Re: [Int-area] DCHP-based authentication for DSL?
Yoshihiro Ohba <yohba@tari.toshiba.com> Tue, 06 November 2007 15:29 UTC
Return-path: <int-area-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IpQMe-0006bD-7K; Tue, 06 Nov 2007 10:29:16 -0500
Received: from int-area by megatron.ietf.org with local (Exim 4.43) id 1IpQMd-0006aG-8u for int-area-confirm+ok@megatron.ietf.org; Tue, 06 Nov 2007 10:29:15 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IpQMc-0006Zu-Ux for int-area@lists.ietf.org; Tue, 06 Nov 2007 10:29:14 -0500
Received: from [2001:418:1403:0:212:17ff:fe52:7811] (helo=toshi17.tari.toshiba.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IpQMc-00076h-8p for int-area@lists.ietf.org; Tue, 06 Nov 2007 10:29:14 -0500
Received: from steelhead.localdomain (tarij-98.tari.toshiba.com [172.30.24.201] (may be forged)) by toshi17.tari.toshiba.com (8.13.1/8.13.1) with ESMTP id lA6FSqun043242; Tue, 6 Nov 2007 10:28:52 -0500 (EST) (envelope-from yohba@tari.toshiba.com)
Received: from ohba by steelhead.localdomain with local (Exim 4.67) (envelope-from <yohba@tari.toshiba.com>) id 1IpQMF-0005ep-Mi; Tue, 06 Nov 2007 10:28:51 -0500
Date: Tue, 06 Nov 2007 10:28:51 -0500
To: "Eric Voit (evoit)" <evoit@cisco.com>
Subject: Re: [Int-area] DCHP-based authentication for DSL?
Message-ID: <20071106152851.GC20711@steelhead.localdomain>
References: <EEEF19C5-1577-41CE-85DE-AC3376601CCE@cisco.com> <EC1D3B60F1526848BF55E5AD3D391F8903A7BC41@xmb-rtp-20a.amer.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-2022-jp"
Content-Disposition: inline
In-Reply-To: <EC1D3B60F1526848BF55E5AD3D391F8903A7BC41@xmb-rtp-20a.amer.cisco.com>
User-Agent: Mutt/1.5.13 (2006-08-11)
From: Yoshihiro Ohba <yohba@tari.toshiba.com>
X-Spam-Score: -1.4 (-)
X-Scan-Signature: 5ebbf074524e58e662bc8209a6235027
Cc: Internet Area <int-area@lists.ietf.org>
X-BeenThere: int-area@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/int-area>
List-Post: <mailto:int-area@lists.ietf.org>
List-Help: <mailto:int-area-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=subscribe>
Errors-To: int-area-bounces@lists.ietf.org
On Tue, Nov 06, 2007 at 09:20:14AM -0500, Eric Voit (evoit) wrote: > > From: Ralph Droms, November 05, 2007 9:36 PM > > > > No, PANA would not require changes to the DHCP client > > behavior if the first hop relay agent is configured to > > discard DHCP messages until PANA authentication is complete. > > I am assuming you are talking about discarding DHCP messages for the > second DHCP assigned IP address when the lease for the first address > expires. In old PANA threads such as: > http://www1.ietf.org/mail-archive/web/pana/current/msg00376.html > They worried quite a bit about uncoordinated state machines resulting in > slow client logon. Up to 30 second delays were mentioned. > > Since random duration global IP address assignment delays of up to 30 > seconds is not acceptable, I am expect that PANA has fixed this. Could > one of the PANA people explain how? I am not sure what exact PANA deployment scenario is being discussed here, but 30 seconds delay mentioned in the old PANA thread is between the time when DHCP is started and the time when an IPv4 link-local address is configured after DHCP timeouts. > > BTW: even with the DHCP message for the 1st IP address, there are PANA > drafts which require DHCP client modifications. For example: > ftp://ftp.rfc-editor.org/in-notes/internet-drafts/draft-ietf-dhc-paa-opt > ion-05.txt > "defines new DHCPv4 and DHCPv6 options that contain a list of IP > addresses to locate one or more of PANA Authentication Agents (PAA)." This is the default method for obtaining PAA's IP address. This does not mean this is the only way. PANA allows other methods for configuring PAA's IP address if defined. Also, a particular deployment where PAA always resides in