[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[dhcwg] draft-pruss-dhcp-auth-dsl-00.txt

To: dhcwg at ietf.org
Subject: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt
From: Yoshihiro Ohba <yohba at tari.toshiba.com>
Date: Fri, 02 Mar 2007 15:28:44 -0500
List-help: <mailto:dhcwg-request@ietf.org?subject=help>
List-id: dhcwg.ietf.org
List-post: <mailto:dhcwg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
User-agent: Mutt/1.5.13 (2006-08-11)

Hi,

Let me ask the same fundamental question that I asked before for a
similar draft related to DHCP and authentication.

Is this WG chartered for developing a solution for network access
authentication and authorization other than developing authentication
mechanisms for DHCP?

I am asking this because Introduction of
draft-pruss-dhcp-auth-dsl-00.txt says:

"
   This document defines DHCP Options and procedures that allow for a
   CHAP-based authentication exchange to occur in DHCP in order to
   enable smooth migration from PPP sessions to IP sessions in a DSL
   Broadband network environment.  Primary goals are integration of
   authentication in such a way that it will operate seamlessly with
   existing RADIUS-based AAA infrastructure and ATM or Ethernet based
   DSL Networks.  As such, only the termination points of PPP in the DSL
   network are affected, both of which are devices that would logically
   need to be updated in any transition from PPP to IP sessions.
"

Also, I fail to see a reason for IETF to work on combining DHCP and
network access authentication even as experimental and for the purpose
of the primary goals stated above.  I believe that the primary goals
can be achieved by simply using PANA running EAP-MD5 between HGW and
NAS.  In this case, NAS is acting as EAP authenticator co-located with
EAP server for EAP-MD5, where the EAP server is acting as a protocol
translator that converts credentials carried in EAP-MD5 into RADIUS
attributes or field (i.e., CHAP-Password and CHAP-Challenge or RADIUS
Request Authenticator field) used for carrying CHAP credentials, and
vise versa.  If an algorithm other than MD5 is used for CHAP, it is
also possible to define an experimental EAP method to interwork with
non-MD5 CHAP algorithms and again let the EAP server on the NAS act as
a protocol translator.  I think these workarounds are sufficient to
work with existing RADIUS-based AAA infrastructure and ATM or Ethernet
based DSL Networks and still allows smooth migration from PPP session
to IP session with EAP.

The bottomline is, host configuration and network access
authentication are two different problems that are better solved by
separate protocols.

Regards,
Yoshihiro Ohba

_______________________________________________
dhcwg mailing list
dhcwg at ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg

Follow-Ups:
- Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt
  - From: Richard Pruss

Prev by Date: RE: [dhcwg] DUID on a Virtual Host
Next by Date: [dhcwg] I-D ACTION:draft-ietf-dhc-dhcpv6-srsn-option-01.txt
Previous by thread: [dhcwg] I-D ACTION:draft-ietf-dhc-agent-vpn-id-04.txt
Next by thread: Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt
Index(es):
- Date
- Thread