Re: [Pana] review of the framework draft
Yoshihiro Ohba <yohba@tari.toshiba.com> Thu, 02 June 2005 00:36 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Dddh3-0001tl-2M; Wed, 01 Jun 2005 20:36:17 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1Dddh0-0001sE-UX for pana@megatron.ietf.org; Wed, 01 Jun 2005 20:36:15 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA24211 for <pana@ietf.org>; Wed, 1 Jun 2005 20:36:10 -0400 (EDT)
Received: from inet-tsb5.toshiba.co.jp ([202.33.96.24]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1Dde0v-0000Um-Ji for pana@ietf.org; Wed, 01 Jun 2005 20:56:50 -0400
Received: from tsb-wall.toshiba.co.jp ([133.199.160.134]) by inet-tsb5.toshiba.co.jp with ESMTP id j520a9RD010498; Thu, 2 Jun 2005 09:36:09 +0900 (JST)
Received: (from root@localhost) by tsb-wall.toshiba.co.jp id j520aA04014389; Thu, 2 Jun 2005 09:36:10 +0900 (JST)
Received: from ovp1.toshiba.co.jp [133.199.192.124] by tsb-wall.toshiba.co.jp with SMTP id KAA14377 ; Thu, 2 Jun 2005 09:36:10 +0900
Received: from mx2.toshiba.co.jp (localhost [127.0.0.1]) by ovp1.toshiba.co.jp with ESMTP id j520a8Yd006304; Thu, 2 Jun 2005 09:36:08 +0900 (JST)
Received: from tsb-sgw2.toshiba.co.jp by toshiba.co.jp id j520a0Mf010096; Thu, 2 Jun 2005 09:36:00 +0900 (JST)
Received: from tsbpo1.po.toshiba.co.jp by tsb-sgw2.toshiba.co.jp with ESMTP id j520a0rW017159; Thu, 2 Jun 2005 09:36:00 +0900 (JST)
Received: from steelhead ([172.30.24.97]) by tsbpo1.po.toshiba.co.jp (Sun Internet Mail Server sims.3.5.1999.01.13.19.49.p4) with ESMTP id <0IHF00FSGLNQWR@tsbpo1.po.toshiba.co.jp>; Thu, 2 Jun 2005 09:35:53 +0900 (JST)
Received: from ohba by steelhead with local (Exim 3.36 #1 (Debian)) id 1DdY9V-0001MB-00; Wed, 01 Jun 2005 11:41:17 -0700
Date: Wed, 01 Jun 2005 14:41:17 -0400
From: Yoshihiro Ohba <yohba@tari.toshiba.com>
Subject: Re: [Pana] review of the framework draft
In-reply-to: <429A84BD.7090806@piuha.net>
To: Jari Arkko <jari.arkko@piuha.net>
Message-id: <20050601184117.GD4143@steelhead>
MIME-version: 1.0
Content-type: text/plain; charset="iso-2022-jp"
Content-disposition: inline
Mail-Followup-To: Jari Arkko <jari.arkko@piuha.net>, pana@ietf.org
User-Agent: Mutt/1.5.9i
References: <429A84BD.7090806@piuha.net>
X-Spam-Score: 0.7 (/)
X-Scan-Signature: 827a2a57ca7ab0837847220f447e8d56
Cc: pana@ietf.org
X-BeenThere: pana@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Protocol for carrying Authentication for Network Access <pana.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:pana@ietf.org>
List-Help: <mailto:pana-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=subscribe>
Sender: pana-bounces@ietf.org
Errors-To: pana-bounces@ietf.org
Hi Jari, Thank you very much for the review. Please see my comments in line. On Mon, May 30, 2005 at 06:13:01AM +0300, Jari Arkko wrote: > I have reviewed draft-ietf-pana-framework-04.txt. Here are > my comments: > > Technical: > > > The PAA consults an authentication server in order to verify the > > credentials and rights of a PaC. If the authentication server > > resides on the same node as the PAA, an API is sufficient for this > > interaction. When they are separated (a much more common case in > > public access networks), a protocol needs to run between the two. > > LDAP [RFC3377] and AAA protocols like RADIUS [RFC2865] and > > Diameter [RFC3588] are commonly used for this purpose. > > LDAP is indeed often used like this, but I'm not sure it is > appropriate to refer to it in this context. I believe you are > trying to describe how PANA works, and I don't think EAP > works through LDAP. (But I have often been surprised.) I think we can simply remove "LDAP [RFC3377] and ". > > > The secure > > association protocol exchange produces the required security > > associations between the PaC and the EP to enable cryptographic data > > traffic protection. Per-packet cryptographic data traffic protection > > introduces additional per-packet overhead but the overhead exists > > only between the PaC and EP and will not affect communications beyond > > the EP. In this sense it is important to place the EP as close to > > the edge of the network as possible. > > I would suggest deleting the last sentence. Bandwidth bottlenecks are > often in the last (wireless) hop, so moving the EP closer to the edge may > not help. And for security reasons it might often make sense to have an > EP further towards the center of the network than at the edge. In which case it would make sense for security reasons to have EP further towards the center of the network? > > > IKEv2 can enable configuration of one IPv4 IPsec-TIA and one IPv6 > > IPsec-TIA for the same IPsec tunnel mode SA. Therefore, IKEv2 is > > recommended for handling dual-stacked PaCs where single execution > > of PANA and IKE is desired. > > I understand this, but I started to wonder whether you have described > all possible combinations somewhere. What is the order of events when > you start to see both v4 and v6 pre-pana connectivity? And how does a > client know it needs to do IKEv2 and a single PANA run? I agree that we need to describe all possible combinations when the PaC starts from having both v4 and v6 PRPAs. I think it is better to create a new issue on this. > > > Network-layer protection, i.e., IPsec, can be used when data traffic > > protection is required but link-layer protection is not available. > > Note that the keying material generated by an EAP method is not > > readily usable by IPsec AH/ESP or most link layer mechanisms. A > > fresh and unique session key derived from the EAP method is still > > insufficient to produce an IPsec SA since both traffic selectors and > > other IPsec SA parameters are missing. The shared secret can be used > > Maybe s/is not readily usable/is insufficient to be used alone/ and > s/A fresh and unique session key derived from the EAP method is still > insufficient to produce an IPsec SA since both traffic selectors and > other IPsec SA parameters are missing/In addition to the fresh > and unique session key derived from the EAP method, IPsec also > needs both traffic selectors and .../ I agree. > > > When a PaC is authenticated and authorized, the PAA should notify > > EP(s) and ask for installing filtering rules to allow the PaC to send > > and receive data traffic. SNMP is used between PAA and EP(s) for > > this purpose when these entities are not co-located [I-D.ietf-pana- > > snmp]. > > It worries me a bit that determining the exact filters to be used is > not easy, given v4/v6, features like RFC 3041, the need to allow > PANA traffic to go through to PAA, the flexibility in the PANA > framework e.g. to allow both no/L2/L3 protection, and error cases. > I'm reviewing all the documents now -- is the set of filters > to be used specified somewhere? draft-ietf-pana-snmp specifies filters, but the draft does not specify which specific filters should be used for each of the above scenarios. However, I think such detailed choice of filters is better to be left open to implementations. > > > In addition to the device > > identifier and keying material, other filter rules, such as the IP > > filter rules specified in NAS-Filter-Rule AVPs carried in Diameter > > EAP application [I-D.ietf-aaa-eap] may be installed on EP. > > Presumably the AAA filter rules are applied for inner packets, > whereas PANA filters are applied on the outer packet, if IPsec > is used. Perhaps this should be stated. I agree. > What if IPsec is not used, > what is the relationship then? When IPsec is not used, the filters are applied to the non-protected IP data packets. > > > The authentication method choice is a function of the underlying > > security of the network (e.g., physically secured, shared link, > > etc.). It is the responsibility of the user and the network operator > > to pick the right method for authentication. PANA carries EAP > > > I agree that individual methods should not be specified in PANA. > But you might still want to describe requirements, as in RFC 4017 > for IEEE 802.11 networks. It may well be that you want to describe > two scenarios -- physical security per line, then maybe mutual auth > is enough, in other scenarios you need key-deriving eap methods. I think describing the generic EAP method choices for the two scenarios is a good idea. > > > There are some EAP- > > based approaches to achieve this goal (see [I-D.josefsson-pppext-eap- > > tls-eap],[I-D.ietf-pppext-eap-ttls] > > ,[I-D.tschofenig-eap-ikev2]). PANA can carry these EAP encapsulating > > methods but it does not concern itself with how they achieve > > protection for the weak methods (i.e., their EAP method payloads). > > I would delete this. There's much more to say about specific methods > if you want to start talking about. I don't recommend starting... I agree. > > Editorial: > > > are not distinguishable until the PaC associates with the AP, get an > > > s/get/gets/ OK. Yoshihiro Ohba > > --Jari > > > _______________________________________________ > Pana mailing list > Pana@ietf.org > https://www1.ietf.org/mailman/listinfo/pana _______________________________________________ Pana mailing list Pana@ietf.org https://www1.ietf.org/mailman/listinfo/pana
- [Pana] review of the framework draft Jari Arkko
- Re: [Pana] review of the framework draft Yoshihiro Ohba
- Re: [Pana] review of the framework draft Jari Arkko
- RE: [Pana] review of the framework draft Alper Yegin
- Re: [Pana] review of the framework draft Yoshihiro Ohba
- Re: [Pana] review of the framework draft Jari Arkko
- Re: [Pana] review of the framework draft Jari Arkko
- Re: [Pana] review of the framework draft Yoshihiro Ohba
- Re: [Pana] review of the framework draft Mohan Parthasarathy
- Re: [Pana] review of the framework draft Jari Arkko
- Re: [Pana] review of the framework draft Jari Arkko