RE: [Pana] Preliminary pana-pana draft (13a)
"Alper Yegin" <alper.yegin@yegin.org> Thu, 30 November 2006 15:44 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gpo4x-0005II-2O; Thu, 30 Nov 2006 10:44:03 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gpo4w-0005IC-0x for pana@ietf.org; Thu, 30 Nov 2006 10:44:02 -0500
Received: from mout.perfora.net ([217.160.230.41]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Gpo4r-0006QB-MJ for pana@ietf.org; Thu, 30 Nov 2006 10:44:02 -0500
Received: from [85.96.27.150] (helo=IBM52A5038A94F) by mrelay.perfora.net (node=mrelayus1) with ESMTP (Nemesis), id 0MKp2t-1Gpo4m1muu-0003sR; Thu, 30 Nov 2006 10:43:55 -0500
From: Alper Yegin <alper.yegin@yegin.org>
To: 'Yoshihiro Ohba' <yohba@tari.toshiba.com>, pana@ietf.org
Subject: RE: [Pana] Preliminary pana-pana draft (13a)
Date: Thu, 30 Nov 2006 17:43:48 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: AccNA8viG80KCD8rRnqXTgeVPuq5rQHkZNWQ
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
In-Reply-To: <20061119083903.GC31177@steelhead>
Message-ID: <0MKp2t-1Gpo4m1muu-0003sR@mrelay.perfora.net>
X-Provags-ID: perfora.net abuse@perfora.net login:abf7a4bb310ea4dfc9b6841113e2970f
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 6ba8aaf827dcb437101951262f69b3de
Cc:
X-BeenThere: pana@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Protocol for carrying Authentication for Network Access <pana.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:pana@ietf.org>
List-Help: <mailto:pana-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=subscribe>
Errors-To: pana-bounces@ietf.org
Yoshi,
Thanks a lot for the revision.
Here I have few comments and suggestions.
By the virtue of enabling transport of EAP
above IP, any authentication method that can be carried as an EAP
method is made available to PANA and hence to any link-layer
technology with a minimum link-layer dependency. There is a clear
Alper> What's that dependency?
There are components that are part of a complete secure network
access solution but are outside of the PANA protocol specification,
including IP address configuration, authentication method choice,
data traffic protection, PAA-EP protocol, and PAA discovery. PANA
authentication output is used for creating access control filters.
These components except for IP address configuration are described in
separate documents (see [I-D.ietf-pana-framework],
[I-D.ietf-pana-snmp] and [I-D.ietf-dhc-paa-option]). The IP address
configuration component may be specified in deployment-specific PANA
applicability documents. The readers are recommended to read the
PANA Framework document [I-D.ietf-pana-framework] prior to reading
this protocol specification document.
Alper> "IP address configuration" is not really part of a secure network
access solution. I'd recommend this re-write of the above paragraph:
There are components that are part of a complete secure network
access solution but are outside of the PANA protocol specification,
including authentication method choice,
data traffic protection, PAA-EP protocol, and PAA discovery. PANA
authentication output is used for creating access control filters.
These components are described in
separate documents (see [I-D.ietf-pana-framework],
[I-D.ietf-pana-snmp] and [I-D.ietf-dhc-paa-option]).
The readers are recommended to read the
PANA Framework document [I-D.ietf-pana-framework] prior to reading
this protocol specification document.
The protocol entity in the access network whose responsibility is
to verify the credentials provided by a PANA client (PaC) and
authorize network access to the access device associated with the
client. The PAA and the EAP authenticator (and optionally the EAP
Alper> I'd remove "associated with the client."
session cannot be shared across multiple network interfaces. Only
one IP address of the PaC is allowed to be bound to a PANA session
for simplicity.
Alper> i think we can remove the last sentence. Sure we don't explicitly
support multi-homed clients, but no need to explicitly limit to single-homed
either. Being silent is a better choice.
The PAA MAY refrain from retransmitting the PANA-Start-Request
message to maintain as less amount of state as possible in the
handshake phase. For this reason, the PaC MUST retransmit the PANA-
Client-Initiation message until it enters the authentication and
authorization phase by receiving a PANA-Auth-Request message from the
PAA.
Alper> Just to add a bit more elaboration (to prevent questions), I can
recommend
In order to prevent potential DoS attacks, the PAA MAY refrain from
timeout-based retransmission of the PANA-Start-Request
message in response to a PaC-initiated handshake. For this reason,
the PaC MUST retransmit the PANA-Client-Initiation message until it
enters the authentication and authorization phase by receiving
the first PANA-Auth-Request message from the PAA.
session, it MUST silently discard the message. Transmission of this
error request is made optional in case this behavior is leveraged for
a DoS attack on the PAA. A Nonce AVP MUST be included in the first
Alper> There is no more error message generation. Hence the sentence
starting with "Transmission of this..." shall be deleted.
If IPsec is used between the PaC and the EPs, an IKE [RFC2409] IKEv2
[RFC4306] or MOBIKE [RFC4555] run is needed following such a change.
Alper> This is not something for the base PANA specification to state. It's
for PANA-ipsec document. Let's remove the above paragraph.
messages MUST be protected with an AUTH AVP. The PAA may also need
update the per-packet enforcement policies of the EPs, however, this
is out of the scope of this document.
Alper> This last sentence shall be removed too. As you said, it's out of
scope.
For other PANA messages, the source port MUST be set to a value
chosen by the sender. and the destination port MUST be set to the
Alper> Remove "."
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
and M. Carney, "Dynamic Host Configuration Protocol for
IPv6 (DHCPv6)", RFC 3315, July 2003.
Alper> this shall be under the informative references.
Thank you.
Alper
> -----Original Message-----
> From: Yoshihiro Ohba [mailto:yohba@tari.toshiba.com]
> Sent: Sunday, November 19, 2006 10:39 AM
> To: pana@ietf.org
> Subject: [Pana] Preliminary pana-pana draft (13a)
>
> is available at:
>
> http://www.panasec.org/docs/editing/pana-spec.html
>
> (Now we get 17 pages reduction.)
>
> Please do sanity check to make sure that all resolutions discussed in
> IETF67 and over mailing list are reflected appropriately. Diff from
> revision 12 is also available.
>
> As soon as sanity check is done, I will submit a new revision (13)
> which is to be used for IETF last call.
>
> Regards,
> Yoshihiro Ohba
>
> _______________________________________________
> Pana mailing list
> Pana@ietf.org
> https://www1.ietf.org/mailman/listinfo/pana
_______________________________________________
Pana mailing list
Pana@ietf.org
https://www1.ietf.org/mailman/listinfo/pana
- [Pana] Preliminary pana-pana draft (13a) Yoshihiro Ohba
- RE: [Pana] Preliminary pana-pana draft (13a) Alper Yegin
- Re: [Pana] Preliminary pana-pana draft (13a) Victor Fajardo
- Re: [Pana] Preliminary pana-pana draft (13a) Yoshihiro Ohba
- Re: [Pana] Preliminary pana-pana draft (13a) Rafa Marin Lopez
- Re: [Pana] Preliminary pana-pana draft (13a) Yoshihiro Ohba
- RE: [Pana] Preliminary pana-pana draft (13a) Alper Yegin
- Re: [Pana] Preliminary pana-pana draft (13a) Yoshihiro Ohba
- Re: [Pana] Preliminary pana-pana draft (13a) Yoshihiro Ohba