[39060] in North American Network Operators' Group
Re: Cable Modem [really more about PPPoE]
daemon@ATHENA.MIT.EDU (Fletcher E Kittredge)
Tue Jun 26 09:39:12 2001
Message-Id: <200106261338.f5QDcct29784@smtp.gwi.net>
To: Chris Parker <cparker@starnetusa.net>
Cc: nanog@merit.edu
Reply-To: Fletcher E Kittredge <fkittred@gwi.net>
In-reply-to: Your message of "Mon, 25 Jun 2001 17:09:24 CDT."
<5.1.0.14.2.20010625163428.024169c0@mailc.starnetinc.com>
Date: Tue, 26 Jun 2001 09:38:38 -0400
From: Fletcher E Kittredge <fkittred@gwi.net>
Errors-To: owner-nanog-outgoing@merit.edu
On Mon, 25 Jun 2001 17:09:24 -0500 Chris Parker wrote:
> >2) To balance this one special case advantage, radius auth has a
> > number of flaws:
> > i) it is an older protocol designed for a different model of
> > networking and thus is missing many features of DHCP. In
> > particular, clean mechanisms for setting an arbitrary number of
> > client configuration values.
>
> Removing radius-auth from PPPoE for a second, I would hazard that
> with the use of the defined radius VSA format, the number of client
> configuration values is not limited in practical applications.
You know, I started down that path once.
Good luck trying to get Microsoft and Apple to support radius VSA for
configuring clients. Can you imagine what Microsoft would do?
> > ii) public networks, it uses username/password authentication.
> > This is a flawed mechanism for auth. It is insecure[1] and
> > generates a fair amount of support traffic.
>
> You failed to include your [1] reference, so I'm not sure what you
> are refuting here. I would suggest that relying on username/password
> auth via CHAP is less susceptible to spoofing than a MAC address. I'm
> definitely open for other means of authenticating yourself on the
> network.
Sorry about that missing footnote.
[1] Radius is auth mechanism independent. There are probably more
than a dozen currently supported by one implementation or another.
However, for large, public access networks, the only one I know of in
use is username/password.
Username/password is weak authorization. If you don't agree, please
see "Secrets and Lies : Digital Security in a Networked World" by
Bruce Schneier, [John Wiley & Sons, August 2000 ; ISBN: 0471253111 ].
It is an accessible discussion of the issues by an expert.
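The exchange above contrasts CHAP username/password authentication with MAC-address checks. The following is an added example, not code from either poster, showing the CHAP challenge/response computation from RFC 1994 (MD5 over identifier, shared secret and challenge) and why a captured response cannot be replayed against a fresh challenge, while a captured static identifier can; the user name, secret and MAC value are constructed sample data.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapServer:
    """Server side: issues a fresh random challenge per attempt and verifies the answer."""

    def __init__(self, user_db: dict):
        # name -> shared secret; CHAP needs the secret in recoverable form on the server
        self.user_db = user_db
        self.ident = 0

    def challenge(self) -> tuple:
        self.ident = (self.ident + 1) % 256          # 8-bit identifier, wraps
        return self.ident, os.urandom(16)            # unpredictable challenge per attempt

    def verify(self, name: str, ident: int, challenge: bytes, response: bytes) -> bool:
        secret = self.user_db.get(name)
        if secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def demo() -> dict:
    """Legitimate login, then a replay of the captured CHAP response, then a static MAC check."""
    server = ChapServer({"alice": b"constructed-secret"})   # constructed sample account

    ident, chal = server.challenge()
    resp = chap_response(ident, b"constructed-secret", chal)
    legit = server.verify("alice", ident, chal, resp)

    # An observer who captured (ident, chal, resp) replays resp against the next challenge
    ident2, chal2 = server.challenge()
    chap_replay = server.verify("alice", ident2, chal2, resp)

    # A MAC-based check has no challenge: the captured value is accepted verbatim
    allowed_macs = {"00:11:22:33:44:55"}                    # constructed sample MAC
    mac_replay = "00:11:22:33:44:55" in allowed_macs

    return {"legit": legit, "chap_replay": chap_replay, "mac_replay": mac_replay}
```

The replay fails only because the challenge is fresh and unpredictable; CHAP still depends on the strength of the shared secret and on the server holding that secret in cleartext, which is part of why the post calls username/password weak.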