Protocol for Carrying Authentication for Network Access (pana)

MONDAY, March 20, 2006
1740-1840 Afternoon Session III

CHAIRS: Basavaraj Patil <basavaraj.patil@nokia.com>
         Alper Yegin <alper01.yegin@partner.samsung.com>

Meeting minutes courtesy of: 1. Madjid Nakhjiri (Madjid.Nakhjiri@motorola.com)

------------------------------------------------

1. Preliminaries (bluesheets, minute takers, agenda bashing, document
   status) : 5 min, Chairs

last call document:
pana-pana-11
pana-framework

pana-snmp-05 did not receive much feedback, another last call issued.

Pana-statemachine-03 ready for last call.
More work needs to be done before the last call on the following
pana-pre-auth-01, 
pana-cxtp-01
pana-mobopts...
.....

2. Base specification: 5 min, Yoshihiro Ohba
   draft-ietf-pana-pana-11.txt

Yoshi will present the issues, they are not open for discussions as the doc is on last call.
issues on stateless PAA discovery:
-cookie example,
-concern on stateless discovery? AD expressed concern on complexibility, but issue was rejected.
-stateless discovery indication
-PaC updating its IP address
-PANA lower layer ciphering and KDF
HMAC-SHA1 is hardcoded in the spec. More flexibility is needed.
resolution: Use IKEv2 prf+ to generate keys of arbitrary length.
-Rate limitation to responding to request (prevent DoS)
details were missing.

3. Framework: 5 min, Yoshihiro Ohba
   draft-ietf-pana-framework-06.txt

4 issues:
-Is SNMP for PAA-EP protocol mandatory?
-802.11i bootstrapping issues
--not only uncontrolled port based solution but also Virtual AP based solution should be described.
--

Raj: The discussion was you could use other protocols than SNMP between PAA-EP and we wanted to have one default protocol for ensuring interop, so that is why SNMP was chosen, but people could use RADIUS/Diameter, etc.

Yoshi: Ok, agreed.

4. SNMP usage: 5 min, Yacine El Mghazli
   draft-ietf-pana-snmp-05.txt

Presented by Julien Bournelle
Julien presented changes from 04 based on ml.
typos in the MIB.
-issues on the notification usage. 
resolution, we will end with a notification.

last called was done in feb. But would like to have a LC on V6.


5. Pre-authentication: 5 min, Yoshihiro, Ohba
   draft-ietf-pana-preauth-01.txt   

issues were listed.
-co-existence with PANA mobopts.
After handover, How could the PaC know that is it is attached to a network of the realm of a remote PAA with which it has a pre-auth sA?

resolution: 
PaC may find the r-PAA by 1) by running PAA discovery, or immediatley when the PaC attaches a link layer device that is acting 

-MPA reference is not needed.
res: removed reference to ohba... 

Alper: how far are we from WGLC
Yoshi: we need expert reviews, after that it should be ready.

6. Context transfers: 5 min, Julien Bournelle
   draft-ietf-pana-cxtp-01.txt

avoid re-auth from scratch

issues: 
-session lifetime elapsed and so it is not enough nPAA
-how do pPAA get nPAA ID (to compute AAA-key-int)

proposal: add nPAA ID in the CDB by tlv and add text accordingly.
-details on how the PSA message is sent between pPAA and nPAA

res: text added.
-identifier for the CTD received by nPAA (match request and response)
res: a PANA specific solution was added.

Next steps: AAA interactions, AAA infrastructure needs to know PAA in charge of the PaC.

This doc cannot go into last call unless PANA-mobopts goes to last call.
Q: What is the relation between PANA CXTP and PANA-pre-auth?
What is the prefered solution (PANA CXTP or Pre-auth)? 

A: it is depending on the capability?
Q: depending on whether it is single domain or multidomain, we should have CTXP versus Pre-auth? In that case why does the PaC needs to do capability discovery?

Yoshi: If you had methods such as 802.21 for capability discovery, you could know
Q: Is it mandatory to put the PANA pre-auth AVP in the spec.
To be discussed more in details.

7. PAA discovery via DHCP: 5 min, Lionel Morand
   draft-ietf-dhc-paa-option-01.txt
defines DHCP options to locate PAAs in the access network
DHCP server provides client with either....
Doc is approved as WG work item. the doc is presented in DHC WG.
change from 00:
-common draft for DHCPv4 and DHCPv6.
-redefined DHCPv4 subptions.
open issue: use of domain names
-DHCP server may currently provide IP address list or domain name list
-are unatuhenticated PaC able to reach DNS server?

Please comment.

8. PANA bootstrapping IEEE 802.11 security: 10 min, Rafa Marin Lopez 
   draft-marin-pana-ieee802doti-00.txt

purpose: complement PANA framework in terms of 802.11i
PANA over 1x uncontrolled port.
PANA over non-RSN (open) AP (case 2)
PSK derivation and 4 way handshake shown
capability discovery issues discussed.

Pat C: Are we changing the semantics of 802.11i. 
Q: Can we use PANA to boostrap the PSK or not?
Pat C: WiFi has a new provisioning procedure for 802.11 client. Is there a difference there?

Alper: Is that about provisioning a master key? In this case, the client has a master key already.

Lady: That is changing 11i, because that assumes you are using EAP or 1x.
The port is closed until you use 

BoB: all data is dropped except 1x frame.
Pat C: Anybody who implements the product according to spec, will drop MSD.
Cisco: What you are trying to do is not really 802.11i. What you are doing is a 4-way mechanism using the uncontrolled port.
Pat C: As the group goes down this path, can this implemented with issues with that spec.

Rafa: So there is no issue with case 2?
Pat C: one of the issues what 11 is that the BSSID is not associated to a physical device.
Rafa: there is something out of band that tells the other BSSID.

Lady: In the case 2 there is no security, so there is no issue with finding BSSID anyway.
Nokia: how do you restrict it, if it unrestricted?

slides on 802.11i bootstrapping from PANA pre-authentication.
Pat C: how is different 802.11i or how is different from 802.11r pre-auth
Rafa: what protocol are using when two APs are not within the same distribution systems:
Pat C: CAPWAP.
Patc: why is there so much emphasis on PSK?
Yoshi: We could also use EAP mode and bootstrap the PSK from higher layer.

Question from Rafa: should this be a WG item? informational?
 

9. Location-based Authorization Services within the PANA framework: 10 min,
   Farooq Anjum 
   draft-anjum-pana-location-requirements-00.txt

Yoshi presented. 
Requirements for LBAr was presented.
PAA must be able to obtain loc info for a PaC.
PAA must be able to determine changes in paC locations
PAA must be capable of termination network access in case PaC loca is outside region
PaC must be to send loc ...

a bunch of issues were presented:
-privacy issues.


Q: The PAA role? location was requested by AAA infra not by PAA?
why is the loc needed at the PAA?


10. Next steps: 5 min, Chairs


Address IETF last call and IESG comments on the base spec and the framework doc.
Please send comments on the PANA base document.

Ipsec doc is currently being reviewed by the AD.
Sam and Russel will review ait and will give comment.
Dorothy: would you consider asking for IEEE comment? 
A: absolutely

state amchine to go to last call.