access router may simply use default gateway address as PAA's address and I believe all DHCP clients understands Router option. > > Presumably whatever mechanism is used to allow IP traffic > > after PANA authentication could also trigger the relay agent > > to allow DHCP forwarding. > > This would again result in DHCP Timeouts unless coordination of the > client state machine is occurring. (And even if there is coordination > with the client, there is ugly system behavior if the 2nd client DHCP > message is initiated before the relay agent has completed updating its > filters!) I am not sure what coordination of the client state machine exactly means, but to avoid the ugly behavior, a PAA implementation can delay returning PANA authentication result until relay agent completes filtering installation. Yoshihiro Ohba > > Eric > > > Of course, I'm speculating wildly here about implementation > > details without the benefit of any system architecture docs... > > > > - Ralph > > > > On Nov 5, 2007, at Nov 5, 2007,8:33 PM, Richard Pruss wrote: > > > > > > > > > > > Bernard Aboba wrote, around 6/11/07 11:11 AM: > > >>> But let's have a fair evaluation. If we decide that PANA > > fits the > > >>> requirements perfectly, the above objections apply > > equally well to > > >>> it. > > >> > > >> Actually, I'm not clear that the objections apply equally well to > > >> PANA. > > >> > > >> On the Windows platform at least, there is an API that permits > > >> integration of new EAP lower layers. That means that PANA support > > >> can be added by a third party with no required changes to the > > >> operating system. > > >> > > >> Since DHCP/EAP requires change to the DHCP state machine, the work > > >> required would be considerably greater. > > >> > > >> > > >> > > > Does PANA not also require changes to the DHCP state > > machine to stop > > > it running until PANA has authenticated on the link local address? > > > > > > > > > _______________________________________________ > > > Int-area mailing list > > > Int-area@lists.ietf.org > > > https://www1.ietf.org/mailman/listinfo/int-area > > > > > > _______________________________________________ > > Int-area mailing list > > Int-area@lists.ietf.org > > https://www1.ietf.org/mailman/listinfo/int-area > > > > > _______________________________________________ > Int-area mailing list > Int-area@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/int-area > > _______________________________________________ Int-area mailing list Int-area@lists.ietf.org https://www1.ietf.org/mailman/listinfo/int-area
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- Re: [Int-area] DCHP-based authentication for DSL? Richard Pruss
- [Int-area] DCHP-based authentication for DSL? Jari Arkko
- Re: [Int-area] DCHP-based authentication for DSL? Richard Pruss
- Re: [Int-area] DCHP-based authentication for DSL? Alan DeKok
- RE: [Int-area] DCHP-based authentication for DSL? Maglione Roberta
- Re: [Int-area] DCHP-based authentication for DSL? James Kempf
- RE: [Int-area] DCHP-based authentication for DSL? Pekka Savola
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- Re: [Int-area] DCHP-based authentication for DSL? Richard Pruss
- Re: [Int-area] DCHP-based authentication for DSL? Alan DeKok
- Re: [Int-area] DCHP-based authentication for DSL? Jari Arkko
- Re: [Int-area] DCHP-based authentication for DSL? Pekka Savola
- Re: [Int-area] DCHP-based authentication for DSL? Iljitsch van Beijnum
- Re: [Int-area] DCHP-based authentication for DSL? Jari Arkko
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- Re: [Int-area] DCHP-based authentication for DSL? Mark Townsley
- Re: [Int-area] DCHP-based authentication for DSL? Richard Pruss
- Re: [Int-area] DCHP-based authentication for DSL? Bernard Aboba
- RE: [Int-area] DCHP-based authentication for DSL? MORAND Lionel RD-CORE-ISS
