[Int-area] pruss-dhcp-auth-dsl-02 review
"Alper Yegin" <alper.yegin@yegin.org> Mon, 03 December 2007 01:37 UTC
Return-path: <int-area-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Iz0FG-0002Tx-5O; Sun, 02 Dec 2007 20:37:14 -0500
Received: from int-area by megatron.ietf.org with local (Exim 4.43) id 1Iz0FE-0002Pg-Us for int-area-confirm+ok@megatron.ietf.org; Sun, 02 Dec 2007 20:37:12 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Iz0FE-0002N4-JI for int-area@ietf.org; Sun, 02 Dec 2007 20:37:12 -0500
Received: from mout.perfora.net ([74.208.4.195]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Iz0FE-0006u5-4V for int-area@ietf.org; Sun, 02 Dec 2007 20:37:12 -0500
Received: from IBM52A5038A94F ([207.236.117.226]) by mrelay.perfora.net (node=mrus0) with ESMTP (Nemesis) id 0MKp8S-1Iz0F82uwY-0008GZ; Sun, 02 Dec 2007 20:37:11 -0500
From: Alper Yegin <alper.yegin@yegin.org>
To: int-area@ietf.org
Date: Mon, 03 Dec 2007 03:36:57 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
In-Reply-To: <474ECA5A.70007@piuha.net>
Thread-Index: Acgyks3V2ErQdnxSSp2MQqMfNuT9JQBqorrA
Message-Id: <0MKp8S-1Iz0F82uwY-0008GZ@mrelay.perfora.net>
X-Provags-ID: V01U2FsdGVkX1+kKo+iv8Sp8D1MP/022H396YypPVxqa8YqdBT 5VROtY+oeuiYoQdLa6pcFcyJfHoUFHcD50TlvJTiT4VzrAKYma lNx6rjcrxAu/Vr3jKLtcg==
X-Spam-Score: -0.0 (/)
X-Scan-Signature: cd26b070c2577ac175cd3a6d878c6248
Cc:
Subject: [Int-area] pruss-dhcp-auth-dsl-02 review
X-BeenThere: int-area@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/int-area>
List-Post: <mailto:int-area@lists.ietf.org>
List-Help: <mailto:int-area-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=subscribe>
Errors-To: int-area-bounces@lists.ietf.org
Here is my review comments on this I-D. Putting aside all the issues that have been already raised, just concentrating on the text in this I-D... - DHCP client on "home network devices" scenario missing, despite clear indication in the I-D that this is a valid scenario. - In Figure 1, is there a DHCP relay on both AN and NAS? If only NAS has it, can the AN still insert DHCP option 82? - Figure 2 cannot deliver IP address to HGW via DHCPOFFER as the IP address is only known after the RADIUS Access Accept. But this violates RFC 2131, as DHCPOFFER must provide the IP address. - In Figure 3, NAS inserts CHAP option in the DHCPOFFER. I don't think DHCP relays are allowed to inject options towards the DHCP clients. - In Figure 3, DHCP server receives the DHCPREQUEST but does not respond to it. NAS (DHCP relay) becomes the entity that generates DHCPACK/NAK. This totally breaks DHCP. - Multi-round DHCPEAP is wedged into the current DHCP state machine, effectively altering it. - In Figure 4, EAP retransmission can cause the DHCP server to transmit unsolicited DHCPEAP. This again breaks the usual request-response type DHCP state machine. - Regarding Figure 4, I-D states: The message following this exchange is a DHCP Offer, sent unchanged by the Server. That's not true, as the DHCPOFFER carries EAP result. - In Figure 5, NAS (DHCP relay) is generating a DHCP message. This is not compliant with DHCP. - In Figure 5, when the NAS receives a retransmitted EAP message over RADIUS, what should it do? Would it send the DHCP client an unsolicited DHCP message from DHCP relay? - In Figure 5, how is the EAP re-authentication initiated by the AAA server handled? - With the DHCP relay generating messages and otherwise adding options in both ways, end-to-end model is broken. RFC 3118 cannot be used. - In Figure 5, DHCP relay "caches" the DHCPDISCOVER message, goes on with a multiple round-trips of DHCPEAP with the client, and then "releases" the DHCPDISCOVER message towards the DHCP server. Very strange behavior.......... - In Figure 5, DHCP server never sees DHCPREQUEST. Because DHCPREQUEST is consumed by the DHCP relay. This is just broken. - How does this solution guarantee orderly delivery of EAP payloads? - IETF would not standardize anything with MD5. This was already said, not sure why this is still hanging around. We had published an I-D for securing DHCP using EAP-generated keys. draft-yegin-eap-boot-rfc3118. As you can see, that does not require mixing up DHCP and EAP protocols. Overall, this proposal suffers the obvious consequences that'd arise when one stacks up two distinctly unrelated protocols where - State machines do not match - End-points do not match - Call flows do not match - External interactions do not match These are fundamental issues... Alper _______________________________________________ Int-area mailing list Int-area@lists.ietf.org https://www1.ietf.org/mailman/listinfo/int-area
- [Int-area] DHCP auth: comments on pruss-dhcp-auth… Jari Arkko
- [Int-area] Re: DHCP auth: comments on pruss-dhcp-… Richard Pruss
- [Int-area] pruss-dhcp-auth-dsl-02 review Alper Yegin
- [Int-area] Re: DHCP auth: comments on pruss-dhcp-… Jari Arkko
- [Int-area] Another review of pruss-dhcp-auth-dsl-… Bernard_Aboba
- Re: [Int-area] Re: DHCP auth: comments on pruss-d… Mark Townsley
- Re: [Int-area] Another review of pruss-dhcp-auth-… Richard Pruss