IETF Logo Mail Archive

Re: [Pana] Preliminary pana-pana draft (13a)

Yoshihiro Ohba <yohba@tari.toshiba.com> Thu, 30 November 2006 16:15 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GpoZ0-0004uE-Mv; Thu, 30 Nov 2006 11:15:06 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GpoYz-0004u4-EI for pana@ietf.org; Thu, 30 Nov 2006 11:15:05 -0500
Received: from imx12.toshiba.co.jp ([61.202.160.132]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GpoYs-0001lX-Od for pana@ietf.org; Thu, 30 Nov 2006 11:15:05 -0500
Received: from wall11.toshiba.co.jp (wall11 [133.199.90.149]) by imx12.toshiba.co.jp with ESMTP id kAUGEkH3017683; Fri, 1 Dec 2006 01:14:46 +0900 (JST)
Received: (from root@localhost) by wall11.toshiba.co.jp id kAUGEkoG002228; Fri, 1 Dec 2006 01:14:46 +0900 (JST)
Received: from ovp11.toshiba.co.jp [133.199.90.148] by wall11.toshiba.co.jp with ESMTP id BAA02227; Fri, 1 Dec 2006 01:14:45 +0900
Received: from mx2.toshiba.co.jp (localhost [127.0.0.1]) by ovp11.toshiba.co.jp with ESMTP id kAUGEjrd017857; Fri, 1 Dec 2006 01:14:45 +0900 (JST)
Received: from tsbpoa.po.toshiba.co.jp by toshiba.co.jp id kAUGEjK5029370; Fri, 1 Dec 2006 01:14:45 +0900 (JST)
Received: from steelhead ([172.30.24.105]) by mail.po.toshiba.co.jp (Sun Java System Messaging Server 6.1 (built Apr 28 2004)) with ESMTPSA id <0J9J00AXLX4I7300@mail.po.toshiba.co.jp>; Fri, 01 Dec 2006 01:14:45 +0900 (JST)
Received: from ohba by steelhead with local (Exim 4.63) (envelope-from <yohba@tari.toshiba.com>) id 1GpoYe-00038Z-3F; Thu, 30 Nov 2006 08:14:44 -0800
Date: Thu, 30 Nov 2006 11:14:43 -0500
From: Yoshihiro Ohba <yohba@tari.toshiba.com>
Subject: Re: [Pana] Preliminary pana-pana draft (13a)
In-reply-to: <0MKp2t-1Gpo4m1muu-0003sR@mrelay.perfora.net>
To: Alper Yegin <alper.yegin@yegin.org>
Message-id: <20061130161443.GB10356@steelhead>
MIME-version: 1.0
Content-type: text/plain; charset="iso-2022-jp"
Content-disposition: inline
References: <20061119083903.GC31177@steelhead> <0MKp2t-1Gpo4m1muu-0003sR@mrelay.perfora.net>
User-Agent: Mutt/1.5.13 (2006-08-11)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8b6657e60309a1317174c9db2ae5f227
Cc: 'Yoshihiro Ohba' <yohba@tari.toshiba.com>, pana@ietf.org
X-BeenThere: pana@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Protocol for carrying Authentication for Network Access <pana.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:pana@ietf.org>
List-Help: <mailto:pana-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=subscribe>
Errors-To: pana-bounces@ietf.org

On Thu, Nov 30, 2006 at 05:43:48PM +0200, Alper Yegin wrote:
> 
> Yoshi,
> 
> Thanks a lot for the revision.
> 
> Here I have few comments and suggestions.
> 
> 
>    By the virtue of enabling transport of EAP
>    above IP, any authentication method that can be carried as an EAP
>    method is made available to PANA and hence to any link-layer
>    technology with a minimum link-layer dependency.  There is a clear
> 
> 
> Alper> What's that dependency?

There is no link-layer dependency in the PANA protocol itself but
there is some link-layer dependency in the entire PANA framework
including EP which can be link-layer devices according to
pana-framework I-D.  

Perhaps we can remove "with a minimum link-layer dependency" since
this I-D is about the PANA protocol itself.

> 
> 
> 
>    There are components that are part of a complete secure network
>    access solution but are outside of the PANA protocol specification,
>    including IP address configuration, authentication method choice,
>    data traffic protection, PAA-EP protocol, and PAA discovery.  PANA
>    authentication output is used for creating access control filters.
>    These components except for IP address configuration are described in
>    separate documents (see [I-D.ietf-pana-framework],
>    [I-D.ietf-pana-snmp] and [I-D.ietf-dhc-paa-option]).  The IP address
>    configuration component may be specified in deployment-specific PANA
>    applicability documents.  The readers are recommended to read the
>    PANA Framework document [I-D.ietf-pana-framework] prior to reading
>    this protocol specification document.
> 
> Alper> "IP address configuration" is not really part of a secure network
> access solution. I'd recommend this re-write of the above paragraph:
> 
>    There are components that are part of a complete secure network
>    access solution but are outside of the PANA protocol specification,
>    including authentication method choice,
>    data traffic protection, PAA-EP protocol, and PAA discovery.  PANA
>    authentication output is used for creating access control filters.
>    These components are described in
>    separate documents (see [I-D.ietf-pana-framework],
>    [I-D.ietf-pana-snmp] and [I-D.ietf-dhc-paa-option]).  
>    The readers are recommended to read the
>    PANA Framework document [I-D.ietf-pana-framework] prior to reading
>    this protocol specification document.

