] DCHP-based authentication for DSL?

Iljitsch van Beijnum <iljitsch@muada.com> Wed, 07 November 2007 08:26 UTC

Return-path: <int-area-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IpgEk-0004KN-Oi; Wed, 07 Nov 2007 03:26:10 -0500
Received: from int-area by megatron.ietf.org with local (Exim 4.43) id 1IpgEk-0004KI-0a for int-area-confirm+ok@megatron.ietf.org; Wed, 07 Nov 2007 03:26:10 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IpgEe-0004Hd-KG for int-area@lists.ietf.org; Wed, 07 Nov 2007 03:26:04 -0500
Received: from sequoia.muada.com ([83.149.65.1]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IpgEZ-0006hn-H6 for int-area@lists.ietf.org; Wed, 07 Nov 2007 03:26:04 -0500
Received: from [IPv6:2001:720:410:1001:21b:63ff:fe92:9fbb] ([IPv6:2001:720:410:1001:21b:63ff:fe92:9fbb]) (authenticated bits=0) by sequoia.muada.com (8.13.3/8.13.3) with ESMTP id lA78Ka5r095486 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 7 Nov 2007 09:21:26 +0100 (CET) (envelope-from iljitsch@muada.com)
Message-Id: <75CAE88A-1DD2-4E6D-81C7-59BD40DED4C8@muada.com>
From: Iljitsch van Beijnum <iljitsch@muada.com>
To: Yoshihiro Ohba <yohba@tari.toshiba.com>
In-Reply-To: <20071106152851.GC20711@steelhead.localdomain>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v912)
Subject: Re: [Int-area] DCHP-based authentication for DSL?
Date: Wed, 07 Nov 2007 00:02:29 +0100
References: <EEEF19C5-1577-41CE-85DE-AC3376601CCE@cisco.com> <EC1D3B60F1526848BF55E5AD3D391F8903A7BC41@xmb-rtp-20a.amer.cisco.com> <20071106152851.GC20711@steelhead.localdomain>
X-Mailer: Apple Mail (2.912)
X-Spam-Status: No, score=-1.9 required=3.5 tests=AWL, BAYES_00, ILJQX_SUBJ_HUH autolearn=no version=3.0.2
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on sequoia.muada.com
X-Spam-Score: -2.1 (--)
X-Scan-Signature: 8f374d0786b25a451ef87d82c076f593
Cc: Internet Area <int-area@lists.ietf.org>
X-BeenThere: int-area@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/int-area>
List-Post: <mailto:int-area@lists.ietf.org>
List-Help: <mailto:int-area-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=subscribe>
Errors-To: int-area-bounces@lists.ietf.org

On 6 nov 2007, at 16:28, Yoshihiro Ohba wrote:

>> Since random duration global IP address assignment delays of up to 30
>> seconds is not acceptable, I am expect that PANA has fixed this.   
>> Could
>> one of the PANA people explain how?

> I am not sure what exact PANA deployment scenario is being discussed
> here, but 30 seconds delay mentioned in the old PANA thread is between
> the time when DHCP is started and the time when an IPv4 link-local
> address is configured after DHCP timeouts.

Apparently my message from earlier today (yesterday by the time this  
reaches the net) didn't make it, so once again:

A lot of this complexity can be avoided by using IPv6 link-local  
addresses, because those are created independently from "real" address  
assignment. This is of course only helpful if IPv6 is spoken on both  
ends, so that would leave the Windows 98 case out in the cold.

I believe it would be orders of magnitude easier to add PANA  
capability to a commercial OS because PANA doesn't need special access  
to the network and doesn't clash with existing capabilities. You could  
probably even run it from a browser as a java applet.

DHCP delays could be avoided by the DSLAM caching DHCP requests from  
unauthenticated hosts and only responding to those when the  
authentication has completed. However, if a short delay is unavoidable  
I don't think that's a show stopper, usually people connect after  
rebooting or some such, a process that takes a lot more time than  
having to wait for a DHCP retransmit or two.

And last but not least: I'm still waiting to hear how the DSL Forum or  
others intend to address IPv6. Apart from simply needing this  
capability in the near future, the prospect of having to rehash all of  
this in short order to add IPv6 isn't very atractive.




>
>
>>
>> BTW: even with the DHCP message for the 1st IP address, there are  
>> PANA
>> drafts which require DHCP client modifications.  For example:
>> ftp://ftp.rfc-editor.org/in-notes/internet-drafts/draft-ietf-dhc-paa-opt
>> ion-05.txt
>> "defines new DHCPv4 and DHCPv6 options that contain a list of IP
>> addresses to locate one or more of PANA Authentication Agents (PAA)."
>
> This is the default method for obtaining PAA's IP address.  This does
> not mean this is the only way.  PANA allows other methods for
> configuring PAA's IP address if defined.  Also, a particular
> deployment where PAA always resides in access router may simply use
> default gateway address as PAA's address and I believe all DHCP
> clients understands Router option.
>
>>> Presumably whatever mechanism is used to allow IP traffic
>>> after PANA authentication could also trigger the relay agent
>>> to allow DHCP forwarding.
>>
>> This would again result in DHCP Timeouts unless coordination of the
>> client state machine is occurring.  (And even if there is  
>> coordination
>> with the client, there is ugly system behavior if the 2nd client DHCP
>> message is initiated before the relay agent has completed updating  
>> its
>> filters!)
>
> I am not sure what coordination of the client state machine exactly
> means, but to avoid the ugly behavior, a PAA implementation can delay
> returning PANA authentication result until relay agent completes
> filtering installation.
>
> Yoshihiro Ohba
>
>
>
>>
>> Eric
>>
>>> Of course, I'm speculating wildly here about implementation
>>> details without the benefit of any system architecture docs...
>>>
>>> - Ralph
>>>
>>> On Nov 5, 2007, at Nov 5, 2007,8:33 PM, Richard Pruss wrote:
>>>
>>>>
>>>>
>>>> Bernard Aboba wrote, around 6/11/07 11:11 AM:
>>>>>> But let's have a fair evaluation.  If we decide that PANA
>>> fits the
>>>>>> requirements perfectly, the above objections apply
>>> equally well to
>>>>>> it.
>>>>>
>>>>> Actually, I'm not clear that the objections apply equally well to
>>>>> PANA.
>>>>>
>>>>> On the Windows platform at least, there is an API that permits
>>>>> integration of new EAP lower layers.  That means that PANA support
>>>>> can be added by a third party with no required changes to the
>>>>> operating system.
>>>>>
>>>>> Since DHCP/EAP requires change to the DHCP state machine, the work
>>>>> required would be considerably greater.
>>>>>
>>>>>
>>>>>
>>>> Does PANA not also require changes to the DHCP state
>>> machine to stop
>>>> it running until PANA has authenticated on the link local address?
>>>>
>>>>
>>>> _______________________________________________
>>>> Int-area mailing list
>>>> Int-area@lists.ietf.org
>>>> https://www1.ietf.org/mailman/listinfo/int-area
>>>
>>>
>>> _______________________________________________
>>> Int-area mailing list
>>> Int-area@lists.ietf.org
>>> https://www1.ietf.org/mailman/listinfo/int-area
>>>
>>
>>
>> _______________________________________________
>> Int-area mailing list
>> Int-area@lists.ietf.org
>> https://www1.ietf.org/mailman/listinfo/int-area
>>
>>
>
>
> _______________________________________________
> Int-area mailing list
> Int-area@lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/int-area



_______________________________________________
Int-area mailing list
Int-area@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/int-area

v2.23.0 | Report a Bug | By Email