RE: [Int-area] Why IETF should not standardize dhcp-auth
"Bound, Jim" <Jim.Bound@hp.com> Tue, 04 December 2007 15:25 UTC
Return-path: <int-area-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IzZeV-0003K1-9k; Tue, 04 Dec 2007 10:25:39 -0500
Received: from int-area by megatron.ietf.org with local (Exim 4.43) id 1IzZeT-0003Jh-L3 for int-area-confirm+ok@megatron.ietf.org; Tue, 04 Dec 2007 10:25:37 -0500
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IzZeT-0003JY-9D for int-area@ietf.org; Tue, 04 Dec 2007 10:25:37 -0500
Received: from g1t0029.austin.hp.com ([15.216.28.36]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IzZeS-0002BX-6r for int-area@ietf.org; Tue, 04 Dec 2007 10:25:37 -0500
Received: from g1t0029.austin.hp.com (localhost.localdomain [127.0.0.1]) by receive-from-antispam-filter (Postfix) with SMTP id C814838347; Tue, 4 Dec 2007 15:25:35 +0000 (UTC)
Received: from G1W0401.americas.hpqcorp.net (g1w0401.americas.hpqcorp.net [16.236.31.6]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by g1t0029.austin.hp.com (Postfix) with ESMTP id BAF2D38345; Tue, 4 Dec 2007 15:25:35 +0000 (UTC)
Received: from G5W0325.americas.hpqcorp.net (16.228.8.67) by G1W0401.americas.hpqcorp.net (16.236.31.6) with Microsoft SMTP Server (TLS) id 8.0.744.1; Tue, 4 Dec 2007 15:23:23 +0000
Received: from G5W0274.americas.hpqcorp.net ([16.228.8.60]) by G5W0325.americas.hpqcorp.net ([16.228.8.67]) with mapi; Tue, 4 Dec 2007 15:23:22 +0000
From: "Bound, Jim" <Jim.Bound@hp.com>
To: "Eric Voit (evoit)" <evoit@cisco.com>, Alper Yegin <alper.yegin@yegin.org>
Date: Tue, 04 Dec 2007 15:23:20 +0000
Subject: RE: [Int-area] Why IETF should not standardize dhcp-auth
Thread-Topic: [Int-area] Why IETF should not standardize dhcp-auth
Thread-Index: Acg2HlGFfjU8BmV1T0m3qimYtbQWnwAHx8bAAA9yGqAAAFSGQAADJ7xQ
Message-ID: <1AB21F94DA6EEF459F107706554433392210FA3970@G5W0274.americas.hpqcorp.net>
References: <0MKp8S-1IzRWe3mNH-0007VC@mrelay.perfora.net> <1AB21F94DA6EEF459F107706554433392210F495E2@G5W0274.americas.hpqcorp.net> <EC1D3B60F1526848BF55E5AD3D391F8903C82C2E@xmb-rtp-20a.amer.cisco.com>
In-Reply-To: <EC1D3B60F1526848BF55E5AD3D391F8903C82C2E@xmb-rtp-20a.amer.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 93b4f10b2112e1468b61e19ea6180478
Cc: "int-area@ietf.org" <int-area@ietf.org>
X-BeenThere: int-area@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/int-area>
List-Post: <mailto:int-area@lists.ietf.org>
List-Help: <mailto:int-area-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=subscribe>
Errors-To: int-area-bounces@lists.ietf.org
Eric thanks for sending this and that says a lot and good you said it. I believe ERic no IPR should be permitted in the IETF at all. I know I will never win that battle and don't want to start it again. I think with all the IPR here eventually the IETF will loose yet another founding principle that is not written down but open systems standardization environment. Alper I think you need to respond to this now in the community ???????????? /jim > -----Original Message----- > From: Eric Voit (evoit) [mailto:evoit@cisco.com] > Sent: Tuesday, December 04, 2007 9:23 AM > To: Bound, Jim; Alper Yegin > Cc: int-area@ietf.org > Subject: RE: [Int-area] Why IETF should not standardize dhcp-auth > > IPR free is better, yes. > > But Alper himself is the sole inventor of US Pre-grant 20070028092: > "Method and system for enabling chap authentication over PANA > without using EAP" > http://tinyurl.com/38k62e > If he has disclosed this on the IETF IPR site, I cannot find > it. This is even after I directly emailed him about the > problem in October (see below). > > It sickens me to see Alper claiming PANA as "IPR free". > > BTW: Alper's is not the only PANA patent submission you will see at: > http://appft1.uspto.gov/netahtml/PTO/search-bool.html > > Eric > > -----Original Message----- > From: Eric Voit (evoit) > Sent: Friday, October 19, 2007 12:00 PM > To: