I just want to clarify a few points that I think are being misunderstood.

1) Most modern broadband services that utilize DHCP instead of PPPoE do not allow a subscriber to statically configure their IP address. This is prevented via the BRAS/NAS that is the subscriber's default gateway, which may be acting as a DHCP relay, proxy or server. The BRAS will not install a forwarding entry for a subscriber that it has not learned through the DHCP process. Forwarding entries are then built based on the assigned IP address and the requesting MAC.

2) I brought this up in Prague, but I will repeat it here. Service providers are using DHCP for authentication today. They are just using it in a primitive form. They rely on the inserted Opt 82 information to identify the subscriber to RADIUS.

3) Service providers typically do not want to allow configuration of a client until they are authenticated. Often because they will provide alternate configuration depending on their identification.

4) The goal of draft-pruss-dhcp-auth-dsl is to provide an option for service providers to maintain their investment in their current AAA infrastructures with little or no changes to them. I don't believe it is intended to alter DHCP server implementations, but rather proxy/relays/servers that are implemented in BRAS platforms. I suppose this is really the area for debate.

5) Client-side implementations that would require modification are typically in the control of the service provider. They may be a managed residential gateway, or a DSL modem. User-owned equipment is typically not allowed to authenticate the PPPoE session today; I would see this as being no different.

Regards,
Curtis Sherbo

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Friday, April 13, 2007 9:18 AM
To: Behcet Sarikaya
Cc: [EMAIL PROTECTED]
Subject: Re: [Int-area] Discussion of subscriber authentication

Behcet Sarikaya wrote:
> If someone avoids DHCP, and therefore avoids this DHCP
> "authentication", their ability to access the network is unrestricted.
> [behcet]
> Disagree. Without an IP address access to the Internet is restricted.

DHCP is *advisory*. The clients that do DHCP could just as well configure a static IP, and get network access.

> [behcet] Authentication failed, no IP address, what more can you do?

Sniff the local net. Find an unused IP. Configure it.

Configuring static IPs is impossible only if the switch filters traffic. i.e. It blocks all network traffic except for DHCP, until the DHCP IP has been allocated.
Once the IP has been allocated, it only permits traffic that uses that source IP. This is not, as yet, a common configuration for a switch.

Alan DeKok.

_______________________________________________
Int-area mailing list
[EMAIL PROTECTED]
https://www1.ietf.org/mailman/listinfo/int-area
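
An added illustration, not part of either message or of any vendor's code: a minimal model of the filtering discussed in the thread, where a port passes only DHCP until an address is assigned and afterwards forwards only frames whose source matches the learned IP and MAC. The class, field names, port label and addresses are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    port: str
    src_mac: str
    src_ip: str
    is_dhcp: bool = False  # simplification: real devices classify on UDP 68 -> 67


class DhcpSourceFilter:
    """Per-port binding table: forward only what DHCP has assigned."""

    def __init__(self):
        self.bindings = {}  # port -> (mac, ip) learned from the DHCP exchange

    def learn(self, port, mac, ip):
        # Called when the relay/proxy/server sees the address assigned to this port.
        self.bindings[port] = (mac, ip)

    def release(self, port):
        # Lease released or expired: the port falls back to DHCP-only.
        self.bindings.pop(port, None)

    def permits(self, frame):
        if frame.is_dhcp:
            return True  # DHCP is always let through so a client can get a lease
        # No binding yields None, which never equals a (mac, ip) tuple.
        return self.bindings.get(frame.port) == (frame.src_mac, frame.src_ip)


def demo():
    f = DhcpSourceFilter()
    mac = "02:00:00:00:00:01"  # constructed, locally administered MAC
    results = [
        f.permits(Frame("port1", mac, "0.0.0.0", is_dhcp=True)),  # DHCP request
        f.permits(Frame("port1", mac, "192.0.2.50")),  # static IP, no lease yet
    ]
    f.learn("port1", mac, "192.0.2.10")
    results.append(f.permits(Frame("port1", mac, "192.0.2.10")))  # assigned address
    results.append(f.permits(Frame("port1", mac, "192.0.2.50")))  # unassigned source
    f.release("port1")
    results.append(f.permits(Frame("port1", mac, "192.0.2.10")))  # after lease ends
    return results


if __name__ == "__main__":
    print(demo())
```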
