Hi Amy,

Thanks for your reply.

The links to the drafts mentioned earlier are
http://www.ietf.org/internet-drafts/draft-ram-dhc-dhcpv6-aakey-01.txt
and
http://www.ietf.org/internet-drafts/draft-ram-dhc-dhcpv6-diam-app-01.txt
. In brief, they define a solution for authenticating the user at the AAA and also for establishing the DHCP security association between the DHCP client and server dynamically.

I notice that the purpose of both your draft and the above-mentioned drafts is the same, that is, authenticating the user at the AAA. In the solution described in the above drafts, the AAA server is contacted via the DHCP server. In architectures like WiMAX, the DHCP relay and the NAS/AAA client may not co-exist.

The solution described in the above two drafts fits in well with the DHCP authentication mechanism described in RFC 3118, and it handles the roaming scenarios by establishing the authentication keys dynamically.

Please let us know your comments.

Thanks,
Saumya
-----Original Message-----
From: Amy Zhao [mailto:zhaoyuping huawei.com]
Sent: Thursday, October 12, 2006 8:01 AM
To: Upadhyaya Saumya-a20369
Subject: RE: I-D ACTION:draft-zhao-dhc-user-authentication-00.txt

Hello!
Please see inline.
Thanks!
B.R.
Amy
> -----Original Message-----
> From: Upadhyaya Saumya-a20369 [mailto:saumya motorola.com]
> Sent: Tuesday, October 03, 2006 2:01 PM
> To: zhaoyuping huawei.com
> Cc: Ram O V Vishnu-A14676
> Subject: RE: I-D ACTION:draft-zhao-dhc-user-authentication-00.txt
>
> Hi,
>
> We have a couple of queries based on your published draft.
>
> - In which networks do you see applicability of this type of authentication? Would it be applicable in, say, WiMAX networks where other mechanisms are used for access authorization?

When the DHCP protocol is used between user equipment and a DHCP server in public-domain environments, the network service offered via the access network needs user identification; therefore the DHCP protocol requires user-based authentication.

> - Typically, access authorization is provided using an L2-based authentication mechanism like, say, EAP. In a case where the network is using an EAP-based authentication protocol, how would this solution be useful?

This solution is not intended to replace the L2-based authentication mechanism; it is just a solution based on DHCP. We just want to provide a method that provides authentication for a user, and this method is suited to public-domain environments and is simple to implement.

> - Does your scheme assume a secure DHCP channel between the DHCP client, relay and server? How would man-in-the-middle type attacks be addressed without that?

For basic user-based authentication, it should work in a secure DHCP channel.
For digest user-based authentication, it is a secure user-based authentication, but it cannot completely address the MITM attack.

> - Do you think this could be coupled with the DHCP authentication scheme described in draft-ram-dhc-dhcpv6-aakey-01 and draft-ram-dhc-dhcpv6-diam-app-01?

I need some time to read the above-mentioned drafts; where can I get them?

> - Have you considered a roaming scenario?

Sorry, I am not familiar with roaming technology. Maybe it will be useful to roaming/mobile clients.

> - How does your scheme work in the case where both user authentication (say, NAI based) and device authentication need to be performed?
>
>
> Thanks and Regards,
> Saumya
>
> -----Original Message-----
> From: Internet-Drafts ietf.org [mailto:Internet-Drafts ietf.org]
> Sent: Monday, October 02, 2006 8:20 PM
> To: i-d-announce ietf.org
> Subject: I-D ACTION:draft-zhao-dhc-user-authentication-00.txt
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>
>
> Title : DHCP User-based Authentication
> Author(s) : Y. Zhao
> Filename : draft-zhao-dhc-user-authentication-00.txt
> Pages : 24
> Date : 2006-10-2
>
> This document defines an authentication mechanism to provide an authentication for a user in an access network by means of DHCP. The authentication mechanism described here couples DHCP to an authentication, authorization and accounting system (AAA), thus enabling users to supply user credentials for AAA via DHCP.
>
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-zhao-dhc-user-authentication-00.txt
>
> To remove yourself from the I-D Announcement list, send a message to i-d-announce-request ietf.org with the word unsubscribe in the body of the message.
> You can also visit
> https://www1.ietf.org/mailman/listinfo/I-D-announce
> to change your subscription settings.
>
> Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-zhao-dhc-user-authentication-00.txt".
>
> A list of Internet-Drafts directories can be found in
> http://www.ietf.org/shadow.html
> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>
> Internet-Drafts can also be obtained by e-mail.
>
> Send a message to:
> mailserv ietf.org.
> In the body type:
> "FILE /internet-drafts/draft-zhao-dhc-user-authentication-00.txt".
>
> NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages.
>
> Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.
>
_______________________________________________
dhcwg mailing list
dhcwg ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg
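Saumya's message says the aakey/diam-app drafts fit with the DHCP authentication mechanism of RFC 3118 and answer Amy's man-in-the-middle concern by establishing the keys dynamically. The following is an added example, not code from either draft, from the DHC WG, or from any implementation the thread mentions: it builds a DHCPv4 message carrying an RFC 3118 delayed-authentication option (protocol 1, HMAC-MD5, counter-based replay detection), computes the MAC over the message with the hops, giaddr and MAC fields zeroed so that a relay can rewrite the first two, and verifies it. The secret table, secret ID, counter values, client hardware address and transaction ID are constructed for the demo; with the drafts' approach the key would come out of the AAA exchange rather than a static table.

```python
"""RFC 3118 delayed authentication (HMAC-MD5) over a DHCPv4 message.
Added example, not code from the drafts in the thread; header layout per
RFC 2131, authentication option per RFC 3118; keys/IDs/counters constructed."""
import hashlib
import hmac
import struct

OPT_AUTH, OPT_PAD, OPT_END = 90, 0, 255
PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER = 1, 1, 0
HMAC_LEN = 16
AUTH_HDR = struct.Struct("!BBBQI")   # protocol, algorithm, RDM, replay value, secret ID
AUTH_LEN = AUTH_HDR.size + HMAC_LEN  # 31-byte option value
MAGIC = b"\x63\x82\x53\x63"
OPTIONS_START = 236 + len(MAGIC)     # fixed header (236 bytes) + magic cookie
# Constructed key table (secret ID -> key); the drafts would establish it via AAA.
SECRETS = {1: b"constructed-demo-key-do-not-deploy"}


def build_message(xid, chaddr, hops, giaddr, options):
    """Minimal DHCPv4 message: fixed header, magic cookie, options, END."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, hops, xid, 0, 0x8000,  # BOOTREQUEST, Ethernet, broadcast
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, giaddr,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + options + bytes([OPT_END])


def auth_option(counter, secret_id, mac=b"\0" * HMAC_LEN):
    """Authentication option (code 90): protocol 1, algorithm 1, RDM 0."""
    body = AUTH_HDR.pack(PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER, counter, secret_id) + mac
    return bytes([OPT_AUTH, len(body)]) + body


def find_auth_option(msg):
    """Walk the option list; return (value offset, length) of option 90, or None."""
    i = OPTIONS_START
    while i + 1 < len(msg):
        code = msg[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = msg[i + 1]
        if code == OPT_AUTH:
            return i + 2, length
        i += 2 + length
    return None


def mac_input(msg, mac_off):
    """HMAC input: the whole message with 'hops', 'giaddr' and the MAC field
    zeroed, because relay agents legitimately rewrite the first two."""
    buf = bytearray(msg)
    buf[3] = 0
    buf[24:28] = b"\0" * 4
    buf[mac_off:mac_off + HMAC_LEN] = b"\0" * HMAC_LEN
    return bytes(buf)


def sign_message(msg, key):
    """Fill in the MAC of a message that already carries a zeroed auth option."""
    mac_off = find_auth_option(msg)[0] + AUTH_HDR.size
    mac = hmac.new(key, mac_input(msg, mac_off), hashlib.md5).digest()
    return msg[:mac_off] + mac + msg[mac_off + HMAC_LEN:]


def verify_message(msg, last_counter):
    """Return (accepted, counter to remember); fails closed on a missing or malformed
    option, unknown secret ID, wrong MAC, or a replay value that did not increase."""
    found = find_auth_option(msg)
    if found is None or found[1] != AUTH_LEN:
        return False, last_counter
    off = found[0]
    proto, alg, rdm, counter, secret_id = AUTH_HDR.unpack(msg[off:off + AUTH_HDR.size])
    key = SECRETS.get(secret_id)
    if (proto, alg, rdm) != (PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER) or key is None:
        return False, last_counter
    mac_off = off + AUTH_HDR.size
    expected = hmac.new(key, mac_input(msg, mac_off), hashlib.md5).digest()
    if not hmac.compare_digest(expected, msg[mac_off:mac_off + HMAC_LEN]):
        return False, last_counter
    if counter <= last_counter:  # RDM 0: replay value must strictly increase
        return False, last_counter
    return True, counter


def demo():
    """Sign a DHCPDISCOVER, then check relay rewriting, tampering and replay."""
    opts = bytes([53, 1, 1]) + auth_option(counter=1001, secret_id=1)  # 53/1 = DHCPDISCOVER
    signed = sign_message(build_message(0x12345678, bytes.fromhex("001122334455"), 0, b"\0" * 4, opts), SECRETS[1])
    relayed = bytearray(signed)  # a relay sets hops/giaddr; the MAC must still verify
    relayed[3], relayed[24:28] = 1, bytes([10, 0, 0, 1])
    ok_relayed, ctr = verify_message(bytes(relayed), last_counter=1000)
    tampered = bytearray(relayed)  # change message type to DHCPREQUEST: MAC fails
    tampered[OPTIONS_START + 2] = 3
    ok_tampered, _ = verify_message(bytes(tampered), last_counter=1000)
    ok_replay, _ = verify_message(bytes(relayed), last_counter=ctr)  # same counter again
    return ok_relayed, ok_tampered, ok_replay
```

Running `demo()` returns `(True, False, False)`: the relay-rewritten message verifies, the tampered one does not, and the replay with an unchanged counter is rejected. The three cases mark out what the option does and does not give you. It protects message integrity and detects replay once both sides hold the key, but it cannot authenticate the first exchange unless the key is already shared; that bootstrapping gap is what the dynamic key establishment Saumya refers to is meant to close, and it is also why Amy's basic (non-digest) mode still needs a secure channel underneath it.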