So I have some questions.

Around 5 years ago when PANA started, there was significant pushback from several IAB members regarding putting network access authentication at the IP layer. The pushback was that network access authentication rightly belongs at the link layer, because the security problem is authentication and authorization for a host to access the link and to allow routing to the Internet. Authorization for obtaining configuration information such as an IP address, DNS server, etc., is a completely different matter and is covered for DHCP by RFC 3118 (though that RFC leaves out the significant issue of key provisioning which is important in public access networks such as hotspots). PANA was chartered anyway, for the same reasons that are being cited now for doing AAA through DHCP, namely that XYZ external body (in that case 3GPP2) with the power to push through deployment (which IETF doesn't have) said they wanted IP level network access authentication to replace PPP.

The first question is, why is this architectural issue any less relevant today than it was when PANA was chartered? Why can't the DSL Forum provide network access authentication at the link layer, the way 802.11 does? "We have all these deployed systems and we can't change them" isn't a valid argument; the same was true with 802.11 when 802.1x was added (though perhaps not as many deployed systems).

PANA completed their work, I haven't been following it for a while so I don't know the publication status of their documents. But presuming they have been approved by the IESG and published, why can't the DSL Forum use PANA?

I will venture a guess here: they don't want to deploy a new protocol. This brings up what, to my mind, is a serious and significant philosophical issue about the IETF. PANA is just one of a number of instances in the last three or four years in which attempts to do new protocols to solve new problems have either been hijacked by people wanting to hack existing protocols or, if the new protocol has been developed, have been ignored by network equipment vendors and thus have failed to be deployed. Isn't it maybe time for the IETF to modify the process whereby new work is chartered, so that no working groups are opened that do new protocols and that all work is restricted to simply modifying and upgrading old protocols? This would save a whole lot of money, both the IETF's and that of the companies who send their people to the meetings and allow them to waste their time on email and draft writing for protocols that don't get deployed. All that money that the IETF and companies spent on PANA was essentially wasted.

           jak


----- Original Message ----- From: "Jari Arkko" <[EMAIL PROTECTED]>
To: "Internet Area" <[EMAIL PROTECTED]>
Sent: Thursday, October 04, 2007 1:22 PM
Subject: [Int-area] DHCP-based authentication for DSL?



We talked about the DSL requirements earlier on this list. Now
they have sent us a liaison statement regarding what they would
like to do:

"At this time, we would like to make the IETF aware that during
our most recent DSL Forum quarterly meeting, the Architecture
and Transport Working Group agreed to seriously consider adopting
a mechanism such as that proposed in draft-pruss-dhcp-auth-dsl-01.txt
or draft-zhao-dhc-user-authentication-02. We understand that the authors
of these specifications intend to produce a combined document soon.
The DSL Forum formally requests that the IETF adopt this as a work
item, and would appreciate being advised of progress as soon as possible.

Our next quarterly meeting is December 10-13, in Lisbon, Portugal."


How do we feel about this? Is this a good idea, considering the DSL
architecture? How will it affect DHCP the protocol? How would
you go about making DHCP extensions so that they work best
for all possible environments and not just DSL? Is anyone
already working on the combined draft promised above? Are
there any other choices that we should recommend instead?

I would like to hold the discussion on this in this list until
we've determined that the DHCP protocol is the right tool
for the job. If it is, we can recharter DHC WG again to add
the actual development work there. (DHC is right now
being rechartered, but that rechartering is mostly a cleanup
and not the addition of functionality to do this.)

Jari



_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area



