[Int-area] Why IETF should not standardize dhcp-auth
"Alper Yegin" <alper.yegin@yegin.org> Tue, 04 December 2007 06:45 UTC
Return-path: <int-area-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IzRWm-0001cO-SD; Tue, 04 Dec 2007 01:45:08 -0500
Received: from int-area by megatron.ietf.org with local (Exim 4.43) id 1IzRWm-0001cF-Bz for int-area-confirm+ok@megatron.ietf.org; Tue, 04 Dec 2007 01:45:08 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IzRWl-0001c5-Vd for int-area@ietf.org; Tue, 04 Dec 2007 01:45:07 -0500
Received: from mout.perfora.net ([74.208.4.196]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IzRWl-0000kZ-Bv for int-area@ietf.org; Tue, 04 Dec 2007 01:45:07 -0500
Received: from IBM52A5038A94F ([207.236.117.226]) by mrelay.perfora.net (node=mrus0) with ESMTP (Nemesis) id 0MKp8S-1IzRWe3mNH-0007VC; Tue, 04 Dec 2007 01:45:06 -0500
From: Alper Yegin <alper.yegin@yegin.org>
To: int-area@ietf.org
Date: Tue, 04 Dec 2007 08:44:49 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Thread-Index: Acg2HlGFfjU8BmV1T0m3qimYtbQWnwAHx8bA
Message-Id: <0MKp8S-1IzRWe3mNH-0007VC@mrelay.perfora.net>
X-Provags-ID: V01U2FsdGVkX19tk+xAMTFV0BrC2kd01HnTCTtGKoJPyKfsqFx nPa7X7xbxByXNvPC02rZSYIoVh5a/Z673+KOP9fxNwvQQdiwVs VicRo6MTOgj3BSFXjh0VA==
X-Spam-Score: -0.0 (/)
X-Scan-Signature: c83ccb5cc10e751496398f1233ca9c3a
Cc:
Subject: [Int-area] Why IETF should not standardize dhcp-auth
X-BeenThere: int-area@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/int-area>
List-Post: <mailto:int-area@lists.ietf.org>
List-Help: <mailto:int-area-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=subscribe>
Errors-To: int-area-bounces@lists.ietf.org
There are several concerns against standardizing draft-pruss-dhcp-auth-dsl-02. 1. Architectural When it comes to solving "distinct" fundamental problems (e.g., access auth, mobility, configuration, QoS), IETF defines "distinct" protocols for each. Piggybacking one over other for the sake of some optimization (product/performance/etc) conflicts with the strategy we have been following at IETF. IAB document draft-iab-ip-config-00.txt is clear on that: Network access authentication is a distinct problem from Internet host configuration. Network access authentication is best handled independently of the configuration mechanisms in use for the Internet and higher layers. 2. IETF principle IETF has already defined a solution for the problem: PANA. As a principle, IETF should first make an attempt to see if it really does not solve the problem and consider refining its protocol if necessary. Defining a new protocol each time someone has another solution is not compliant with IETF's principle goal of achieving interoperability. PANA already satisfies the requirements we received from DSLF. 3. Breaking DHCP EAP and DHCP do not stack up well because none of the end points, state machines, call flows match. And the proposal ends up breaking DHCP. Specifically: - DHCPOFFER does not deliver IP address, despite RFC2131 saying: The server MUST return to the client: o The client's network address, as determined by the rules given earlier in this section, - DHCP relay is inserting DHCP options (CHAP, EAP) when relaying messages to the DHCP client. Relay is not supposed to do that. - DHCP server receives the DHCPREQUEST but it does not respond to it. Instead, DHCP relay generates the DHCPACK/DHCPNAK (See Figure 3). - DHCP relay is generating DHCP messages (see Figure 5). Relays are not supposed to do that. Although not documented yet, same misbehavior is needed for EAP retransmissions, and re-authentication. This is turning DHCP into a 3-party protocol. - RFC3118 cannot be used when DHCP relay inserts options towards DHCP client, removes options towards DHCP server, consumes some messages, generates some messages. Basically, this is breaking the end2end model. - DHCP server does not see the DHCPREQUEST, as it is consumed by the relay (see Figure 5). 4. Failing DSLF requirements Despite the clear statements in the DSLF requirements, this proposal is not supporting authentication of the devices behind the HGW (CPE). Instead, authors are denying the requirements: IPAuth-8 Must handle L3 CPE device authentication and end-device (PC) user based authentication (likely with L2 CPEs in the latter case) IPAuth-9 Should be simple to implement on client (PC or CPE) This is because it is not possible to modify deployed PC stacks with that solution as DHCP is an internal part of the operating systems. On the other hand, PANA can be supported at the application layer and it does not require change to the IP stack. 5. IETF's IPR strategy IETF has already produced an IPR-free solution to this problem: PANA. Why should IETF not recommend use of PANA but instead rubber stamp an IPR-encumbered solution? 6. Community pushback Several people (excluding all PANA-related people) already spoke against it. Under the light of these issues, it is not clear why IETF is even considering standardizing such a solution at this point. DSLF in its liaison letter said they were "seriously considering" using this solution, not like "demanding it be standardized." It's perfectly fine if IETF analyzes the solution and concludes it has serious issues, and responds with another alternative for DSLF's consideration. Regards, Alper _______________________________________________ Int-area mailing list Int-area@lists.ietf.org https://www1.ietf.org/mailman/listinfo/int-area
- [Int-area] Why IETF should not standardize dhcp-a… Alper Yegin
- Re: [Int-area] Why IETF should not standardize dh… Yoshihiro Ohba
- RE: [Int-area] Why IETF should not standardize dh… Bound, Jim
- RE: [Int-area] Why IETF should not standardize dh… Eric Voit (evoit)
- Re: [Int-area] Why IETF should not standardize dh… Bernard_Aboba
- dhcp-auth IPR (was RE: [Int-area] Why IETF should… Alper Yegin
- RE: [Int-area] Why IETF should not standardize dh… Bound, Jim
- [Int-area] RE: dhcp-auth IPR (was RE: [Int-a] Why… Bound, Jim
- [Int-area] RE: dhcp-auth IPR (was RE: [Int-a] Why… Eric Voit (evoit)
- Re: [Int-area] RE: dhcp-auth IPR (was RE: [Int-a]… Yoshihiro Ohba
- [Int-area] IPR discussions Jari Arkko
- RE: [Int-area] RE: dhcp-auth IPR (was RE: [Int-a]… Alper Yegin