Re: The Emperor Has No Clothes: Is PANA actually useful?

* Bernard Aboba:

>> My question is more why do they need EAP in situations where they are
>> not running at the link layer than why do they want or not want PANA.
>
> The simple answer is that there are situations which IEEE 802.1X cannot 
> handle on wired networks.  As specified, IEEE 802.1X is "network port 
> control", which means that authorization is controllable only at the port 
> level.  If there is more than one host connected to a switch port, then 
> that model no longer applies. 

Isn't this just a "don't do that, then" scenario?  Plugging in a hub
tends to undermine much of the accountability 802.1X is supposed to
provide.

Anyway, 802.1X is terminally broken because end users can rewire that
port and bypass security policies (put a laptop with bridging software
onto it, plug in a hub, and so on).  It's very hard to solve this
problem at a sub-IP layer because you need an ARP replacement which is
tied to the port (physical layer) and IP routing (network layer) at
the same time, and in a secure fashion.  And without some cryptography
on the payload, you still won't be able to tell two hosts on the same
port apart.

My personal conclusion from this mess is to give up trying to make the
sub-IP layers secure, but start directly at the IP layer.

_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
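The exchange above turns on one assumption: 802.1X authorizes a port, and once the port is open every frame arriving on it is treated as the supplicant's, so a hub or a bridging laptop lets other hosts ride on that authorization. A cheap, defender-side check for that condition is to read the switch's learned MAC table and flag access ports with more than one source address. The script below is an added example, not code from the thread or from any IETF document; the table text is constructed sample data laid out in the style of a `show mac address-table` listing (the exact column layout and the uplink exclusion list are assumptions for this example).

```python
"""Flag switch ports on which more than one host has been learned.

Rationale: 802.1X is port-based network access control.  If several MACs
appear on one authorized access port, the one-host-per-port assumption
that 802.1X relies on no longer holds (hub, bridging laptop, etc.), and
that port deserves a look.

SAMPLE_MAC_TABLE is CONSTRUCTED data for this example; the column layout
imitates a typical MAC-address-table listing but is an assumption.
"""

import re
from collections import defaultdict

SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4456    DYNAMIC     Gi1/0/2
  10    0011.2233.4457    DYNAMIC     Gi1/0/2
  10    0011.2233.4458    DYNAMIC     Gi1/0/2
  20    00aa.bbcc.ddee    DYNAMIC     Gi1/0/3
  20    00aa.bbcc.ddef    STATIC      Gi1/0/24
"""

# One data row: vlan, dotted-hex MAC, learning type, port name.
ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\w+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)

# Uplink/trunk ports legitimately carry many MACs and are excluded.
# Constructed list for this example; a real deployment would derive it
# from the switch configuration.
UPLINK_PORTS = {"Gi1/0/24"}


def parse_mac_table(text):
    """Return (vlan, mac, type, port) tuples, ignoring header/separator lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m["vlan"]), m["mac"].lower(),
                         m["type"].upper(), m["port"]))
    return rows


def macs_per_port(rows, excluded=UPLINK_PORTS):
    """Map each non-uplink port to the set of MACs learned on it."""
    seen = defaultdict(set)
    for _vlan, mac, _typ, port in rows:
        if port not in excluded:
            seen[port].add(mac)
    return dict(seen)


def multi_host_ports(rows, excluded=UPLINK_PORTS):
    """Access ports where more than one host shares a single authorized port."""
    return {port: sorted(macs)
            for port, macs in macs_per_port(rows, excluded).items()
            if len(macs) > 1}


if __name__ == "__main__":
    flagged = multi_host_ports(parse_mac_table(SAMPLE_MAC_TABLE))
    for port, macs in flagged.items():
        print(f"{port}: {len(macs)} hosts behind one authorized port: "
              + ", ".join(macs))
```

Run periodically against real table output, this gives a simple alert for the "plug in a hub" case; it does not solve the stronger problem raised in the reply (distinguishing two hosts on one port without cryptography on the payload), it only surfaces where the port model has already been violated.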

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.