PANA Protocol Update and Open Issues
IETF 60
Since IETF 59…
• Expert reviews by:
  • Erik Nordmark, Pasi Eronen, Randy Turner
• draft-ietf-pana-pana-{04,05}.txt
• Resolved
  • 71-80, 83-85, 91-93, 96-100, 103, 107
• Still open
  • 94, 95, 102, 105, 106, 108, 109
• http://danforsberg.info:8080/pana-issues/
Issue 71
• Issue: PANA-Bind-Request should include the types of post-PANA address configuration mechanisms available.
• Resolution:
  • Post-PANA Address Configuration (PPAC) AVP carried in PBR/PBA
  • Options: No config, DHCP, RFC2462, RFC3456, IKEv2
Issue 72
• Issue: Currently capability discovery is not accomplished until the end of EAP authentication. Copying some bits, such as POPA types and per-packet protection capability, to PAA discovery may be useful for discovering capability mismatch early on.
• Resolution: PSR now includes PPAC and Protection Capability AVPs
  • Warning about insecurity of discovery and spoofing attacks
Issue 73
• Issue: What type of DI will be used on DSL networks? A lower-layer per-packet identifier (source address) might not be available in all deployments.
• Resolution:
  • Locally significant identifiers are ok (e.g., circuit id, PPP interface id)
  • DI does not have to be carried in an AVP
  • Some leftovers are creating ambiguity, hence issue 104 (need editorial fix)
Issue 74
• Issue: The current design is using PRAR and PRAA for the mobility feature. We can use PBR and PBA instead, which will be better aligned with the regular signaling.
• Resolution: Use PBR/PBA instead
    PaC                     PAA
      -----> PDI
      <----- PSR
      -----> PSA + SessionID
      <----- PBR
      -----> PBA
Issue 78
• Issue: EAP pass-through authenticator may fail authentication without an EAP-Failure message being forwarded to the EAP peer
• Resolution: Send PANA-Error with PANA_UNABLE_TO_COMPLY code
Issue 79
• Issue: Should PANA support the case where EAP authentication succeeds but network access authorization fails due to, e.g., authorization rejected by a AAA proxy or authorization locally rejected by a PAA?
• Resolution: PBR result codes:
  • PANA_SUCCESS
  • PANA_AUTHORIZATION_REJECTED
  • PANA_AUTHENTICATION_REJECTED
Issue 85
• Issue: If PRPA is replaced by POPA, PAA needs to be notified
• Resolution: PaC sends PANA-Update-Request with IP-Address AVP.
• Side fix: PANA-reauth MUST include MAC AVP only when PANA SA is available
Issue 98
• Issue: PANA answers may be lost. PaC/PAA should be ready to respond to retransmitted requests.
• Resolution:
  • PANA-auth-req responses are driven by EAP
  • MAY respond to duplicate PANA-termination-req
  • SHOULD respond to any other duplicate requests
  • Sections 4.7 and 4.11 are duplicates (bug).
Issue 100
• Issue: Due to retransmissions and the window of acceptable seq. numbers, ISN_* on PAA and PaC may differ. ISNs are used in PANA_MAC_Key computation.
• Resolution:
  • Carry Nonce values in PSR and PSA
  • Use nonce values instead of ISNs in key computation.
Issue 107
• Issue: Current seq. no. scheme does not accommodate a retransmitted rseq:
    PaC                          PAA    (tseq, rseq)
     1  <-----------------------        (x, y)
     2  ------->..  [msg lost]          (y+1, x)
     3  <-----------------------        (x+1, y)
• PaC drops msg 3 because “y” was already acknowledged.
• Resolution: Relax the expected rseq window to allow retransmission of rseq
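The sequence check behind Issue 107, as an added model in Python (not code from the PANA draft or from this presentation): the (tseq, rseq) semantics, the strict check and the relaxed window are assumptions taken from the slide's three-message exchange, and the numbers x and y are constructed sample values.

```python
# Constructed model of the Issue 107 sequence-number check (not the PANA draft's text).
# Assumption: each message carries (tseq, rseq); tseq is the sender's own sequence
# number and rseq echoes the latest tseq the sender has received from its peer.

from dataclasses import dataclass


@dataclass
class SeqState:
    """Per-session sequence state kept by one endpoint (here the PaC)."""
    last_sent_tseq: int   # tseq of the last message this endpoint sent
    last_rcvd_tseq: int   # tseq of the last message accepted from the peer
    relaxed_rseq: bool    # Issue 107 resolution: also accept the previous rseq

    def accept(self, tseq: int, rseq: int) -> bool:
        """Return True if an incoming (tseq, rseq) passes the sequence checks."""
        # The peer's tseq must be the next expected number in both variants.
        if tseq != self.last_rcvd_tseq + 1:
            return False
        # Strict check (pre-resolution): peer must acknowledge our latest tseq.
        if rseq == self.last_sent_tseq:
            self.last_rcvd_tseq = tseq
            return True
        # Relaxed window (resolution): the peer may still acknowledge our
        # previous tseq because our newest message was lost in transit.
        if self.relaxed_rseq and rseq == self.last_sent_tseq - 1:
            self.last_rcvd_tseq = tseq
            return True
        # Anything older than that window is still dropped.
        return False


def issue107_scenario(relaxed: bool, x: int = 10, y: int = 20) -> bool:
    """Replay the slide's exchange; return whether the PaC accepts message 3."""
    pac = SeqState(last_sent_tseq=y, last_rcvd_tseq=x - 1, relaxed_rseq=relaxed)
    # 1: PAA -> PaC (x, y)
    if not pac.accept(tseq=x, rseq=y):
        raise RuntimeError("message 1 must be accepted")
    # 2: PaC -> PAA (y+1, x) is lost, so the PAA never learns about y+1
    pac.last_sent_tseq = y + 1
    # 3: PAA -> PaC (x+1, y): the PAA still acknowledges y
    return pac.accept(tseq=x + 1, rseq=y)


if __name__ == "__main__":
    print("strict PaC accepts msg 3:", issue107_scenario(relaxed=False))
    print("relaxed PaC accepts msg 3:", issue107_scenario(relaxed=True))
```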
Others…
• Issue 75: Clarify why DI is exchanged (prevent MitM).
• Issue 76: Clarify rate limiting re-authentication (coordination not necessary).
• Issue 77: Overlap between pana-pana and pana-fwk (remove text from former).
• Issue 80: Remove Appendix on sequence number scheme discussion.
• Issue 83: Use Diameter Address type format instead of re-inventing.
• Issue 84: Editorial
Others…
• Issue 91: Editorial on explanatory content and flow (more actions needed under Issue 102)
• Issue 92: Incorrect no. of parameters to SHA1
  • Cookie = <secret-version> | HMAC_SHA1( <Device-Id of PaC> , <secret>)
• Issue 93: Clarify vendor-IDs are SMI enterprise numbers (IANA)
• Issue 96: EAP-TLS should be an informative reference.
• Issue 97: The retransmission behavior seems quite complicated (proposals on the ML please!)
• Issue 99: Missing IANA considerations section (in accordance with BCP 26).
• Issue 103: Clarification on Session and Session ID.
Still Open
• Issue 94 & 95: Editorial on security considerations
• Issue 102: Reorganize the text flow (editorial)
• Issue 105: Ambiguity on the two types of reauthentication (EAP- and non-EAP-based).
• Issue 106: Should a retransmitted msg have the same seq no?
• Issue 108: Session migration from one interface to another
• Issue 109: Adjusting the AVP and PANA msg field sizes
Next Steps
• Fix the open issues
• Publish -06
• Go to WG last call