[Pana] comments on draft-ietf-pana-ipsec-00.txt
Jari Arkko <jari.arkko@piuha.net> Thu, 13 November 2003 17:47 UTC
Received: from optimus.ietf.org ([132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA10399 for <pana-archive@lists.ietf.org>; Thu, 13 Nov 2003 12:47:19 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AKLYb-00085c-2b; Thu, 13 Nov 2003 12:47:01 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AKLYY-00085L-Rl for pana@optimus.ietf.org; Thu, 13 Nov 2003 12:46:58 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA10377 for <pana@ietf.org>; Thu, 13 Nov 2003 12:46:45 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AKLYX-0001s3-00 for pana@ietf.org; Thu, 13 Nov 2003 12:46:57 -0500
Received: from p2.piuha.net ([131.160.192.2]) by ietf-mx with esmtp (Exim 4.12) id 1AKLYW-0001rw-00 for pana@ietf.org; Thu, 13 Nov 2003 12:46:56 -0500
Received: from piuha.net (p4.piuha.net [131.160.192.4]) by p2.piuha.net (Postfix) with ESMTP id 69AC36A908; Thu, 13 Nov 2003 19:46:48 +0200 (EET)
Message-ID: <3FB39F1D.8050901@piuha.net>
Date: Thu, 13 Nov 2003 17:11:25 +0200
From: Jari Arkko <jari.arkko@piuha.net>
Reply-To: jari.arkko@piuha.net
Organization: None
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: pana@ietf.org, Mohan Parthasarathy <mohanp@tahoenetworks.com>
Cc: Bernard Aboba <aboba@internaut.com>, James Kempf <kempf@docomolabs-usa.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Subject: [Pana] comments on draft-ietf-pana-ipsec-00.txt
Sender: pana-admin@ietf.org
Errors-To: pana-admin@ietf.org
X-BeenThere: pana@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=unsubscribe>
List-Id: Protocol for carrying Authentication for Network Access <pana.ietf.org>
List-Post: <mailto:pana@ietf.org>
List-Help: <mailto:pana-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
I have read draft-ietf-pana-ipsec-00.txt, and I have a few comments. Apologies if this has been discussed before, I was unable to participate the WG session due to other commitments. Here are the comments: - Section 3.0, bullet 3. This document appears to assume that the IPv6 node has a single address. What about RFC 3041 etc? - Section 4.0, Session ID. I'm glad that the document uses a session ID -- those are indeed needed, as it is possible that more than one EAP session was run, and we need to know where to refer to. However, I still have one problem with this. The problem is that it is not enough to use the Session ID as a part of the IKE pre-shared secret. It is also necessary to carry the session id information in IKE so that the two peers know which key to use. How do you intend to do that? The usual IKE payloads don't appear to carry this information, though it might be that ID_KEY_ID identity type might be usable. (The IKEv1 documents appear to imply that this type is normally used for vendor specific identification.) Or perhaps a new IKE identity type is needed. - Section 5.0, manual keying comment. It seems inappropriate. The purpose of PANA is to do an auth and then use those keys to protect traffic. If manual keys were used in IPsec, those would not be linked to the authentication, so it does not seem like a valid combination. - Section 5.0, main mode. I think the IP addresses are apparent from the packets themselves, but the session ID would have to be transported (perhaps in the identity payload) to distinguish possibly different EAP runs that you had done before. However, this seems problematic, as IKEv1 pre-shared secret mode does not allow the transport of the identity before the identity needs to be known. Are you relying on IKEv2, or would you have to resort to the use of aggressive mode only? - Section 5.0, aggressive mode. I don't understand what the issue with link-locals is. If the link-local addresses were not unique, how would the client - EP communication succeed in the first place? Anyway, as I said above I think the ID_KEY_ID may be needed just to differentiate EAP runs. - Section 6.0, I wish there was some notation to show that the inner and outer addresses are different. They are, right? The text is vague since it only talks about the outer addresses being link-local, but does not say anything about the inner addresses. - Section 7.2, ICMP type selectors. I believe this was added to the IPsec documents a couple of months ago. They are not RFCs yet, but neither is PANA, so maybe you could refer to them. And if you do that, you could use more specific SPD entries, as suggested by draft-arkko-icmpv6-ike-effects-01.txt. Its expired, but you can find it here: http://www.arkko.com/publications/draft-arkko-icmpv6-ike-effects-01.txt - Section 9.0, stealing another PaC's traffic. This is interesting. I believe you are talking about the *inner* addresses in the packets, right? Note that if the PAA were responsible for inner IP address assignment, this would not be a problem. But I'm not sure how. Perhaps you could use IKEv2 and its address assignment function, then the EC and PAA would communicate via a AAA protocol to get the address. But this needs more thought. Bernard, do you know what 802.11i says about this subject? It seems that its a similar issue in there. Or is there a need to do some SEND-like address ownership verification? I'm not sure how all the pieces fit together. Is there a PANA document somewhere that describes what the other mechanisms are that you say the PAA can use? Editorial: - I don't see how the NC-DC-PL-DRL discussion fits section 7.2. Move it elsewhere? - s/TUNEL/TUNNEL/g --Jari _______________________________________________ Pana mailing list Pana@ietf.org https://www1.ietf.org/mailman/listinfo/pana
- [Pana] comments on draft-ietf-pana-ipsec-00.txt Yoshihiro Ohba
- Re: [Pana] comments on draft-ietf-pana-ipsec-00.t… Mohan Parthasarathy
- Re: [Pana] comments on draft-ietf-pana-ipsec-00.t… Yoshihiro Ohba
- Re: [Pana] comments on draft-ietf-pana-ipsec-00.t… Mohan Parthasarathy
- Re: [Pana] comments on draft-ietf-pana-ipsec-00.t… Yoshihiro Ohba
- [Pana] comments on draft-ietf-pana-ipsec-00.txt Jari Arkko
- Re: [Pana] comments on draft-ietf-pana-ipsec-00.t… Mohan Parthasarathy
- Re: [Pana] comments on draft-ietf-pana-ipsec-00.t… Jari Arkko
- Re: [Pana] comments on draft-ietf-pana-ipsec-00.t… Alper Yegin
- Re: [Pana] comments on draft-ietf-pana-ipsec-00.t… Jari Arkko
- Re: [Pana] comments on draft-ietf-pana-ipsec-00.t… Mohan Parthasarathy
- Re: [Pana] comments on draft-ietf-pana-ipsec-00.t… Alper Yegin
- Re: [Pana] comments on draft-ietf-pana-ipsec-00.t… Jari Arkko
- Re: [Pana] comments on draft-ietf-pana-ipsec-00.t… Mohan Parthasarathy
- Re: [Pana] comments on draft-ietf-pana-ipsec-00.t… Rafa Marín López
- Re: [Pana] comments on draft-ietf-pana-ipsec-00.t… Mohan Parthasarathy