PANA Mobopts Analysis
draft-bournelle-pana-mobopts-analysis-00.txt
Julien Bournelle, Maryline Laurent-Maknavicius, Rafa Marin Lopez, Dan Forsberg, Jean-Michel Combes

Goals
• Provide an analysis of solutions specified in:
• draft-ietf-pana-mobopts-01.txt
• draft-ietf-pana-cxtp-00.txt
• Focus on WLAN deployments (AP + AR), Reactive case and intra-domain
• Discuss Key transfer issue
• AAA considerations
• Do not define any new protocols

Intermediary Key Transfer
• PANA_MAC_Key (PaC-pPAA) is derived from AAA-Key
• pPAA sends AAA-Key-int to nPAA
• nPAA derives AAA-Key-new (nonces exchanged between PaC and nPAA)
• Issue: if the pPAA is compromised and the attacker gets the nonces, she can derive the new PANA_MAC_Key

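The key chain on this slide, as an added example that is not taken from the drafts or from the presentation. HMAC-SHA-256, the labels, and the `npaa_id` and `session_id` inputs are assumptions standing in for the drafts' actual derivation functions; all sample values are constructed.

```python
import hashlib
import hmac
import os

def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    # Stand-in PRF (assumption): HMAC-SHA-256 over length-prefixed fields.
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def key_int(aaa_key: bytes, npaa_id: bytes, session_id: bytes) -> bytes:
    # Computed by the pPAA and sent to the nPAA (AAA-Key-int on the slide).
    return prf(aaa_key, b"AAA-Key-int", npaa_id, session_id)

def key_new(aaa_key_int: bytes, pac_nonce: bytes, paa_nonce: bytes) -> bytes:
    # Computed by the nPAA after the nonce exchange with the PaC (AAA-Key-new).
    return prf(aaa_key_int, b"AAA-Key-new", pac_nonce, paa_nonce)

def mac_key(aaa_key_new: bytes, session_id: bytes) -> bytes:
    # PANA_MAC_Key protecting the PaC-nPAA session.
    return prf(aaa_key_new, b"PANA_MAC_Key", session_id)

def handover(aaa_key, npaa_id, session_id, pac_nonce, paa_nonce):
    """Return (nPAA's PANA_MAC_Key, key recomputed from pPAA state + nonces)."""
    transferred = key_int(aaa_key, npaa_id, session_id)  # pPAA -> nPAA
    npaa_mac = mac_key(key_new(transferred, pac_nonce, paa_nonce), session_id)
    # Whoever holds the pPAA's state needs nothing from the nPAA itself:
    # AAA-Key (or AAA-Key-int) plus the two nonces is the complete input.
    recomputed = mac_key(
        key_new(key_int(aaa_key, npaa_id, session_id), pac_nonce, paa_nonce),
        session_id)
    return npaa_mac, recomputed

if __name__ == "__main__":
    aaa_key = os.urandom(32)  # constructed sample values
    pac_nonce, paa_nonce = os.urandom(16), os.urandom(16)
    npaa, other = handover(aaa_key, b"npaa.example", b"sess-1",
                           pac_nonce, paa_nonce)
    print("pPAA state + nonces reproduces new PANA_MAC_Key:", npaa == other)
    # With the pPAA state but the wrong nonces, the derivation does not match.
    guess = mac_key(key_new(key_int(aaa_key, b"npaa.example", b"sess-1"),
                            os.urandom(16), os.urandom(16)), b"sess-1")
    print("pPAA state with wrong nonces matches:", guess == npaa)
```

The new key's secrecy rests entirely on AAA-Key-int and the nonces, so the new session is only as trustworthy as the pPAA and the confidentiality of the nonce exchange.
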
[Figure: EP=AR and PAA=AR – Case 1.0, L3 Filtering. Topology with R, ARs (pPAA/EP and nPAA/EP), APs and PaC; messages shown: PSR, PSA, CT-Req, CT-Rep, PBR, PBA.]

[Figure: EP=AR and PAA=AR – Case 1.1, IPsec Tunnelling. Topology with R, ARs (pPAA/EP and nPAA/EP), APs and PaC; messages shown: PSR, PSA, CT-Req, CT-Rep, PBR, PBA, IKE.]

EP=AR and PAA>AR – Case 2.0 L3 Filtering
[Figure: topology with R, PAA_1, ARs (EP_1 and EP_2), APs and PaC.]
EP_2 doesn't know PaC
• PAA_1 uses same IP src address in PSR
• PUR/PUA
• PAA_1 uses different IP src address in PSR
• Local PANA-mobopts
EP_2 knows PaC
• How?

EP=AR and PAA>AR – Case 2.1 IPsec Tunnelling
[Figure: topology with R, PAA_1, ARs (EP_1 and EP_2), APs and PaC.]
EP_2 doesn't know PaC
• PAA_1 uses same IP src address in PSR
• PUR/PUA + IKE
• PAA_1 uses different IP src address in PSR
• Local PANA-mobopts + IKE
EP_2 knows PaC
• How?

AAA Considerations - I
• PaC is authenticated by its home EAP/AAA server
• AAAH may need to know PaC's position:
• Reauthentication (RFC 4005)
• Delegate to local AAA server?
• Current NAS may need to know AAAH
• Session Management (Termination)
• Accounting
=> the current NAS needs to share an AAA session with AAAH (or AAAL).

AAA Considerations - II
• How long does the pPAA keep state for the PaC in order to forward AAA requests from AAAH to the nPAA?
• How to handle ping-pong of the PaC?
AAA aspects of PANA Mobility Optimizations should be further defined