On Aug 15, 2007, at 06:29, Wes Beebee (wbeebee) wrote:
> DHCPv6 is useful when MSOs want to control which CPEs get
> addresses and which do not. It provides a simple way to do access
> control on a network.
EAP is a better way to do that. DHCPv6 is more useful for
controlling which CPE gets what addresses from a centrally
administered network service. I just don't see how that solves any
*real* problems; that's all. Why should it matter what address each
CPE interface is assigned, as long as it's reachable, authenticated,
authorized and accounted? (Answer: because there are lazy people
using interface addresses as CPE device identifiers in security
protocols, when there are perfectly good alternatives in IPv6 that
have the added virtue of actually functioning properly.)
As near as I can tell, the one architecturally goodish thing DHCPv6
has going for it is prefix delegation. There's no way to do that
with straight router advertisements; more's the pity. (Once again,
IETF stopped short of redesigning the full Appletalk protocol stack,
which supported ad-hoc routed internets, sort of... but, alas, I'm
beginning to degenerate.)
> Could a hacked-up rogue system still manage to get on? Probably -
> but at least it bars casual users from getting on a network that
> they're not supposed to.
Probably? Try: absolutely.
I could tell you how I used a commercial off-the-shelf product at
IETF 69 to bypass the hotel's stupid method of using DHCP to prevent
me from interposing my Wi-Fi NAT gateway into the in-room Internet
service. It's a supported feature of the product I used, expressly
marketed to customers for the purpose of making it easy for casual
users to do this. If they had used an appropriate technology, it
wouldn't have mattered whether I was using a bridge or a router or I
was directly connected, and they would have still been assured that
only my one computer was permitted to access their network. Instead,
they were relying on my good will not to run an open Wi-Fi AP and
allow everybody in the rooms around me to share my access.
Operators who depend on DHCPv6 alone to deter users from accessing
their networks with unauthorized devices are just going to end up
peeving their paying customers with needless interoperability
complexity. Some operators have already discovered this, and they've
now stopped using DHCP as an access control mechanism.
--
james woodyatt <[EMAIL PROTECTED]>
member of technical staff, communications engineering
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------