[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [dhcwg] [New I-D] DHCP User-based Authentication

To: Amy Zhao <zhaoyuping at huawei.com>
Subject: Re: [dhcwg] [New I-D] DHCP User-based Authentication
From: Pavan Kurapati <pavan_kurapati at infosys.com>
Date: Fri, 13 Oct 2006 14:43:12 +0530
Cc: dhcwg at ietf.org
In-reply-to: <005201c6ea86$dd069070$1b05a40a@china.huawei.com>
List-help: <mailto:dhcwg-request@ietf.org?subject=help>
List-id: dhcwg.ietf.org
List-post: <mailto:dhcwg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
References: <005201c6ea86$dd069070$1b05a40a@china.huawei.com>
User-agent: Mozilla Thunderbird 1.0.7 (X11/20050923)

Hi Amy,

A few comments that I have :

1. Since the AAA server is interacting with Relay Agent, why do we carry the messages to the server if the authentication is failed? Your solution looks more complex to me in case of Digest Authentication where you carry the challenge response to the server and server justs puts the same in the OFFER. In my opinion, there should be a mechanism where NAS (relay agent) should relay the DHCP message only after the authentication is successful. Say, we use new message types to communicate between Relay agent and DHCP client for the authentication process. NAS can challenge the DHCP client and verify the response through AAA server. Only if it is 'success' it can forward the DISCOVER message to the Server. I know that currently Relay and Client do not communicate directly. But as an eg, even in case of NAS acting as PPP relay agent there are instances where NAS sends LCP requests directly to the client even if it doesn't terminate the PPP. Similar mechanism can be employed here.

2. Section 5.2.1 : You defined type values as "0" and "1". In the description of 'data' you mentioned "if type = 1 ... if type = 2 ...". Change either one of the description

3. In section 6, In basic authentication mechanism, client will put User-based Authentication option only in DISCOVER packet (as per the initial flow chart) and the REQUEST does not contain this option. I think you need to make it clear in first bullet point.

Regards,
Pavan


Amy Zhao wrote:

Hi, All:
We posted a new I-D as follows.
It's a pretty rough draft  and we need your feedback.
Any comments / advices will be highly appreciated!
Thanks!
B.R. Amy
------------------------------
A New Internet-Draft is available from the on-line Internet-Drafts directories.
	Title		: DHCP User-based Authentication
	Author(s)	: Y. Zhao
	Filename	: draft-zhao-dhc-user-authentication-00.txt
	Pages		: 24
	Date		: 2006-10-2
	
This document defines an authentication mechanism to provide an
authentication for a user in an access network by means of dhcp.  The
authentication mechanism described here couples DHCP to an
authentication, authorization and accounting system (AAA), thus
enabling users to supply user credentials for AAA via DHCP.
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-zhao-dhc-user-authentication-00.tx
t
To remove yourself from the I-D Announcement list, send a message to i-d-announce-request at ietf.org with the word unsubscribe in the body of the message. You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce to change your subscription settings.

Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-zhao-dhc-user-authentication-00.txt".

A list of Internet-Drafts directories can be found in http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
Internet-Drafts can also be obtained by e-mail.
Send a message to:
	mailserv at ietf.org.
In the body type:
	"FILE /internet-drafts/draft-zhao-dhc-user-authentication-00.txt".
	
NOTE:	The mail server at ietf.org can return the document in
	MIME-encoded form by using the "mpack" utility.  To use this
	feature, insert the command "ENCODING mime" before the "FILE"
	command.  To decode the response(s), you will need "munpack" or
	a MIME-compliant mail reader.  Different MIME-compliant mail readers
	exhibit different behavior, especially when dealing with
	"multipart" MIME messages (i.e. documents which have been split
	up into multiple messages), so check your local documentation on
	how to manipulate these messages.
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
-------------- next part --------------
Skipped content of type multipart/alternative
------------------------------
_______________________________________________ dhcwg mailing list dhcwg at ietf.org https://www1.ietf.org/mailman/listinfo/dhcwg

_______________________________________________
dhcwg mailing list
dhcwg at ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg

Follow-Ups:
- RE: [dhcwg] [New I-D] DHCP User-based Authentication
  - From: Amy Zhao

References:
- [dhcwg] [New I-D] DHCP User-based Authentication
  - From: Amy Zhao

Prev by Date: RE: [dhcwg] [New I-D] DHCP User-based Authentication
Next by Date: [dhcwg] [DHCPv6] Delayed Authentication Protocol v.s. Reconfigure Key Authentication Protocol
Previous by thread: RE: [dhcwg] [New I-D] DHCP User-based Authentication
Next by thread: RE: [dhcwg] [New I-D] DHCP User-based Authentication
Index(es):
- Date
- Thread