- From: Adrien de Croy <adrien@qbik.com>
- Date: Tue, 19 Jun 2007 19:14:51 +1200
- To: Mark Andrews <Mark_Andrews@isc.org>
- CC: Henrik Nordstrom <henrik@henriknordstrom.net>, HTTP Working Group <ietf-http-wg@w3.org>
Adrien de Croy wrote:

> They state no one has implemented RFC 3118 (DHCP-AUTH). Given that
> RFC 3118 has been out for 6 years, that may have something to do with
> trying to auth at too low a level in the stack. Same reason IP auth
> options were chucked out. Auth fundamentally requires sharing of
> secrets. It's unmanageable to share secrets (esp. on a large scale)
> without using networking protocols (i.e. you'd need to use
> sneakernet). Therefore DHCP can't effectively or efficiently be
> authed, since it sets up the networking protocols that would be used
> for sharing secrets, and therefore "DHCP Auth" is a chicken-and-egg
> paradox. You'd need an Ethernet (non-IP) level key management / auth
> subsystem to auth DHCP. One that can cross subnets. Since most
> routers are IP routers, Ethernet level is a non-starter as well. You
> really need an IP level or higher protocol for auth.

PS: even though obviously DHCP sits over UDP, which sits over IP, and is therefore a higher-level protocol than IP, it configures IP, and IP is dependent on it, and therefore in this context it is effectively lower level. There's doubtless a better phrase to describe this.

--
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Tuesday, 19 June 2007 07:14:38 UTC