IETF Logo Mail Archive

Re: [Pana] PANA relay draft

"Alper Yegin" <alper.yegin@yegin.org> Mon, 29 November 2010 12:06 UTC

Return-Path: <alper.yegin@yegin.org>
X-Original-To: pana@core3.amsl.com
Delivered-To: pana@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9AE373A6BC1 for <pana@core3.amsl.com>; Mon, 29 Nov 2010 04:06:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.85
X-Spam-Level:
X-Spam-Status: No, score=-99.85 tagged_above=-999 required=5 tests=[AWL=-1.300, BAYES_50=0.001, MSGID_MULTIPLE_AT=1.449, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wDeJ7WrAtrjt for <pana@core3.amsl.com>; Mon, 29 Nov 2010 04:06:10 -0800 (PST)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.194]) by core3.amsl.com (Postfix) with ESMTP id 947D93A6AB3 for <pana@ietf.org>; Mon, 29 Nov 2010 04:06:10 -0800 (PST)
Received: from ibm (dsl.static.85-105-43069.ttnet.net.tr [85.105.168.61]) by mrelay.perfora.net (node=mrus2) with ESMTP (Nemesis) id 0MdJxT-1P4gH80oxn-00IIsW; Mon, 29 Nov 2010 07:07:02 -0500
From: Alper Yegin <alper.yegin@yegin.org>
To: 'Rafa Marin Lopez' <rafa@um.es>
References: <317A507F-239C-4AAD-B88F-2D5744E7D5F2@gmail.com> <F75BDF80-67C2-4008-8DC1-6EA8E1C00088@um.es> <4CE6E4B1.1080007@toshiba.co.jp> <934C8E59-C49E-4D96-A311-FB48B3DACD78@um.es> <00d601cb8bd3$c1909730$44b1c590$@yegin@yegin.org> <B63989D4-BDD5-449A-8722-BA293988A6F4@um.es>
In-Reply-To: <B63989D4-BDD5-449A-8722-BA293988A6F4@um.es>
Date: Mon, 29 Nov 2010 14:06:49 +0200
Message-ID: <00b101cb8fbd$ee3ce430$cab6ac90$@yegin>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcuNT2vC5VBR/oCwR/2uJkYqTr1jZgCbaPmQ
Content-Language: en-us
X-Provags-ID: V02:K0:NyMJySbiELUy+GBrw4QAE1wO6RIVukvzaSfXzrgLvkK kSi3njMIS8NeiwHH4AJsi/lQd704xbzZABCwjVzOMO+JKu2V3d 8XR/iGWCruvlBiyK/zhRTOjbtzdcOUhKfNBTaYJVLASbuQDzrA 8KyDanVRWddI3ZhbZy0zonmJ5ylrHl3k4FzSKH0n0DA4U56HGu 4Kufr0jK0YjqeeO5zVve/Q8nUQjFmMyhA3zv5EZbOE=
Cc: pana@ietf.org, robert.cragie@gridmerge.com, 'Samita Chakrabarti' <samitac@ipinfusion.com>, 'Ralph Droms' <rdroms.ietf@gmail.com>
Subject: Re: [Pana] PANA relay draft
X-BeenThere: pana@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Protocol for carrying Authentication for Network Access <pana.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pana>
List-Post: <mailto:pana@ietf.org>
List-Help: <mailto:pana-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Nov 2010 12:06:11 -0000

Hi Rafa,

> > One way to look at this is the NAS is composed of the PRE and the
> PAA.
> > Or, think of it as the NAS has to IP interfaces, one with the IP
> address of
> > PRE, the other with the IP address of PAA.
> 
> [Rafa] I think if that is the view I believe it should be reflected
> somehow. The reason is that until now in the I-D it seems the PRE is a
> completely different entity from the PAA. In other words, they do not
> part of the same NAS. In fact, the PaC will have a PANA session where
> the "IP address and UDP port number of the PAA" which is actually the
> "IP address and UDP port number of the PRE."
> 
> 
> >
> > Which channel binding solution are you considering that'd have a
> problem
> > with this?
> 
> [Rafa] Basically, what I am thinking is that the PAA would send its IP
> address for example to the AAA server as part of channel binding
> parameter. The PaC however sees the IP address of the PRE. If the AAA
> informs to the PaC that PAA sent as channel binding parameter PAA's IP
> address, the PaC will contrast this parameter with what the PaC saw
> (the PRE IP address) which basically does not match. If we follow the
> idea of that PRE is an interface of the PAA, most probably what the PAA
> would have to send to the AAA is the PRE's IP address as channel
> binding parameter.

Rafa, which specific channel binding solution are you referring to here?
And your proposed remedy above can handle the situation.
My point is, whatever the channel binding solution is, it can handle this
situation (which would also arise in the very simple case where a simple PAA
were using two different IP addresses -- one facing the PaC and the one
facing the PAA). 


> >> What about allowing the PAA to answer the PaC (through the
> >> PRE) with the PAA's IP address? The PCI sent by the PaC will not
> carry
> >> that IP address but the PaC would see a PAR coming from a PAA and it
> >> would engage the PANA authentication with it.
> >
> > PRE sourcing IP packets with PAA's IP address, and accepting IP
> packets
> > destined to PAA, and PaC using its link-local address to communicate
> with
> > the PAA's global IP address... these are not trivial.
> >
> > I'd think a NAS with two IP addresses and using one at one phase and
> another
> > at a latter phase is not such a problem.
> >
> > We could have the same issue in another simpler case: consider PaC
> being
> > authenticated on one interface of PAA, and later PaC attaches to
> another
> > interface of the PAA. PAA may have two different IP addresses on each
> > interface. Yet, the same PANa sessions shall be available thru both
> > interfaces.
> 
> [Rafa] But the PANA session has to change in the attribute "IP address
> and UDP port number of the PAA" and that change (I believe this is
> related with the recent Yoshi's e-mail) must happen in the PaC. 

We can mention that in the I-D.

> In the
> RFC 5191 it is said: "In order to maintain the PANA session, the PAA
> needs to be notified about the change of PaC address." I would expect
> the same in the PaC (I will answer Yoshi's e-mail about this).

If you are suggesting this be changed on PANA RFC 5191, I don't think this
is necessary.
A mention of that in the relay I-D makes sense.

Regards,

Alper


> 
> Best regards.
> 
> >
> > Alper
> >
> >
> >>
> >>>
> >>> Best Regards,
> >>> Yoshihiro Ohba
> >>>
> >>
> >> -------------------------------------------------------
> >> Rafael Marin Lopez, PhD
> >> Dept. Information and Communications Engineering (DIIC)
> >> Faculty of Computer Science-University of Murcia
> >> 30100 Murcia - Spain
> >> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
> >> -------------------------------------------------------
> >>
> >>
> >
> >
> 
> -------------------------------------------------------
> Rafael Marin Lopez, PhD
> Dept. Information and Communications Engineering (DIIC)
> Faculty of Computer Science-University of Murcia
> 30100 Murcia - Spain
> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
> -------------------------------------------------------
> 
>

v2.23.0 | Report a Bug | By Email