Re: [dhcwg] Discussion of dhc WG rechartering for DHCP authentication

[Basavaraj Patil <basavaraj.patil at nsn.com>]

Title: Re: [dhcwg] Discussion of dhc WG rechartering for DHCP authentication

Hi Ric,

So I understand that the reason to use DHCP as a means to do the authentication of the subscriber is from the perspective of:

1. Minimal impact to deployed large scale DSL networks
2. Reusing a protocol that is already used in DSL networks rather than having to implement a new protocol because of the deployed base and backwards compatibility
   

I think I understand your predicament a little better now.
I am just wondering if the DSL forum is going down the wrong path by extending DHCP to solve a problem by taking this band-aid approach instead of solving it the right way (whether that is 802.1x, PANA or whatever else).

-Raj

On 11/7/07 1:25 AM, "ext Richard Pruss" <ric at cisco.com> wrote:

> Basavaraj Patil wrote, around 2/11/07 1:49 AM: 
> >  Re: [dhcwg] Discussion of dhc WG rechartering for DHCP authentication 
> > Ric,
> >  
> > That’s not the point. I agree that we do authentication at several layers today. Access auth, SIP auth, etc.
> > But what the I-D is proposing is basically extending DHCP to accomplish access auth.
> > For access auth, there are several mechanisms today. Do we need DHCP to solve the access-auth problem as well?
> >  
> > What is the primary reason/argument for doing access auth via DHCP? Is it an optimization or is it because there is no other way to solve the access auth problem in the domain that you are looking at?
> >  
> There a confluence of two design directions in DSL architecture coming together driving the next generation of IP session requirements in DSL Forum.
>
> One direction comes from small greenfield networks and the move to ethernet, they have been deploying DSL with DHCP and Option 82 line details providing the identity criteria to configure the host but also the L2 and L3 edges.  Most of the DSL BRAS vendors now allow the BRAS to use DHCP attributes trigger configuration retrieval for the BRAS from RADIUS.
>
> The second comes from large long standing PPPoE/PPPoA networks which have massive databases of existing users and want to allow a gradual migration to ethernet service delivery but not require churn in the customer authentication database.
>
> Finally DSL architecture is all about scaling (I guess SP engineering always is) where we have BRAS's with 60K+ subscribers on and millions of users on the network, we try set everything up at the same time and do it once.  To be clear we did not start off by trying to invent something new here, we went through many existing approaches before we got here today.
>
> I think if you take the authentication question in the DSL architecture context, the simple questions that are probably bugging you like "Why did they not just use 802.1x?" might be clearer:
>
> The current recommended DSL Forum architecture is in TR-101: 
> http://www.dslforum.org/techwork/tr/TR-101.pdf 
>
> The current draft of next generation WT-148 is: 
> http://www.arkko.com/ietf/intarea/dsl2006.887.03.doc 
>
> The living list of requirements for authentication for WT-146 is: 
> https://datatracker.ietf.org/documents/LIAISON/file457.doc 
>
> - Ric
>
>
> > -Raj
> >  
> >  
> > On 11/1/07 10:33 AM, "ext Richard Pruss" <rpruss at cisco.com> <mailto:rpruss at cisco.com>  wrote:
> >  
> >   
> > > Authentication is something that happens at every layer with every application. Terminal access was designed without authentication, that does not mean we do it like that today.
> > >  
> > >  I do not think we can take the argument of it was not designed for x as a reason to stay in the past.
> > >  
> > > Regards,
> > > Ric
> > >  
> > > Basavaraj Patil wrote, around 29/10/07 9:42 AM: 
> > >   
> > > >  
> > > > Ralph,
> > > >  
> > > > I think overloading DHCP for access authentication is a bad idea. DHCP was
