North American Network Operators Group
Re: Cable Modem [really more about PPPoE]
- From: William Allen Simpson
- Date: Tue Jun 26 12:22:51 2001
Fletcher E Kittredge wrote:
> On Tue, 26 Jun 2001 00:21:46 -0400 William Allen Simpson wrote:
> > RADIUS (speaking as one of the original authors) has nothing to do with
> > PPP. It was just a simple mechanism to communicate to a NAS for
> > authentication purposes.
> Correct. Let me restate that again. Radius was designed for a
> different purpose than for authenticating in an IPoE environment.
> There is no NAS in a well designed IPoE environment.
There is no such thing as a "well designed IPoE environment", that's
a contradiction in terms. But there is ALWAYS a Network Access Server!
Unless, you are postulating something without network access, in which
case why are you pontificating on NANOG?
RADIUS was designed for authentication. (It's in the name.) Cable
needs authentication, too, as all its users are "Remote".
> ... DHCP only does a fraction of what Radius does; DHCP only
> allocates IPs and "suggests" client parameters. No accounting... No
> auth... Personally, I think that multiple protocols, one for each
> task, is a better approach.
We are in agreement on the latter. Which is why there are separate
protocols, instead of 1.
However, you seem to have some misconceptions. DHCP is a "Host"
protocol. RADIUS is a "Server" protocol. (It's in the names.) Hosts
never talk RADIUS.
The host to NAS authentication protocols vary. For serial point-to-
point links, PPP is the natural mechanism. For multipoint broadcast
media, we developed IPsec tunnels.
There are other efforts, such as 802.1x. It could fill the niche, but
has complicated problems, and has not seen much deployment. And unlike
IPsec, it is not well integrated with privacy.
> I am having problems visualizing how Kerberos' ticket model would work
> in a public access network with potentially hundreds of thousands of
> users wandering on and off in millions of short lived sessions per
> day (check for mail every five minutes...)
Works here.... OK, only tens of thousands, but if you are postulating
hundreds of thousands on a single cable, you will be rather seriously
(I have seen Kerberos used across realms throughout North America, with
potentially hundreds of thousands of simultaneous users. I have seen
Kerberos used as a backend for RADIUS users. The pioneering code was
done at Merit, which should not surprise anyone :-)
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
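The post's central point is that RADIUS runs between the Network Access Server and the authentication server, never between the subscriber host and anything: the host authenticates to the NAS (PPP, IPsec, and so on), and the NAS relays the credential to RADIUS over a shared secret. The following is an added example, not code from the post or from any of the projects it mentions, showing that NAS-to-server leg as specified in RFC 2865: a NAS builds an Access-Request with a hidden User-Password, the server recovers the password and replies with a signed Access-Accept or Access-Reject, and the NAS verifies the Response Authenticator before trusting the verdict. The shared secret, user table, NAS address and Identifier value are constructed sample values; the function names are this example's own.

```python
import hashlib
import hmac
import os
import struct

# Added example (not from the NANOG post): minimal RFC 2865 RADIUS
# Access-Request / Access-Accept exchange between a NAS and a RADIUS server.
# Secret, user table and addresses are constructed sample values.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS Code field
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4       # attribute types


def encode_attr(attr_type, value):
    """Type (1 byte), Length (1 byte, includes the header), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(secret, request_auth, password):
    """RFC 2865 s.5.2: XOR each 16-byte block of the zero-padded password with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(secret, request_auth, hidden):
    """Server-side inverse of hide_password; trailing pad bytes are dropped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    """Code, Identifier, Length (whole packet), Authenticator, Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        attrs[t] = data[pos + 2:pos + l]
        pos += l
    return code, ident, data[4:20], attrs


def response_authenticator(secret, code, ident, request_auth, attrs):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s.3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def nas_build_access_request(secret, ident, request_auth, username, password, nas_ip):
    """The NAS relays what the host presented to it; the host never sees RADIUS."""
    attrs = encode_attr(USER_NAME, username)
    attrs += encode_attr(USER_PASSWORD, hide_password(secret, request_auth, password))
    attrs += encode_attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(secret, users, request):
    """The RADIUS server: recover the password, decide, sign the reply."""
    _, ident, req_auth, attrs = parse_packet(request)
    password = reveal_password(secret, req_auth, attrs.get(USER_PASSWORD, b""))
    code = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(secret, code, ident, req_auth, b""), b"")


def nas_verify_response(secret, ident, request_auth, response):
    """Accept a reply only if its Identifier matches the outstanding request and
    its Response Authenticator was computed with the shared secret."""
    code, rid, auth, _ = parse_packet(response)
    expected = response_authenticator(secret, code, rid, request_auth, response[20:])
    return rid == ident and hmac.compare_digest(auth, expected)


def run_exchange(secret, users, username, password, ident=7, request_auth=None):
    """One NAS <-> server round trip; returns (reply code, NAS verified reply?)."""
    request_auth = request_auth or os.urandom(16)
    request = nas_build_access_request(secret, ident, request_auth, username, password, "192.0.2.10")
    response = server_handle(secret, users, request)
    return parse_packet(response)[0], nas_verify_response(secret, ident, request_auth, response)


def spoofed_accept(ident, request_auth):
    """An Access-Accept built without the shared secret; the NAS must reject it."""
    return build_packet(ACCESS_ACCEPT, ident, os.urandom(16), b"")


if __name__ == "__main__":
    secret, users = b"constructed-shared-secret", {b"alice": b"correct horse battery"}
    print(run_exchange(secret, users, b"alice", b"correct horse battery"))  # (2, True)
    print(run_exchange(secret, users, b"alice", b"wrong"))                  # (3, True)
    ra = os.urandom(16)
    print(nas_verify_response(secret, 7, ra, spoofed_accept(7, ra)))        # False
```

Two things the exchange makes concrete: the only party that ever holds the shared secret besides the server is the NAS, which is why a RADIUS deployment lives on the NAS-to-server side and a subscriber host has nothing to say in it; and the NAS-side check on the Response Authenticator is what stops a reply from anyone who lacks the secret from being taken as an Access-Accept. The MD5-and-shared-secret construction is the RFC 2865 design and is the weakest part of the protocol, so the NAS-to-server path is normally confined to a management network rather than exposed to subscribers.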