Re: [dhcwg] [New I-D] DHCP User-based Authentication
Amy Zhao wrote:
>> I have the following three questions:
>>
>> 1. Why is DHCP the correct protocol to do user-based
>> authentication?
>>
>
> If we want to use DHCP for configuring clients accessing the Internet
> through some form of high-speed access technology such as cable or ADSL, we
> need a coupling between AAA and DHCP.
>
What resource is DHCP protecting, and is it effective at protecting that
resource?
>
>> 2. How would this work interact with RFC 3118 (as
>> mentioned by Andre
>> Kostur)?
>>
>
> You and Andre both mention this issue. To tell the truth, I really missed
> it. But until now, I think the two options are separate. Maybe I miss some
> issues.
Fundamentally the issue is this: what is to prevent a rogue DHCP server
from snarfing a client password? More precisely: how does the client
properly recognize an authorized DHCP server versus a rogue server? I
think that leads us to 3 below.
>
>
>
>> 3. At this late date it seems wise to at least address the issue of
>> the authentication server proving itself to the connecting
>> device. This seems to me to change the nature of risk
>> with regard
>> to who is giving up information. What in your proposal is to
>> prevent a rogue DHCP server from snarfing passwords?
>>
>>
> Sorry, I could not catch your meaning. Do you mean to add some context in the
> draft?
>
See above. How do I know that I am handing my password to A Good Guy?
Eliot
_______________________________________________
dhcwg mailing list
dhcwg at ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg