Alan DeKok wrote:
Behcet Sarikaya wrote:
Hi Hesham,
Have you read draft-pruss? If you look at Figure 1, it is not replacing
AAA servers with DHCP servers, DHCP server acts like NAS. I agree that
DHCP has been overloaded and I think it is this issue that Ralph wants
discussed.

  The DHCP server receives an unsigned, unencrypted packet from some
random device on the net, that could very well be spoofed... and uses
that to initiate a signed, potentially encrypted authentication session
with a AAA server.
I think you have misunderstood the draft; possibly I was not clear enough. Two points of clarification for your concerns:

1. In the draft the DHCP server is the NAS, and it has a layer 2 restricted relationship with the device offering credentials. There is no technical difference between where this is running and where PPPoE is used; the only difference is that after authentication, services like multicast can be introduced from Layer 2 devices before the NAS, which is why providers want to move from PPPoE.

2. In the second option in the draft one may run EAP over DHCP, which can be encrypted and signed to your heart's content.

-Ric

  I don't think that's a very good idea.

  At least with normal AAA access requests there's an underlying session
that the NAS can hang up on.  e.g. Dial-up session, PPPoE, TCP
connection, etc.  The NAS may have no idea who the caller is, but it can
forcibly boot them off of the network if authentication fails.  DHCP
servers have no such power.  If someone avoids DHCP, and therefore
avoids this DHCP "authentication", their ability to access the network
is unrestricted.

  This proposal complicates the network for limited benefit, and can
easily be worked around.  It depends on untrusted clients doing the
"right thing" when they're told authentication has failed, which is an
interesting approach to network security.

  Alan DeKok.

_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area