Bernard Aboba wrote:
> My question is more why do they need EAP in situations where they are
> not running at the link layer than why do they want or not want PANA.
> The simple answer is that there are situations which IEEE 802.1X cannot
> handle on wired networks. As specified, IEEE 802.1X is "network port
> control", which means that authorization is controllable only at the port
> level. If there is more than one host connected to a switch port, then
> that model no longer applies.
That is exactly the problem of aDSL here in Germany. The line ends in a
modem at my home and I can connect as many clients as I want, using
different accounts on one ISP or even connect to different ISPs. So aDSL
here is a many-to-many connection with people tunneling via PPPoE.
> For example, consider a user with two machines attached to a hub on a
> single port - a laptop and a desktop machine. The desktop authenticates
> via machine credentials, and for some reason the certificate has expired
> without being renewed. The laptop has up to date credentials. However,
> because they are both connected to the same port, they will each attempt
> to authenticate; since the desktop machine no longer has up to date
> credentials, its authentication will fail, causing port access to be
> denied, throwing the laptop off the network. The two machines will
> continue to cycle through authentication attempts, causing the port to
> alternately be open and closed.
> Some of the solutions that have been discussed include:
> a. For the switch to keep MAC state on each port, which requires an
> additional CAM, and therefore a forklift upgrade, OR
> b. For the switch to support protected Ethernet (802.1ae) and associated
> key management (802.1af) so that traffic from each host can be
> cryptographically separated, also requiring an (even more expensive)
> forklift upgrade; OR
> c. For the host and routers to support EAP over UDP. Typically this works
> by having the router recognize a new host (e.g. new entry in the ARP
> table), then challenging it via EAP over UDP. If the host successfully
> authenticates, packets from that IP address are allowed to pass through
> the router filter; otherwise not.
> Of these approaches, b) is the most secure since it enables cryptographic
> separation between traffic from different MAC addresses, preventing
> MAC address piggyback attacks as well as enabling reliable "shared media"
> operation. However, it is also the most expensive approach, since each
> port now needs to support encryption; at line rates of 1+ Gbps this can
> be pricey.
> Approach a) is less expensive (and less secure) than b), but also requires
> a forklift upgrade.
> Approach c) is probably the least secure, but it is also the
> least expensive approach, since no switch ports need to be upgraded.
> One might argue that approach c) is likely to represent a short-term fix
> until switches supporting a) or b) are commonly available, and therefore
> that EAP over UDP has no long-term future. I would tend to agree with
> this, but would also observe that switches tend to have long replacement
> cycles. For example, it is common to see customers with Cat 5K switches
> that have been in place for nearly a decade with no immediate prospects
> for replacement. Those kinds of customers are likely to find EAP over UDP
> appealing.
--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
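An added model of the three authorization granularities Bernard's message compares (port-level 802.1X, per-MAC state as in approach a, and a per-IP router filter opened after EAP over UDP as in approach c), run against his hub scenario. This is illustration code written for this thread, not anything from the discussion or a product; the MAC and IP values are constructed.

```python
from collections import namedtuple

Host = namedtuple("Host", "mac ip creds_valid")  # creds_valid: credentials current

class PortLevelAuth:
    """IEEE 802.1X as specified: a single authorized bit for the whole port."""
    def __init__(self):
        self.authorized = False
    def attempt(self, host):
        self.authorized = host.creds_valid  # last authenticator decides for all
    def allowed(self, host):
        return self.authorized

class PerMacAuth:
    """Approach (a): the switch keeps authorization state per MAC address."""
    def __init__(self):
        self.auth = {}
    def attempt(self, host):
        self.auth[host.mac] = host.creds_valid
    def allowed(self, host):
        return self.auth.get(host.mac, False)

class PerIpFilter:
    """Approach (c): the router challenges each newly seen host via EAP over UDP
    and opens its filter for that source IP on success (keyed on IP only)."""
    def __init__(self):
        self.passing = set()
    def attempt(self, host):
        if host.creds_valid:
            self.passing.add(host.ip)
        else:
            self.passing.discard(host.ip)
    def allowed(self, host):
        return host.ip in self.passing

def hub_scenario():
    """Constructed sample: desktop with an expired certificate, laptop with valid
    credentials, both behind one hub on a single switch port (values made up)."""
    return [Host("00:00:5e:00:53:01", "192.0.2.10", False),
            Host("00:00:5e:00:53:02", "192.0.2.11", True)]

def simulate(policy, hosts, rounds=2):
    """Every host re-attempts authentication each round, as in the cycling the
    mail describes. Returns (desktop_allowed, laptop_allowed) after each attempt."""
    history = []
    for _ in range(rounds):
        for h in hosts:
            policy.attempt(h)
            history.append(tuple(policy.allowed(x) for x in hosts))
    return history
```

Under the port-level policy the laptop's access flaps with every desktop failure and the expired desktop rides along whenever the laptop succeeds; the per-MAC and per-IP policies keep the two hosts' outcomes independent.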