1 / 11

PANA Network Selection draft-ohba-pana-netsel-00.txt

PANA Network Selection draft-ohba-pana-netsel-00.txt. Yoshihiro Ohba. Background. Network selection was defined older revisions of PANA specification to provide following functions NAP and ISP separate authentication ISP selection

ochristie
Download Presentation

PANA Network Selection draft-ohba-pana-netsel-00.txt

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. PANA Network Selectiondraft-ohba-pana-netsel-00.txt Yoshihiro Ohba IETF70 PANA WG

  2. Background • Network selection was defined older revisions of PANA specification to provide following functions • NAP and ISP separate authentication • ISP selection • During IETF last call, network selection was removed from PANA specification, with suggestion to define it in a separate document • This draft is submitted as such a document IETF70 PANA WG

  3. A new bit in PANA Header for NETSEL 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |R S C A P I N r r r r r r r r r| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ • N(Network Selection) This bit is set when the sender supports network selection function IETF70 PANA WG

  4. ‘N’ bit Usage • The PAA andPaC advertise their support for the network selection function in theinitial PAR and PAN messages with both 'S’ (Start) and ‘N’ (Network selection) bits set. • If 'N' bit is set in both messages, the PAA andPaC may start NAP and ISP Separate Authentication and/or ISP selection IETF70 PANA WG

  5. NAP and ISP Separate Authentication • Two PANA sessions are established between the PaC and PAA, one for NAPauthentication and the other for ISP authentication. • For the PANA session used for NAP authentication, PAR message sent in response to the initial PAR-PAN exchange with 'S' (Start) bit set carries one NAP-Information AVP. • The PANA session used for ISP authentication MUST NOT carry a NAP-InformationAVP. • When a PANA SA is established, the same NAP-Information AVPMUST be carried in the last PANA-Auth-Request message with 'C' (Complete) bit set with an AUTH AVP • Issue: PANA SA should be a MUST considering crypto binding (see below) • When NAP and ISP separate authentication is performed, cryptographicbinding MUST be made between the two session • How the cryptographic binding is created is TBD IETF70 PANA WG

  6. ISP Selection • ISP selection MUST NOT be performed over a session used for NAP authentication. • ISP selection MAY be performed in the absence of NAP and ISP separate authentication • The second PAR message (with ‘S’ bit cleared) with ‘N’ bit set carries one or more ISP-Information AVPs • When there is only one ISP-Information AVP, there is only one ISP choice • The PAN message sent in response to this PAR message carries at most one ISP-Information AVP to indicate the ISP chosen by the PaC. • In the absence of an ISP in the PAN, ISP selection is typically performed based on the client identifier(e.g., using the realm portion of an NAI carried in EAP method). • When a PANA SA is established, the ISP-Information AVP for the selected ISP MUST be carried in the last PAR message with 'C' (Complete) bit set with an AUTH AVP IETF70 PANA WG

  7. Example Call Flow(NAP Authentication) PAA PaC PCI PSR[S=N=1]{Algorithm} PSA[S=N=1]{Algorithm} PSR[N=1]{NAP-Information<NAP1>, EAP-Payload} PSA[N=1]{EAP-Payload} PSR[N=1]{EAP-Payload} PSA[N=1]{EAP-Payload} : PAR[C=N=1]{NAP-Information<NAP1>, EAP-Payload, Key-ID, AUTH} PAN[C=N=1]{Key-ID, AUTH} IETF70 PANA WG

  8. Example Call Flow(ISP Selection w/ one ISP choice) PAA PaC PCI PSR[S=N=1]{Algorithm} PSA[S=N=1]{Algorithm} PSR[N=1]{ISP-Information<ISP1>, EAP-Payload} PSA[N=1]{EAP-Payload} PSR[N=1]{EAP-Payload} PSA[N=1]{EAP-Payload} : PAR[C=N=1]{ISP-Information<ISP1>, EAP-Payload, Key-ID, AUTH} PAN[C=N=1]{Key-ID, AUTH} IETF70 PANA WG

  9. Example Call Flow(ISP Selection w/ two ISP choices) PAA PaC PCI PSR[S=N=1,SID=y]{Algorithm} PSA[S=N=1,SID=y]{Algorithm} PSR[N=1]{ISP-Information<ISP1>, ISP-Information<ISP2>, EAP-Payload} PSA[N=1]{ISP-Information<ISP1>,EAP-Payload} PSR[N=1]{EAP-Payload} PSA[N=1]{EAP-Payload} : PAR[C=N=1]{ISP-Information<ISP1>, EAP-Payload, Key-ID, AUTH} PAN[C=N=1]{Key-ID, AUTH} IETF70 PANA WG

  10. NAP-Information AVPISP-Information AVP • {NAP,ISP}-Information AVP is of type Octet-String that carries an {NAP,ISP} name encoded as a RADIUS Operator-Name attribute value [I-D.ietf-geopriv-radius-lo] (see below) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- | Namespace ID | Operator-Name ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Operator-Name ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Namespace ID = ‘0’ (TADIG in GSM), ‘1’ (REALM), ‘2’ (E212), ‘3’ (ICC) IETF70 PANA WG

  11. Thank You! IETF70 PANA WG

More Related