RE: [Int-area] Why IETF should not standardize dhcp-auth
"Bound, Jim" <Jim.Bound@hp.com> Tue, 04 December 2007 13:45 UTC
Return-path: <int-area-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IzY5l-0005vb-Pq; Tue, 04 Dec 2007 08:45:41 -0500
Received: from int-area by megatron.ietf.org with local (Exim 4.43) id 1IzY5k-0005vR-4z for int-area-confirm+ok@megatron.ietf.org; Tue, 04 Dec 2007 08:45:40 -0500
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IzY5j-0005vB-PV for int-area@ietf.org; Tue, 04 Dec 2007 08:45:39 -0500
Received: from g5t0007.atlanta.hp.com ([15.192.0.44]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IzY5j-0003mh-2r for int-area@ietf.org; Tue, 04 Dec 2007 08:45:39 -0500
Received: from g5t0007.atlanta.hp.com (localhost.localdomain [127.0.0.1]) by receive-from-antispam-filter (Postfix) with SMTP id 7A21814142; Tue, 4 Dec 2007 13:45:28 +0000 (UTC)
Received: from G3W0631.americas.hpqcorp.net (g3w0631.americas.hpqcorp.net [16.233.59.15]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by g5t0007.atlanta.hp.com (Postfix) with ESMTP id 6368E141B0; Tue, 4 Dec 2007 13:45:18 +0000 (UTC)
Received: from G5W0324.americas.hpqcorp.net (16.228.8.69) by G3W0631.americas.hpqcorp.net (16.233.59.15) with Microsoft SMTP Server (TLS) id 8.0.700.0; Tue, 4 Dec 2007 13:41:41 +0000
Received: from G5W0274.americas.hpqcorp.net ([16.228.8.60]) by G5W0324.americas.hpqcorp.net ([16.228.8.69]) with mapi; Tue, 4 Dec 2007 13:41:41 +0000
From: "Bound, Jim" <Jim.Bound@hp.com>
To: Alper Yegin <alper.yegin@yegin.org>, "int-area@ietf.org" <int-area@ietf.org>
Date: Tue, 04 Dec 2007 13:41:39 +0000
Subject: RE: [Int-area] Why IETF should not standardize dhcp-auth
Thread-Topic: [Int-area] Why IETF should not standardize dhcp-auth
Thread-Index: Acg2HlGFfjU8BmV1T0m3qimYtbQWnwAHx8bAAA9yGqA=
Message-ID: <1AB21F94DA6EEF459F107706554433392210F495E2@G5W0274.americas.hpqcorp.net>
References: <0MKp8S-1IzRWe3mNH-0007VC@mrelay.perfora.net>
In-Reply-To: <0MKp8S-1IzRWe3mNH-0007VC@mrelay.perfora.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 03169bfe4792634a390035a01a6c6d2f
Cc:
X-BeenThere: int-area@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/int-area>
List-Post: <mailto:int-area@lists.ietf.org>
List-Help: <mailto:int-area-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=subscribe>
Errors-To: int-area-bounces@lists.ietf.org
I support strongly Alper below and anytime we can avoid an IPR solution vs. IPR free we should always select the IPR free solution given they both resolve the problem. I am also not convinced DHCP should be used for net access authentication. Best, /jim > -----Original Message----- > From: Alper Yegin [mailto:alper.yegin@yegin.org] > Sent: Tuesday, December 04, 2007 1:45 AM > To: int-area@ietf.org > Subject: [Int-area] Why IETF should not standardize dhcp-auth > > > There are several concerns against standardizing > draft-pruss-dhcp-auth-dsl-02. > > > 1. Architectural > > When it comes to solving "distinct" fundamental problems > (e.g., access > auth, mobility, configuration, QoS), IETF defines > "distinct" protocols > for each. Piggybacking one over other for the sake of some > optimization > (product/performance/etc) conflicts with the strategy we have been > following at IETF. > > IAB document draft-iab-ip-config-00.txt is clear on that: > > Network access authentication is a distinct problem > from Internet > host configuration. Network access authentication is > best handled > independently of the configuration mechanisms in use > for the Internet > and higher layers. > > > 2. IETF principle > > IETF has already defined a solution for the problem: PANA. As a > principle, IETF should first make an attempt to see if it > really does not > > solve the problem and consider refining its protocol if necessary. > Defining a new protocol each time someone has another > solution is not > compliant with IETF's principle