Behcet - Your point "Without an IP address access to the Internet is restricted." is true; however, denying assignment of an address using DHCP does not keep a host from getting a global IP address through some other means like manual configuration, snooping the link to determine the appropriate prefix and hijacking an address or (IPv6) address autoconfiguration.
- Ralph

On 4/13/07 11:57 AM, "Behcet Sarikaya" <[EMAIL PROTECTED]> wrote:

> ----- Original Message ----
> From: Alan DeKok <[EMAIL PROTECTED]>
> To: Behcet Sarikaya <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Sent: Tuesday, April 10, 2007 2:59:26 PM
> Subject: Re: [Int-area] Re: [dhcwg] Discussion of subscriber authentication
>
> Behcet Sarikaya wrote:
>> Hi Hesham,
>> Have you read draft-pruss? If you look at Figure 1, it is not replacing
>> AAA servers with DHCP servers, DHCP server acts like NAS. I agree that
>> DHCP has been overloaded and I think it is this issue that Ralph wants
>> discussed.
>
> The DHCP server receives an unsigned, unencrypted packet from some
> random device on the net, that could very well be spoofed... and uses
> that to initiate a signed, potentially encrypted authentication session
> with a AAA server.
>
> I don't think that's a very good idea.
>
> [behcet] agreed
>
> At least with normal AAA access requests there's an underlying session
> that the NAS can hang up on. e.g. Dial-up session, PPPoE, TCP
> connection, etc. The NAS may have no idea who the caller is, but it can
> forcibly boot them off of the network if authentication fails. DHCP
> servers have no such power. If someone avoids DHCP, and therefore
> avoids this DHCP "authentication", their ability to access the network
> is unrestricted.
>
> [behcet]
> Disagree. Without an IP address access to the Internet is restricted. Yes the
> host may have access to the link. 802.11 access points let you associate with
> open authentication but you can not use the network. It may be the same on DSL
> networks.
> The host can make a link-local address both in v4 and v6 but not a global
> address.
>
> This proposal complicates the network for limited benefit, and can
> easily be worked around. It depends on untrusted clients doing the
> "right thing" when they're told authentication has failed, which is an
> interesting approach to network security.
>
> [behcet] Authentication failed, no IP address, what more can you do?
>
> Alan DeKok.
> _______________________________________________
> Int-area mailing list
> [EMAIL PROTECTED]
> https://www1.ietf.org/mailman/listinfo/int-area
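The point Ralph makes above, that a host can get a usable global address without ever talking to the DHCP server, is what an operator relying on "no lease, no access" needs to be able to see. The following is an added illustration, not code from this thread or from draft-pruss: it compares the addresses a DHCP server believes it leased against (MAC, IP) pairs actually observed on the link, the way a switch's DHCP-snooping binding table or an ARP/ND monitor would, and flags the three cases from the message: a statically configured address, an address hijacked from another host's lease, and an IPv6 SLAAC address. The lease table and the observations are constructed sample data; the labels and function names are this example's own.

```python
"""
Audit observed on-link addresses against what DHCP actually handed out.

Constructed example (not from the thread): LEASES is what the DHCP server
believes it assigned; OBSERVED is what ARP/ND traffic on the link shows.
Any observed global address with no backing lease is a host that bypassed
DHCP: static configuration, an address hijacked from a sniffed prefix, or
IPv6 stateless autoconfiguration. Link-local addresses are expected to
appear without DHCP in both v4 and v6 and are reported separately.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    mac: str
    ip: str
    source: str  # constructed label: "arp" or "nd"


# Constructed lease table: (MAC, IP) pairs the DHCP/DHCPv6 server handed out.
LEASES = {
    ("aa:bb:cc:00:00:01", "192.0.2.10"),
    ("aa:bb:cc:00:00:02", "192.0.2.11"),
    ("aa:bb:cc:00:00:03", "2001:db8::1000"),
}

# Constructed observations of (MAC, IP) pairs actually seen on the link.
OBSERVED = [
    Observation("aa:bb:cc:00:00:01", "192.0.2.10", "arp"),               # matches its lease
    Observation("aa:bb:cc:00:00:99", "192.0.2.50", "arp"),               # static config, never leased
    Observation("aa:bb:cc:00:00:02", "192.0.2.10", "arp"),               # using host 01's leased address
    Observation("aa:bb:cc:00:00:03", "fe80::a8bb:ccff:fe00:3", "nd"),    # link-local, needs no DHCP
    Observation("aa:bb:cc:00:00:04", "2001:db8::a8bb:ccff:fe00:4", "nd"),  # SLAAC global, no lease
]


def _normalize(leases):
    """Lower-case MACs and parse IPs so v6 text forms compare correctly."""
    return {(mac.lower(), ipaddress.ip_address(ip)) for mac, ip in leases}


def classify(obs, leases):
    """Label one observation relative to the lease table."""
    addr = ipaddress.ip_address(obs.ip)
    mac = obs.mac.lower()
    if addr.is_link_local:
        return "link-local"  # 169.254/16 or fe80::/10: obtainable without DHCP, not global
    if (mac, addr) in leases:
        return "leased"  # exactly what the server assigned to this MAC
    if any(ip == addr for _, ip in leases):
        return "hijacked"  # address belongs to a different MAC's lease
    return "unleased"  # static configuration or SLAAC: DHCP never issued it


def audit(observations, leases):
    """Group observed (mac, ip) pairs by label; the non-'leased' groups are the findings."""
    table = _normalize(leases)
    report = {"leased": [], "hijacked": [], "unleased": [], "link-local": []}
    for obs in observations:
        label = classify(obs, table)
        report[label].append((obs.mac.lower(), str(ipaddress.ip_address(obs.ip))))
    return {label: sorted(pairs) for label, pairs in report.items()}


if __name__ == "__main__":
    for label, pairs in audit(OBSERVED, LEASES).items():
        for mac, ip in pairs:
            print(f"{label:10} {mac} {ip}")
```

Only the "hijacked" and "unleased" groups indicate hosts that sidestepped the DHCP-based authentication the thread is debating; "link-local" entries confirm Behcet's point that such addresses appear regardless, and a binding table that enforces on the leased set (as IP source guard style features do) is what actually turns "no lease" into "no access" on the link.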
