RE: [Int-area] Why IETF should not standardize dhcp-auth
"Eric Voit (evoit)" <evoit@cisco.com> Tue, 04 December 2007 14:22 UTC
Return-path: <int-area-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IzYfZ-0004N6-LS; Tue, 04 Dec 2007 09:22:41 -0500
Received: from int-area by megatron.ietf.org with local (Exim 4.43) id 1IzYfY-0004Mo-VQ for int-area-confirm+ok@megatron.ietf.org; Tue, 04 Dec 2007 09:22:40 -0500
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IzYfY-0004Mf-JL for int-area@ietf.org; Tue, 04 Dec 2007 09:22:40 -0500
Received: from sj-iport-3-in.cisco.com ([171.71.176.72] helo=sj-iport-3.cisco.com) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IzYfX-0006pX-HW for int-area@ietf.org; Tue, 04 Dec 2007 09:22:40 -0500
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-3.cisco.com with ESMTP; 04 Dec 2007 06:22:38 -0800
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id lB4EMdXq011644; Tue, 4 Dec 2007 06:22:39 -0800
Received: from xbh-rtp-201.amer.cisco.com (xbh-rtp-201.cisco.com [64.102.31.12]) by sj-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id lB4ELx7h004457; Tue, 4 Dec 2007 14:22:38 GMT
Received: from xmb-rtp-20a.amer.cisco.com ([64.102.31.15]) by xbh-rtp-201.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 4 Dec 2007 09:22:32 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [Int-area] Why IETF should not standardize dhcp-auth
Date: Tue, 04 Dec 2007 09:22:41 -0500
Message-ID: <EC1D3B60F1526848BF55E5AD3D391F8903C82C2E@xmb-rtp-20a.amer.cisco.com>
In-Reply-To: <1AB21F94DA6EEF459F107706554433392210F495E2@G5W0274.americas.hpqcorp.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Int-area] Why IETF should not standardize dhcp-auth
Thread-Index: Acg2HlGFfjU8BmV1T0m3qimYtbQWnwAHx8bAAA9yGqAAAFSGQA==
References: <0MKp8S-1IzRWe3mNH-0007VC@mrelay.perfora.net> <1AB21F94DA6EEF459F107706554433392210F495E2@G5W0274.americas.hpqcorp.net>
From: "Eric Voit (evoit)" <evoit@cisco.com>
To: "Bound, Jim" <Jim.Bound@hp.com>, Alper Yegin <alper.yegin@yegin.org>
X-OriginalArrivalTime: 04 Dec 2007 14:22:32.0260 (UTC) FILETIME=[1BA5F040:01C83681]
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=7643; t=1196778159; x=1197642159; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=evoit@cisco.com; z=From:=20=22Eric=20Voit=20(evoit)=22=20<evoit@cisco.com> |Subject:=20RE=3A=20[Int-area]=20Why=20IETF=20should=20not=20standardize= 20dhcp-auth |Sender:=20; bh=o6c2MGon73qfbG1/mY3wQjIS2zKrvTJqel7/6ff4PxQ=; b=PX22cU4kpL6HFTwH0EXSpF+SutoLwLwzWAnBajtvHY0qi85/uUct85Ktc90Eq7OQaXmtM+Md GrXLIGxvc5RRb0U3ZBjQINjXWX4QBNzBZ4aMo7b+QbVD28uufpv8u2Lz;
Authentication-Results: sj-dkim-3; header.From=evoit@cisco.com; dkim=pass (s ig from cisco.com/sjdkim3002 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 65bc4909d78e8b10349def623cf7a1d1
Cc: int-area@ietf.org
X-BeenThere: int-area@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/int-area>
List-Post: <mailto:int-area@lists.ietf.org>
List-Help: <mailto:int-area-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=subscribe>
Errors-To: int-area-bounces@lists.ietf.org
IPR free is better, yes. But Alper himself is the sole inventor of US Pre-grant 20070028092: "Method and system for enabling chap authentication over PANA without using EAP" http://tinyurl.com/38k62e If he has disclosed this on the IETF IPR site, I cannot find it. This is even after I directly emailed him about the problem in October (see below). It sickens me to see Alper claiming PANA as "IPR free". BTW: Alper's is not the only PANA patent submission you will see at: http://appft1.uspto.gov/netahtml/PTO/search-bool.html Eric -----Original Message----- From: