----- Original Message ----
From: Alan DeKok <[EMAIL PROTECTED]>
To: Behcet Sarikaya <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Sent: Tuesday, April 10, 2007 2:59:26 PM
Subject: Re: [Int-area] Re: [dhcwg] Discussion of subscriber authentication
Behcet Sarikaya wrote:
> Hi Hesham,
> Have you read draft-pruss? If you look at Figure 1, it is not replacing
> AAA servers with DHCP servers, DHCP server acts like NAS. I agree that
> DHCP has been overloaded and I think it is this issue that Ralph wants
> discussed.
The DHCP server receives an unsigned, unencrypted packet from some
random device on the net, that could very well be spoofed... and uses
that to initiate a signed, potentially encrypted authentication session
with a AAA server.
I don't think that's a very good idea.
[behcet] agreed
At least with normal AAA access requests there's an underlying session
that the NAS can hang up on, e.g., a dial-up session, PPPoE, TCP
connection, etc. The NAS may have no idea who the caller is, but it can
forcibly boot them off of the network if authentication fails. DHCP
servers have no such power. If someone avoids DHCP, and therefore
avoids this DHCP "authentication", their ability to access the network
is unrestricted.
[behcet]
Disagree. Without an IP address, access to the Internet is restricted. Yes, the
host may have access to the link. 802.11 access points let you associate with
open authentication, but you cannot use the network. It may be the same on DSL
networks.
The host can make a link-local address, both in v4 and v6, but not a global
address.
This proposal complicates the network for limited benefit, and can
easily be worked around. It depends on untrusted clients doing the
"right thing" when they're told authentication has failed, which is an
interesting approach to network security.
[behcet] Authentication failed, no IP address, what more can you do?
Alan DeKok.
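Alan's point that a host which skips DHCP is unrestricted on the link, and Behcet's reply that such a host can still only self-configure a link-local address, together suggest the check an operator would want: compare the addresses actually seen on the access segment against the DHCP lease table. The following is an added example, not code from this thread or from draft-pruss; the lease table, the ARP/ND sightings and the function names are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed DHCP lease table: IP -> MAC of the client that was issued the
# lease (stand-in for what a DHCP server would record after a successful
# DHCP-triggered AAA exchange).
LEASES: Dict[str, str] = {
    "192.0.2.10": "00:11:22:33:44:55",
    "192.0.2.11": "00:11:22:33:44:66",
}

# Constructed ARP/ND sightings from the access segment: (MAC, IP) pairs seen
# as the *source* of traffic. Entries 2 and 3 are self-configured link-local
# addresses (v4 and v6), entry 4 never obtained a lease, and entry 5 reuses a
# leased IP from a different MAC.
SIGHTINGS: List[Tuple[str, str]] = [
    ("00:11:22:33:44:55", "192.0.2.10"),
    ("00:11:22:33:44:77", "169.254.12.34"),
    ("00:11:22:33:44:aa", "fe80::1"),
    ("00:11:22:33:44:88", "192.0.2.50"),
    ("00:11:22:33:44:99", "192.0.2.11"),
]


def classify_sighting(mac: str, ip: str, leases: Dict[str, str]) -> str:
    """Label one sighting: ok, link-local, no-lease or mac-mismatch."""
    addr = ipaddress.ip_address(ip)
    if addr.is_link_local:
        # Expected for a host that never ran DHCP; it cannot reach past the link.
        return "link-local"
    lease_mac = leases.get(ip)
    if lease_mac is None:
        # Routable address in use with no lease: DHCP-based auth was bypassed.
        return "no-lease"
    if lease_mac.lower() != mac.lower():
        # Leased address in use by a different client than the one authenticated.
        return "mac-mismatch"
    return "ok"


def find_unauthenticated_hosts(sightings, leases):
    """Return (mac, ip, reason) for hosts using routable addresses without a matching lease."""
    findings = []
    for mac, ip in sightings:
        reason = classify_sighting(mac, ip, leases)
        if reason in ("no-lease", "mac-mismatch"):
            findings.append((mac, ip, reason))
    return findings


if __name__ == "__main__":
    for mac, ip, reason in find_unauthenticated_hosts(SIGHTINGS, LEASES):
        print(f"{ip} from {mac}: {reason}")
```

In a real deployment the sightings would come from the switch's ARP/ND or MAC tables and the lease table from the DHCP server; hosts flagged here are the ones Alan describes, which DHCP itself cannot remove from the network.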
_______________________________________________
Int-area mailing list
[EMAIL PROTECTED]
https://www1.ietf.org/mailman/listinfo/int-area