RE: Protection capability needed? (was RE: [Pana] Other suggestions for pana-pana)
"Alper Yegin" <alper.yegin@yegin.org> Sat, 07 October 2006 22:06 UTC
From: Alper Yegin <alper.yegin@yegin.org>
To: 'Yoshihiro Ohba' <yohba@tari.toshiba.com>
Subject: RE: Protection capability needed? (was RE: [Pana] Other suggestions for pana-pana)
Date: Sun, 08 Oct 2006 01:01:23 +0300
Cc: 'Mark Townsley' <townsley@cisco.com>, pana@ietf.org

Yoshi,

Irrespective of whether PANA is used, "how PaC knows the right layer to enable per-packet security" is an orthogonal issue (not PANA's business). Agreed?

If so, unless the appropriate per-packet security was already established prior to PANA execution, PaC can figure out that it needs to be enabled after PANA. I think this is how we can clean PANA off this mechanism.

Sure I agree that an explicit message like we have in PANA is, well, "more explicit!" But I think this approach also makes sense, especially for the sake of simplifying the PANA.

Alper

> -----Original Message-----
> From: Yoshihiro Ohba [mailto:yohba@tari.toshiba.com]
> Sent: Friday, October 06, 2006 11:33 PM
> To: Alper Yegin
> Cc: 'Yoshihiro Ohba'; 'Mark Townsley'; pana@ietf.org
> Subject: Re: Protection capability needed? (was RE: [Pana] Other suggestions for pana-pana)
>
> Does it mean bootstrapping lower-layer security (i.e., mechanisms described
> in draft-ietf-pana-ipsec, etc.) is not an aspect introduced by PANA?
>
> Yoshihiro Ohba
>
> On Fri, Oct 06, 2006 at 11:27:23PM +0300, Alper Yegin wrote:
> > > Similar to PPAC discussion, I think we still need one bit to indicate
> >
> > This is different than PPAC. In PPAC case, configuration of so-called POPA
> > is an aspect introduced by PANA. Hence we deal with it.
> >
> > The same cannot be said about protection capability of the access network.
> > For that, I'm inclined to think this is not a problem that we need to deal
> > with PANA.
> >
> > Alper
> >
> > > that protection is needed. Actual protection layer can be known from
> > > the Address Family information in EP's Device-Id in PBR.
> > >
> > > Yoshihiro Ohba
> > >
> > > On Fri, Oct 06, 2006 at 04:12:56PM +0300, Alper Yegin wrote:
> > > > > > 8.13: The "Protection Capability" AVP is another layer violation. Why does
> > > > > > the PANA protocol itself care about what kind of a connection it is running
> > > > > > over? At the system level you may be concerned, but why within PANA itself?
> > > > > > What if you are using something other than IPsec (DTLS? SSL? etc?)? Do you
> > > > > > really want to maintain all of the possibilities here? To what gain?
> > > > >
> > > > > Similar question: If we don't define Protection-Capability AVP, how
> > > > > the PaC can/should know which layer security needs to be bootstrapped?
> > > >
> > > > Similar to my feedback on the earlier comment, maybe this is not our problem
> > > > either. Unless we identify some PANA-specific aspect here, we may not have
> > > > to solve this problem as well.
> > > >
> > > > Alper