Pre-authentication Support for PANA (draft-ietf-pana-preauth-00.txt) - PowerPoint PPT Presentation

Slides: 8
Provided by: ietf
Learn more at: https://www.ietf.org

Transcript and Presenter's Notes

1
Pre-authentication Support for PANA (draft-ietf-pana-preauth-00.txt)
  • Yoshihiro Ohba (yohba_at_tari.toshiba.com)

2
Highlights
  • In IETF63, there was a consensus on making
    pre-authentication support for PANA a work
    item
  • Three issues were identified in IETF63:
      • Distinguishing pre-authentication from normal
        authentication
      • Default accounting behavior
      • More consideration for DoS attack

3
Example Call Flow (PaC-initiated pre-authentication)
Participants: local-PAA, remote-PAA, PaC
Sequence (top to bottom in the diagram):
  • PANA w/o P-flag set
  • Pre-authentication trigger
  • PDI w/ P-flag set
  • PSR w/ P-flag set
  • PSA w/ P-flag set
  • PAR/PAN exchange w/ P-flag set
  • Pre-authorization
  • PBR/PBA exchange w/ P-flag set
  • Movement
  • PUR w/o P-flag set
  • Post-authorization
  • PUA w/o P-flag set

4
Example Call Flow (PAA-initiated pre-authentication)
Participants: local-PAA, remote-PAA, PaC
Sequence (top to bottom in the diagram):
  • PANA w/o P-flag set
  • Pre-authentication trigger
  • PSR w/ P-flag set
  • PSA w/ P-flag set
  • PAR/PAN exchange w/ P-flag set
  • Pre-authorization
  • PBR/PBA exchange w/ P-flag set
  • Movement
  • PUR w/o P-flag set
  • Post-authorization
  • PUA w/o P-flag set

5
Issue: Distinguishing pre-authentication from normal authentication
  • The AAA protocol may need to carry an additional
    attribute so that AAA servers can distinguish
    pre-authentication from normal authentication
  • The distinction could be useful, but this is an
    AAA issue orthogonal to PANA
  • Not addressed in this document

6
Issue: Accounting
  • A PAA that has a pre-authentication SA for a PaC
    may start accounting immediately after the
    pre-authentication
  • Or it may not start accounting until it becomes
    an active PAA
  • Issue: Default accounting behavior should be
    described
  • Added default behavior: PAA starts accounting
    when a pre-authentication SA becomes an active SA

7
Issue: More consideration for DoS
  • Pre-authentication attempts from arbitrary
    networks should not be allowed
  • Added the following sentence in the Security
    Considerations section:
      • "Each access network that supports
        pre-authentication SHOULD block
        pre-authentication attempts from networks from
        which a handover is not likely to occur."
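
The two additions described in the accounting and DoS slides (block pre-authentication from unlikely handover sources; start accounting only when a pre-authentication SA becomes active), modelled as a PAA-side admission and SA-state check. This is an added example, not code from the draft or the presentation; the prefixes, the class and the function names are assumptions, and it models message handling only, not the PANA wire format.

```python
import ipaddress

# Assumption: prefixes of neighbouring access networks from which a handover
# to this network is likely (constructed documentation ranges).
NEIGHBOURS = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/25")]
# Assumption: this PAA's own access network.
LOCAL = ipaddress.ip_network("203.0.113.0/24")


def admit(src_ip: str, p_flag: bool) -> bool:
    """Decide whether to process the first message of an authentication."""
    src = ipaddress.ip_address(src_ip)
    if p_flag:
        # Pre-authentication: only from networks a handover can come from.
        return any(src in net for net in NEIGHBOURS)
    # Normal authentication: the PaC is attached to this access network.
    return src in LOCAL


class Paa:
    """Per-PaC SA state ('pre-auth' or 'active') and accounting status."""

    def __init__(self):
        self.pending = {}        # pac_id -> P-flag of the exchange in progress
        self.sa = {}             # pac_id -> "pre-auth" | "active"
        self.accounting = set()  # pac_ids for which accounting has started

    def start(self, pac_id: str, src_ip: str, p_flag: bool) -> bool:
        """First message of an exchange; dropped before any state is kept."""
        if not admit(src_ip, p_flag):
            return False
        self.pending[pac_id] = p_flag
        return True

    def bound(self, pac_id: str) -> bool:
        """Authentication completed (PBR/PBA in the call flows)."""
        if pac_id not in self.pending:
            return False
        p_flag = self.pending.pop(pac_id)
        self.sa[pac_id] = "pre-auth" if p_flag else "active"
        if not p_flag:  # assumption: a normal SA is active, so account at once
            self.accounting.add(pac_id)
        return True

    def update(self, pac_id: str, p_flag: bool) -> bool:
        """PUR/PUA without the P-flag after movement: pre-auth SA -> active."""
        if p_flag or self.sa.get(pac_id) != "pre-auth":
            return False
        self.sa[pac_id] = "active"
        self.accounting.add(pac_id)  # default behaviour from the accounting slide
        return True
```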