OK.

> 
> 
> 
>       The protocol entity in the access network whose responsibility is
>       to verify the credentials provided by a PANA client (PaC) and
>       authorize network access to the access device associated with the
>       client.  The PAA and the EAP authenticator (and optionally the EAP
> 
> Alper> I'd remove "associated with the client."

OK.

> 
> 
>       session cannot be shared across multiple network interfaces.  Only
>       one IP address of the PaC is allowed to be bound to a PANA session
>       for simplicity.
> 
> Alper> i think we can remove the last sentence. Sure we don't explicitly
> support multi-homed clients, but no need to explicitly limit to single-homed
> either. Being silent is a better choice.

I agree.

> 
> 
> 
>    The PAA MAY refrain from retransmitting the PANA-Start-Request
>    message to maintain as less amount of state as possible in the
>    handshake phase.  For this reason, the PaC MUST retransmit the PANA-
>    Client-Initiation message until it enters the authentication and
>    authorization phase by receiving a PANA-Auth-Request message from the
>    PAA.
> 
> 
> Alper> Just to add a bit more elaboration (to prevent questions), I can
> recommend 
> 
> 
>    In order to prevent potential DoS attacks, the PAA MAY refrain from 
>    timeout-based retransmission of the PANA-Start-Request
>    message in response to a PaC-initiated handshake. For this reason, 
>    the PaC MUST retransmit the PANA-Client-Initiation message until it 
>    enters the authentication and authorization phase by receiving 
>    the first PANA-Auth-Request message from the PAA. 

OK.

> 
> 
> 
>    session, it MUST silently discard the message.  Transmission of this
>    error request is made optional in case this behavior is leveraged for
>    a DoS attack on the PAA.  A Nonce AVP MUST be included in the first
> 
> 
> Alper> There is no more error message generation. Hence the sentence
> starting with "Transmission of this..." shall be deleted.

Yes (and there is similar comment from Victor).

> 
> 
>    If IPsec is used between the PaC and the EPs, an IKE [RFC2409] IKEv2
>    [RFC4306] or MOBIKE [RFC4555] run is needed following such a change.
> 
> Alper> This is not something for the base PANA specification to state. It's
> for PANA-ipsec document. Let's remove the above paragraph.

OK.

> 
> 
>    messages MUST be protected with an AUTH AVP.  The PAA may also need
>    update the per-packet enforcement policies of the EPs, however, this
>    is out of the scope of this document.
> 
> Alper> This last sentence shall be removed too. As you said, it's out of
> scope.

OK.

> 
> 
>    For other PANA messages, the source port MUST be set to a value
>    chosen by the sender. and the destination port MUST be set to the
> 
> Alper> Remove "."

OK.

> 
> 
>    [RFC3315]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
>               and M. Carney, "Dynamic Host Configuration Protocol for
>               IPv6 (DHCPv6)", RFC 3315, July 2003.
> 
> 
> Alper> this shall be under the informative references.

OK.

Regards,
Yoshihiro Ohba

> 
> 
> Thank you.
> 
> Alper
> 
> 
> 
> > -----Original Message-----
> > From: Yoshihiro Ohba [mailto:yohba@tari.toshiba.com]
> > Sent: Sunday, November 19, 2006 10:39 AM
> > To: pana@ietf.org
> > Subject: [Pana] Preliminary pana-pana draft (13a)
> > 
> > is available at:
> > 
> > http://www.panasec.org/docs/editing/pana-spec.html
> > 
> > (Now we get 17 pages reduction.)
> > 
> > Please do sanity check to make sure that all resolutions discussed in
> > IETF67 and over mailing list are reflected appropriately.  Diff from
> > revision 12 is also available.
> > 
> > As soon as sanity check is done, I will submit a new revision (13)
> > which is to be used for IETF last call.
> > 
> > Regards,
> > Yoshihiro Ohba
> > 
> > _______________________________________________
> > Pana mailing list
> > Pana@ietf.org
> > https://www1.ietf.org/mailman/listinfo/pana
> 
> 

_______________________________________________
Pana mailing list
Pana@ietf.org
https://www1.ietf.org/mailman/listinfo/pana

v2.23.0 | Report a Bug | By Email