Re: [Pana] Review of I-D: draft-ietf-pana-preauth-05
> > - In sec 3:
> > "There may be several mechanisms for a PaC and a CPAA to discover each
> > other. However, such mechanisms are out of the scope of this
> > document."
> >
> > If the discovery of the CPAA is not specified here, would it be
> > specified in another document? Or is the assumption that the CPAA
> > could be discovered via DNS, DHCP etc.? Without a reference to the
> > possible mechanisms, the solution has some gaps.
> >
>
> We can refer to IEEE 802.21 Information Service as an example method
> for the host to discover various network elements in neighboring networks.
Yes, as an informative reference that'd be useful.
> > - "When pre-authentication is initiated by CPAA, it is possible that
> > multiple CPAAs simultaneously initiate pre-authentication for the
> > same PaC. In order to avoid possible resource consumption attacks on
> > the PaC caused by an attacker initiating pre-authentication for the
> > PaC by changing source addresses, the PaC SHOULD limit the maximum
> > number of CPAAs allowed to communicate."
> >
> > I think it is better to have pre-auth always initiated by the
> > PaC. In what specific scenario would you need to have the PAA
> > initiate pre-auth? Is there a downside to having preauth always
> > initiated by the PaC only?
> >
> I could not think of a downside of not having PAA-initiated preauth,
> for the following reason:
>
> - PAA-initiated preauth is for network-controlled handover that would
> require a handover command as a trigger at the CPAA.
>
> - MN (PaC) is also involved in such a handover command, which means the
> command can also trigger PaC-initiated preauth.
>
> So I do not mind dropping PAA-initiated preauth and removing the above
> security claim.
PAA-initiated pre-auth raises some questions that can only be answered in an
"architecture design". If people want to drop this case, I don't care much.
But note that the PAA-initiated pre-auth is a natural consequence of the
marriage between pre-auth and PANA -- PANA already supports
PAA-initiated auth. So, unless we do something special (to eliminate this
case), it comes for free.
Alper