
Pre-authentication Support for PANA (draft-ohba-pana-preauth-00.txt)



  1. Pre-authentication Support for PANA (draft-ohba-pana-preauth-00.txt)
  Yoshihiro Ohba (yohba@tari.toshiba.com)
  IETF63 PANA WG

  2. Background
  • When a PaC moves from one access network to another, a PANA session in the new access network should be established as fast as possible
  • Existing solutions rely on transferring PANA session attributes between PAAs:
    • CTP-based solution
      • draft-ietf-pana-mobopts (PANA part)
      • draft-bournelle-pana-ctp (CTP part)
    • FMIPv6-based solution
      • draft-hiko-pana-fpana (combining PANA and FMIPv6)
  • The above solutions are not readily applicable to the following scenarios
    • Inter-administrative domain handovers
    • Heterogeneous handovers (handovers between access networks with different authorization characteristics)

  3. PANA Pre-authentication Overview
  • Proactively executing EAP authentication and establishing a PANA SA between a PaC in an access network and a PAA in another access network to which the PaC may move
  • Similar to IEEE 802.11i pre-authentication, but PANA pre-authentication operates at a higher layer
  • Pre-authentication can be performed independently of initial authentication by, e.g.,
    • Using a different AAA server from the one used for initial authentication
    • Using different authentication credentials from those used for initial authentication

  4. Terminology (1/2)
  [Figure: two access networks, each with PAAs. Labels: Active PAA (also Local PAA), Preparing PAA (also Remote PAA), Local PAA, Remote PAA, Active SA, Pre-authentication SA, Local PaC, PaC, Remote PaC]

  5. Terminology (2/2)
  • Pre-authentication: Authentication performed between the PaC and a preparing PAA
  • Pre-authorization: An authorization that is made for the PaC by a preparing PAA as a result of successful pre-authentication
  • Post-authorization: An authorization that was made for the PaC by a PAA that was acting as a preparing PAA and has become the active PAA

  6. Pre-authentication Operation (before handover)
  • Initiation of pre-authentication:
    • Pre-authentication may be initiated by either a PaC or a preparing PAA.
  • Distinguishing pre-authentication from normal authentication
    • A new flag, the P-flag, is defined in the PANA header
    • When pre-authentication is performed, the P-flag of PANA messages is set
  • Negotiating pre-authentication (PaC-initiated pre-authentication)
    • The PaC unicasts a PDI with the P-flag set. The PAA responds with a PSR with the P-flag set only when it supports pre-authentication. Otherwise, it MUST silently discard the message.
  • Negotiating pre-authentication (PAA-initiated pre-authentication)
    • The PAA sends a PSR with the P-flag set. The PaC responds with a PSA with the P-flag set only when it supports pre-authentication. Otherwise, it MUST silently discard the message.
  • After successful pre-authentication negotiation, subsequent PANA messages exchanged between them MUST have the P-flag set

  7. Pre-authentication Operation (after handover)
  • The PaC performs an IP address update procedure using a PANA-Update exchange
  • Completion of the PANA-Update procedure changes the pre-authentication SA into the active SA
  • The P-flag is not set in the PANA-Update messages or in subsequent PANA messages

  8. Example Call Flow (PaC-initiated pre-authentication)
  Parties: PaC, l-PAA (local PAA), r-PAA (remote PAA)
  PaC <-> l-PAA: PANA w/o P-flag set
  (Pre-authentication trigger at the PaC)
  PaC -> r-PAA: PDI w/ P-flag set
  r-PAA -> PaC: PSR w/ P-flag set
  PaC -> r-PAA: PSA w/ P-flag set
  PaC <-> r-PAA: PAR/PAN exchange w/ P-flag set
  (Pre-authorization)
  PaC <-> r-PAA: PBR/PBA exchange w/ P-flag set
  (Movement)
  PaC -> r-PAA: PUR w/o P-flag set
  (Post-authorization)
  r-PAA -> PaC: PUA w/o P-flag set

  9. Example Call Flow (PAA-initiated pre-authentication)
  Parties: PaC, l-PAA (local PAA), r-PAA (remote PAA)
  PaC <-> l-PAA: PANA w/o P-flag set
  (Pre-authentication trigger at the r-PAA)
  r-PAA -> PaC: PSR w/ P-flag set
  PaC -> r-PAA: PSA w/ P-flag set
  PaC <-> r-PAA: PAR/PAN exchange w/ P-flag set
  (Pre-authorization)
  PaC <-> r-PAA: PBR/PBA exchange w/ P-flag set
  (Movement)
  PaC -> r-PAA: PUR w/o P-flag set
  (Post-authorization)
  r-PAA -> PaC: PUA w/o P-flag set

  10. P-flag in PANA Header

                         1
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |R S N P r r r r r r r r r r r r|
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  P(re-authentication): When pre-authentication is performed, the P-flag of PANA messages is set in order to indicate whether this PANA run is for establishing a pre-authentication SA. The exact usage of this flag is described in Section 3. This flag is to be assigned by IANA.
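The flag layout on slide 10 as an encoder/decoder, added here as an example; it is not code from the draft or the presentation. Bit positions (R, S, N, P counted from the most significant bit of the 16-bit field, the remaining twelve bits reserved) are taken from the slide's diagram, but since the slide says the P-flag value is to be assigned by IANA, the exact position is an assumption for illustration. The decoder rejects a field with reserved bits set, which is the check a receiver wants before acting on the P-flag.

```python
# Added example (not from the draft or the presentation): encode and decode the
# 16-bit PANA header flags field as drawn on slide 10.
# Bit positions follow the slide's diagram (bit 0 = R, 1 = S, 2 = N, 3 = P, MSB first);
# the slide notes the P-flag is to be assigned by IANA, so the position is an assumption.
import struct

FLAG_BITS = {"R": 0, "S": 1, "N": 2, "P": 3}   # offset counted from the MSB of the 16-bit field
RESERVED_MASK = 0x0FFF                           # bits 4..15 are 'r' (reserved) on the slide


def flag_mask(name):
    """Return the 16-bit mask for a named flag."""
    return 1 << (15 - FLAG_BITS[name])


def encode_flags(names):
    """Build the 2-byte flags field (network byte order) from a set of flag names."""
    value = 0
    for n in names:
        value |= flag_mask(n)
    return struct.pack("!H", value)


def decode_flags(data):
    """Parse a 2-byte flags field into the set of flag names that are set.

    Reserved bits must be zero on the wire; a receiver that finds any set treats
    the message as malformed instead of guessing what the sender meant.
    """
    if len(data) != 2:
        raise ValueError("flags field is exactly 2 bytes")
    (value,) = struct.unpack("!H", data)
    if value & RESERVED_MASK:
        raise ValueError("reserved flag bits set: 0x%04x" % value)
    return {n for n in FLAG_BITS if value & flag_mask(n)}


def is_preauth(data):
    """True when the P-flag is set, i.e. this PANA run establishes a pre-authentication SA."""
    return "P" in decode_flags(data)


if __name__ == "__main__":
    field = encode_flags({"S", "P"})
    print(field.hex(), decode_flags(field), is_preauth(field))
```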

  11. Authorization Considerations
  • Pre-authorization and post-authorization for the PaC may have different authorization policies
    • For example, the pre-authorization policy
      • may not allow the PaC to send or receive packets through the EP(s) under control of the preparing PAA
      • may allow installing credentials to the EP(s), as the post-authorization policy does
        • This would make bootstrapping lower-layer security after handover faster
  • The AAA protocol may need to carry an additional attribute so that AAA servers can distinguish pre-authentication from normal authentication
    • Based on a recent comment by Julien Bournelle
    • This issue might be addressed in the pana-aaa-interworking I-D

  12. Accounting Considerations
  • A PAA that has a pre-authentication SA for a PaC may start accounting immediately after the pre-authentication
  • Or it may not start accounting until it becomes an active PAA

  13. Security Considerations
  • Consideration of false PaC-initiated pre-authentication
    • The local access network SHOULD NOT allow an unauthorized PaC to communicate with remote PAAs using PANA
  • Consideration of false PAA-initiated pre-authentication
    • The PaC SHOULD limit the maximum number of PAAs it is allowed to communicate with
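The negotiation rules of slide 6, the PANA-Update promotion of slide 7, the message order of the call flows on slides 8 and 9, and the PaC-side PAA limit of slide 13, as one small model; this is an added example and not code from the draft or the presentation. Message names (PDI, PSR, PSA, PAR, PAN, PBR, PBA, PUR, PUA) and SA names follow the slides; the classes, the `solicited` distinction and the `max_paas` value are assumptions for illustration, since the slides say only that the PaC SHOULD limit the number of PAAs.

```python
# Added example, not code from the draft or the presentation: a model of the
# pre-authentication negotiation (slide 6), the post-handover PANA-Update (slide 7)
# and the PaC-side limit on PAAs (slide 13). Data structures and the numeric
# limit are assumptions for illustration.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Msg:
    kind: str      # PDI, PSR, PSA, PAR, PAN, PBR, PBA, PUR, PUA, as named on the call-flow slides
    p_flag: bool   # value of the P-flag in the PANA header


@dataclass
class PAA:
    name: str
    supports_preauth: bool
    sa: dict = field(default_factory=dict)   # PaC name -> "pre-authentication" or "active"

    def on_pdi(self, pac, msg):
        """PaC-initiated negotiation: answer PSR with the same P-flag, or silently discard
        a pre-authentication request when this PAA does not support it."""
        if msg.p_flag and not self.supports_preauth:
            return None
        return Msg("PSR", msg.p_flag)

    def on_auth_complete(self, pac, p_flag):
        """After a successful PAR/PAN and PBR/PBA run, record which kind of SA resulted."""
        self.sa[pac] = "pre-authentication" if p_flag else "active"

    def on_pur(self, pac, msg):
        """PANA-Update after movement: the P-flag must be clear, and only a PaC holding a
        pre-authentication SA is promoted to an active SA."""
        if msg.p_flag or self.sa.get(pac) != "pre-authentication":
            return None
        self.sa[pac] = "active"
        return Msg("PUA", False)


@dataclass
class PaC:
    name: str
    supports_preauth: bool
    max_paas: int                              # assumed local policy value for the slide-13 limit
    preparing: set = field(default_factory=set)

    def on_psr(self, paa, msg, solicited):
        """Answer PSR with a PSA carrying the same P-flag. An unsolicited pre-authentication
        PSR (PAA-initiated) is silently discarded when pre-authentication is unsupported or
        when the PaC already talks to max_paas preparing PAAs."""
        if msg.p_flag:
            if not self.supports_preauth:
                return None
            if not solicited and paa not in self.preparing and len(self.preparing) >= self.max_paas:
                return None
            self.preparing.add(paa)
        return Msg("PSA", msg.p_flag)


def run(pac, paa, pac_initiated=True):
    """Drive one pre-authentication run and the following handover. Returns the message
    trace as (sender, Msg) pairs and the PAA's final SA state for the PaC ("none" when
    negotiation was silently discarded)."""
    trace = []
    if pac_initiated:
        pdi = Msg("PDI", True)
        trace.append(("PaC", pdi))
        psr = paa.on_pdi(pac.name, pdi)
        if psr is None:
            return trace, "none"
    else:
        psr = Msg("PSR", True)                 # PAA-initiated: the trigger is on the PAA side
    trace.append(("PAA", psr))
    psa = pac.on_psr(paa.name, psr, solicited=pac_initiated)
    if psa is None:
        return trace, "none"
    trace.append(("PaC", psa))
    # Negotiation succeeded: every further message of this run MUST have the P-flag set.
    for sender, kind in (("PAA", "PAR"), ("PaC", "PAN"), ("PAA", "PBR"), ("PaC", "PBA")):
        trace.append((sender, Msg(kind, True)))
    paa.on_auth_complete(pac.name, True)       # pre-authorization: a pre-authentication SA exists
    # Movement, then PANA-Update with the P-flag clear turns it into the active SA.
    pur = Msg("PUR", False)
    trace.append(("PaC", pur))
    trace.append(("PAA", paa.on_pur(pac.name, pur)))
    return trace, paa.sa[pac.name]


if __name__ == "__main__":
    trace, state = run(PaC("PaC", True, 2), PAA("r-PAA", True))
    for sender, m in trace:
        print(f"{sender:4} {m.kind} {'w/ P-flag set' if m.p_flag else 'w/o P-flag set'}")
    print("SA state:", state)
```

Running the block prints the nine-message trace of slide 8 ending in an active SA; swapping in a PAA that does not support pre-authentication stops the trace after the PDI, and a PaC whose PAA limit is already reached drops an unsolicited PSR the same way.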

  14. Next Step
  • WG item?
