* Bernard Aboba:

>> My question is more why do they need EAP in situations where they are
>> not running at the link layer than why do they want or not want PANA.
>
> The simple answer is that there are situations which IEEE 802.1X cannot
> handle on wired networks. As specified, IEEE 802.1X is "network port
> control", which means that authorization is controllable only at the port
> level. If there is more than one host connected to a switch port, then
> that model no longer applies.

Isn't this just a "don't do that, then" scenario? Plugging in a hub tends to undermine much of the accountability 802.1X is supposed to provide.

Anyway, 802.1X is terminally broken because end users can rewire that port and bypass security policies (put a laptop with bridging software onto it, plug in a hub, and so on). It's very hard to solve this problem at a sub-IP layer because you need an ARP replacement which is tied to the port (physical layer) and IP routing (network layer) at the same time, and in a secure fashion. And without some cryptography on the payload, you still won't be able to tell two hosts on the same port apart.

My personal conclusion from this mess is to give up trying to make the sub-IP layers secure, but start directly at the IP layer.

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
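The port-level authorization problem the thread describes (one supplicant authenticates, then a hub or a bridging laptop lets other hosts ride that port's authorization) is detectable in the simplest case by comparing the switch's 802.1X session table with its MAC address table. The following is an added example, not code from the original post or from any IETF or vendor project: the MAC table text and the session map are constructed sample data, and the line layout only loosely imitates a Cisco IOS "show mac address-table" listing, which is an assumption rather than real switch output.

```python
import re
from collections import defaultdict

# Constructed sample of a switch MAC table (hypothetical data; the
# column layout loosely follows Cisco IOS "show mac address-table"
# output but is an assumption, not captured from a real switch).
#   VLAN  MAC address     type     port
MAC_TABLE = """\
  10    0011.2233.4455  DYNAMIC  Gi1/0/5
  10    0011.2233.4466  DYNAMIC  Gi1/0/5
  10    0011.2233.4477  DYNAMIC  Gi1/0/5
  20    00aa.bbcc.dd01  DYNAMIC  Gi1/0/6
  20    00aa.bbcc.dd02  DYNAMIC  Gi1/0/7
  20    00aa.bbcc.dd02  DYNAMIC  Gi1/0/7
"""

# Constructed 802.1X session table: the single MAC each port
# authenticated (single-host mode). Hypothetical data.
DOT1X_SESSIONS = {
    "Gi1/0/5": "0011.2233.4455",
    "Gi1/0/6": "00aa.bbcc.dd01",
    "Gi1/0/7": "00aa.bbcc.dd02",
}

# One MAC table row: vlan, dotted-hex MAC, entry type, port.
MAC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return {port: set of MACs seen on that port} from the table text.

    Header, blank and otherwise unparseable lines are skipped.
    """
    by_port = defaultdict(set)
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if not m:
            continue
        _vlan, mac, port = m.groups()
        by_port[port].add(mac.lower())
    return by_port


def find_piggybacking(sessions, mac_table_text):
    """For each 802.1X-authorized port, list MACs that are not the
    authenticated supplicant.

    Any such MAC belongs to a host that is using the port's authorization
    without having authenticated itself: the hub / bridging-laptop case
    from the thread. Returns {port: sorted list of unauthenticated MACs},
    with only offending ports present.
    """
    by_port = parse_mac_table(mac_table_text)
    findings = {}
    for port, auth_mac in sessions.items():
        extra = sorted(by_port.get(port, set()) - {auth_mac.lower()})
        if extra:
            findings[port] = extra
    return findings


if __name__ == "__main__":
    for port, macs in find_piggybacking(DOT1X_SESSIONS, MAC_TABLE).items():
        print(f"{port}: unauthenticated MACs behind authorized port: {macs}")
```

In the sample data only Gi1/0/5 is flagged: it authenticated 0011.2233.4455 but also carries two other source MACs, which is what a hub behind the port looks like from the switch. The check is deliberately a heuristic. A bridging host that rewrites the source MAC of everything it forwards shows the switch exactly one MAC, and the switch then has no sub-IP signal left to tell the two hosts apart, which is the same point the post makes about needing cryptography on the payload.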