
Re: [dhcwg] [New I-D] DHCP User-based Authentication



I also read through the draft. Some thoughts..

- Typically, the relay-server link is secured and doing the AAA centrally
  in the server sounds more sensible anyway, as you have fewer ACLs needed
  for the AAA server access, and in general can have the AAA server far away
  from relays. Is there some real case due to which doing this in the relay
  makes more sense? (and no, "NAS deployment models do this with other
  protocols" isn't justification)

- As others noted, EAP is the way to go for this kind of stuff in general,
  not much point in adding it here too? PANA, PPPoX, and even IKE can
  leverage EAP, reinventing wheels isn't fun.

- If we wanted to add it here, specifying MD5 in this day and age sounds
  rather naive - it can be argued to be a broken hash algorithm.

- "Basic authentication" sounds about as good as no authentication, as far
  as security goes - if someone can snoop on the wire, you're hosed. The
  reason the "basic authentication" in WWW is successful is (I posit)
  mostly due to being able to leverage SSL/TLS as transport, after which it
  is just a somewhat distasteful matter of sharing the password with an
  identified remote party (remember, SSL/TLS _has_ authentication of server
  via certificate, but your scheme for DHCP does not authenticate the
  relay)

All in all? I'd recommend forgetting about it, or alternatively crafting
ugly EAP-o-DHCP to compete with the EAP-o-UDP of PANAland? I doubt it'd be
within charter either, though, due to disclaimer of ".. not duplicate
existing mechanism" in the charter.

Anyway, using an existing extensible auth arch over crafting a new one would
be clearly preferable..

-Markus
