
[dhcwg] RE: I-D ACTION:draft-zhao-dhc-user-authentication-00.txt



Hi Amy,

Thanks for your reply.

The links of the drafts mentioned earlier are
http://www.ietf.org/internet-drafts/draft-ram-dhc-dhcpv6-aakey-01.txt
and
http://www.ietf.org/internet-drafts/draft-ram-dhc-dhcpv6-diam-app-01.txt
. In brief, they define a solution for authenticating the user at the
AAA and also establishing the DHCP security association between the DHCP
client and server dynamically.

I notice that the purpose of both your draft and the above-mentioned
drafts is the same, that is, authenticating the user at the AAA. In the
solution described in the above drafts, the AAA server is contacted via
the DHCP Server. In architectures like WiMAX, the DHCP Relay and the
NAS/AAA Client may not co-exist.

The solution described in the above two drafts fits in well with the DHCP
authentication mechanism described in RFC 3118. And they handle the
roaming scenarios by establishing the authentication keys dynamically.

Please let us know your comments. 

Thanks,
Saumya

-----Original Message-----
From: Amy Zhao [mailto:zhaoyuping at huawei.com] 
Sent: Thursday, October 12, 2006 8:01 AM
To: Upadhyaya Saumya-a20369
Subject: RE: I-D ACTION:draft-zhao-dhc-user-authentication-00.txt

Hello!

      Please see in line.

Thanks!

B.R.
Amy 

 

> -----Original Message-----
> From: Upadhyaya Saumya-a20369 [mailto:saumya at motorola.com] 
> Sent: Tuesday, October 03, 2006 2:01 PM
> To: zhaoyuping at huawei.com
> Cc: Ram O V Vishnu-A14676
> Subject: RE: I-D ACTION:draft-zhao-dhc-user-authentication-00.txt
> 
> Hi,
> 
> We have a couple of queries based on your published draft.
> 
> - Which networks do you see an applicability of this type of 
> authentication? Would it be applicable, in say, WiMAX 
> networks where other mechanisms are used for access authorization?

When the DHCP protocol is used between a user equipment and a DHCP
server in a public domain environment, network services offered via the
access network need user identification; therefore the DHCP protocol
requires user-based authentication.



> - Typically, access authorization is provided using an L2 
> based authentication mechanism like, say, EAP. In a case 
> where the network is using an EAP-based authentication 
> protocol, how would this solution be useful?

This solution is not intended to replace the L2-based authentication
mechanism; it is just a solution based on DHCP.
We just want to provide a method that provides authentication for a
user, and this method is suited to be used in public domain environments
and it is simple to implement.

> - Does your scheme assume a secure DHCP channel between the 
> DHCP client-relay-server? How would man-in-the-middle type of 
> attacks be addressed without that? 

For basic user-based authentication, it should work in a secure DHCP
channel.
For Digest user-based authentication, it is a secure user-based
authentication, but it cannot completely address the MIM attack.

> - Do you think this could be coupled with DHCP authentication 
> scheme described in draft-ram-dhc-dhcpv6-aakey-01 and 
> draft-ram-dhc-dhcpv6-diam-app-01?

I need some time to read the above-mentioned drafts; where can I get them?

> - Have you considered a roaming scenario?

Sorry, I am not familiar with roaming technology. Maybe it will be useful
to roaming/mobile clients. :-)

> - How does your scheme work in the case where both user 
> authentication (say, NAI based) and device authentication 
> need to be performed?
> 
> 
> Thanks and Regards,
> Saumya
> 
> -----Original Message-----
> From: Internet-Drafts at ietf.org [mailto:Internet-Drafts at ietf.org]
> Sent: Monday, October 02, 2006 8:20 PM
> To: i-d-announce at ietf.org
> Subject: I-D ACTION:draft-zhao-dhc-user-authentication-00.txt 
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories.
> 
> 
> 	Title		: DHCP User-based Authentication
> 	Author(s)	: Y. Zhao
> 	Filename	: draft-zhao-dhc-user-authentication-00.txt
> 	Pages		: 24
> 	Date		: 2006-10-2
> 	
> This document defines an authentication mechanism to provide an
> authentication for a user in an access network by means of dhcp.  The
> authentication mechanism described here couples DHCP to an
> authentication, authorization and accounting system (AAA), 
> thus enabling
> users to supply user credentials for AAA via DHCP.
> 
> 
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-zhao-dhc-user-authentication-00.txt
> 



_______________________________________________
dhcwg mailing list
dhcwg at ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg