Re: The Emperor Has No Clothes: Is PANA partly useful?

Bernard Aboba wrote:
> > My question is more why do they need EAP in situations where they are
> > not running at the link layer than why do they want or not want PANA.
>
> The simple answer is that there are situations which IEEE 802.1X cannot 
> handle on wired networks.  As specified, IEEE 802.1X is "network port 
> control", which means that authorization is controllable only at the port 
> level.  If there is more than one host connected to a switch port, then 
> that model no longer applies. 
That is exactly the problem of aDSL here in Germany. The line ends in a
modem at my home and I can connect as many clients as I want, using
different accounts on one ISP or even connect me to different ISPs. So aDSL
here is a many to many connection with people tunneling via PPPoE.

> For example, consider a user with two machines attached to a hub on a 
> single port - a laptop and a desktop machine.  The desktop authenticates 
> via machine credentials, and for some reason the certificate has expired 
> without being renewed.  The laptop has up to date credentials.  However, 
> because they are both connected to the same port, they will each attempt 
> to authenticate; since the desktop machine no longer has up to date 
> credentials, its authentication will fail, causing port access to be 
> denied, throwing the laptop off the network.  The two machines will 
> continue to cycle through authentication attempts, causing the port to 
> alternatively be open and closed.
> Some of the solutions that have been discussed include:
>
> a. For the switch to keep MAC state on each port, which requires a 
> additional CAM, and therefore a forklift upgrade, OR
> b. For the switch to support protected Ethernet (802.1ae) and associated 
> key management (802.1af) so that traffic from each host can be 
> cryptographically separated, also requiring an (even more expensive) 
> forklift upgrade; OR
> c. For the host and routers to support EAP over UDP.  Typically this works 
> by having the router recognize a new host (e.g. new entry in the ARP 
> table), then challenging it via EAP over UDP.  If the host successfully 
> authenticates, packets from that IP address are allowed to pass through 
> the router filter; otherwise not. 
>
> Of these approaches, b) is the most secure since it enables cryptographic 
> separation between traffic from different MAC addresses, preventing
> MAC address piggyback attacks as well as enabling reliable "shared media" 
> operation. However, it is also the most expensive approach, since each 
> port now needs to support encryption; at lines rates of 1+ Gbps this can 
> be pricey. 
>
> Approach a) is less expensive (and less ecure) than b), but also requires 
> a forklift upgrade. 
>
> Approach c) is probably the least secure, but it is also the 
> least expensive approach, since no switch ports need to be upgraded. 
>
> One might argue that approach c) is likely to represent a short-term fix 
> until switches supporting a) or b) are commonly available, and therefore 
> that EAP over UDP has no long-term future.  I would tend to agree with 
> this, but would also observe that switches tend to have long replacement 
> cycles. For example, it is common to see customers with Cat 5K switches 
> that have been in place for a nearly decade with no immediate prospects 
> for replacement. Those kind of customers are likely to find EAP over UDP 
> appealing. 

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter(_at_)peter-dambier(_dot_)de
mail: peter(_at_)echnaton(_dot_)serveftp(_dot_)com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf