On Mar 22, 2007, at 10:40 AM, Derek Harkness wrote:
> Plus you need to change, or at least change the usage of, the RADIUS protocol to allow you to make an access request to get an access accept for the user data (IP Address, DNS, etc.) without the valid password and then another (access request) to the server which can return an Access accept (carry on as before) or an Access Reject in which case this reject applies not to the associated request but to the previous for that user.

The more I hear about this the worse it sounds. You're talking about doing address allocation out of the RADIUS server? That's crazy talk. Why even bother to use DHCP if you're not actually using DHCP?

So let's draw a distinction here. There is the entire protocol that you propose to implement, which I think the working group really can't get behind, even if someone outside of DHC says there's a demand for it. And then there is a partial transition solution, which lets you use the shared keys you've already established in AAA, but doesn't break the DHCP protocol and doesn't do address allocation out of RADIUS.

If this partial solution is of interest to you, I'm willing to talk about it and help you to make it happen. I don't know if it's practical, and I'm not asserting it is - I'm just saying that if there is a pony in here, that's where I think it is.

If the only thing that's "good enough" is the one where you authenticate through AAA before you get configuration parameters, and do IP address allocation out of AAA, then I am reluctant to help you with it, because (a) I think there's zero chance of it passing last call in the working group - I would vote against it, and I can't think of anybody else in the working group who wouldn't - and (b) it breaks RFC2131/2132 in fundamental ways that I don't think are acceptable.

I think if you implement the complete solution you've proposed, what you have isn't DHCP anymore - it's something using the DHCP port and packet structure that will break interoperability in surprising ways. So if that's what you really want, I'd rather see you roll a different protocol, call it something different, and think about how to advance it on those terms.

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg