PANA Protocol Update and Open Issues - PowerPoint PPT Presentation

About This Presentation
Title:

PANA Protocol Update and Open Issues

Description:

Some leftovers are creating ambiguity, hence issue 104 (need editorial fix) 6 ... Issue 105: Ambiguity on two types on reauthentication (EAP- and non-EAP-based) ... – PowerPoint PPT presentation

Number of Views:53
Avg rating:3.0/5.0
Slides: 17
Provided by: ietf
Learn more at: https://www.ietf.org
Category:

less

Transcript and Presenter's Notes

Title: PANA Protocol Update and Open Issues


1
PANA Protocol Update and Open Issues
  • IETF 60

2
Since IETF 59
  • Expert reviews by
  • Erik Nordmark, Pasi Eronen, Randy Turner
  • draft-ietf-pana-pana-04,05.txt
  • Resolved
  • 71-80, 83-85, 91-93, 96-100, 103, 107
  • Still open
  • 94, 95, 102, 105, 106, 108, 109
  • http//danforsberg.info8080/pana-issues/

3
Issue 71
  • Issue PANA-Bind-Request should include the types
    of post-PANA address configuration mechanisms
    available.
  • Resolution
  • Post-PANA Address Configuration (PPAC) AVP
    carried in PBR/PBA
  • Options No config, DHCP, RFC2462, RFC3456, IKEv2

4
Issue 72
  • Issue Currently capability discovery is not
    accomplished until the end of EAP authentication.
    Copying some bits, such as POPA types and
    per-packet protection capability, to PAA
    discovery may be useful for discovering
    capability mismatch early on.
  • Resolution PSR now includes PPAC and Protection
    Capability AVPs
  • Warning about insecurity of discovery and
    spoofing attacks

5
Issue 73
  • Issue What type of DI will be used on DSL
    networks? A lower-layer per-packet identifier
    (source address) might not be available in all
    deployments.
  • Resolution
  • Locally significant identifiers are ok (e.g.,
    circuit id, PPP interface id)
  • DI does not have to be carried in an AVP
  • Some leftovers are creating ambiguity, hence
    issue 104 (need editorial fix)

6
Issue 74
  • Issue The current design is using PRAR and PRAA
    for mobility feature. We can use PBR and PBA
    instead, which will be better aligned with the
    regular signaling.
  • Resolution
  • Use PBR/PBA instead
  • -----gt PDI
  • lt----- PSR
  • -----gt PSASessionID
  • lt----- PBR
  • -----gt PBA

7
Issue 78
  • Issue EAP pass-through authenticator may fail
    authentication without an EAP-Failure message
    being forwarded to the EAP peer
  • Resolution Send PANA-Error with
    PANA_UNABLE_TO_COMPLY code

8
Issue 79
  • Issue Should PANA support the case where EAP
    authentication succeeds but network access
    authorization fails due to, e.g., authorization
    rejected by a AAA proxy or authorization locally
    rejected by a PAA?
  • Resolution PBR result codes
  • PANA_SUCCESS
  • PANA_AUTHORIZATION_REJECTED
  • PANA_AUTHENTICATION_REJECTED

9
Issue 85
  • Issue If PRPA is replaced by POPA, PAA needs to
    be notified
  • Resolution PaC sends PANA-Update-Request with
    IP-Address AVP.
  • Side fix PANA-reauth MUST include MAC AVP only
    when PANA SA is available

10
Issue 98
  • Issue PANA answers may be lost. PaC/PAA should
    be ready to respond to retransmitted requests.
  • Resolution
  • PANA-auth-req responses are driven by EAP
  • MAY respond to duplicate PANA-termination-req
  • SHOULD respond to any other duplicate requests
  • Section 4.7 and 4.11 are duplicates (bug).

11
Issue 100
  • Issue Due to retranmissions and window of
    acceptable seq. numbers, ISN_ on PAA and PaC may
    differ. ISNs are used in PANA_MAC_Key
    computation.
  • Resolution
  • Carry Nonce values in PSR and PSA
  • Use nonce values instead of ISNs in key
    computation.

12
Issue 107
  • Issue Current seq. no scheme does not
    accommodate rexmited rseq

PaC PAA (tseq,rseq) 1 lt------ (x,y) 2
--gt.. (y1,x) msg lost 3 lt------
(x1,y)
  • PaC drops msg 3 because y was already
    acknowledged.
  • Resolution Relax the expected rseq window to
    allow rexmit of rseq

13
Others
  • Issue 75 Clarify why DI is exchanged (prevent
    MitM).
  • Issue 76 Clarify rate limiting re-authentication
    (coordination not necessary).
  • Issue 77 Overlap between pana-pana and pana-fwk
    (remove text from former).
  • Issue 80 Remove Appendix on sequence number
    scheme discussion.
  • Issue 83 Use Diameter Address type format
    instead of re-inventing.
  • Issue 84 Editorial

14
Others
  • Issue 91 Editorial on explanatory content and
    flow (more actions needed under Issue 102)
  • Issue 92 Incorrect no. of parameters to SHA1
  • Cookie ltsecret-versiongt HMAC_SHA1( ltDevice-Id
    of PaCgt , ltsecretgt)
  • Issue 93 Clarify vendor-IDs are SMI enterprise
    numbers (IANA)
  • Issue 96 EAP-TLS should be an informative
    reference.
  • Issue 97 The retransmission behavior seems quite
    complicated (proposals on the ML please!)
  • Issue 99 Missing IANA considerations section (in
    accordance with BCP 26).
  • Issue 103 Clarification on Session and Session
    ID.

15
Still Open
  • Issue 94 95 Editorial on security
    considerations
  • Issue 102 Reorganize the text flow (editorial)
  • Issue 105 Ambiguity on two types on
    reauthentication (EAP- and non-EAP-based).
  • Issue 106 Should rexmited msg have the same seq
    no?
  • Issue 108 Session migration from one interface
    to another
  • Issue 109 Adjusting the AVP and PANA msg field
    sizes

16
Next Steps
  • Fix the open issues
  • Publish -06
  • Go to WG last call
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "PANA Protocol Update and Open Issues" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!