
RE: I-D ACTION:draft-ietf-dhc-agentopt-radius-07.txt (fwd)



> So may I assume that everyone is checking the summary,
> Ralph's responses and this new revision?

Yes.

> Also, can we set a deadline by which we think we can have a
> summary of remaining issues?

I'll provide my comments now.  I don't see any "show stoppers".

-- Dave

COMMENT RESPONSE:

"Because the RADIUS server and NAS are in the same administrative
domain, the RADIUS server can be configured to return the appropriate
attributes to the NAS, sized to fit in the RADIUS Attributes sub-option,
and the RADIUS server can be aware of whether the NAS is configured to
use the RADIUS Attributes sub-option."

RETORT:

This is true...  RADIUS and DHCP servers configured under a unified
administrative policy can certainly be made to interoperate as specified
in the ID.  It seems clear that the WG understands this.  As long as
this is equally clear to all readers of the eventual RFC, then this
issue is satisfactorily addressed, IMHO.

COMMENT RESPONSE:

"Many DHCP services make use of different pieces of information about
the DHCP client to determine the exact configuration information,
including the assigned IP address, to be returned to the client.  The
intent of this sub-option is to make attributes supplied by the RADIUS
server, such as the User-Name, available to the DHCP server as part of
the information available about the DHCP client."

RETORT:

OK.  I can see that a DHCP server might make sensible use of a
User-Name, for example by looking up the group membership of the user
and making host configuration policy decisions based on that group
membership.  I guess my concern here was that *other* uses could be made
of the User-Name information, which would put DHCP servers in the role
of AAA servers.  IMHO, that would be a Bad Idea (tm). Since it seems
inappropriate to attempt to place restrictions on DHCP server
implementation issues in an "over-the-wire" protocol document, I'll not
push this issue further, even though I still have nagging doubts.

COMMENT:

> Guidance may be needed on how the NAS is supposed to correlate DHCP 
> requests with the previous RADIUS requests.  Is this based on MAC 
> address?  Does that pose a spoofing threat specific to the proposed 
> functionality which should be covered in the Security Considerations 
> section?

COMMENT RESPONSE:

"No guidance is needed because 802.1X enables forwarding on a single
port switch port for a single host.  Any DHCP messages received on that
port then presumably were sent by the just authorized host."

RETORT:

IMHO, the answer to the question raised in the comment is "Yes, in many
cases the correlation will be by MAC address".  The notion of
one-station-one-switch-port is a special case of 802.1X (albeit the
design-center).  In general, there are the shared media cases to be
considered.  Certainly for any 802.11 access points, and even for 802.3
switch ports with multiple attached stations, via a hub or VoIP phone.