SNMP for the PAA-2-EP protocol
PANA wg - IETF 59 Seoul
http://yacine.free.fr/ietf59/pana/draft-yacine-pana-snmp-02.txt
Yacine El Mghazli (Alcatel), Yoshihiro Ohba (Toshiba), Julien Bournelle (GET/INT)
Presentation Overview
- Introduction
  - PAA-2-EP basic principle
  - PAA-2-EP within the PANA wg
  - Back on the SNMP choice
- SNMPv3 applicability against PAA-2-EP protocol reqs
- SNMP usage for the PAA-2-EP
  - Re-usable existing MIB modules
  - Additional PANA-specific MIB objects
- Next Steps
Introduction: PAA-2-EP functional basic principle
[Figure: PaC, PAA (on the AR) and EP on one single IP subnet. PANA auth runs between PaC and PAA, AAA auth between PAA and the AAA backend; over PAA-2-EP the PAA installs a filter on the EP, which then filters PaC traffic.]
Introduction: PAA-2-EP within the PANA wg
- PANA charter:
  - The PANA working group must mandate one protocol
  - The PANA wg will not design a new protocol; it may involve the definition of extensions of an existing one
- History:
  - IETF55: PAA-2-EP topic introduction (draft-ietf-pana-requirements-0x.txt)
  - IETF57: PAA-2-EP protocol considerations (draft-yacine-pana-paa-ep-reqs-00.txt)
  - IETF58: PAA-2-EP protocols evaluation (draft-yacine-pana-paa2ep-eval-00.txt)
  - Already a fair amount of discussion on the ML
Introduction: Why SNMP?
- Consensus regarding the PAA-2-EP protocol within the PANA wg:
  - An existing protocol (no new protocol design)
  - Basic configuration needs (no 'disqualifying' requirement), but
  - No disruptive choice
  - No immature solutions
  - Follow the IAB recommendations
- SNMPv3 fully satisfies the above conditions:
  - v3 satisfies the security conditions
  - Widely deployed for monitoring ("get" messages)
  - "Set" messages allow simple configuration
  - Lots of MIBs available
- SNMP provides a simple solution with a high level of re-use
PAA-2-EP protocol: SNMPv3 applicability
- One-to-many relation: one SNMP manager (the PAA) can relate simultaneously to several agents (the EPs)
- Secure communication: the User-based Security Model (USM) provides authentication, confidentiality, integrity, replay attack prevention, and time windows for the validity of messages
- Notification of PaC presence: SNMP can provide this feature using SMIv2 traps
- Accounting: the PAA can poll its EPs, and the counters are considered good enough
PAA-2-EP protocol: SNMPv3 applicability (cont'd)
- Peer liveness: SNMP periodic polling is sufficient for inactive EP detection
- Rebooted peer detection: the snmpEngineBoots MIB object is used to detect a rebooted EP
- Authorization (ACLs and keying material): re-use existing objects
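The liveness, reboot-detection and message-time-window points above, as an added Python example that is not part of the draft or these slides: a PAA-side tracker that records snmpEngineBoots/snmpEngineTime per EP from periodic polls, flags a reboot when snmpEngineBoots increases, declares an EP inactive after MISSED_POLLS_LIMIT unanswered polls (an assumed threshold), and applies the RFC 3414 USM timeliness rule for a non-authoritative receiver to an incoming EP trap. The SNMP transport itself is left out; poll replies and trap fields are passed in as constructed values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# RFC 3414 (USM) timeliness parameters used by the PAA when it is the
# non-authoritative engine, i.e. when it receives a Trap sent by an EP.
TIME_WINDOW = 150          # seconds, fixed by RFC 3414
MAX_BOOTS = 2147483647     # snmpEngineBoots == 2^31-1: engine must be re-keyed
MISSED_POLLS_LIMIT = 3     # assumption: unanswered polls before an EP is "inactive"


@dataclass
class EpState:
    boots: Optional[int] = None   # last snmpEngineBoots learned from the EP
    time: Optional[int] = None    # snmpEngineTime at that moment
    clock: float = 0.0            # PAA local clock when `time` was learned
    missed: int = 0               # consecutive unanswered polls


class Paa:
    def __init__(self) -> None:
        self.eps: Dict[str, EpState] = {}

    def _est_time(self, st: EpState, now: float) -> int:
        # PAA's notion of the EP's engine time, extrapolated with the local clock
        return st.time + int(now - st.clock)

    def poll(self, ep: str, reply: Optional[Tuple[int, int]], now: float) -> str:
        """One polling round. reply = (snmpEngineBoots, snmpEngineTime) or None
        when the EP did not answer. Returns 'ok', 'reboot', 'no-reply' or 'inactive'."""
        st = self.eps.setdefault(ep, EpState())
        if reply is None:
            st.missed += 1
            return "inactive" if st.missed >= MISSED_POLLS_LIMIT else "no-reply"
        boots, etime = reply
        rebooted = st.boots is not None and boots > st.boots
        st.boots, st.time, st.clock, st.missed = boots, etime, now, 0
        return "reboot" if rebooted else "ok"

    def trap_in_window(self, ep: str, msg_boots: int, msg_time: int, now: float) -> bool:
        """RFC 3414 section 3.2 step 7b for a non-authoritative receiver: refresh the
        cached notion if the message is newer, then decide whether the trap
        (e.g. a PaC-presence notification) lies inside the time window."""
        st = self.eps.get(ep)
        if st is None or st.boots is None:
            return False  # engine never discovered: timeliness cannot be judged
        local_time = self._est_time(st, now)
        if msg_boots > st.boots or (msg_boots == st.boots and msg_time > local_time):
            st.boots, st.time, st.clock = msg_boots, msg_time, now
            local_time = msg_time
        if st.boots == MAX_BOOTS or msg_boots < st.boots:
            return False  # stale boots value: replayed or pre-reboot message
        return not (msg_boots == st.boots and msg_time < local_time - TIME_WINDOW)
```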
SNMP for PAA-2-EP: re-use of existing IPsec configuration MIBs
- The IPsec configuration MIB was recently split into 3 separate modules
- IPsec SPD configuration MIB module (IPSP wg):
  - Rule/Filter/Action policy structure
  - Various IP filters, including an IP header filter
  - Notification variables re-usable for the PaC presence trap
- IPsec IKE configuration MIB module (IPSP wg):
  - For IP-based access control (draft-ietf-pana-ipsec-02)
  - Pre-shared key (PSK) configuration: derived at the PAA level
  - ID_KEY_ID configuration (aggressive mode): the PANA session_id
SNMP for PAA-2-EP: additional PANA-specific MIB objects
- PANA-specific objects extend the SPD-MIB:
  - Link-layer filters
  - PaC presence trap
  - Keying material for L2 protection
- Current version (-02):
  - IEEE 802 filters
  - New PaC notification
- Browse the whole current MIB set at the following URL: http://yacine.free.fr/ietf59/pana/dev
Next Steps
- PANA context usage examples (section 6, TBD)
- More link-layer filters:
  - Might re-use existing ones, e.g. ADSL ports open/close
  - Some additional object design might be needed
- L2 protection attributes: e.g. 802.11i keys...
- More?
- Gauge room consensus to accept this document as a PANA WG item
PAA-2-EP protocol: Requirements Summary
- One-to-many PAA-EP relation: required. A given EP relates to multiple PAAs.
- Secure communication: required. Authentication, confidentiality, and integrity.
- New PaC notification: required. The EP notifies the PAA of an unauthorized PaC's presence. Optional (PANA can do that).
- Inactive EP detection: not required. Satisfied by other means; the architecture can take it into account with e.g. a request-response mechanism.
PAA-2-EP protocol: Requirements Summary (cont'd)
- Stateful approach: not required. The PAA does not maintain any EP state; the whole solution does (at application level). Some implementation guidance is needed.
- Accounting/feedback from the EPs: required. Polling is sufficient for the PANA needs.
- EP configuration information: the PAA-2-EP protocol must push DI-based filters and keying material down to the EP.