Re: [dhcwg] Discussion of dhc WG rechartering for DHCP authentication
Alper Yegin wrote, around 2/11/07 10:50 PM:
> How is setting up a different filter on the devices that already know how to
> set up filters considered a "considerable re-work"? I'd appreciate it if you can
> tell us how this is anything more than simply setting up a filter rule.
The devices currently install these filters based on DHCP snooping. In
our proposal, the current architecture's use of the DHCP ack will still
trigger the source address verification on the first network hop, exactly
as they do today.
With PANA, these devices, which are the whole of the transmission edge,
would all need to get a new PANA-snooping-enabled code base, with all
the filtering use cases around that. New ideas like authenticated and
unauthenticated IP addresses and policy for those need to be hooked to
new filters that operate on IP streams. A snooping version of PANA or
some sort of PANA grafting to a policy distribution mechanism.
That is more new stuff than I care to count, and it can charitably be called
"considerable re-work"; more, it should be pretty obvious that Ethernet
security is not the application for PANA. This application is deeply
entwined with layer 2; PANA is clearly aimed at IP authentication and is
not a layer 2 or, in the DHCP Auth case, layer 2.5 application.
I wonder why you keep driving this square peg into a round hole. The
first entry of the PANA FAQ is that PANA is layer 2 agnostic and you
seem determined to undo that.
http://www.toshiba.com/tari/pana/pana-faq.txt
- Ric
_______________________________________________
dhcwg mailing list
dhcwg at ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg