290 likes | 478 Views
PANA Framework. <draft-ohba-pana-framework-00.txt> Prakash Jayaraman, Rafa Marin Lopez, Yoshihiro Ohba, Mohan Parthasarathy, Alper Yegin IETF 59. Framework. Functional model Signaling flow Deployment environments IP address configuration Data traffic protection Provisioning
E N D
PANA Framework <draft-ohba-pana-framework-00.txt> Prakash Jayaraman, Rafa Marin Lopez, Yoshihiro Ohba, Mohan Parthasarathy, Alper Yegin IETF 59
Framework • Functional model • Signaling flow • Deployment environments • IP address configuration • Data traffic protection • Provisioning • Network selection • Authentication method choice • DSL deployment • WLAN deployment IETF 59
Functional Model RADIUS/ Diameter/ +-----+ PANA +-----+ LDAP/ API +-----+ | PaC |<----------------->| PAA |<---------------->| AS | +-----+ +-----+ +-----+ ^ ^ | | | +-----+ | IKE/ +-------->| EP |<--------+ SNMP/ API 4-way handshake +-----+ IETF 59
Signaling Flow PaC EP PAA AS | PANA | | AAA | |<---------------------------->|<------------->| | | | | | | SNMP | | | |<------------>| | | Sec.Assoc. | | | |<------------->| | | | | | | | Data traffic | | | |<-----------------> | | | | | | IETF 59
Deployment Environments (a) Networks where a secure channel is already available prior to running PANA • (a.1) Physical security. E.g.: DSL • (a.2) Cryptographic security. E.g.: cdma2000 (b) Networks where a secure channel is created after running PANA • (b.1) Link-layer per-packet security. E.g.: Using WPA-PSK. • (b.2) Network-layer per-packet security. E.g.: Using IPsec. IETF 59
IP Address Configuration • Pre-PANA address: PRPA • Configured before PANA • Post-PANA address: POPA • Configured after PANA when: • IPsec is used, or • PRPA is link-local or temporary • PAA informs PaC if POPA needed IETF 59
PRPA Configuration • Possible ways: • Static • DHCPv4 (global, or private address) • IPv4 link-local • DHCPv6 • IPv6 address autoconfiguration (global, or link-local) IETF 59
POPA Configuration (no IPsec) • DHCPv4/v6 • IPv4: • POPA replaces PRPA (prevent address selection problem) • Host route between PaC and PAA (preserve on-link communication) • IPv6: • use both PRPA and POPA at the same time IETF 59
POPA Configuration (IPsec) • Possible ways: • IKEv2 configuration • DHCP configuration of IPsec tunnel mode (RFC 3456) • PRPA used as tunnel outer address, POPA as tunnel inner address IETF 59
Combinations TIA TOA IETF 59
Additional Approaches: (1)Using a PRPA as TIA • IPv6: • Configure a link-local and global before PANA (DHCPv6 or stateless) • TIA=global, TOA=link-local • Requires SPD selection based on the name (session-ID), not the IP address • Explicit support in RFC2401bis • Name is set, address selectors are NULL • RFC2401? Not clear. • Racoon’s generate_policy directive • Authenticate peer by PSK, accept proposed TIA (skip SPD check), than create SPD • Should we include this? IETF 59
Additional Approaches: (2)Using a PRPA as TIA • IPv4: • Configure a global address before PANA (static, or DHCPv4) • TIA=TOA=PRPA • RFC2401: Same considerations. • Forwarding considerations: • Requires special handling on EP, or else: • tunnel_to PRPA(tunnel to PRPA(tunnel to PRPA(to PRPA)))... • FreeSwan handles this. Others? • Should we include this? IETF 59
Data Traffic Protection • Already available in type (a) environments • Enabled by PANA in type (b) environments • EAP generated keys • Secure association protocol • draft-ietf-pana-ipsec-02 IETF 59
PAA-EP Provisioning Protocol • EP is the closest IP-capable access device to PaCs • Co-located with PAA or separate • draft-yacine-pana-snmp-01 • Carries IP or L2 address, optionally cryptographic keys • One or more EPs per PAA • EP may detect presence of PaC and trigger PANA by notifying PAA IETF 59
Network (ISP) Discovery and Selection • Traditional selection: • NAI-based • Port number or L2 address based • PANA-based discovery and selection: • PAA advertises ISPs • PaC explicitly picks one IETF 59
Authentication Method Choice • Depends on the environment IETF 59
