
Re: The Emperor Has No Clothes: Is PANA actually useful?

2006-05-30 00:20:29
* Bernard Aboba:

> > My question is more why do they need EAP in situations where they are
> > not running at the link layer than why do they want or not want PANA.
>
> The simple answer is that there are situations which IEEE 802.1X cannot
> handle on wired networks.  As specified, IEEE 802.1X is "network port
> control", which means that authorization is controllable only at the port
> level.  If there is more than one host connected to a switch port, then
> that model no longer applies.

Isn't this just a "don't do that, then" scenario?  Plugging in a hub
tends to undermine much of the accountability 802.1X is supposed to
provide.

Anyway, 802.1X is terminally broken because end users can rewire that
port and bypass security policies (put a laptop with bridging software
onto it, plug in a hub, and so on).  It's very hard to solve this
problem at a sub-IP layer because you need an ARP replacement which is
tied to the port (physical layer) and IP routing (network layer) at
the same time, and in a secure fashion.  And without some cryptography
on the payload, you still won't be able to tell two hosts on the same
port apart.

My personal conclusion from this mess is to give up trying to make the
sub-IP layers secure, but start directly at the IP layer.

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
