It's really difficult for me to understand the main objective of this discussion...
Based on the fact that no standard solution for user/device access authentication was available for early deployment of ethernet-based DSL networks, some ad-hoc solutions were proposed. One of them was to rely on the line identification to perform some "implicit" user authentication. This mechanism was using the DHCP option 82 (inserted by a DHCP relay in the same DSL access network) to convey line related information to AAA infrastructure. Migrating from a traditional PPP based networks to a pure IP-based access environment, the DSL Forum was looking for a more secure network access authentication. At this stage (about 2 years ago), several candidate protocols were listed, and PANA was one of them. If I remember correctly, PANA was fulfilling "most" of (if not "all") the DSL security requirements, based on an evalutaion grid provided by the DLS Forum. The main inconvenient of PANA (if I correctly remember) at this time was that the protocol specification was judged not mature enough to serve as a basis for further work. Now, one "could" say that the PANA protocol specification is "quite" stable as a Proposed Standard RFC is available ;) Therefore, the question is quite simple: why do not simply reconsider the use of PANA in DSL environment? The proposed alternative, i.e. DHCP-based authentication, that is for the moment only an individual submission at IETF, will have anyway impacts on the DHCP client, the DHCP server and DSL network node behaviours if the goal is to have EAP in DHCP. And the proposed alternative do not explain why the current possible solution(s) don't fulfil the DSL Forum requirements... And I'm not sure that there is a direct link between the existing use of the DHCP option 82 in DSL network leads seamlessly to DHCP-EAP... At least, a pragmatic approach within IETF would be to see how PANA can fulfill DSL forum security requirements, see if there is some functionality gaps, see if this gap could be fulfilled with within PANA or with possible add-on solutions and if not, see other alternatives should be investigated. Only because IETF has already defined "the Protocol for Carrying Authentication for Network Access (PANA), a network-layer transport for Extensible Authentication Protocol (EAP) to enable network access authentication between clients and access networks." Lionel > > -----Original Message----- > From: Jari Arkko [mailto:[EMAIL PROTECTED] > Sent: Thursday, October 04, 2007 11:22 PM > To: Internet Area > Subject: [Int-area] DCHP-based authentication for DSL? > > > We talked about the DSL requirements earlier on this list. Now > they have sent us a liaison statement regarding what they would > like to do: > > "At this time, we would like to make the IETF aware that during > our most recent DSL Forum quarterly meeting, the Architecture > and Transport Working Group agreed to seriously consider adopting > a mechanism such as that proposed in draft-pruss-dhcp-auth-dsl-01.txt > or draft-zhao-dhc-user-authentication-02. We understand that > the authors > of these specifications intend to produce a combined document soon. > The DSL Forum formally requests that the IETF adopt this as a work > item, and would appreciate being advised of progress as soon > as possible. > > Our next quarterly meeting is December 10-13, in Lisbon, Portugal." > > > How do we feel about this? Is this a good idea, considering the DSL > architecture? How will it affect DHCP the protocol? How would > you go about making DHCP extensions so that they work best > for all possible environments and not just DSL? Is anyone > already working on the combined draft promised above? Are > there any other choices that we should recommend instead? > > I would like to hold the discussion on this in this list until > we've determined that the DHCP protocol is the right tool > for the job. If it is, we can recharter DHC WG again to add > the actual development work there. (DHC is right now > being rechartered but that recharting is mostly a cleanup > and not the addition of functionality to do this.) > > Jari > > > > _______________________________________________ > Int-area mailing list > [email protected] > https://www1.ietf.org/mailman/listinfo/int-area > > _______________________________________________ Int-area mailing list [email protected] https://www1.ietf.org/mailman/listinfo/int-area
