Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Cable Modem [really more about PPPoE]

  • From: William Allen Simpson
  • Date: Tue Jun 26 12:22:51 2001

Fletcher E Kittredge wrote:
> 
> On Tue, 26 Jun 2001 00:21:46 -0400  William Allen Simpson wrote:
> > RADIUS (speaking as one of the original authors) has nothing to do with
> > PPP.  It was just a simple mechanism to communicate to a NAS for
> > authentication purposes.
> 
> Correct.  Let me restate that again.  Radius was designed for an
> different purpose than for authenticating in an IPoE environment.
> There is no NAS in an well designed IPoE environment.
> 
There is no such thing as a "well designed IPoE environment", that's 
a contradiction in terms.  But there is ALWAYS a Network Access Server!  
Unless, you are postulating something without network access, in which 
case why are you pontificating on NANOG?

RADIUS was designed for authentication.  (It's in the name.)  Cable 
needs authentication, too, as all its users are "Remote".


>... DHCP only does a fraction of what Radius does; DHCP only
> allocates IPs and "suggests" client parameters.  No accounting... No
> auth...  Personally, I think that multiple protocols, one for each
> task, is a better approach.
> 
We are in agreement on the latter.  Which is why there are separate 
protocols, instead of 1. 

However, you seem to have some misconceptions.  DHCP is a "Host" 
protocol.  RADIUS is a "Server" protocol.  (It's in the names.)  Hosts 
never talk RADIUS.

The host to NAS authentication protocols vary.  For serial point-to-
point links, PPP is the natural mechanism.  For multipoint broadcast 
media, we developed IPsec tunnels.

There are other efforts, such as 802.1x.  It could fill the niche, but 
has complicated problems, and has not seen much deployment.  And unlike 
IPsec, it is not well integrated with privacy.


>...
> I am having problems visualizing how Kerberos' ticket model would work
> in a public access network with potentially hundreds of thousands of
> users wandering on and off in millions of short lived sessions per
> day (check for mail every five minutes...)
> 
Works here....  OK, only tens of thousands, but if you are postulating 
hundreds of thousands on a single cable, you will be rather seriously 
oversubscribed.  

(I have seen Kerberos used across realms throughout North America, with 
potentially hundreds of thousands of simultaneous users.  I have seen 
Kerberos used as a backend for RADIUS users.  The pioneering code was 
done at Merit, which should not surprise anyone :-)

-- 
William Allen Simpson
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.