Eric Voit (evoit) Sent: Friday, October 19, 2007 12:00 PM To: Pekka Savola; Alper Yegin Cc: 'Internet Area' Subject: RE: [Int-area] DCHP-based authentication for DSL? > From: Pekka Savola, October 19, 2007 5:10 AM > To: Alper Yegin > Cc: 'Internet Area' > > On Fri, 19 Oct 2007, Alper Yegin wrote: > > There does not appear to be a strong justification to hack DHCP the > > way you are proposing. Many people spoke against that already. > > FWIW, Cisco has claimed IPR on the DHCP solution: > > http://www1.ietf.org/ietf/IPR/cisco-ipr-draft-pruss-dhcp-auth- > dsl-00.txt > > I wonder if other solutions are similarly affected. > > Just something to chew on when looking at potentially applicable > solutions... > Well, since you brought it up... Binding of DHCP and PANA... http://tinyurl.com/yvjx9l Triggering DHCP actions from IEEE 802.1x state changes... http://tinyurl.com/2avgk2 If you spend ten minutes on the USPTO website, you will quickly see that all of this technology has claims on it, far more than on the IETF IPR website. http://www.uspto.gov/patft/ "Results of Search in US Patent Collection db for: (DSL AND Authentication): 953 patents." "Results of Search in US Patent Collection db for: ((EAP AND Network) AND Access): 146 patents." At least Cisco disclosed its IPR to the IETF. Eric > From: Bound, Jim, December 04, 2007 8:42 AM > > I support strongly Alper below and anytime we can avoid an > IPR solution vs. IPR free we should always select the IPR > free solution given they both resolve the problem. I am also > not convinced DHCP should be used for net access authentication. > > Best, > /jim > > > -----Original Message----- > > From: Alper Yegin [mailto:alper.yegin@yegin.org] > > Sent: Tuesday, December 04, 2007 1:45 AM > > To: int-area@ietf.org > > Subject: [Int-area] Why IETF should not standardize dhcp-auth > > > > > > There are several concerns against standardizing > > draft-pruss-dhcp-auth-dsl-02. > > > > > > 1. Architectural > > > > When it comes to solving "distinct" fundamental problems (e.g., > > access > > auth, mobility, configuration, QoS), IETF defines "distinct" > > protocols > > for each. Piggybacking one over other for the sake of some > > optimization > > (product/performance/etc) conflicts with the strategy we > have been > > following at IETF. > > > > IAB document draft-iab-ip-config-00.txt is clear on that: > > > > Network access authentication is a distinct problem from > > Internet > > host configuration. Network access authentication is best > > handled > > independently of the configuration mechanisms in > use for the > > Internet > > and higher layers. > > > > > > 2. IETF principle > > > > IETF has already defined a solution for the problem: PANA. As a > > principle, IETF should first make an attempt to see if it really > > does not > > > > solve the problem and consider refining its protocol if > necessary. > > Defining a new protocol each time someone has another > solution is > > not > > compliant with IETF's principle goal of achieving > interoperability. > > > > PANA already satisfies the requirements we received from DSLF. > > > > > > 3. Breaking DHCP > > > > EAP and DHCP do not stack up well because none of the > end points, > > state > > machines, call flows match. And the proposal ends up > breaking DHCP. > > Specifically: > > > > - DHCPOFFER does not deliver IP address, despite RFC2131 saying: > > > > The server MUST return to the client: > > > > o The client's network address, as determined by the > rules given > > earlier in this section, > > > > - DHCP relay is inserting DHCP options (CHAP, EAP) when relaying > > messages to the DHCP