> My question is more why do they need EAP in situations where they are
> not running at the link layer than why do they want or not want PANA.

The simple answer is that there are situations which IEEE 802.1X cannot handle on wired networks. As specified, IEEE 802.1X is "network port control", which means that authorization is controllable only at the port level. If there is more than one host connected to a switch port, then that model no longer applies.

For example, consider a user with two machines attached to a hub on a single port - a laptop and a desktop machine. The desktop authenticates via machine credentials, and for some reason the certificate has expired without being renewed. The laptop has up-to-date credentials. However, because they are both connected to the same port, they will each attempt to authenticate; since the desktop machine no longer has up-to-date credentials, its authentication will fail, causing port access to be denied and throwing the laptop off the network. The two machines will continue to cycle through authentication attempts, causing the port to alternately be opened and closed.

Some of the solutions that have been discussed include:

a. For the switch to keep MAC state on each port, which requires an additional CAM, and therefore a forklift upgrade; OR

b. For the switch to support protected Ethernet (802.1ae) and associated key management (802.1af) so that traffic from each host can be cryptographically separated, also requiring an (even more expensive) forklift upgrade; OR

c. For the hosts and routers to support EAP over UDP. Typically this works by having the router recognize a new host (e.g. a new entry in the ARP table), then challenging it via EAP over UDP. If the host successfully authenticates, packets from that IP address are allowed to pass through the router filter; otherwise not.
Of these approaches, b) is the most secure, since it enables cryptographic separation between traffic from different MAC addresses, preventing MAC address piggyback attacks as well as enabling reliable "shared media" operation. However, it is also the most expensive approach, since each port now needs to support encryption; at line rates of 1+ Gbps this can be pricey. Approach a) is less expensive (and less secure) than b), but also requires a forklift upgrade. Approach c) is probably the least secure, but it is also the least expensive approach, since no switch ports need to be upgraded.

One might argue that approach c) is likely to represent a short-term fix until switches supporting a) or b) are commonly available, and therefore that EAP over UDP has no long-term future. I would tend to agree with this, but would also observe that switches tend to have long replacement cycles. For example, it is common to see customers with Cat 5K switches that have been in place for nearly a decade with no immediate prospects for replacement. Those kinds of customers are likely to find EAP over UDP appealing.

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
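The port-flapping scenario in the message, and the three alternatives it lists, as an added toy simulation that is not part of the original e-mail or of any IETF work. It models only the authorization decision: a single per-port flag for 802.1X port control, a per-source-MAC table for option (a), and a per-IP router filter opened after a challenge for option (c). The hosts, MAC and IP addresses (documentation ranges) and the expired-certificate flag are constructed; `authenticate()` stands in for the EAP exchange and does not speak EAP.

```python
"""Added example, not part of the original e-mail: a toy model of the three
authorization models discussed (802.1X port control, per-MAC state, and an
EAP-over-UDP style per-IP filter at the router).  Hosts, MACs, IPs and
credentials are constructed for the simulation; nothing here speaks EAP."""
from dataclasses import dataclass


@dataclass
class Host:
    mac: str
    ip: str
    cert_valid: bool  # constructed: is the machine certificate still current?

    def authenticate(self) -> bool:
        """Stand-in for the EAP exchange: succeeds only with a valid credential."""
        return self.cert_valid


class PortControlSwitch:
    """802.1X as specified: one authorized/unauthorized flag per physical port,
    so the most recent authentication result on the port decides for every
    host behind it."""

    def __init__(self) -> None:
        self.port_authorized = False

    def on_new_host(self, host: Host) -> None:
        self.port_authorized = host.authenticate()

    def forwards(self, host: Host) -> bool:
        return self.port_authorized


class PerMacSwitch:
    """Option (a): the switch keeps authorization state per source MAC."""

    def __init__(self) -> None:
        self.authorized: dict[str, bool] = {}

    def on_new_host(self, host: Host) -> None:
        self.authorized[host.mac] = host.authenticate()

    def forwards(self, host: Host) -> bool:
        return self.authorized.get(host.mac, False)


class EapOverUdpRouter:
    """Option (c): the router notices a new ARP entry, challenges the host, and
    opens its packet filter for that IP address on success.  The decision is
    keyed by IP, so it is only as strong as the IP-to-host binding."""

    def __init__(self) -> None:
        self.allowed_ips: set[str] = set()

    def on_new_host(self, host: Host) -> None:
        # ARP learned a new neighbour: challenge it over EAP/UDP (modelled).
        if host.authenticate():
            self.allowed_ips.add(host.ip)
        else:
            self.allowed_ips.discard(host.ip)

    def forwards(self, host: Host) -> bool:
        return host.ip in self.allowed_ips


def simulate(device, hosts: list[Host], rounds: int) -> list[dict[str, bool]]:
    """Hosts take turns (re)authenticating through `device`; after each
    attempt, record which hosts the device will forward traffic for."""
    trace = []
    for i in range(rounds):
        device.on_new_host(hosts[i % len(hosts)])
        trace.append({h.mac: device.forwards(h) for h in hosts})
    return trace


def flap_count(trace: list[dict[str, bool]], mac: str) -> int:
    """How many times the forwarding decision for `mac` changed."""
    states = [snap[mac] for snap in trace]
    return sum(1 for a, b in zip(states, states[1:]) if a != b)


# Constructed scenario from the message: the laptop has current credentials,
# the desktop's certificate has expired; both hang off a hub on one port.
LAPTOP = Host(mac="00:00:5e:00:53:01", ip="192.0.2.11", cert_valid=True)
DESKTOP = Host(mac="00:00:5e:00:53:02", ip="192.0.2.12", cert_valid=False)


def run_all(rounds: int = 6) -> dict[str, int]:
    """Laptop flap count under each model over `rounds` alternating attempts."""
    hosts = [LAPTOP, DESKTOP]
    return {
        "port-control": flap_count(simulate(PortControlSwitch(), hosts, rounds), LAPTOP.mac),
        "per-mac": flap_count(simulate(PerMacSwitch(), hosts, rounds), LAPTOP.mac),
        "eap-over-udp": flap_count(simulate(EapOverUdpRouter(), hosts, rounds), LAPTOP.mac),
    }


if __name__ == "__main__":
    for model, flaps in run_all().items():
        print(f"{model:13s} laptop forwarding state changed {flaps} times")
```

Under the port-control model the laptop's forwarding state changes on every round because the desktop's failed attempt closes the whole port; under the per-MAC and per-IP models it is opened once and stays open while the desktop stays blocked. The per-IP variant also makes the weakness of option (c) visible: the filter trusts the address, not the host, so anything that can claim an authorized IP inherits its access.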