Pekka Savola; Alper Yegin > Cc: 'Internet Area' > Subject: RE: [Int-area] DCHP-based authentication for DSL? > > > > From: Pekka Savola, October 19, 2007 5:10 AM > > To: Alper Yegin > > Cc: 'Internet Area' > > > > On Fri, 19 Oct 2007, Alper Yegin wrote: > > > There does not appear to be a strong justification to > hack DHCP the > > > way you are proposing. Many people spoke against that already. > > > > FWIW, Cisco has claimed IPR on the DHCP solution: > > > > http://www1.ietf.org/ietf/IPR/cisco-ipr-draft-pruss-dhcp-auth- > > dsl-00.txt > > > > I wonder if other solutions are similarly affected. > > > > Just something to chew on when looking at potentially applicable > > solutions... > > > > Well, since you brought it up... > > Binding of DHCP and PANA... > http://tinyurl.com/yvjx9l > > Triggering DHCP actions from IEEE 802.1x state changes... > http://tinyurl.com/2avgk2 > > If you spend ten minutes on the USPTO website, you will > quickly see that all of this technology has claims on it, far > more than on the IETF IPR website. > > http://www.uspto.gov/patft/ > > "Results of Search in US Patent Collection db for: > (DSL AND Authentication): 953 patents." > > "Results of Search in US Patent Collection db for: > ((EAP AND Network) AND Access): 146 patents." > > At least Cisco disclosed its IPR to the IETF. > > Eric > > > > > From: Bound, Jim, December 04, 2007 8:42 AM > > > > I support strongly Alper below and anytime we can avoid an IPR > > solution vs. IPR free we should always select the IPR free solution > > given they both resolve the problem. I am also not convinced DHCP > > should be used for net access authentication. > > > > Best, > > /jim > > > > > -----Original Message----- > > > From: Alper Yegin [mailto:alper.yegin@yegin.org] > > > Sent: Tuesday, December 04, 2007 1:45 AM > > > To: int-area@ietf.org > > > Subject: [Int-area] Why IETF should not standardize dhcp-auth > > > > > > > > > There are several concerns against standardizing > > > draft-pruss-dhcp-auth-dsl-02. > > > > > > > > > 1. Architectural > > > > > > When it comes to solving "distinct" fundamental > problems (e.g., > > > access > > > auth, mobility, configuration, QoS), IETF defines "distinct" > > > protocols > > > for each. Piggybacking one over other for the sake of some > > > optimization > > > (product/performance/etc) conflicts with the strategy we > > have been > > > following at IETF. > > > > > > IAB document draft-iab-ip-config-00.txt is clear on that: > > > > > > Network access authentication is a distinct problem from > > > Internet > > > host configuration. Network access > authentication is best > > > handled > > > independently of the configuration mechanisms in > > use for the > > > Internet > > > and higher layers. > > > > > > > > > 2. IETF principle > > > > > > IETF has already defined a solution for the problem: PANA. As a > > > principle, IETF should first make an attempt to see if > it really > > > does not > > > > > > solve the problem and consider refining its protocol if > > necessary. > > > Defining a new protocol each time someone has another > > solution is > > > not > > > compliant with IETF's principle goal of achieving > > interoperability. > > > > > > PANA already satisfies the requirements we received from DSLF. > > > > > > > > > 3. Breaking DHCP > > > > > > EAP and DHCP do not stack up well because none of the > > end points, > > > state > > > machines, call flows match. And the proposal ends up > > breaking DHCP. > > > Specifically: > > > > > > - DHCPOFFER does not deliver IP address, despite > RFC2131 saying: > > > > > > The server MUST return to the client: > > > > > > o The client's network address, as determined by the > > rules given > > > earlier in this section, > > > > > > - DHCP relay is inserting DHCP options (CHAP, EAP) > when relaying > > > messages to the DHCP client. Relay is not supposed > to do that. > > > > > > - DHCP server receives the