- Re: [Int-area] DCHP-based authentication for DSL? Richard Pruss
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- Re: [Int-area] DCHP-based authentication for DSL? Jari Arkko
- Re: [Int-area] DCHP-based authentication for DSL? Jari Arkko
- Re: [Int-area] DCHP-based authentication for DSL? Iljitsch van Beijnum
- Re: [Int-area] DCHP-based authentication for DSL? Jari Arkko
- Re: [Int-area] DCHP-based authentication for DSL? Iljitsch van Beijnum
- Re: [Int-area] DCHP-based authentication for DSL? Ralph Droms
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- Re: [Int-area] DCHP-based authentication for DSL? Bernard Aboba
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- Re: [Int-area] DCHP-based authentication for DSL? Mark Townsley
- Re: [Int-area] DCHP-based authentication for DSL? Ralph Droms
- RE: [Int-area] DCHP-based authentication for DSL? Eric Voit (evoit)
- Re: [Int-area] DCHP-based authentication for DSL? Stig Venaas
- Re: [Int-area] DCHP-based authentication for DSL? Mark Townsley
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- Re: [Int-area] DCHP-based authentication for DSL? Richard Pruss
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- Re: [Int-area] DCHP-based authentication for DSL? Iljitsch van Beijnum
- Re: [Int-area] DCHP-based authentication for DSL? Iljitsch van Beijnum
- RE: [Int-area] DCHP-based authentication for DSL? Eric Voit (evoit)
- Re: [Int-area] DCHP-based authentication for DSL? Mark Townsley
- Re: [Int-area] DCHP-based authentication for DSL? Iljitsch van Beijnum
- Re: [Int-area] DCHP-based authentication for DSL? Iljitsch van Beijnum
- Re: [Int-area] DCHP-based authentication for DSL? Mark Townsley
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- Re: [Int-area] DCHP-based authentication for DSL? Mark Townsley
- RE: [Int-area] DCHP-based authentication for DSL? Eric Voit (evoit)
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- Re: [Int-area] DCHP-based authentication for DSL? James Kempf
- Re: [Int-area] DCHP-based authentication for DSL? Mark Townsley
- Business considerations (Was: Re: [Int-area] DCHP… Jari Arkko
- Re: [Int-area] DCHP-based authentication for DSL? Jari Arkko
- Re: [Int-area] DCHP-based authentication for DSL? Iljitsch van Beijnum
- RE: [Int-area] DCHP-based authentication for DSL? Bernard Aboba
- Re: Business considerations (Was: Re: [Int-area] … James Kempf
- Re: Business considerations (Was: Re: [Int-area] … Jari Arkko
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- RE: [Int-area] DCHP-based authentication for DSL? Eric Voit (evoit)
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- RE: [Int-area] DCHP-based authentication for DSL? Eric Voit (evoit)
- Re: [Int-area] DCHP-based authentication for DSL? Alan DeKok
- Re: [Int-area] DCHP-based authentication for DSL? Iljitsch van Beijnum
- Re: [Int-area] DCHP-based authentication for DSL? Julien Bournelle
- Re: [Int-area] DCHP-based authentication for DSL? Bernard Aboba
- Re: [Int-area] DCHP-based authentication for DSL? Alan DeKok
- Re: [Int-area] DCHP-based authentication for DSL? David R Oran
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- RE: [Int-area] DCHP-based authentication for DSL? Eric Voit (evoit)
- Re: [Int-area] DCHP-based authentication for DSL? Richard Pruss
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- RE: [Int-area] DCHP-based authentication for DSL? Eric Voit (evoit)
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- Re: [Int-area] DCHP-based authentication for DSL? Richard Pruss
- RE: [Int-area] DCHP-based authentication for DSL? Eric Voit (evoit)
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- Re: [Int-area] DCHP-based authentication for DSL? Iljitsch van Beijnum
- RE: [Int-area] DCHP-based authentication for DSL? Pekka Savola