DSL Host--+ +-------- ISP1 | DSL link | +----- CPE ---------------- NAS ----+-------- ISP2 | (Bridge/NAPT/Router) | Host--+ +-------- ISP3 <------- customer --> <------- NAP -----> <---- ISP ---> premise • PANA needed when static IP or DHCP-based configuration is used (instead of PPP*) IETF 59
DSL Deployments Bridging mode: Host--+ (PaC) | +----- CPE ---------------- NAS ------------- ISP | (Bridge) (PAA,EP,AR) Host--+ (PaC) Address Translation (NAPT) Mode: Host--+ | +----- CPE ---------------- NAS ------------- ISP | (NAPT, PaC) (PAA,EP,AR Host--+ IETF 59
DSL Deployment Router mode: Host--+ | +----- CPE ---------------- NAS ------------- ISP | (Router,PaC) (PAA,EP,AR) Host--+ IETF 59
Dynamic ISP Selection • As part of DHCP protocol or an attribute of DSL access line • DHCP client id • Run DHCP, and PANA • PRPA is the ultimate IP address (no POPA) • As part of PANA authentication • Temporary PRPA via zeroconf or DHCP with NAP • Run PANA for AAA • POPA via DHCP, replace PRPA IETF 59
WLAN • Network-layer per-packet security (IPsec): • EP and PAA on access router • Link-layer per-packet security (WPA-PSK): • EP is on access point, PAA is on access router IETF 59
IPsec, IKEv2 PaC AP DHCPv4 Server PAA EP(AR) | Link-layer | | | | | association| | | | |<---------->| | | | | | | | | | DHCPv4 | | | |<-----------+------------>| | | | | | | | |PANA(Discovery and initial handshake phase | | & PAR-PAN exchange in authentication phase) | |<-----------+-------------------------->| | | | | | | | |Authorization| | | |[IKE-PSK, | | | | PaC-DI, | | | | Session-Id] | | | |------------>| | | | | |PANA(PBR-PBA exchange in authentication phase) | |<-----------+-------------------------->| | | | | | | | IKE | | | (with Configuration Payload exchange or equivalent) | |<-----------+---------------------------------------->| | | | | | | | | • IPv4: • IPsec-TOA=PRPA (dhcp) • IPsec-TIA=POPA (IKE) • Alternative: RFC 3456 • IPv6: • IPsec-TOA= PRPA (link-local) • IPsec-TIA= POPA (IKE) IETF 59
Bootstrapping WPA/IEEE 802.11i • Pre-shared key mode (PSK) enabled • MAC address is used as DI • EP is on access point • Provides: • Centralized AAA • Protected disconnection • No changes to WPA or IEEE 802.11i required IETF 59
Flow… +------------------+ | Physical AP | | +--------------+ | | |Virtual AP1 | | Unauth | |(open-access) |---- VLAN\ | | | | \+-------+ +---+ | +--------------+ | |PAA/AR/| |PaC| ~~~~ | | |DHCP | +---+ | +--------------+ | |Server | | |Virtual AP2 | | /+-------+ | |(WPA PSK mode)|---- Auth / | | | | | VLAN | | +--------------+ | | | | | +------------------+ Internet 1- Associate with unauthenticated VLAN AP 2- Configure PRPA via DHCP or link-local 3- Perform PANA and generate PMK 4- Associate with authenticated VLAN AP, perform 4-way handshake, generate PTK 5- Obtain new IP address IETF 59
Co-located PAA and AP(EP) • Does not require virtual AP switching • PANA, DHCP, ARP, ND traffic allowed on the 802.1X uncontrolled port IETF 59
Capability Discovery • Types of networks: • IEEE 802.1X-secured • Look at RSN information element in beacon frames • PANA-secured • Data driven PANA discovery • Client initiated discovery • Unauthenticated (free) IETF 59
IPsec, DHCP PaC AP DHCPv4 Server PAA EP(AR) | Link-layer | | | | | association| | | | |<---------->| | | | | | | | | | DHCPv4 | | | |<-----------+------------>| | | | | | | | |PANA(Discovery and Initial Handshake phase | | & PAR-PAN exchange in Authentication phase) | |<-----------+-------------------------->| | | | | | | | | | |Authorization| | | | |[IKE-PSK, | | | | | PaC-DI, | | | | | Session-Id] | | | | |------------>| | | | | | |PANA(PBR-PBA exchange in Authentication phase) | |<-----------+-------------------------->| | | | | | | | | IKE | | |<-----------+---------------------------------------->| | | | | | | | | | | • IPv4: • IPsec-TIA= IPsec-TOA= PRPA (dhcp) • IPv6: • IPsec-TOA= PRPA (link-local) • IPsec-TIA= POPA (dhcp) • IPv6 can also use stateless address autoconf. IETF 59