Re: [dhcwg] draft-pruss-dhcp-auth-dsl-00.txt
On Mar 21, 2007, at 2:45 PM, MORAND Lionel RD-CORE-ISS wrote:
> So at least, it seems that there is consensus that something is
> missing in dhcp-based environment for network access control, that
> was not (really) the case several months ago ;)
I don't think you can say that. Dave Thaler actually made a really
nice presentation this morning about his configuration draft, and one
of the points he reiterated, which has been a theme for the DHCP
community pretty much since day one, is that you *can't* control
access to the network using the DHCP protocol.
The reason that I think that the CHAP-over-DHCP option has merit is
because it's being used to authenticate not network access itself,
but rather the identifier that is being used to control the specific
parameter set assigned to the client. Nothing about this protocol
is actually an access control mechanism other than by accident - if
you can't provide valid identification for your configuration key,
the server can't give you a configuration. You can still manually
configure; it probably won't work because stuff happening at layers
two and three won't get configured by the NAS. But fundamentally
this isn't an access control system - it's a system for matching an
authenticated key to a configuration. It only controls access if
other elements in the network that aren't described in this draft
(and should not be) effect some sort of access control.
> Finally, I have a specific question: should the dhcp-based
> authentication solution be considered either as a "patch" solution
> for dhcp-based dsl networks, fulfilling some short-term security
> requirements not covered by other solutions, or as the ultimate
> solution for providing network access control in any dhcp-based
> environment?
As a disinterested third party, my opinion is that this is a
transitional protocol, not a solution. I think it should be
presented that way, not as a final answer to the authentication
problem. The WG has been down the path of doing PANA and EAP over
DHCP in the past, and we've never gotten to the point of seeing a
proposal that we could make sense of; if you take away all the EAP
baggage from this suggestion, it seems reasonable to me, but it does
not seem like a solution to the network access problem - it seems
like a solution to the problem of making the transition from a PPPoE
+AAA configuration system to a DHCP-based configuration system.
_______________________________________________
dhcwg mailing list
dhcwg at ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg