[Pana] Re: review pana spec

To: yohba at tari.toshiba.com
Subject: [Pana] Re: review pana spec
From: Mohan Parthasarathy <mohanp at sbcglobal.net>
Date: Thu, 30 Nov 2006 10:20:57 -0800 (PST)
Cc: pana at ietf.org
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=sbcglobal.net; h=Message-ID:Received:Date:From:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding; b=dBc44ScPo9l/VrTb33qCmKsEU8EEM/iznotPOyn6FV58AKMDyXEO3Fx26iVmEnRkfnR9gkM1bfxS2MSxLwjWj8l/8+ZsaBJBIYvh/OOipTLPHWOEAVAZ0Gp+JDdRCw2bmBFMbMRi1BwyUJxfnXSYJf8AgVmFpZsjt7MX7WivrCk= ;
List-help: <mailto:pana-request@ietf.org?subject=help>
List-id: Protocol for carrying Authentication for Network Access <pana.ietf.org>
List-post: <mailto:pana@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=unsubscribe>

Hi Yoshi,

the draft looks pretty good. I mainly went through the differences. Here are my comments. 

- Abstract calls it "link-layer" agnostic where as in the Introduction, there is
  "minimum" link-layer dependency. Having gone through this discussion many
  times it might be better to remove both these terms to avoid lengthy discussions :-)

-Why isn't Key-Id included in the PANA-AUTH-KEY ? If you have multiple MSKs, isn't there
  multiple PANA SAs and hence the Key-Id should be included ?

-Section 5.6 " Pac Updating its IP addresses" : Is this needed for basic operation of PANA ?
 The example given in the section makes me believe that it is not required. But it is required
 depending on what IP address you start with. Hence, some clarification is required.

-In the Security considerations, 
   11.8.  IP Address Spoofing

            There is no way to prove the ownership of the IP address presented by
            the PaC.  Hence an authorized PaC can launch a redirect attack by
            spoofing a victim's IP address.

  the first sentence is worded in such a way that there is no way to do it. But if SEND
  is deployed in access networks, then it should be possible. Sure, PANA by itself
  cannot do it.



-mohan








> -----Original Message-----
> From: Yoshihiro Ohba [mailto:yohba at tari.toshiba.com]
> Sent: Sunday, November 19, 2006 10:39 AM
> To: pana at ietf.org
> Subject: [Pana] Preliminary pana-pana draft (13a)
> 
> is available at:
> 
> http://www.panasec.org/docs/editing/pana-spec.html
> 
> (Now we get 17 pages reduction.)
> 
> Please do sanity check to make sure that all resolutions discussed in
> IETF67 and over mailing list are reflected appropriately.  Diff from
> revision 12 is also available.
> 
> As soon as sanity check is done, I will submit a new revision (13)
> which is to be used for IETF last call.
> 
> Regards,
> Yoshihiro Ohba
> 
> _______________________________________________
> Pana mailing list
> Pana at ietf.org
> https://www1.ietf.org/mailman/listinfo/pana





_______________________________________________
Pana mailing list
Pana at ietf.org
https://www1.ietf.org/mailman/listinfo/pana

Follow-Ups:
- Re: [Pana] Re: review pana spec
  - From: Yoshihiro Ohba

Prev by Date: RE: [Pana] AD review of draft-ietf-dhc-paa-option-04.txt
Next by Date: Re: [Pana] Re: review pana spec
Previous by thread: [Pana] Preliminary pana-pana draft (13a)
Next by thread: Re: [Pana] Re: review pana spec
Index(es):
- Date
- Thread

[Pana] Re: review pana spec

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.