Peter Arberg wrote:
[...]
> To me the question is not as much between PANA, 802.1x or DHCP,
> it is more about, DHCP option 82 based authentication is used
> today, and working, so only in the case where ISPs start placing
> the access nodes in non secure locations does a subscriber CPE
> authentication make sense, and then in that case what should it be?
>
> DHCP option 82 authentication when access nodes are in secure
> locations and DHCP authentication as proposed in the "pruss-draft"
> when a need is to rely on the CPE information for
> authentication sounds like the best option to me.

It's not as simple as just putting credentials into option 82 though.
For one thing there are strict limits on the size of DHCP messages that
will limit what EAP or other mechanisms you can use. When the EAP MTU
is too small for the EAP message, you need multiple requests and
responses to transport the message. This is not possible without major
DHCP changes. Hence you are not free to use what EAP mechanisms or
credentials you like without major changes to DHCP. While with say PANA
you could do that.

DHCP is a fairly complicated protocol and we should be very cautious
making changes to the protocol itself. Changes might also require DHCP
snooping devices to be changed.

If DHCP is not changed, then I think PANA would be a more future proof
solution. Of course I don't know what other changes would be needed to
make PANA work.

Stig

>
> As such I will like to voice the support for DHC WG to take on
> this work to investigate if this is a viable solution for both
> IPv4 and IPv6 solutions.
>
> thanks,
> Peter

_______________________________________________
Int-area mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/int-area
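
The size limit raised in the reply above, worked through as an added example that is not part of the original thread or of any draft. It assumes a hypothetical option code (224, from the site-specific range), 16 bytes taken by other options, and constructed EAP message sizes; the 312-byte options field is the minimum RFC 2131 requires clients to accept, and long values are split across option instances as in RFC 3396.

```python
OPTIONS_FIELD_MIN = 312   # RFC 2131: options space every client must accept
OPTION_DATA_MAX = 255     # the option length field is a single octet
EAP_OPTION_CODE = 224     # hypothetical placeholder, not an assigned EAP option
OTHER_OPTIONS = 16        # assumed bytes used by message type, server id, end

def encode_option(code, data):
    """Encode data as consecutive instances of one option (RFC 3396 splitting)."""
    out = bytearray()
    for i in range(0, len(data), OPTION_DATA_MAX):
        chunk = data[i:i + OPTION_DATA_MAX]
        out += bytes([code, len(chunk)]) + chunk
    return bytes(out)

def decode_option(code, blob):
    """Concatenate the data of every instance of `code` in an options blob."""
    data, i = bytearray(), 0
    while i < len(blob):
        opt, length = blob[i], blob[i + 1]
        if opt == code:
            data += blob[i + 2:i + 2 + length]
        i += 2 + length
    return bytes(data)

def eap_capacity(options_budget=OPTIONS_FIELD_MIN, other=OTHER_OPTIONS):
    """Largest EAP payload that fits once each instance's 2-byte header is paid."""
    free = options_budget - other
    full, rest = divmod(free, OPTION_DATA_MAX + 2)
    return full * OPTION_DATA_MAX + max(rest - 2, 0)

def fragment_eap(eap_msg, options_budget=OPTIONS_FIELD_MIN, other=OTHER_OPTIONS):
    """Return one encoded option blob per DHCP message needed to carry eap_msg."""
    cap = eap_capacity(options_budget, other)
    if cap <= 0:
        raise ValueError("no room left for EAP data")
    return [encode_option(EAP_OPTION_CODE, eap_msg[i:i + cap])
            for i in range(0, len(eap_msg), cap)]

if __name__ == "__main__":
    for size in (200, 1020, 1400):   # constructed EAP message sizes
        frags = fragment_eap(bytes(size))
        print(f"{size}-byte EAP message -> {len(frags)} DHCP message(s), "
              f"{len(frags) - 1} additional exchange(s) DHCP does not define")
```

Any result above one DHCP message is the case the reply describes: the extra fragments need a request/response loop that the existing DHCP exchange does not provide.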
