RE: [Pana] Preliminary pana-pana draft (13a)
"Alper Yegin" <alper.yegin@yegin.org> Thu, 30 November 2006 15:44 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gpo4x-0005II-2O; Thu, 30 Nov 2006 10:44:03 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gpo4w-0005IC-0x for pana@ietf.org; Thu, 30 Nov 2006 10:44:02 -0500
Received: from mout.perfora.net ([217.160.230.41]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Gpo4r-0006QB-MJ for pana@ietf.org; Thu, 30 Nov 2006 10:44:02 -0500
Received: from [85.96.27.150] (helo=IBM52A5038A94F) by mrelay.perfora.net (node=mrelayus1) with ESMTP (Nemesis), id 0MKp2t-1Gpo4m1muu-0003sR; Thu, 30 Nov 2006 10:43:55 -0500
From: Alper Yegin <alper.yegin@yegin.org>
To: 'Yoshihiro Ohba' <yohba@tari.toshiba.com>, pana@ietf.org
Subject: RE: [Pana] Preliminary pana-pana draft (13a)
Date: Thu, 30 Nov 2006 17:43:48 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: AccNA8viG80KCD8rRnqXTgeVPuq5rQHkZNWQ
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
In-Reply-To: <20061119083903.GC31177@steelhead>
Message-ID: <0MKp2t-1Gpo4m1muu-0003sR@mrelay.perfora.net>
X-Provags-ID: perfora.net abuse@perfora.net login:abf7a4bb310ea4dfc9b6841113e2970f
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 6ba8aaf827dcb437101951262f69b3de
Cc:
X-BeenThere: pana@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Protocol for carrying Authentication for Network Access <pana.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:pana@ietf.org>
List-Help: <mailto:pana-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=subscribe>
Errors-To: pana-bounces@ietf.org
Yoshi, Thanks a lot for the revision. Here I have few comments and suggestions. By the virtue of enabling transport of EAP above IP, any authentication method that can be carried as an EAP method is made available to PANA and hence to any link-layer technology with a minimum link-layer dependency. There is a clear Alper> What's that dependency? There are components that are part of a complete secure network access solution but are outside of the PANA protocol specification, including IP address configuration, authentication method choice, data traffic protection, PAA-EP protocol, and PAA discovery. PANA authentication output is used for creating access control filters. These components except for IP address configuration are described in separate documents (see [I-D.ietf-pana-framework], [I-D.ietf-pana-snmp] and [I-D.ietf-dhc-paa-option]). The IP address configuration component may be specified in deployment-specific PANA applicability documents. The readers are recommended to read the PANA Framework document [I-D.ietf-pana-framework] prior to reading this protocol specification document. Alper> "IP address configuration" is not really part of a secure network access solution. I'd recommend this re-write of the above paragraph: There are components that are part of a complete secure network access solution but are outside of the PANA protocol specification, including authentication method choice, data traffic protection, PAA-EP protocol, and PAA discovery. PANA authentication output is used for creating access control filters. These components are described in separate documents (see [I-D.ietf-pana-framework], [I-D.ietf-pana-snmp] and [I-D.ietf-dhc-paa-option]). The readers are recommended to read the PANA Framework document [I-D.ietf-pana-framework] prior to reading this protocol specification document. The protocol entity in the access network whose responsibility is to verify the credentials provided by a PANA client (PaC) and authorize network access to the access device associated with the client. The PAA and the EAP authenticator (and optionally the EAP Alper> I'd remove "associated with the client." session cannot be shared across multiple network interfaces. Only one IP address of the PaC is allowed to be bound to a PANA session for simplicity. Alper> i think we can remove the last sentence. Sure we don't explicitly support multi-homed clients, but no need to explicitly limit to single-homed either. Being silent is a better choice. The PAA MAY refrain from retransmitting the PANA-Start-Request message to maintain as less amount of state as possible in the handshake phase. For this reason, the PaC MUST retransmit the PANA- Client-Initiation message until it enters the authentication and authorization phase by receiving a PANA-Auth-Request message from the PAA. Alper> Just to add a bit more elaboration (to prevent questions), I can recommend In order to prevent potential DoS attacks, the PAA MAY refrain from timeout-based retransmission of the PANA-Start-Request message in response to a PaC-initiated handshake. For this reason, the PaC MUST retransmit the PANA-Client-Initiation message until it enters the authentication and authorization phase by receiving the first PANA-Auth-Request message from the PAA. session, it MUST silently discard the message. Transmission of this error request is made optional in case this behavior is leveraged for a DoS attack on the PAA. A Nonce AVP MUST be included in the first Alper> There is no more error message generation. Hence the sentence starting with "Transmission of this..." shall be deleted. If IPsec is used between the PaC and the EPs, an IKE [RFC2409] IKEv2 [RFC4306] or MOBIKE [RFC4555] run is needed following such a change. Alper> This is not something for the base PANA specification to state. It's for PANA-ipsec document. Let's remove the above paragraph. messages MUST be protected with an AUTH AVP. The PAA may also need update the per-packet enforcement policies of the EPs, however, this is out of the scope of this document. Alper> This last sentence shall be removed too. As you said, it's out of scope. For other PANA messages, the source port MUST be set to a value chosen by the sender. and the destination port MUST be set to the Alper> Remove "." [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003. Alper> this shall be under the informative references. Thank you. Alper > -----Original Message----- > From: Yoshihiro Ohba [mailto:yohba@tari.toshiba.com] > Sent: Sunday, November 19, 2006 10:39 AM > To: pana@ietf.org > Subject: [Pana] Preliminary pana-pana draft (13a) > > is available at: > > http://www.panasec.org/docs/editing/pana-spec.html > > (Now we get 17 pages reduction.) > > Please do sanity check to make sure that all resolutions discussed in > IETF67 and over mailing list are reflected appropriately. Diff from > revision 12 is also available. > > As soon as sanity check is done, I will submit a new revision (13) > which is to be used for IETF last call. > > Regards, > Yoshihiro Ohba > > _______________________________________________ > Pana mailing list > Pana@ietf.org > https://www1.ietf.org/mailman/listinfo/pana _______________________________________________ Pana mailing list Pana@ietf.org https://www1.ietf.org/mailman/listinfo/pana
- [Pana] Preliminary pana-pana draft (13a) Yoshihiro Ohba
- RE: [Pana] Preliminary pana-pana draft (13a) Alper Yegin
- Re: [Pana] Preliminary pana-pana draft (13a) Victor Fajardo
- Re: [Pana] Preliminary pana-pana draft (13a) Yoshihiro Ohba
- Re: [Pana] Preliminary pana-pana draft (13a) Rafa Marin Lopez
- Re: [Pana] Preliminary pana-pana draft (13a) Yoshihiro Ohba
- RE: [Pana] Preliminary pana-pana draft (13a) Alper Yegin
- Re: [Pana] Preliminary pana-pana draft (13a) Yoshihiro Ohba
- Re: [Pana] Preliminary pana-pana draft (13a) Yoshihiro Ohba