IETF Logo Mail Archive

Re: [Int-area] DCHP-based authentication for DSL?

Ralph Droms <rdroms@cisco.com> Sun, 28 October 2007 23:02 UTC

Return-path: <int-area-bounces@lists.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1ImH9f-0000OJ-7A; Sun, 28 Oct 2007 19:02:51 -0400
Received: from int-area by megatron.ietf.org with local (Exim 4.43) id 1ImH9d-0000Nr-PO for int-area-confirm+ok@megatron.ietf.org; Sun, 28 Oct 2007 19:02:49 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1ImH9d-0000Nj-Fn for int-area@lists.ietf.org; Sun, 28 Oct 2007 19:02:49 -0400
Received: from sj-iport-6.cisco.com ([171.71.176.117]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1ImH9X-0007Kb-QG for int-area@lists.ietf.org; Sun, 28 Oct 2007 19:02:49 -0400
X-IronPort-AV: E=Sophos;i="4.21,339,1188802800"; d="scan'208";a="243620249"
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-6.cisco.com with ESMTP; 28 Oct 2007 16:02:43 -0700
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id l9SN2f0N006202; Sun, 28 Oct 2007 16:02:41 -0700
Received: from xbh-rtp-211.amer.cisco.com (xbh-rtp-211.cisco.com [64.102.31.102]) by sj-core-5.cisco.com (8.12.10/8.12.6) with ESMTP id l9SN2ITw010070; Sun, 28 Oct 2007 23:02:40 GMT
Received: from xfe-rtp-202.amer.cisco.com ([64.102.31.21]) by xbh-rtp-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Sun, 28 Oct 2007 19:02:27 -0400
Received: from [64.0.235.59] ([10.86.240.206]) by xfe-rtp-202.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Sun, 28 Oct 2007 19:02:27 -0400
In-Reply-To: <20071026002824.GA14789@steelhead.localdomain>
References: <005501c81555$6f49f360$ba3dfea9@ad.redback.com> <471F0F26.4070006@uninett.no> <471FACDD.3000707@cisco.com> <C087AF58-A3DF-40CC-9AB2-BE30E3657A00@cisco.com> <8BA9DF9F-7094-4F4A-8FDD-ED9F36017251@cisco.com> <20071026002824.GA14789@steelhead.localdomain>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <97AA148C-232F-4905-AC98-AFA58EA15558@cisco.com>
Content-Transfer-Encoding: 7bit
From: Ralph Droms <rdroms@cisco.com>
Subject: Re: [Int-area] DCHP-based authentication for DSL?
Date: Sun, 28 Oct 2007 16:22:27 -0400
To: Yoshihiro Ohba <yohba@tari.toshiba.com>
X-Mailer: Apple Mail (2.752.2)
X-OriginalArrivalTime: 28 Oct 2007 23:02:27.0255 (UTC) FILETIME=[9C07AC70:01C819B6]
X-TM-AS-Product-Ver: SMEX-8.0.0.1181-5.000.1023-15508.000
X-TM-AS-Result: No--28.443800-8.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=4451; t=1193612561; x=1194476561; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=rdroms@cisco.com; z=From:=20Ralph=20Droms=20<rdroms@cisco.com> |Subject:=20Re=3A=20[Int-area]=20DCHP-based=20authentication=20for=20DSL? |Sender:=20; bh=5T/buFIk6veOWG1PNKeUGVEo9NM1p59Tk0K1DdM04eY=; b=oYAAqNjoKBPi7dMcQi1/pu2i7w/Y1c7vfkTl6H8qXB2m3KY+hqtZyd/UEEovgOYw78zcyMX8 ARmzU+MnBL/NRh27GNz/5nkJ5HhHCObkRtxR9A2nJ0GFWlp8iXp0ZsZ5yTJ84zjqL4AOZTAWV+ WIzrUpI4bwlNkg3r/u30bOz6g=;
Authentication-Results: sj-dkim-1; header.From=rdroms@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
X-Spam-Score: -4.0 (----)
X-Scan-Signature: 67c1ea29f88502ef6a32ccec927970f0
Cc: Internet Area <int-area@lists.ietf.org>
X-BeenThere: int-area@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/int-area>
List-Post: <mailto:int-area@lists.ietf.org>
List-Help: <mailto:int-area-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@lists.ietf.org?subject=subscribe>
Errors-To: int-area-bounces@lists.ietf.org

The only reference to fragmentation in RFC 951 is:

3. Packet Format

    [...] For
    simplicity it is assumed that the BOOTP packet is never fragmented.

