I believe extending IEEE 802.1af has its own contradiction.  If 802.1X
frames are allowed to be forwarded across multiple LAN segments in a
LAN, then it means that the clients already have, before they are
authenticated, full access to the MAC-layer service including bridging
service.

IEEE 802.1af has discussed allowing unicast destinations in IEEE 802.1X
wired frames, similar to what is already done in IEEE 802.11i.  If that is
adopted, then the forwarding issue is moot.  Even with multicast
destinations I would not assume that arbitrary forwarding is allowed;
existing implementations forward only to a specific designated authenticator.

I would also note that IEEE 802.1af is discussing "discovery" extensions very
similar to what exists in PPPoE.

Of course, if data packet ciphering is needed at L2 in addition to full access to the
MAC-layer service, then it might make sense to define an IPsec-like
security architecture over L2 (with an IKE-like protocol for
authentication and key management) that works between pairs of L2
devices across multiple LAN segments in a LAN.

That is within the charter of IEEE 802.1af, which is about providing keying material for IEEE 802.1ae (e.g. "encrypted Ethernet").
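As an added illustration of the forwarding question raised above (example code written for this page, not from the thread or any IEEE draft): a small Python parser for 802.1X EAPOL frames that reports whether the destination address falls in the IEEE 802.1D reserved block that MAC bridges never forward, which is why EAPOL sent to the PAE group address stays on one link while a unicast-addressed EAPOL frame would be relayed like any other frame. It assumes the PAE group address 01-80-C2-00-00-03 and a plain standards-conforming bridge; real switches with 802.1X enabled usually consume EAPOL on the ingress port, which this simplified model does not capture.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
# IEEE 802.1X PAE group address. It lies in the reserved block
# 01-80-C2-00-00-00 .. 01-80-C2-00-00-0F that IEEE 802.1D MAC bridges
# must not forward, so frames sent to it never leave the local link.
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")
RESERVED_PREFIX = bytes.fromhex("0180c20000")  # first five octets of the block

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}


def build_eapol(dst: bytes, src: bytes, ptype: int, body: bytes = b"") -> bytes:
    """Build an Ethernet II frame carrying EAPOL (protocol version 1)."""
    return dst + src + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, ptype, len(body)) + body


def parse_eapol(frame: bytes):
    """Return a dict describing an EAPOL frame, or None if it is not EAPOL.
    Layout: dst(6) src(6) ethertype(2) version(1) type(1) body-length(2) body."""
    if len(frame) < 18:
        return None
    dst, src = frame[:6], frame[6:12]
    ethertype, version, ptype, blen = struct.unpack("!HBBH", frame[12:18])
    if ethertype != EAPOL_ETHERTYPE or len(frame) - 18 < blen:
        return None  # not EAPOL, or the body is truncated
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "version": version,
        "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
        "group": bool(dst[0] & 0x01),
        "bridge_filtered": dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F,
    }


def crosses_segments(frame: bytes) -> bool:
    """True if a standards-conforming 802.1D bridge would relay this EAPOL
    frame to other LAN segments (destination not in the reserved block)."""
    info = parse_eapol(frame)
    if info is None:
        raise ValueError("not an EAPOL frame")
    return not info["bridge_filtered"]


# Constructed sample frames (not captured traffic); locally administered MACs.
SUPPLICANT = bytes.fromhex("020000000001")
AUTHENTICATOR = bytes.fromhex("020000000002")
START_TO_GROUP = build_eapol(PAE_GROUP_ADDR, SUPPLICANT, 1)
EAP_TO_UNICAST = build_eapol(AUTHENTICATOR, SUPPLICANT, 0, b"\x02\x01\x00\x05\x01")

if __name__ == "__main__":
    for f in (START_TO_GROUP, EAP_TO_UNICAST):
        i = parse_eapol(f)
        print(f"{i['type']:<12} dst={i['dst']} bridged_beyond_link={crosses_segments(f)}")
```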

_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area