[Pana] Review of I-D: draft-ietf-pana-preauth-05

To: <pana at ietf.org>
Subject: [Pana] Review of I-D: draft-ietf-pana-preauth-05
From: <Basavaraj.Patil at nokia.com>
Date: Fri, 12 Jun 2009 18:14:06 +0200
Accept-language: en-US
Acceptlanguage: en-US
Delivered-to: pana at core3.amsl.com
List-archive: <http://www.ietf.org/mail-archive/web/pana>
List-help: <mailto:pana-request@ietf.org?subject=help>
List-id: Protocol for carrying Authentication for Network Access <pana.ietf.org>
List-post: <mailto:pana@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=unsubscribe>
Thread-index: AcnreM8adXnyU6gttE27DjZM4eVdcA==
Thread-topic: Review of I-D: draft-ietf-pana-preauth-05

Hello,

My review comments on the I-D: draft-ietf-pana-preauth-05.txt

- s/to which the PANA client may move./to which the PANA client may
  move to. 

- "Serving Network:  The access network through which the host gains
   access to the Internet/intranet."

   Would it be better to say that the serving network is the network
   via which the host is currently attached. So from a PANA
   perspective the serving network is the one in which the PaC has
   been authenticated and has an active SA.


- In sec 3:
"   There may be several mechanisms for a PaC and a CPAA to discover each
   other.  However, such mechanisms are out of the scope of this
   document."

   If the discovery of the CPAA is not specified here, would it be
   specified in another document? Or is the assumption that the CPAA
   could be discovered via DNS, DHCP etc.? Without a reference to the
   possible mechanisms, the solution has some gaps.

- "  Pre-authentication may be initiated by both a PaC and a CPAA. "

  How can the CPAA initiate pre-auth? How would the CPAA even be aware
  of a PaC that is in a handover state? CPAA initiating pre-auth does
  not appear to be a feasible option.

-  "   The PANA session between the PaC and a CPAA is deleted by entering
   the termination phase of the PANA protocol."

   When does the PaC decide to terminate a PANA session with a CPAA?
   The CPAA either transitions to the SPAA or not. Since the PaC can
   initiate the pre-auth session with several CPAAs, is it the intent
   that the PaC would terminate the sessions with other CPAAs as
   needed?

- Figure 2 shows the PAA initiated pre-auth signaling. What are the
  potential triggers at the CPAA? Would be useful to mention any
  assumptions that are made in CPAA initiated pre-auth. Or drop the
  CPAA initiated pre-auth from the I-D.

- "   When pre-authentication is initiated by CPAA, it is possible that
   multiple CPAAs simultaneously initiate pre-authentication for the
   same PaC.  In order to avoid possible resource consumption attacks on
   the PaC caused by an attacker initiating pre-authentication for the
   PaC by changing source addresses, the PaC SHOULD limit the maximum
   number of CPAAs allowed to communicate."

   I think it is better to have pre-auth always initiated by the
   PaC. In what specific scenario would you need to have the PAA
   initiate pre-auth? Is there a downside to having preauth always
   initiated by the PaC only?

- Is the assumption that the CPAA is within the same administrative
  domain as the serving network? I think it would be useful to mention
  the scenario where the serving and target networks have no security
  relationship. In such a case does the pre-auth still work?


-Raj

Follow-Ups:
- Re: [Pana] Review of I-D: draft-ietf-pana-preauth-05
  - From: Yoshihiro Ohba

Prev by Date: Re: [Pana] draft-ietf-pana-statemachine issue
Next by Date: Re: [Pana] draft-ietf-pana-statemachine issue
Previous by thread: [Pana] draft-ietf-pana-statemachine issue
Next by thread: Re: [Pana] Review of I-D: draft-ietf-pana-preauth-05
Index(es):
- Date
- Thread

[Pana] Review of I-D: draft-ietf-pana-preauth-05

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.