goal of achieving interoperability. > > PANA already satisfies the requirements we received from DSLF. > > > 3. Breaking DHCP > > EAP and DHCP do not stack up well because none of the end > points, state > machines, call flows match. And the proposal ends up breaking DHCP. > Specifically: > > - DHCPOFFER does not deliver IP address, despite RFC2131 saying: > > The server MUST return to the client: > > o The client's network address, as determined by the rules given > earlier in this section, > > - DHCP relay is inserting DHCP options (CHAP, EAP) when relaying > messages to the DHCP client. Relay is not supposed to do that. > > - DHCP server receives the DHCPREQUEST but it does not respond to > it. Instead, DHCP relay generates the DHCPACK/DHCPNAK > (See Figure 3). > > - DHCP relay is generating DHCP messages (see Figure 5). Relays > are not supposed to do that. Although not documented yet, same > misbehavior is needed for EAP retransmissions, and > re-authentication. > This is turning DHCP into a 3-party protocol. > > - RFC3118 cannot be used when DHCP relay inserts options > towards DHCP > client, removes options towards DHCP server, consumes > some messages, > generates some messages. Basically, this is breaking the > end2end model. > > - DHCP server does not see the DHCPREQUEST, as it is consumed by > the relay (see Figure 5). > > > 4. Failing DSLF requirements > > Despite the clear statements in the DSLF requirements, > this proposal is > not supporting authentication of the devices behind the HGW (CPE). > Instead, authors are denying the requirements: > > IPAuth-8 Must handle L3 CPE device authentication and > end-device > (PC) > user based authentication (likely with L2 CPEs > in the latter > case) > > IPAuth-9 Should be simple to implement on client (PC or CPE) > > This is because it is not possible to modify deployed PC > stacks with > that solution as DHCP is an internal part of the operating > systems. On > the other hand, PANA can be supported at the application > layer and it > does not require change to the IP stack. > > > 5. IETF's IPR strategy > > IETF has already produced an IPR-free solution to this > problem: PANA. Why > > should IETF not recommend use of PANA but instead rubber stamp an > IPR-encumbered solution? > > > 6. Community pushback > > Several people (excluding all PANA-related people) already > spoke against > it. > > > Under the light of these issues, it is not clear why IETF is > even considering standardizing such a solution at this point. > > DSLF in its liaison letter said they were "seriously > considering" using this solution, not like "demanding it be > standardized." It's perfectly fine if IETF analyzes the > solution and concludes it has serious issues, and responds > with another alternative for DSLF's consideration. > > Regards, > > Alper > > > > > _______________________________________________ > Int-area mailing list > Int-area@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/int-area > _______________________________________________ Int-area mailing list Int-area@lists.ietf.org https://www1.ietf.org/mailman/listinfo/int-area
- [Int-area] Why IETF should not standardize dhcp-a… Alper Yegin
- Re: [Int-area] Why IETF should not standardize dh… Yoshihiro Ohba
- RE: [Int-area] Why IETF should not standardize dh… Bound, Jim
- RE: [Int-area] Why IETF should not standardize dh… Eric Voit (evoit)
- Re: [Int-area] Why IETF should not standardize dh… Bernard_Aboba
- dhcp-auth IPR (was RE: [Int-area] Why IETF should… Alper Yegin
- RE: [Int-area] Why IETF should not standardize dh… Bound, Jim
- [Int-area] RE: dhcp-auth IPR (was RE: [Int-a] Why… Bound, Jim
- [Int-area] RE: dhcp-auth IPR (was RE: [Int-a] Why… Eric Voit (evoit)
- Re: [Int-area] RE: dhcp-auth IPR (was RE: [Int-a]… Yoshihiro Ohba
- [Int-area] IPR discussions Jari Arkko
- RE: [Int-area] RE: dhcp-auth IPR (was RE: [Int-a]… Alper Yegin