Re: [Pana] Preliminary pana-pana draft (13a)
Yoshihiro Ohba <yohba@tari.toshiba.com> Thu, 30 November 2006 16:15 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GpoZ0-0004uE-Mv; Thu, 30 Nov 2006 11:15:06 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GpoYz-0004u4-EI for pana@ietf.org; Thu, 30 Nov 2006 11:15:05 -0500
Received: from imx12.toshiba.co.jp ([61.202.160.132]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GpoYs-0001lX-Od for pana@ietf.org; Thu, 30 Nov 2006 11:15:05 -0500
Received: from wall11.toshiba.co.jp (wall11 [133.199.90.149]) by imx12.toshiba.co.jp with ESMTP id kAUGEkH3017683; Fri, 1 Dec 2006 01:14:46 +0900 (JST)
Received: (from root@localhost) by wall11.toshiba.co.jp id kAUGEkoG002228; Fri, 1 Dec 2006 01:14:46 +0900 (JST)
Received: from ovp11.toshiba.co.jp [133.199.90.148] by wall11.toshiba.co.jp with ESMTP id BAA02227; Fri, 1 Dec 2006 01:14:45 +0900
Received: from mx2.toshiba.co.jp (localhost [127.0.0.1]) by ovp11.toshiba.co.jp with ESMTP id kAUGEjrd017857; Fri, 1 Dec 2006 01:14:45 +0900 (JST)
Received: from tsbpoa.po.toshiba.co.jp by toshiba.co.jp id kAUGEjK5029370; Fri, 1 Dec 2006 01:14:45 +0900 (JST)
Received: from steelhead ([172.30.24.105]) by mail.po.toshiba.co.jp (Sun Java System Messaging Server 6.1 (built Apr 28 2004)) with ESMTPSA id <0J9J00AXLX4I7300@mail.po.toshiba.co.jp>; Fri, 01 Dec 2006 01:14:45 +0900 (JST)
Received: from ohba by steelhead with local (Exim 4.63) (envelope-from <yohba@tari.toshiba.com>) id 1GpoYe-00038Z-3F; Thu, 30 Nov 2006 08:14:44 -0800
Date: Thu, 30 Nov 2006 11:14:43 -0500
From: Yoshihiro Ohba <yohba@tari.toshiba.com>
Subject: Re: [Pana] Preliminary pana-pana draft (13a)
In-reply-to: <0MKp2t-1Gpo4m1muu-0003sR@mrelay.perfora.net>
To: Alper Yegin <alper.yegin@yegin.org>
Message-id: <20061130161443.GB10356@steelhead>
MIME-version: 1.0
Content-type: text/plain; charset="iso-2022-jp"
Content-disposition: inline
References: <20061119083903.GC31177@steelhead> <0MKp2t-1Gpo4m1muu-0003sR@mrelay.perfora.net>
User-Agent: Mutt/1.5.13 (2006-08-11)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8b6657e60309a1317174c9db2ae5f227
Cc: 'Yoshihiro Ohba' <yohba@tari.toshiba.com>, pana@ietf.org
X-BeenThere: pana@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Protocol for carrying Authentication for Network Access <pana.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:pana@ietf.org>
List-Help: <mailto:pana-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=subscribe>
Errors-To: pana-bounces@ietf.org
On Thu, Nov 30, 2006 at 05:43:48PM +0200, Alper Yegin wrote: > > Yoshi, > > Thanks a lot for the revision. > > Here I have few comments and suggestions. > > > By the virtue of enabling transport of EAP > above IP, any authentication method that can be carried as an EAP > method is made available to PANA and hence to any link-layer > technology with a minimum link-layer dependency. There is a clear > > > Alper> What's that dependency? There is no link-layer dependency in the PANA protocol itself but there is some link-layer dependency in the entire PANA framework including EP which can be link-layer devices according to pana-framework I-D. Perhaps we can remove "with a minimum link-layer dependency" since this I-D is about the PANA protocol itself. > > > > There are components that are part of a complete secure network > access solution but are outside of the PANA protocol specification, > including IP address configuration, authentication method choice, > data traffic protection, PAA-EP protocol, and PAA discovery. PANA > authentication output is used for creating access control filters. > These components except for IP address configuration are described in > separate documents (see [I-D.ietf-pana-framework], > [I-D.ietf-pana-snmp] and [I-D.ietf-dhc-paa-option]). The IP address > configuration component may be specified in deployment-specific PANA > applicability documents. The readers are recommended to read the > PANA Framework document [I-D.ietf-pana-framework] prior to reading > this protocol specification document. > > Alper> "IP address configuration" is not really part of a secure network > access solution. I'd recommend this re-write of the above paragraph: > > There are components that are part of a complete secure network > access solution but are outside of the PANA protocol specification, > including authentication method choice, > data traffic protection, PAA-EP protocol, and PAA discovery. PANA > authentication output is used for creating access control filters. > These components are described in > separate documents (see [I-D.ietf-pana-framework], > [I-D.ietf-pana-snmp] and [I-D.ietf-dhc-paa-option]). > The readers are recommended to read the > PANA Framework document [I-D.ietf-pana-framework] prior to reading > this protocol specification document. OK. > > > > The protocol entity in the access network whose responsibility is > to verify the credentials provided by a PANA client (PaC) and > authorize network access to the access device associated with the > client. The PAA and the EAP authenticator (and optionally the EAP > > Alper> I'd remove "associated with the client." OK. > > > session cannot be shared across multiple network interfaces. Only > one IP address of the PaC is allowed to be bound to a PANA session > for simplicity. > > Alper> i think we can remove the last sentence. Sure we don't explicitly > support multi-homed clients, but no need to explicitly limit to single-homed > either. Being silent is a better choice. I agree. > > > > The PAA MAY refrain from retransmitting the PANA-Start-Request > message to maintain as less amount of state as possible in the > handshake phase. For this reason, the PaC MUST retransmit the PANA- > Client-Initiation message until it enters the authentication and > authorization phase by receiving a PANA-Auth-Request message from the > PAA. > > > Alper> Just to add a bit more elaboration (to prevent questions), I can > recommend > > > In order to prevent potential DoS attacks, the PAA MAY refrain from > timeout-based retransmission of the PANA-Start-Request > message in response to a PaC-initiated handshake. For this reason, > the PaC MUST retransmit the PANA-Client-Initiation message until it > enters the authentication and authorization phase by receiving > the first PANA-Auth-Request message from the PAA. OK. > > > > session, it MUST silently discard the message. Transmission of this > error request is made optional in case this behavior is leveraged for > a DoS attack on the PAA. A Nonce AVP MUST be included in the first > > > Alper> There is no more error message generation. Hence the sentence > starting with "Transmission of this..." shall be deleted. Yes (and there is similar comment from Victor). > > > If IPsec is used between the PaC and the EPs, an IKE [RFC2409] IKEv2 > [RFC4306] or MOBIKE [RFC4555] run is needed following such a change. > > Alper> This is not something for the base PANA specification to state. It's > for PANA-ipsec document. Let's remove the above paragraph. OK. > > > messages MUST be protected with an AUTH AVP. The PAA may also need > update the per-packet enforcement policies of the EPs, however, this > is out of the scope of this document. > > Alper> This last sentence shall be removed too. As you said, it's out of > scope. OK. > > > For other PANA messages, the source port MUST be set to a value > chosen by the sender. and the destination port MUST be set to the > > Alper> Remove "." OK. > > > [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., > and M. Carney, "Dynamic Host Configuration Protocol for > IPv6 (DHCPv6)", RFC 3315, July 2003. > > > Alper> this shall be under the informative references. OK. Regards, Yoshihiro Ohba > > > Thank you. > > Alper > > > > > -----Original Message----- > > From: Yoshihiro Ohba [mailto:yohba@tari.toshiba.com] > > Sent: Sunday, November 19, 2006 10:39 AM > > To: pana@ietf.org > > Subject: [Pana] Preliminary pana-pana draft (13a) > > > > is available at: > > > > http://www.panasec.org/docs/editing/pana-spec.html > > > > (Now we get 17 pages reduction.) > > > > Please do sanity check to make sure that all resolutions discussed in > > IETF67 and over mailing list are reflected appropriately. Diff from > > revision 12 is also available. > > > > As soon as sanity check is done, I will submit a new revision (13) > > which is to be used for IETF last call. > > > > Regards, > > Yoshihiro Ohba > > > > _______________________________________________ > > Pana mailing list > > Pana@ietf.org > > https://www1.ietf.org/mailman/listinfo/pana > > _______________________________________________ Pana mailing list Pana@ietf.org https://www1.ietf.org/mailman/listinfo/pana
- [Pana] Preliminary pana-pana draft (13a) Yoshihiro Ohba
- RE: [Pana] Preliminary pana-pana draft (13a) Alper Yegin
- Re: [Pana] Preliminary pana-pana draft (13a) Victor Fajardo
- Re: [Pana] Preliminary pana-pana draft (13a) Yoshihiro Ohba
- Re: [Pana] Preliminary pana-pana draft (13a) Rafa Marin Lopez
- Re: [Pana] Preliminary pana-pana draft (13a) Yoshihiro Ohba
- RE: [Pana] Preliminary pana-pana draft (13a) Alper Yegin
- Re: [Pana] Preliminary pana-pana draft (13a) Yoshihiro Ohba
- Re: [Pana] Preliminary pana-pana draft (13a) Yoshihiro Ohba