- Re: [Int-area] DCHP-based authentication for DSL? Hannes Tschofenig
- Re: [Int-area] DCHP-based authentication for DSL? Julien Bournelle
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- RE: [Int-area] DCHP-based authentication for DSL? Wojciech Dec (wdec)
- Re: [Int-area] DCHP-based authentication for DSL? Ralph Droms
- Re: [Int-area] DCHP-based authentication for DSL? Bernard Aboba
- RE: [Int-area] DCHP-based authentication for DSL? Eric Voit (evoit)
- Re: [Int-area] DCHP-based authentication for DSL? Hannes Tschofenig
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- Re: [Int-area] DCHP-based authentication for DSL? Mark Townsley
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- Re: [Int-area] DCHP-based authentication for DSL? Ralph Droms
- RE: [Int-area] DCHP-based authentication for DSL? Eric Voit (evoit)
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- RE: [Int-area] DCHP-based authentication for DSL? Eric Voit (evoit)
- Re: [Int-area] DCHP-based authentication for DSL? Mark Townsley
- Re: [Int-area] DCHP-based authentication for DSL? Julien Bournelle
- Re: [Int-area] DCHP-based authentication for DSL? Iljitsch van Beijnum
- RE: [Int-area] DCHP-based authentication for DSL? Wojciech Dec (wdec)
- Re: [Int-area] DCHP-based authentication for DSL? Iljitsch van Beijnum
- RE: [Int-area] DCHP-based authentication for DSL? Wojciech Dec (wdec)
- Re: [Int-area] DCHP-based authentication for DSL? Iljitsch van Beijnum
- Re: [Int-area] DCHP-based authentication for DSL? Ralph Droms
- Re: [Int-area] DCHP-based authentication for DSL? Ralph Droms
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- RE: [Int-area] DCHP-based authentication for DSL? Peter Arberg
- RE: [Int-area] DCHP-based authentication for DSL? Peter Arberg
- Re: [Int-area] DCHP-based authentication for DSL? Iljitsch van Beijnum
- RE: [Int-area] DCHP-based authentication for DSL? Bill Welch
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- Re: [Int-area] DCHP-based authentication for DSL? Stig Venaas
- RE: [Int-area] DCHP-based authentication for DSL? Bill Welch
- Re: [Int-area] DCHP-based authentication for DSL? Richard Pruss
- Re: [Int-area] DCHP-based authentication for DSL? Ralph Droms
- Re: [Int-area] DCHP-based authentication for DSL? Ralph Droms
- Re: [Int-area] DCHP-based authentication for DSL? Richard Pruss
- Re: [Int-area] DCHP-based authentication for DSL? Hannes Tschofenig
- Re: [Int-area] DCHP-based authentication for DSL? Ralph Droms
- Re: [Int-area] DCHP-based authentication for DSL? Stig Venaas
- Re: [Int-area] DCHP-based authentication for DSL? Ralph Droms
- Re: [Int-area] DCHP-based authentication for DSL? Ralph Droms
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- Re: [Int-area] DCHP-based authentication for DSL? Richard Pruss
- Re: [Int-area] DCHP-based authentication for DSL? Richard Pruss
- RE: [Int-area] DCHP-based authentication for DSL? Bill Welch
- Re: [Int-area] DCHP-based authentication for DSL? Hannes Tschofenig
- Re: [Int-area] DCHP-based authentication for DSL? Richard Pruss
- Re: [Int-area] DCHP-based authentication for DSL? Hannes Tschofenig
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- Re: [Int-area] DCHP-based authentication for DSL? Alan DeKok
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- Re: [Int-area] DCHP-based authentication for DSL? Iljitsch van Beijnum
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- Re: [Int-area] DCHP-based authentication for DSL? Alan DeKok
- Re: [Int-area] DCHP-based authentication for DSL? Bernard_Aboba
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- Re: [Int-area] DCHP-based authentication for DSL? Ralph Droms
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- Re: [Int-area] DCHP-based authentication for DSL? Stig Venaas
- RE: [Int-area] DCHP-based authentication for DSL? Wojciech Dec (wdec)
