Eliot
On 23.07.2025 16:53, Alan DeKok wrote:
> On Jul 23, 2025, at 11:26 AM, Alexander Clouter <alex=2Bietf=40coremem....@dmarc.ietf.org> wrote:
>> For where topological information (eg. IP address assignment) is deemed to be within scope.
>
> I would argue that IP address assignment should not be in scope. That would go down the path of replacing DHCP, which seems a bit much to do.
>
>> Only spit balling but maybe there is something we can instead do to extend the TLS binding to carry over to the DHCP. This would then no longer be limited to TEAP, you could maybe even retrofit it to EAP-(T)TLS.
>
> TTLS would need to define a TTLS-specific attribute but sure.
>
>> My thinking is the DHCP client would then include an attribute to the server saying "I expect something binding here tied back to the TLS session of my EAP dance" and the DHCP server would include it as an option in the response. The client decide what to do in the presence (or non-presence) of it based on a local policy.
>
> Hmm... I'll have to think about that.
>
>> With this, you could now do topological (eg. IP) assignment and support DHCP snooping. With the proposal TEAP options approach, there would need to be some additionally special OOB protocol between the switchport and your policy server to communicate these DHCP assignments and make DHCP snooping work in practice. Of course the other option is to leave this at "use this only for assigning the WPAD server" :)
>
> Yes, it would be useful to send these options in the final Access-Accept, too.
>
> Alan DeKok.
>
> _______________________________________________
> Emu mailing list -- emu@ietf.org
> To unsubscribe send an email to emu-le...@ietf.org