Behcet Sarikaya wrote:
> Hi Hesham,
> Have you read draft-pruss? If you look at Figure 1, it is not replacing
> AAA servers with DHCP servers, DHCP server acts like NAS. I agree that
> DHCP has been overloaded and I think it is this issue that Ralph wants
> discussed.
The DHCP server receives an unsigned, unencrypted packet from some random device on the net, that could very well be spoofed... and uses that to initiate a signed, potentially encrypted authentication session with a AAA server. I don't think that's a very good idea.

At least with normal AAA access requests there's an underlying session that the NAS can hang up on, e.g. dial-up session, PPPoE, TCP connection, etc. The NAS may have no idea who the caller is, but it can forcibly boot them off of the network if authentication fails. DHCP servers have no such power. If someone avoids DHCP, and therefore avoids this DHCP "authentication", their ability to access the network is unrestricted.

This proposal complicates the network for limited benefit, and can easily be worked around. It depends on untrusted clients doing the "right thing" when they're told authentication has failed, which is an interesting approach to network security.

Alan DeKok.

_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area
