Adrien de Croy wrote:

> They state no-one has implemented RFC 3118 (DHCP-AUTH). Given that
> RFC 3118 has been out for 6 years, that may have something to do with
> trying to auth at too low a level in the stack. Same reason IP auth
> options were chucked out. Auth fundamentally requires sharing of
> secrets. It's unmanageable to share secrets (esp. on a large scale)
> without using networking protocols (i.e. you'd need to use
> sneakernet). Therefore DHCP can't effectively or efficiently be
> authed, since it sets up the networking protocols that would be used
> for sharing secrets, and therefore "DHCP Auth" is a chicken-and-egg
> paradox. You'd need an ethernet (non-IP) level key management / auth
> subsystem to auth DHCP. One that can cross subnets. Since most
> routers are IP routers, ethernet level is a non-starter as well. You
> really need an IP level or higher protocol for auth.

PS, even though obviously DHCP sits over UDP which sits over IP and therefore is a higher level protocol than IP, it configures IP, and IP is dependent on it, and therefore in this context it is effectively lower level - there's doubtless a better phrase to describe this.

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com

Received on Tuesday, 19 June 2007 07:14:38 GMT
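For readers who have not looked at what RFC 3118 "delayed authentication" actually computes, the following is an added example (not code from the thread or from WinGate) of the option-90 HMAC-MD5 scheme. It builds a minimal DHCPDISCOVER, signs it with a pre-provisioned secret, and checks it on the server side; the point relevant to the argument above is the `SECRETS` table, which both ends must already hold before any DHCP exchange happens. The option field layout and the rule that `hops`, `giaddr` and the HMAC field are zeroed before hashing follow RFC 3118 as I read it and should be treated as my assumptions; the secret, secret ID and MAC address are constructed sample values.

```python
"""RFC 3118 delayed-authentication sketch (added example, not from the thread).
Option layout and HMAC coverage are taken from my reading of RFC 3118; treat
the field details as assumptions. Secrets and addresses are constructed."""
import hashlib
import hmac
import struct

OPTION_AUTH = 90          # Authentication option code (RFC 3118)
OPTION_END = 255
PROTOCOL_DELAYED = 1      # "delayed authentication" protocol value
ALG_HMAC_MD5 = 1          # algorithm: HMAC-MD5
RDM_MONOTONIC = 0         # replay detection method: monotonic counter
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HOPS_OFF = 3              # byte offset of 'hops' in the fixed header
GIADDR_OFF = 24           # byte offset of 'giaddr' in the fixed header
OPTIONS_OFF = 240         # 236-byte fixed header + 4-byte cookie
AUTH_FIXED_LEN = 17       # code, len, proto, alg, rdm, 8-byte counter, 4-byte secret id

# Assumption: the secret table is provisioned out of band on both client and
# server before DHCP runs; this is the chicken-and-egg the post describes.
SECRETS = {0x1234: b"constructed-shared-secret"}


def dhcp_header(xid: int, chaddr: bytes) -> bytes:
    """Fixed BOOTP/DHCP header for a broadcast client request, plus the magic cookie."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE


def _masked(msg: bytes, hmac_off: int) -> bytes:
    """Copy of msg with hops, giaddr and the HMAC field zeroed before hashing."""
    m = bytearray(msg)
    m[HOPS_OFF] = 0
    m[GIADDR_OFF:GIADDR_OFF + 4] = b"\0" * 4
    m[hmac_off:hmac_off + 16] = b"\0" * 16
    return bytes(m)


def sign(header: bytes, options: bytes, secret_id: int, secret: bytes, counter: int) -> bytes:
    """Append an option-90 delayed-auth option and END, then fill in HMAC-MD5 over the whole message."""
    auth_fixed = struct.pack("!BBBBBQI", OPTION_AUTH, 31, PROTOCOL_DELAYED,
                             ALG_HMAC_MD5, RDM_MONOTONIC, counter, secret_id)
    hmac_off = len(header) + len(options) + len(auth_fixed)
    msg = header + options + auth_fixed + b"\0" * 16 + bytes([OPTION_END])
    mac = hmac.new(secret, _masked(msg, hmac_off), hashlib.md5).digest()
    return msg[:hmac_off] + mac + msg[hmac_off + 16:]


def find_auth(msg: bytes):
    """Walk the options area; return the offset of the first option 90, or None."""
    i = OPTIONS_OFF
    while i < len(msg):
        code = msg[i]
        if code == 0:            # PAD
            i += 1
            continue
        if code == OPTION_END:
            break
        if code == OPTION_AUTH:
            return i
        i += 2 + msg[i + 1]
    return None


def verify(msg: bytes, secrets: dict, last_counter: int):
    """Server-side check. Returns (ok, new_last_counter). Fails closed on any mismatch."""
    off = find_auth(msg)
    if off is None or msg[off + 1] != 31:
        return False, last_counter
    proto, alg, rdm, counter, secret_id = struct.unpack("!BBBQI", msg[off + 2:off + AUTH_FIXED_LEN])
    if (proto, alg, rdm) != (PROTOCOL_DELAYED, ALG_HMAC_MD5, RDM_MONOTONIC):
        return False, last_counter
    if counter <= last_counter:               # replay
        return False, last_counter
    secret = secrets.get(secret_id)
    if secret is None:                        # unknown key: nothing to check against
        return False, last_counter
    hmac_off = off + AUTH_FIXED_LEN
    expected = hmac.new(secret, _masked(msg, hmac_off), hashlib.md5).digest()
    if not hmac.compare_digest(expected, msg[hmac_off:hmac_off + 16]):
        return False, last_counter
    return True, counter


def demo():
    """Sign a DISCOVER, then verify: as sent, after relay rewrite, wrong key, replay, tampered."""
    hdr = dhcp_header(0xDEADBEEF, bytes.fromhex("001122334455"))
    opts = bytes([53, 1, 1])                  # DHCP Message Type = DHCPDISCOVER
    msg = sign(hdr, opts, 0x1234, SECRETS[0x1234], counter=1)
    ok, _ = verify(msg, SECRETS, last_counter=0)
    relayed = bytearray(msg)                  # a relay agent rewrites hops and giaddr
    relayed[HOPS_OFF] = 1
    relayed[GIADDR_OFF:GIADDR_OFF + 4] = bytes([10, 0, 0, 1])
    ok_relay, _ = verify(bytes(relayed), SECRETS, 0)
    ok_wrong_key, _ = verify(msg, {0x1234: b"other"}, 0)
    ok_replay, _ = verify(msg, SECRETS, last_counter=1)
    tampered = bytearray(msg)
    tampered[OPTIONS_OFF + 2] = 3             # change message type byte
    ok_tampered, _ = verify(bytes(tampered), SECRETS, 0)
    return ok, ok_relay, ok_wrong_key, ok_replay, ok_tampered


if __name__ == "__main__":
    print(demo())
```

Note what the verifier needs before it can accept anything: the right entry in `SECRETS`, indexed by the secret ID the client chose. Nothing in the exchange itself can deliver that entry, which is the point the post makes; the example also shows why relays do not break the MAC, since `hops` and `giaddr` are excluded from the hash.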