> > > > not designed for that purpose. I guess I need to communicate this on the
> > > > int-area list. But anyway you know my opinion at least in the DHC WG.
> > > >  
> > > > -Basavaraj
> > > >  
> > > >  
> > > > On 10/19/07 6:05 AM, "ext Ralph Droms" <rdroms at cisco.com> <mailto:rdroms at cisco.com>  <mailto:rdroms at cisco.com>  wrote:
> > > >  
> > > >   
> > > >  
> > > >   
> > > > >  
> > > > > There is a lengthy discussion about rechartering the dhc WG to take
> > > > > on the DHCP authentication proposals in draft-pruss-dhcp-auth-
> > > > > dsl-01.txt and draft-zhao-dhc-user-authentication-02 in the int-
> > > > > area at ietf.org mailing list.  Both of these drafts have been submitted
> > > > > for to the WG for review in the past, and neither, to date, has been
> > > > > accepted as a dhc WG work iterm.  I've included a copy of the initial
> > > > > posting, http://www1.ietf.org/mail-archive/web/int-area/current/
> > > > > msg00957.html, below.  Because this discussion may lead to the
> > > > > rechartering of the dhc WG to take on either or both of these drafts
> > > > > as new work items, those of you not on the int-area mailing list
> > > > > should consider reviewing the e-mail thread and contributing to the
> > > > > discussion.
> > > > >  
> > > > > - Ralph
> > > > >  
> > > > >  
> > > > > =====
> > > > > To: Internet Area <int-area at ietf.org>
> > > > > Subject: [Int-area] DCHP-based authentication for DSL?
> > > > > From: Jari Arkko <jari.arkko at piuha.net>
> > > > > Date: Thu, 04 Oct 2007 23:22:15 +0300
> > > > >  
> > > > >  
> > > > > We talked about the DSL requirements earlier on this list. Now
> > > > > they have sent us a liaison statement regarding what they would
> > > > > like to do:
> > > > >  
> > > > > "At this time, we would like to make the IETF aware that during
> > > > > our most recent DSL Forum quarterly meeting, the Architecture
> > > > > and Transport Working Group agreed to seriously consider adopting
> > > > > a mechanism such as that proposed in draft-pruss-dhcp-auth-dsl-01.txt
> > > > > or draft-zhao-dhc-user-authentication-02. We understand that the authors
> > > > > of these specifications intend to produce a combined document soon.
> > > > > The DSL Forum formally requests that the IETF adopt this as a work
> > > > > item, and would appreciate being advised of progress as soon as
> > > > > possible.
> > > > >  
> > > > > Our next quarterly meeting is December 10-13, in Lisbon, Portugal."
> > > > >  
> > > > >  
> > > > > How do we feel about this? Is this a good idea, considering the DSL
> > > > > architecture? How will it affect DHCP the protocol? How would
> > > > > you go about making DHCP extensions so that they work best
> > > > > for all possible environments and not just DSL? Is anyone
> > > > > already working on the combined draft promised above? Are
> > > > > there any other choices that we should recommend instead?
> > > > >  
> > > > > I would like to hold the discussion on this in this list until
> > > > > we've determined that the DHCP protocol is the right tool
> > > > > for the job. If it is, we can recharter DHC WG again to add
> > > > > the actual development work there. (DHC is right now
> > > > > being rechartered but that recharting is mostly a cleanup
> > > > > and not the addition of functionality to do this.)
> > > > >  
> > > > > Jari
> > > > >  
> > > > >  
> > > > > _______________________________________________
> > > > > dhcwg mailing list
> > > > > dhcwg at ietf.org
> > > > > https://www1.ietf.org/mailman/listinfo/dhcwg
> > > > >     
> > > > >  
> > > > >  
> > > >   
> > > >  
> > > >  
> > > > _______________________________________________
> > > > dhcwg mailing list
> > > > dhcwg at ietf.org
> > > > https://www1.ietf.org/mailman/listinfo/dhcwg
> > > >  
> > > >   
> > > >  
> > >  
> > >  
> >  
> >  




_______________________________________________
dhcwg mailing list
dhcwg at ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg