
Re: The Emperor Has No Clothes: Is PANA actually useful?

2006-05-26 08:59:30
> My question is more why do they need EAP in situations where they are
> not running at the link layer than why do they want or not want PANA.

The simple answer is that there are situations which IEEE 802.1X cannot 
handle on wired networks.  As specified, IEEE 802.1X is "network port 
control", which means that authorization is controllable only at the port 
level.  If there is more than one host connected to a switch port, then 
that model no longer applies. 

For example, consider a user with two machines attached to a hub on a 
single port - a laptop and a desktop machine.  The desktop authenticates 
via machine credentials, and for some reason the certificate has expired 
without being renewed.  The laptop has up to date credentials.  However, 
because they are both connected to the same port, they will each attempt 
to authenticate; since the desktop machine no longer has up to date 
credentials, its authentication will fail, causing port access to be 
denied, throwing the laptop off the network.  The two machines will 
continue to cycle through authentication attempts, causing the port to 
alternately be open and closed.

Some of the solutions that have been discussed include:

a. For the switch to keep MAC state on each port, which requires an 
additional CAM, and therefore a forklift upgrade, OR

b. For the switch to support protected Ethernet (802.1ae) and associated 
key management (802.1af) so that traffic from each host can be 
cryptographically separated, also requiring an (even more expensive) 
forklift upgrade; OR

c. For the host and routers to support EAP over UDP.  Typically this works 
by having the router recognize a new host (e.g. new entry in the ARP 
table), then challenging it via EAP over UDP.  If the host successfully 
authenticates, packets from that IP address are allowed to pass through 
the router filter; otherwise not. 

Of these approaches, b) is the most secure since it enables cryptographic 
separation between traffic from different MAC addresses, preventing
MAC address piggyback attacks as well as enabling reliable "shared media" 
operation. However, it is also the most expensive approach, since each 
port now needs to support encryption; at line rates of 1+ Gbps this can 
be pricey. 

Approach a) is less expensive (and less secure) than b), but also requires 
a forklift upgrade. 

Approach c) is probably the least secure, but it is also the 
least expensive approach, since no switch ports need to be upgraded. 

One might argue that approach c) is likely to represent a short-term fix 
until switches supporting a) or b) are commonly available, and therefore 
that EAP over UDP has no long-term future.  I would tend to agree with 
this, but would also observe that switches tend to have long replacement 
cycles. For example, it is common to see customers with Cat 5K switches 
that have been in place for nearly a decade with no immediate prospects 
for replacement. Those kinds of customers are likely to find EAP over UDP 
appealing. 

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf

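The following is an added toy model of the three approaches the post compares; it is not code from the post or from any IEEE or IETF specification. It replays the two-hosts-behind-a-hub scenario against (1) a single per-port authorization state, (2) per-MAC state in the switch, (3) a per-host keyed integrity tag standing in for 802.1AE-style separation, and (4) a router that challenges new ARP entries and filters on IP. The hosts, MAC and IP addresses, the `eap_authenticate` stand-in, and the random per-host key (in practice derived by 802.1af key management) are all constructed assumptions.

```python
"""Toy model of per-port, per-MAC, keyed, and per-IP admission control (added example)."""
import hashlib
import hmac
import os

# Constructed sample hosts sharing one switch port via a hub, as in the post.
# The desktop's machine certificate has expired, so its EAP exchange fails.
HOSTS = {
    "laptop":  {"mac": "00:11:22:33:44:01", "ip": "10.0.0.11", "valid": True},
    "desktop": {"mac": "00:11:22:33:44:02", "ip": "10.0.0.12", "valid": False},
}


def eap_authenticate(host):
    """Stand-in for the EAP method exchange: succeeds iff credentials are valid."""
    return HOSTS[host]["valid"]


# --- IEEE 802.1X as specified: one authorization state for the whole port ----
def port_control_flaps(attempts):
    """Replay EAP attempts from hosts sharing one port.

    Returns (number of open/closed transitions, port state after each attempt).
    With two hosts behind a hub the port follows whichever host spoke last,
    so alternating attempts make it flap."""
    port_open = False
    transitions = 0
    history = []
    for host in attempts:
        new_state = eap_authenticate(host)
        if new_state != port_open:
            transitions += 1
        port_open = new_state
        history.append(port_open)
    return transitions, history


# --- Approach a: the switch keeps per-MAC authorization state ----------------
def authorize_per_mac():
    """Authenticate each host and record only the MACs that passed."""
    return {h["mac"] for name, h in HOSTS.items() if eap_authenticate(name)}


def mac_filter_allows(authorized_macs, frame):
    """Forwarding decision rests solely on the source MAC field of the frame."""
    return frame["src_mac"] in authorized_macs


# --- Approach b: cryptographic separation per authenticated host ------------
# Assumption: after a successful EAP exchange the switch and host share a
# per-host key; here it is generated at random, and each frame carries an
# HMAC tag over source MAC and payload that the switch verifies.
def authorize_with_keys():
    return {h["mac"]: os.urandom(32) for name, h in HOSTS.items() if eap_authenticate(name)}


def _tag(key, frame):
    return hmac.new(key, frame["src_mac"].encode() + frame["payload"], hashlib.sha256).digest()


def tag_frame(key, frame):
    """Host side: attach the integrity tag computed under its own key."""
    return dict(frame, tag=_tag(key, frame))


def secure_filter_allows(keys, frame):
    """Switch side: forward only if the tag verifies under the key bound to the MAC.
    A frame that merely carries an authorized MAC, without a valid tag, is dropped."""
    key = keys.get(frame["src_mac"])
    if key is None or "tag" not in frame:
        return False
    return hmac.compare_digest(_tag(key, frame), frame["tag"])


# --- Approach c: router challenges each new ARP entry over EAP over UDP ------
def router_filter_after_arp(arp_events):
    """Each new ARP entry triggers a challenge to that host's IP; the router's
    filter admits only addresses whose EAP exchange succeeded."""
    allowed_ips = set()
    for host in arp_events:
        if eap_authenticate(host):  # challenge would be sent to HOSTS[host]["ip"]
            allowed_ips.add(HOSTS[host]["ip"])
    return allowed_ips


def ip_filter_allows(allowed_ips, packet):
    return packet["src_ip"] in allowed_ips


if __name__ == "__main__":
    flaps, states = port_control_flaps(["desktop", "laptop"] * 3)
    print("802.1X port transitions:", flaps, states)
    print("approach a authorized MACs:", authorize_per_mac())
    print("approach c allowed IPs:", router_filter_after_arp(["desktop", "laptop"]))
```

Running the script shows the per-port model flapping on every alternating attempt, while the per-MAC and per-IP models keep the laptop admitted and the desktop denied. The keyed model is the only one whose admission decision depends on something other than an address field the switch cannot verify, which is the property the post credits to approach b.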