PANA Protocol Update and Open Issues

Slides: 17
Provided by: ietf
Learn more at: https://www.ietf.org

1
PANA Protocol Update and Open Issues
  • IETF 60

2
Since IETF 59
  • Expert reviews by Erik Nordmark, Pasi Eronen, Randy Turner
  • draft-ietf-pana-pana-04,05.txt
  • Resolved: 71-80, 83-85, 91-93, 96-100, 103, 107
  • Still open: 94, 95, 102, 105, 106, 108, 109
  • http://danforsberg.info:8080/pana-issues/

3
Issue 71
  • Issue: PANA-Bind-Request should include the types
    of post-PANA address configuration mechanisms
    available.
  • Resolution: Post-PANA Address Configuration (PPAC) AVP
    carried in PBR/PBA
  • Options: No config, DHCP, RFC2462, RFC3456, IKEv2

4
Issue 72
  • Issue: Currently capability discovery is not
    accomplished until the end of EAP authentication.
    Copying some bits, such as POPA types and
    per-packet protection capability, to PAA
    discovery may be useful for discovering
    capability mismatch early on.
  • Resolution: PSR now includes PPAC and Protection
    Capability AVPs
  • Warning about insecurity of discovery and
    spoofing attacks

5
Issue 73
  • Issue: What type of DI will be used on DSL
    networks? A lower-layer per-packet identifier
    (source address) might not be available in all
    deployments.
  • Resolution:
  • Locally significant identifiers are ok (e.g.,
    circuit id, PPP interface id)
  • DI does not have to be carried in an AVP
  • Some leftovers are creating ambiguity, hence
    issue 104 (need editorial fix)

6
Issue 74
  • Issue: The current design is using PRAR and PRAA
    for mobility feature. We can use PBR and PBA
    instead, which will be better aligned with the
    regular signaling.
  • Resolution:
  • Use PBR/PBA instead
  • -----> PDI
  • <----- PSR
  • -----> PSASessionID
  • <----- PBR
  • -----> PBA

7
Issue 78
  • Issue: EAP pass-through authenticator may fail
    authentication without an EAP-Failure message
    being forwarded to the EAP peer
  • Resolution: Send PANA-Error with
    PANA_UNABLE_TO_COMPLY code

8
Issue 79
  • Issue: Should PANA support the case where EAP
    authentication succeeds but network access
    authorization fails due to, e.g., authorization
    rejected by a AAA proxy or authorization locally
    rejected by a PAA?
  • Resolution: PBR result codes
  • PANA_SUCCESS
  • PANA_AUTHORIZATION_REJECTED
  • PANA_AUTHENTICATION_REJECTED

9
Issue 85
  • Issue: If PRPA is replaced by POPA, PAA needs to
    be notified
  • Resolution: PaC sends PANA-Update-Request with
    IP-Address AVP.
  • Side fix: PANA-reauth MUST include MAC AVP only
    when PANA SA is available

10
Issue 98
  • Issue: PANA answers may be lost. PaC/PAA should
    be ready to respond to retransmitted requests.
  • Resolution:
  • PANA-auth-req responses are driven by EAP
  • MAY respond to duplicate PANA-termination-req
  • SHOULD respond to any other duplicate requests
  • Section 4.7 and 4.11 are duplicates (bug).

11
Issue 100
  • Issue: Due to retransmissions and window of
    acceptable seq. numbers, ISN_ on PAA and PaC may
    differ. ISNs are used in PANA_MAC_Key
    computation.
  • Resolution:
  • Carry Nonce values in PSR and PSA
  • Use nonce values instead of ISNs in key
    computation.

12
Issue 107
  • Issue: Current seq. no scheme does not
    accommodate rexmited rseq

       PaC        PAA    (tseq,rseq)
    1     <------        (x,y)
    2     -->..          (y+1,x)   msg lost
    3     <------        (x+1,y)

  • PaC drops msg 3 because y was already
    acknowledged.
  • Resolution: Relax the expected rseq window to
    allow rexmit of rseq
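
The three-message exchange of Issue 107, replayed against a strict and a relaxed receiver check. This is an added example, not code from the draft or the presentation; the `Endpoint` class, the concrete values of x and y, and the exact window bounds (accepting the previous rseq as well as the latest) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Msg:
    tseq: int  # sender's own sequence number for this message
    rseq: int  # last peer sequence number the sender has accepted

class Endpoint:
    """Receiver-side sequence check for one PANA peer (simplified model)."""

    def __init__(self, next_tseq, peer_tseq, relaxed):
        self.next_tseq = next_tseq  # tseq of the next message we will send
        self.peer_tseq = peer_tseq  # highest tseq accepted from the peer
        self.relaxed = relaxed      # True = relaxed rseq window (assumed bounds)

    def send(self):
        msg = Msg(self.next_tseq, self.peer_tseq)
        self.next_tseq += 1
        return msg

    def accept(self, msg):
        last_sent = self.next_tseq - 1
        if msg.tseq != self.peer_tseq + 1:
            return False  # not the next in-order message from the peer
        if self.relaxed:
            # Assumption: also accept the previous rseq, so a peer that missed
            # our latest message can still be heard.
            rseq_ok = msg.rseq in (last_sent - 1, last_sent)
        else:
            rseq_ok = msg.rseq == last_sent  # strict: must ack our latest
        if rseq_ok:
            self.peer_tseq = msg.tseq
        return rseq_ok

def run_scenario(relaxed, x=100, y=200):
    """Replay the three messages of the slide from the PaC's point of view."""
    pac = Endpoint(next_tseq=y + 1, peer_tseq=x - 1, relaxed=relaxed)
    accepted = [pac.accept(Msg(x, y))]          # msg 1: PAA -> PaC (x, y)
    pac.send()                                  # msg 2: PaC -> PAA (y+1, x), lost
    accepted.append(pac.accept(Msg(x + 1, y)))  # msg 3: PAA -> PaC (x+1, y)
    return accepted

if __name__ == "__main__":
    print("strict :", run_scenario(relaxed=False))
    print("relaxed:", run_scenario(relaxed=True))
```

The relaxed check still rejects an rseq older than the previous one, so the window widens by a single value rather than disappearing.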

13
Others
  • Issue 75: Clarify why DI is exchanged (prevent
    MitM).
  • Issue 76: Clarify rate limiting re-authentication
    (coordination not necessary).
  • Issue 77: Overlap between pana-pana and pana-fwk
    (remove text from former).
  • Issue 80: Remove Appendix on sequence number
    scheme discussion.
  • Issue 83: Use Diameter Address type format
    instead of re-inventing.
  • Issue 84: Editorial

14
Others
  • Issue 91: Editorial on explanatory content and
    flow (more actions needed under Issue 102)
  • Issue 92: Incorrect no. of parameters to SHA1
  • Cookie <secret-version> HMAC_SHA1( <Device-Id
    of PaC> , <secret>)
  • Issue 93: Clarify vendor-IDs are SMI enterprise
    numbers (IANA)
  • Issue 96: EAP-TLS should be an informative
    reference.
  • Issue 97: The retransmission behavior seems quite
    complicated (proposals on the ML please!)
  • Issue 99: Missing IANA considerations section (in
    accordance with BCP 26).
  • Issue 103: Clarification on Session and Session
    ID.
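
The cookie expression under Issue 92, worked through as cookie generation and verification with a versioned secret. This is an added example, not code from the draft or the presentation. It assumes the secret version is a one-byte prefix concatenated with the HMAC output and that the verifier keeps a small table of secrets by version; the secrets and Device-Id values are constructed.

```python
import hashlib
import hmac

# Constructed secrets keyed by a 1-byte version (assumption). Keeping the
# previous version lets cookies issued just before a rotation still verify.
SECRETS = {1: b"constructed-old-secret", 2: b"constructed-current-secret"}
CURRENT_VERSION = 2
SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes

def make_cookie(device_id: bytes, version: int = CURRENT_VERSION) -> bytes:
    """<secret-version> followed by HMAC_SHA1(<Device-Id of PaC>, <secret>)."""
    # Python's hmac.new takes the key first and the data second.
    mac = hmac.new(SECRETS[version], device_id, hashlib.sha1).digest()
    return bytes([version]) + mac

def verify_cookie(cookie: bytes, device_id: bytes) -> bool:
    """Recompute the cookie from the Device-Id; no per-PaC state is needed."""
    if len(cookie) != 1 + SHA1_LEN:
        return False              # truncated or padded cookie
    secret = SECRETS.get(cookie[0])
    if secret is None:
        return False              # unknown or retired secret version
    expected = hmac.new(secret, device_id, hashlib.sha1).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(cookie[1:], expected)

if __name__ == "__main__":
    pac = b"\x00\x11\x22\x33\x44\x55"  # constructed Device-Id (MAC address)
    cookie = make_cookie(pac)
    print("valid for issuing PaC:", verify_cookie(cookie, pac))
    print("valid for another PaC:", verify_cookie(cookie, b"\x00\x11\x22\x33\x44\x66"))
```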

15
Still Open
  • Issue 94, 95: Editorial on security
    considerations
  • Issue 102: Reorganize the text flow (editorial)
  • Issue 105: Ambiguity on two types of
    reauthentication (EAP- and non-EAP-based).
  • Issue 106: Should rexmited msg have the same seq
    no?
  • Issue 108: Session migration from one interface
    to another
  • Issue 109: Adjusting the AVP and PANA msg field
    sizes

16
Next Steps
  • Fix the open issues
  • Publish -06
  • Go to WG last call