DHCPREQUEST but it does not > respond to > > > it. Instead, DHCP relay generates the DHCPACK/DHCPNAK > > (See Figure > > > 3). > > > > > > - DHCP relay is generating DHCP messages (see Figure 5). Relays > > > are not supposed to do that. Although not documented > yet, same > > > misbehavior is needed for EAP retransmissions, and > > > re-authentication. > > > This is turning DHCP into a 3-party protocol. > > > > > > - RFC3118 cannot be used when DHCP relay inserts > options towards > > > DHCP > > > client, removes options towards DHCP server, consumes some > > > messages, > > > generates some messages. Basically, this is breaking > > the end2end > > > model. > > > > > > - DHCP server does not see the DHCPREQUEST, as it is > consumed by > > > the relay (see Figure 5). > > > > > > > > > 4. Failing DSLF requirements > > > > > > Despite the clear statements in the DSLF requirements, this > > > proposal is > > > not supporting authentication of the devices behind the > > HGW (CPE). > > > Instead, authors are denying the requirements: > > > > > > IPAuth-8 Must handle L3 CPE device authentication and > > > end-device > > > (PC) > > > user based authentication (likely with L2 > > CPEs in the > > > latter > > > case) > > > > > > IPAuth-9 Should be simple to implement on client > (PC or CPE) > > > > > > This is because it is not possible to modify deployed > PC stacks > > > with > > > that solution as DHCP is an internal part of the > > operating systems. > > > On > > > the other hand, PANA can be supported at the application > > layer and > > > it > > > does not require change to the IP stack. > > > > > > > > > 5. IETF's IPR strategy > > > > > > IETF has already produced an IPR-free solution to this > > > problem: PANA. Why > > > > > > should IETF not recommend use of PANA but instead > rubber stamp an > > > IPR-encumbered solution? > > > > > > > > > 6. Community pushback > > > > > > Several people (excluding all PANA-related people) > already spoke > > > against > > > it. > > > > > > > > > Under the light of these issues, it is not clear why IETF is even > > > considering standardizing such a solution at this point. > > > > > > DSLF in its liaison letter said they were "seriously considering" > > > using this solution, not like "demanding it be > standardized." It's > > > perfectly fine if IETF analyzes the solution and concludes it has > > > serious issues, and responds with another alternative for DSLF's > > > consideration. > > > > > > Regards, > > > > > > Alper > > > > > > > > > > > > > > > _______________________________________________ > > > Int-area mailing list > > > Int-area@lists.ietf.org > > > https://www1.ietf.org/mailman/listinfo/int-area > > > > > > > > > _______________________________________________ > > Int-area mailing list > > Int-area@lists.ietf.org > > https://www1.ietf.org/mailman/listinfo/int-area > > > > > _______________________________________________ > Int-area mailing list > Int-area@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/int-area > _______________________________________________ Int-area mailing list Int-area@lists.ietf.org https://www1.ietf.org/mailman/listinfo/int-area
- [Int-area] Why IETF should not standardize dhcp-a… Alper Yegin
- Re: [Int-area] Why IETF should not standardize dh… Yoshihiro Ohba
- RE: [Int-area] Why IETF should not standardize dh… Bound, Jim
- RE: [Int-area] Why IETF should not standardize dh… Eric Voit (evoit)
- Re: [Int-area] Why IETF should not standardize dh… Bernard_Aboba
- dhcp-auth IPR (was RE: [Int-area] Why IETF should… Alper Yegin
- RE: [Int-area] Why IETF should not standardize dh… Bound, Jim
- [Int-area] RE: dhcp-auth IPR (was RE: [Int-a] Why… Bound, Jim
- [Int-area] RE: dhcp-auth IPR (was RE: [Int-a] Why… Eric Voit (evoit)
- Re: [Int-area] RE: dhcp-auth IPR (was RE: [Int-a]… Yoshihiro Ohba
- [Int-area] IPR discussions Jari Arkko
- RE: [Int-area] RE: dhcp-auth IPR (was RE: [Int-a]… Alper Yegin