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- RE: [Int-area] DCHP-based authentication for DSL? Bill Welch
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- RE: [Int-area] DCHP-based authentication for DSL? Templin, Fred L
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- Re: [Int-area] DCHP-based authentication for DSL? Iljitsch van Beijnum
- RE: [Int-area] DCHP-based authentication for DSL? Templin, Fred L
- RE: [Int-area] DCHP-based authentication for DSL? Templin, Fred L
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- RE: [Int-area] DCHP-based authentication for DSL? Templin, Fred L
- RE: [Int-area] DCHP-based authentication for DSL? Wojciech Dec (wdec)
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- RE: [Int-area] DCHP-based authentication for DSL? Templin, Fred L
- RE: [Int-area] DCHP-based authentication for DSL? Bernard Aboba
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- RE: [Int-area] DCHP-based authentication for DSL? Templin, Fred L
- RE: [Int-area] DCHP-based authentication for DSL? Templin, Fred L
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- RE: [Int-area] DCHP-based authentication for DSL? Templin, Fred L
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- RE: [Int-area] DCHP-based authentication for DSL? Templin, Fred L
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- Re: [dhcwg] Re: [Int-area] DCHP-based authenticat… Richard Pruss
- Re: [dhcwg] Re: [Int-area] DCHP-based authenticat… Ted Lemon
- RE: [dhcwg] Re: [Int-area] DCHP-based authenticat… Eric Voit (evoit)
- Re: [Int-area] DCHP-based authentication for DSL? Ralph Droms
- Re: [dhcwg] Re: [Int-area] DCHP-based authenticat… Ted Lemon
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- Re: [Int-area] DCHP-based authentication for DSL? Richard Pruss
- Re: [dhcwg] Re: [Int-area] DCHP-based authenticat… Richard Pruss
- RE: [Int-area] DCHP-based authentication for DSL? Wojciech Dec (wdec)
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- Re: [dhcwg] Re: [Int-area] DCHP-based authenticat… Ted Lemon
- Re: [Int-area] DCHP-based authentication for DSL? Ted Lemon
- Re: [Int-area] DCHP-based authentication for DSL? Alan DeKok
- Re: [Int-area] DCHP-based authentication for DSL? Bernard Aboba
- Re: [Int-area] DCHP-based authentication for DSL? Richard Pruss
- Re: [Int-area] DCHP-based authentication for DSL? Ralph Droms
- Re: [Int-area] DCHP-based authentication for DSL? Ted Lemon
- Re: [Int-area] DCHP-based authentication for DSL? Alan DeKok
- Re: [Int-area] DCHP-based authentication for DSL? Damic, Damjan
- Re: [Int-area] DCHP-based authentication for DSL? Richard Pruss
- RE: [Int-area] DCHP-based authentication for DSL? Eric Voit (evoit)
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- RE: [Int-area] DCHP-based authentication for DSL? Templin, Fred L
- Re: [Int-area] DCHP-based authentication for DSL? Alan DeKok
- Re: [Int-area] DCHP-based authentication for DSL? Iljitsch van Beijnum
- Re: [Int-area] DCHP-based authentication for DSL? Richard Pruss
- Re: [Int-area] DCHP-based authentication for DSL? Iljitsch van Beijnum
- Re: [Int-area] DCHP-based authentication for DSL? Richard Pruss
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- RE: [Int-area] DCHP-based authentication for DSL? Alper Yegin
- Re: [Int-area] DCHP-based authentication for DSL? Iljitsch van Beijnum
- Re: [Int-area] DCHP-based authentication for DSL? Mark Townsley
- Re: [Int-area] DCHP-based authentication for DSL? Iljitsch van Beijnum
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- Re: [Int-area] DCHP-based authentication for DSL? Mark Townsley
- Re: [Int-area] DCHP-based authentication for DSL? Yoshihiro Ohba
- Re: [Int-area] DCHP-based authentication for DSL? Jari Arkko
- RE: [Int-area] DCHP-based authentication for DSL? Avi Lior