client. Relay is not supposed to do that. > > > > - DHCP server receives the DHCPREQUEST but it does not respond to > > it. Instead, DHCP relay generates the DHCPACK/DHCPNAK > (See Figure > > 3). > > > > - DHCP relay is generating DHCP messages (see Figure 5). Relays > > are not supposed to do that. Although not documented yet, same > > misbehavior is needed for EAP retransmissions, and > > re-authentication. > > This is turning DHCP into a 3-party protocol. > > > > - RFC3118 cannot be used when DHCP relay inserts options towards > > DHCP > > client, removes options towards DHCP server, consumes some > > messages, > > generates some messages. Basically, this is breaking > the end2end > > model. > > > > - DHCP server does not see the DHCPREQUEST, as it is consumed by > > the relay (see Figure 5). > > > > > > 4. Failing DSLF requirements > > > > Despite the clear statements in the DSLF requirements, this > > proposal is > > not supporting authentication of the devices behind the > HGW (CPE). > > Instead, authors are denying the requirements: > > > > IPAuth-8 Must handle L3 CPE device authentication and > > end-device > > (PC) > > user based authentication (likely with L2 > CPEs in the > > latter > > case) > > > > IPAuth-9 Should be simple to implement on client (PC or CPE) > > > > This is because it is not possible to modify deployed PC stacks > > with > > that solution as DHCP is an internal part of the > operating systems. > > On > > the other hand, PANA can be supported at the application > layer and > > it > > does not require change to the IP stack. > > > > > > 5. IETF's IPR strategy > > > > IETF has already produced an IPR-free solution to this > > problem: PANA. Why > > > > should IETF not recommend use of PANA but instead rubber stamp an > > IPR-encumbered solution? > > > > > > 6. Community pushback > > > > Several people (excluding all PANA-related people) already spoke > > against > > it. > > > > > > Under the light of these issues, it is not clear why IETF is even > > considering standardizing such a solution at this point. > > > > DSLF in its liaison letter said they were "seriously considering" > > using this solution, not like "demanding it be standardized." It's > > perfectly fine if IETF analyzes the solution and concludes it has > > serious issues, and responds with another alternative for DSLF's > > consideration. > > > > Regards, > > > > Alper > > > > > > > > > > _______________________________________________ > > Int-area mailing list > > Int-area@lists.ietf.org > > https://www1.ietf.org/mailman/listinfo/int-area > > > > > _______________________________________________ > Int-area mailing list > Int-area@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/int-area > _______________________________________________ Int-area mailing list Int-area@lists.ietf.org https://www1.ietf.org/mailman/listinfo/int-area
- [Int-area] Why IETF should not standardize dhcp-a… Alper Yegin
- Re: [Int-area] Why IETF should not standardize dh… Yoshihiro Ohba
- RE: [Int-area] Why IETF should not standardize dh… Bound, Jim
- RE: [Int-area] Why IETF should not standardize dh… Eric Voit (evoit)
- Re: [Int-area] Why IETF should not standardize dh… Bernard_Aboba
- dhcp-auth IPR (was RE: [Int-area] Why IETF should… Alper Yegin
- RE: [Int-area] Why IETF should not standardize dh… Bound, Jim
- [Int-area] RE: dhcp-auth IPR (was RE: [Int-a] Why… Bound, Jim
- [Int-area] RE: dhcp-auth IPR (was RE: [Int-a] Why… Eric Voit (evoit)
- Re: [Int-area] RE: dhcp-auth IPR (was RE: [Int-a]… Yoshihiro Ohba
- [Int-area] IPR discussions Jari Arkko
- RE: [Int-area] RE: dhcp-auth IPR (was RE: [Int-a]… Alper Yegin