It seems that the IETF answer is pretty clear, so let me make a comment on extending IEEE 802.1af.

I believe extending IEEE 802.1af has its own contradiction. If 802.1X frames are allowed to be forwarded across multiple LAN segments in a LAN, then it means that the clients already have, before they are authenticated, full access to the MAC-layer service including bridging service. If we consider an analogy by taking one layer up, it is similar to running network access authentication over IP between pairs of IP hosts in end-to-end fashion while the IP hosts already have full Internet access, which does not make much sense.

Of course, if data packet ciphering is needed at L2 in addition to full access to the MAC-layer service, then it might make sense to define an IPsec-like security architecture over L2 (with an IKE-like protocol for authentication and key management) that works between pairs of L2 devices across multiple LAN segments in a LAN, but I doubt if DSLF really needs data packet ciphering at L2 across multiple LAN segments.

I would suggest that DSLF people think about this architectural aspect before seriously considering an extension of 802.1af.

Best Regards,
Yoshihiro Ohba

On Fri, Oct 19, 2007 at 01:02:49AM -0400, Eric Voit (evoit) wrote:
> Yoshihiro,
> Jari,
>
> I don't have a problem with PANA. It looks like a fine protocol.
>
> Yet the DSL Forum didn't ask for PANA, they asked for DHCP Auth. Twice.
> I believe there are sound operational reasons for why they have done so.
> And I have done my best to reflect some of those during this debate.
>
> Since it has been two weeks, I have reattached at the bottom Jari's
> original request which started this thread. His original question
> remains: do we recharter DHC to do what is being requested?
>
> If the IETF's answer is "no", I would suspect the DSLF will refocus
> itself on extending the nascent 802.1af work instead. Remember, the
> first DSLF liaison statement was also addressed to the IEEE.
>
> IMHO, the IETF needs to soon decide whether it wants to continue the
> protocol leadership it has enjoyed with Broadband and its hundreds of
> millions of PPPoE & DHCP Opt82 subscribers, or pass the baton to the
> IEEE.
>
> Eric
>
>
> > From: Yoshihiro Ohba, October 18, 2007 9:39 PM
> >
> > I was mentioning in terms of the number of combinations of
> > IP address allocation state (no address/non-service
> > address/service address) and authentication state
> > (unauthenticated/authenticated) that may be used for
> > debugging/troubleshooting. But even in terms of state
> > transitions, I don't see much difference. EAP state
> > transitions make no difference. Option 82 makes no
> > difference if option 82 is also inserted in PANA message.
> > DHCP state transitions (excluding those for EAP state
> > transitions) before completion of authentication make no
> > difference. The only difference would be DHCP state
> > transitions after successful authentication in PANA, but I
> > don't really think this is a big deal that can justify
> > significant change to DHCP.
> >
> > Yoshihiro Ohba
> >
> >
>
> -----Original Message-----
> From: Jari Arkko [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 04, 2007 4:22 PM
> To: Internet Area
> Subject: [Int-area] DCHP-based authentication for DSL?
>
>
> We talked about the DSL requirements earlier on this list. Now they have
> sent us a liaison statement regarding what they would like to do:
>
> "At this time, we would like to make the IETF aware that during our most
> recent DSL Forum quarterly meeting, the Architecture and Transport
> Working Group agreed to seriously consider adopting a mechanism such as
> that proposed in draft-pruss-dhcp-auth-dsl-01.txt or
> draft-zhao-dhc-user-authentication-02. We understand that the authors of
> these specifications intend to produce a combined document soon.
> The DSL Forum formally requests that the IETF adopt this as a work item,
> and would appreciate being advised of progress as soon as possible.
>
> Our next quarterly meeting is December 10-13, in Lisbon, Portugal."
>
>
> How do we feel about this? Is this a good idea, considering the DSL
> architecture? How will it affect DHCP the protocol? How would you go
> about making DHCP extensions so that they work best for all possible
> environments and not just DSL? Is anyone already working on the combined
> draft promised above? Are there any other choices that we should
> recommend instead?
>
> I would like to hold the discussion on this in this list until we've
> determined that the DHCP protocol is the right tool for the job. If it
> is, we can recharter DHC WG again to add the actual development work
> there. (DHC is right now being rechartered but that rechartering is mostly
> a cleanup and not the addition of functionality to do this.)
>
> Jari
>
>
_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area