There are no references to fragmentation in RFC 213[12] or RFC 3315.

In my opinion, this reference is to simplicity in the IP layer, not  
in the BOOTP layer.  The IP layer handles any fragmentation and the  
BOOTP/DHCP layers are unaware of that fragmentation.  Therefore, any  
addresses included in the DHCP messages are irrelevant to BOOTP/DHCP  
message reassembly.

On the other hand, as I wrote in a previous message, all bets are off  
regarding L2 (or other) devices that snoop the DHCP messages without  
performing IP reassembly.

And, as a practical matter, I suspect all extant DHCP clients and  
servers have a DHCP message MTU less than 1500 octets.

- Ralph


On Oct 25, 2007, at Oct 25, 2007,8:28 PM, Yoshihiro Ohba wrote:

> Isn't DHCP designed based on the same assumption as BOOTP in terms of
> IP fragmentation?  BOOTP assumes that BOOTP messages are never
> fragmented according RFC 951.
>
> An issue with fragmenting DHCP message I can think of is that a DHCP
> relay agent or server may not be able to correctly reassemble
> fragmented messages when simultaneously received from multiple DHCP
> clients if the source address of those messages is unspecified
> (0.0.0.0).  How does DHCP address this issue?
>
> Note: DHCPv6 does not have this issue because a specified address is
> always used.
>
> Yoshihiro Ohba
>
>
> On Wed, Oct 24, 2007 at 05:03:01PM -0400, Ralph Droms wrote:
>> Sorry, I made a goof.  Relay agents can forward fragmented DHCP
>> messages.  There is, if I recall correctly, a recommendation against
>> fragmentation (perhaps RFC 2131); however, the stack on the node
>> where the relay agent is instantiated will re-assemble the DHCP
>> message before delivering it to the relay agent, and then re-fragment
>> the new DHCP message resent by the relay agent.
>>
>> - Ralph
>>
>> On Oct 24, 2007, at Oct 24, 2007,4:54 PM, Ralph Droms wrote:
>>
>>> Section 6.3 of draft-pruss-dhcp-auth-dsl-01 addresses how to fit
>>> the EAP info into DHCP options, using RFC 3396.
>>>
>>> However, there is also a recommendation, when using EAP, that the
>>> server set the "Maximum DHCP Message Size" option to 1604.  Sending
>>> a DHCP message of this size may require fragmentation, but DHCP
>>> relay agents cannot forward fragmented DHCP messages.
>>>
>>> - Ralph
>>>
>>> On Oct 24, 2007, at Oct 24, 2007,4:36 PM, Richard Pruss wrote:
>>>
>>>>
>>>>
>>>> Stig Venaas wrote, around 24/10/07 7:23 PM:
>>>>> It's not as simple as just putting credentials into option 82
>>>>> though.
>>>>> For one thing there are strict limits on the size of DHCP
>>>>> messages that
>>>>> will limit what EAP or other mechanisms you can use. When the EAP
>>>>> MTU is too small for the EAP message, you need multiple  
>>>>> requests and
>>>>> responses to transport the message. This is not possible without
>>>>> major DHCP changes. Hence you are not free to use what EAP
>>>>> mechanisms
>>>>> or credentials you like without major changes to DHCP. While with
>>>>> say
>>>>> PANA you could do that.
>>>>>
>>>> Stig section 6.3 of the currently posted -01 draft addresses the
>>>> size issue of EAP in some detail, it is not clear if you are
>>>> saying the proposed mechanism would not work.
>>>>
>>>> Regardless of the mechanism if one thinks of this from the
>>>> implementation it should be no big deal as for EAP and RADIUS one
>>>> has to chop EAP into small enough chunks to get through
>>>> limitations in RADIUS (<253 bytes). While DHCP has similar
>>>> problems (<255 bytes), and one could can expect that most
>>>> networking companies would have implemented the lower common
>>>> denominator of RADIUS here.
>>>>
>>>> Regards,
>>>> Ric
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Int-area mailing list
>>>> Int-area@lists.ietf.org
>>>> https://www1.ietf.org/mailman/listinfo/int-area
>>>
>>>
>>> _______________________________________________
>>> Int-area mailing list
>>> Int-area@lists.ietf.org
>>> https://www1.ietf.org/mailman/listinfo/int-area
>>
>>
>> _______________________________________________
>> Int-area mailing list
>> Int-area@lists.ietf.org
>> https://www1.ietf.org/mailman/listinfo/int-area
>>


_______________________________________________
Int-area mailing list
Int-area@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/int-area

v2.23.0 | Report a Bug | By Email