Re: Informational RFC to be: draft-gpaterno-wireless-pppoe-11.txt
The author has requested that this document be published as an
informational document. I asked some knowledgeable folk what they
thought of this document; their comments are below.
Question for the author: what is your motivation for publishing this
document? Do you have plans for doing any follow-up work in this
space?
Thomas
Bernard Aboba <aboba@internaut.com> writes:
> Aside from the fact that the document is somewhat out of date (WFA
> is currently in the process of certifying WPA-compliant access points that
> address the security issues described in the document), there is a
> fundamental problem with the logic of the argument.
> First the author points out the security flaws of WEP. Then he goes ahead
> and advocates adoption of PPPOE along with PPP encryption algorithms
> such as MPPE which (like WEP) lack integrity protection. In addition, he
> does not propose a standard key exchange mechanism, after criticizing
> IEEE 802.1X for the same problem.
> I would have no problem with this document if it actually listed
> the security flaws of WEP and then specified a PPPOE profile (including
> use of appropriate ciphersuites and key exchange algorithms) to address those
> issues.
> But as it is, this document reads mostly like a marketing blurb seeking
> validation by publication as an RFC. If there is really interest in this
> solution as the author claims, the right way to proceed is to flesh it out
> to the point where the approach is credible. This document doesn't do
> that.
Karl Fox <karlfox@columbus.rr.com> writes:
> Bernard's technical points notwithstanding, it turns my stomach to see
> yet another latecomer to wireless security proposed. We already have
> the IEEE and multiple groups within the IETF trying to solve this
> problem (some of which are well suited to the problem, such as Mobile
> IP), and they are dealing with the real life, difficult issues that
> occur in mobile networks. Trying to make a mobile network connection
> look like a dial-up is a poor fit. I say shut it down.
James Carlson <james.d.carlson@sun.com> writes:
> I vote "no" for publication as an RFC. To be frank, I can't tell what
> this document intends to be. It doesn't actually describe any
> particular new or changed protocol, nor any particularly interoperable
> solution to a known problem, nor does it analyze the security issues
> of its recommendations in sufficient detail.
> If this document described some vendor-proprietary material that was
> already shipped (e.g., the case with PPPoE) and somewhat entrenched,
> then the value of publishing something to describe it, even when it's
> clearly at odds with established IETF efforts, might possibly outweigh
> the desire to avoid such confusion. I don't see that such a thing is
> true here.
> Moreover, what value would this document bring? Clearly, if someone
> wanted to deploy PPPoE over 802.11, he could do so _today_. No new
> IETF would be necessary. The components to do this all exist today in
> many implementations.
Thomas