
DHCP Authentication Discussion

INTAREA meeting, 70th IETF, Vancouver, Canada. Jari Arkko and Ralph Droms.


Presentation Transcript


  1. DHCP Authentication Discussion. INTAREA meeting, 70th IETF, Vancouver, Canada. Jari Arkko and Ralph Droms

  2. Outline
     • Introduction and background
     • DSL community needs & proposal (Ric)
     • Summary of discussion and analysis
     • Discussion

  3. Introduction and Background
     • Moving away from PPPoE in DSL
     • But still keeping some of the business models and infrastructure
     • DSL Forum liaison to IETF (Jul & Oct)
     • A number of different potential approaches (802.1X, PANA, DHCP, ...)
     • Considering DHC recharter
     • Other SDOs and extensions

  4. The Desired Outcome of Discussion
     • Present the proposal on the table
     • Discuss the architectural and protocol implications
     • Sense of the room on the direction:
        • Yes/No for doing DHCP work on this
        • Maybe also guidance on alternatives (if no) and details (if yes)
     • Decisions on list

  5. Content
     • Issues to think about
     • Requirements from an IETF perspective
     • Way Forward

  6. Issues to Think About (1/2)
     • Moving away from PPPoE is good
     • Freedom to carry your CPE device to a location of your choosing is good
     • IETF specification of extensions in this space is good, as opposed to vendor specific solutions
     • Multi-SDO coordination can be fun

  7. Issues to Think About (2/2)
     • Potential solutions
        • Layer 2 solutions (IEEE liaison)
        • IP layer network access control solutions (PANA)
        • Subscriber authentication in DHCP with either CHAP or EAP
     • DHCP drafts are in very early stages
     • Need significant work
     • Not here to discuss details – focus on architectural impact of doing something in a particular way
     • Solutions cannot be evaluated merely by their e2e behaviour
     • The architecture at the home site matters (CPE vs. hosts)
     • Ability of the network in between to deal with the required signalling (1X, PANA, DHCP)
     • Future developments matter (IPv6, other updates, etc.)

  8. Challenges in DHCP Solutions (1/2)
     • Securing the DHCP transaction vs. using DHCP for access control
     • Preventing configuration does not prevent access if manual configuration is possible
     • Access to link vs. beyond the link
     • A DHCP-based solution does not work with hosts that employ stateless IPv6
     • Server vs. relay responding to messages

  9. Challenges in DHCP Solutions (2/2)
     • Retransmission responsibility on the client vs. server side
     • CHAP vs. EAP
     • A number of other issues from the list:
        • MTU issues, OFFER vs. ACK, key binding, session ids, ...

  10. Acceptable Solution Requirements
     • MUST solve the detailed technical issues
     • MUST NOT place requirements on hosts:
        • Requiring hosts to support DHCP AUTH
        • Requiring all IPv6 hosts to support DHCPv6
     • MUST handle both IPv4 and IPv6
     • MUST be able to deal with backwards compatibility issues & fit the state machine
     • MUST accurately describe the limitations and applicability of the solution
     • MUST conform to existing DHCP RFCs

  11. Way Forward
     • Discussion now
     • Sense of the room on the direction:
        • Yes/No for doing DHCP work on this
        • Maybe also guidance on alternatives (if no) and details (if yes)
     • Consensus call on the list
     • If a DHCP-based approach is chosen, revise draft and recharter DHC WG to include this effort
     • If not, we will ask DSL Forum to think about other solutions (such as 802.1X)

  12. Background Material Slides

  13. Current status and analysis
     • DSLF liaison statements have been discussed on int-area mailing list: www1.ietf.org/mail-archive/web/int-area/current/
        • Initial question: msg00957.html
        • Followup: msg01171.html
        • Followup: msg01215.html
     • Discussion has not demonstrated rough consensus either to accept or to reject the DSLF liaison statement request to develop extensions to DHCP
     • Some detailed reviews of the specific proposal
        • Arkko: msg01245.html
        • Aboba: msg01257.html

  14. Liaison Statement 2
     "At this time, we would like to make the IETF aware that during our most recent DSL Forum quarterly meeting, the Architecture and Transport Working Group agreed to seriously consider adopting a mechanism such as that proposed in draft-pruss-dhcp-auth-dsl-01.txt or draft-zhao-dhc-user-authentication-02. We understand that the authors of these specifications intend to produce a combined document soon. The DSL Forum formally requests that the IETF adopt this as a work item, and would appreciate being advised of progress as soon as possible."
     Combined draft: draft-pruss-dhcp-auth-dsl-02.txt

  15. Questions We Asked When the Liaison Was Received
     • How do we feel about this [request]?
     • Is this a good idea, considering the DSL architecture?
     • How will it affect DHCP the protocol?
     • How would you go about making DHCP extensions so that they work best for all possible environments and not just DSL?
     • Is anyone already working on the combined draft promised above?
     • Are there any other choices that we should recommend instead?
     • I would like to hold the discussion on this [request] in [the int-area] list until we've determined that the DHCP protocol is the right tool for the job.

  16. Other
     • draft-iab-ip-config by Aboba and Thaler
     • Slides from Dave Thaler's DHC WG presentation in IETF-68
     • There is an IPR declaration on draft-pruss
