100 likes | 109 Views
This document provides guidelines for deploying PANA over DSL access networks, focusing on the migration from PPP-based models to IP-based models without a standard network access authentication protocol.
E N D
PANA in DSL networksdraft-morand-pana-panaoverdsl-00.txt Lionel Morand Roberta Maglione John Kaippallimalil Alper Yegin IETF-67, San Diego
Output of IETF66 • After IETF66, it was decided to simplify the PANA framework document (-06) • One of the consequences was to: • Remove the PANA use cases for DSL and WLAN • Done in version -07 • Spin off to independent drafts • This draft covers the DSL case • Reusing and expanding the previous material in the PANA framework IETF-67, San Diego
Summary • Provides guidelines for PANA deployment over DSL access networks • Focus on DSL networks migrating from: • a traditional PPP access model • Where PPP is used to carry authentication parameters (PAP/CHAP or EAP methods) • to a pure IP-based access environment • that lacks a standard network access authentication protocol between terminal/CPE and IP Edge router IETF-67, San Diego
Context and Use Case • Evolution of DSL architecture • Evolution in two steps: • Moving from ATM to Gigabit Ethernet • Moving from PPP-based environment to IP-based model • "IP Sessions" model introduced in DSL Forum • Basically, an IP session represents the subscriber IP traffic associated with an IP address • A subscriber may have multiple IP addresses (or sessions) in simultaneous use. • An IP session may be associated with multiple IP flows. • The same subscriber policies govern all IP sessions/flows • No built-in authentication mechanism • A solution is needed in a DHCP-based DSL environment • PANA is a natural candidate IETF-67, San Diego
Why PANA? • PANA fulfills basic and advanced security requirements within an IP session based environment • Examples (non-exhaustive list): • Native support of EAP frames over IP; • IP address based session management mechanisms, using an explicit session identifier; • Authentication mechanism independent of the physical medium type; • Per-session enforcement policies (i.e. filters) depending on the creation and deletion of the PANA session; • Session keep-alive and session monitoring functionalities. IETF-67, San Diego
Location of the PAA and EP • In a PPP based environment • the BRAS is in charge of: • interfacing with CPE for authenticating and authorizing them for the network access • performing policy control by acting as an enforcement point. • In an IP session based environment • Such functionalities may be provided at the same level by locating the PAA and EP entities in the BRAS. • Preserve an improved and well-established DSL network configuration. • No need for an external PAA-to-EP interface • However, it is possible to have PAA and BRAS/EP not collocate • PAA-to-BRAS interface may be based on SNMP or on the future ANCP IETF-67, San Diego
Location of the PaC • The possible location of the PaC depends on the CPE configuration • If CPE is a L2 Ethernet bridge, the PaC should be implemented in hosts • Host and BRAS are on the same IP link. • Any host connected to the CPE is authenticated by the PAA • Network access control on a per-host basis, as required by the IP session model. • If CPE is an IPv4 router, the PaC should be implemented in CPE • Only the CPE is authenticated • Hosts use private IP@, the CPE acting as a NAT • All hosts connected to the CPE have access to the ISP network using private IP@ obtained by the CPE's subscriber • If CPE is an IPv6 router, the PaC should be implemented in the CPE and the hosts • The hosts have to use an non-local IP address • Network access control is also performed on a per-host basis, in addition to the handling of the CPE own IP sessions. IETF-67, San Diego
Other contents • Consideration on IP Address Configuration • How to configure a Pre-PANA address? • How to configure a Post-PANA address? • If needed (e.g. IPv4 case with temporary IP@ as PRPA) • Consideration on Dynamic ISP selection • For BRAS shared by multiple ISP • Consideration on Cryptographic Protection • That may not be needed in all cases • An example of basic IP flows • For the IPv4 case, with hosts using temporary IP@ until authenticated IETF-67, San Diego
Next Step • Collect inputs from the PANA WG • During the meeting • On the PANA mailing list • Is the level of details sufficient? • General guidelines, no specific implementation • Adopt this draft as WG document? • With the objective to have an Informational RFC. IETF-67, San Diego
Thank You IETF-67, San Diego