120 likes | 266 Views
Issues to Consider w.r.t Protocol Solution. - IETF54 -. Goal. Identify issues early enough to provide feedback to requirements Kick-start solution discussions Not to design the solution now!. UDP/ICMP/IP?. What would be PANA based on to encapsulate EAP? UDP ICMP IP ?. Session Hijacking.
E N D
Issues to Consider w.r.t Protocol Solution - IETF54 -
Goal • Identify issues early enough to provide feedback to requirements • Kick-start solution discussions • Not to design the solution now! PANA WG, IETF 54, Solution Issues
UDP/ICMP/IP? • What would be PANA based on to encapsulate EAP? • UDP • ICMP • IP • ? PANA WG, IETF 54, Solution Issues
Session Hijacking • How do we prevent session hijacking? • Per-packet authentication by IPsec • Per-packet authentication by L2 where available • Frequent re-authentication of PaC PANA WG, IETF 54, Solution Issues
PAA Discovery • How does the PaC discover PAA? • Sending multicast packet to a well-known address • Anycast • SLP • Piggybacking on router discovery, dhcp • PAA can contact PaC (i.e., PaC discovery, supplemental) PANA WG, IETF 54, Solution Issues
Heartbeat • What would be the heartbeat mechanism of PANA? • PANA Hello/Bye messages • Ping (icmp echo request/reply) • Local re-authentication • Full re-authentication PANA WG, IETF 54, Solution Issues
Limited Free Access • How will PANA be triggered when PaC attempts to access beyond “free zone”? • PAA (router) sends an ICMP error message to PaC • PAA sends PANA Start message to PaC • Can PaC know on its own to send PANA Start? PANA WG, IETF 54, Solution Issues
Unlimited Access • After a successful PANA authentication, how does the PaC gain unlimited access? • EP updates its filters to let any packet from the PaC go through PANA WG, IETF 54, Solution Issues
New IP Address after PANA • Reasons to get new IP address: • Another IP address with greater scope (e.g., global scope) • Obtain service provider specific IP address • If a new IP address needs to be assigned to PaC, how is this done? • PaC’s decision (policy) • PANA Success message can inform PaC • Router (co-located with PAA) can take an action PANA WG, IETF 54, Solution Issues
Secure Medium Assumption • EAP’s secure medium assumption is no longer valid. How can we ensure protection against eavesdropping and spoofing on PANA? • PANA can recommend use of specific EAP methods when the underlying medium is not secure (e.g., EAP-TTLS, PEAP) • PANA develops its own protection (e.g., ISAKMP, TLS based) PANA WG, IETF 54, Solution Issues
Multi-PAA Case • If there are multiple first-hop routers, how does PANA work? • Each router has a PAA and responds to discovery, and PaC does PANA with all • Each router has a PAA, each PAA responds to discovery, and PaC does PANA with one • Only one router has PAA PANA WG, IETF 54, Solution Issues
Any other? PANA WG, IETF 54, Solution Issues