W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2007

Re: protocol support for intercepting proxies

From: Adrien de Croy <adrien@qbik.com>
Date: Tue, 19 Jun 2007 19:14:51 +1200
Message-ID: <4677826B.2010000@qbik.com>
To: Mark Andrews <Mark_Andrews@isc.org>
CC: Henrik Nordstrom <henrik@henriknordstrom.net>, HTTP Working Group <ietf-http-wg@w3.org>

Adrien de Croy wrote:
> They state no-one has implemented RFC 3118 (DHCP-AUTH).  Given that 
> RFC 3118 has been out for 6 years, that may have something to do with 
> trying to auth at too low a level in the stack.  Same reason IP auth 
> options were chucked out.  Auth fundamentally requires sharing of 
> secrets.  It's unmanageable to share secrets (esp on a large scale) 
> without using networking protocols (i.e. you'd need to use 
> sneakernet).  Therefore DHCP can't effectively or efficiently be 
> authed, since it sets up the networking protocols that would be used 
> for sharing secrets, and therefore "DHCP Auth" is a chicken-and-egg 
> paradox.  You'd need an ethernet (non IP) level key management / auth 
> subsystem to auth DHCP.  One that can cross subnets.  Since most 
> routers are IP routers, ethernet level is a non-starter as well.  You 
> really need an IP level or higher protocol for auth.

PS, even though obviously DHCP sits over UDP which sits over IP and 
therefore is a higher level protocol than IP, it configures IP, and IP 
is dependent on it, and therefore in this context it is effectively 
lower level - there's doubtless a better phrase to describe this.

Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Tuesday, 19 June 2007 07:14:38 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:42 UTC