
Re: Informational RFC to be: draft-gpaterno-wireless-pppoe-11.txt



The author has requested that this document be published as an
informational document. I asked some knowledgeable folk what they
thought of this document; their comments are below.

Question for the author: what is your motivation for publishing this
document? Do you have plans for doing any follow-up work in this
space?

Thomas

Bernard Aboba <aboba@internaut.com> writes:

> Aside from the fact that the document is somewhat out of date (WFA
> is currently in the process of certifying WPA-compliant access points that
> address the security issues described in the document), there is a
> fundamental problem with the logic of the argument.

> First the author points out the security flaws of WEP.  Then he goes ahead
> and advocates adoption of PPPOE along with PPP encryption algorithms
> such as MPPE which (like WEP) lack integrity protection.  In addition, he
> does not propose a standard key exchange mechanism, after criticizing
> IEEE 802.1X for the same problem.

> I would have no problem with this document if it actually listed
> the security flaws of WEP and then specified a PPPOE profile (including
> use of appropriate ciphersuites and key exchange algorithms) to address those
> issues.

> But as it is, this document reads mostly like a marketing blurb seeking
> validation by publication as an RFC.  If there is really interest in this
> solution as the author claims, the right way to proceed is to flesh it out
> to the point where the approach is credible.  This document doesn't do
> that.


Karl Fox <karlfox@columbus.rr.com> writes:

> Bernard's technical points notwithstanding, it turns my stomach to see 
> yet another latecomer to wireless security proposed.  We already have 
> the IEEE and multiple groups within the IETF trying to solve this 
> problem (some of which are well suited to the problem, such as Mobile 
> IP), and they are dealing with the real life, difficult issues that 
> occur in mobile networks.  Trying to make a mobile network connection 
> look like a dial-up is a poor fit.  I say shut it down.

James Carlson <james.d.carlson@sun.com> writes:

> I vote "no" for publication as an RFC.  To be frank, I can't tell what
> this document intends to be.  It doesn't actually describe any
> particular new or changed protocol, nor any particularly interoperable
> solution to a known problem, nor does it analyze the security issues
> of its recommendations in sufficient detail.

> If this document described some vendor-proprietary material that was
> already shipped (e.g., the case with PPPoE) and somewhat entrenched,
> then the value of publishing something to describe it, even when it's
> clearly at odds with established IETF efforts, might possibly outweigh
> the desire to avoid such confusion.  I don't see that such a thing is
> true here.

> Moreover, what value would this document bring?  Clearly, if someone
> wanted to deploy PPPoE over 802.11, he could do so _today_.  No new
> IETF would be necessary.  The components to do this all exist today in
> many implementations.


Thomas