Presentation is loading. Please wait.

Presentation is loading. Please wait.

PANA Framework Prakash Jayaraman, Rafa Marin Lopez, Yoshihiro Ohba, Mohan Parthasarathy, Alper Yegin IETF 59.

Published byEustacia Logan Modified over 8 years ago

Similar presentations

Presentation on theme: "PANA Framework Prakash Jayaraman, Rafa Marin Lopez, Yoshihiro Ohba, Mohan Parthasarathy, Alper Yegin IETF 59."— Presentation transcript:

1 PANA Framework Prakash Jayaraman, Rafa Marin Lopez, Yoshihiro Ohba, Mohan Parthasarathy, Alper Yegin IETF 59

2 2 Framework Functional model Signaling flow Deployment environments IP address configuration Data traffic protection Provisioning Network selection Authentication method choice DSL deployment WLAN deployment

3 IETF 59 3 Functional Model RADIUS/ Diameter/ +-----+ PANA +-----+ LDAP/ API +-----+ | PaC | | PAA | | AS | +-----+ +-----+ +-----+ ^ ^ | | | +-----+ | IKE/ +-------->| EP |<--------+ SNMP/ API 4-way handshake +-----+

4 IETF 59 4 Signaling Flow PaC EP PAA AS | PANA | | AAA | | | | | | | | | | SNMP | | | | | | | Sec.Assoc. | | | | | | | | Data traffic | | | | | | | | | |

5 IETF 59 5 Deployment Environments (a) Networks where a secure channel is already available prior to running PANA –(a.1) Physical security. E.g.: DSL –(a.2) Cryptographic security. E.g.: cdma2000 (b) Networks where a secure channel is created after running PANA –(b.1) Link-layer per-packet security. E.g.: Using WPA- PSK. –(b.2) Network-layer per-packet security. E.g.: Using IPsec.

6 IETF 59 6 IP Address Configuration Pre-PANA address: PRPA –Configured before PANA Post-PANA address: POPA –Configured after PANA when: IPsec is used, or PRPA is link-local or temporary –PAA informs PaC if POPA needed

7 IETF 59 7 PRPA Configuration Possible ways: –Static –DHCPv4 (global, or private address) –IPv4 link-local –DHCPv6 –IPv6 address autoconfiguration (global, or link- local)

8 IETF 59 8 POPA Configuration (no IPsec) DHCPv4/v6 IPv4: –POPA replaces PRPA (prevent address selection problem) –Host route between PaC and PAA (preserve on- link communication) IPv6: –use both PRPA and POPA at the same time

9 IETF 59 9 POPA Configuration (IPsec) Possible ways: –IKEv2 configuration –DHCP configuration of IPsec tunnel mode (RFC 3456) PRPA used as tunnel outer address, POPA as tunnel inner address

10 IETF 59 10 Combinations PRPAPOPA L1-L2 per-packet security (no IPsec) Static IPv4 (DHCP) IPv6 global (DHCP, stateless) none IPv4 link-local IPv4 temporary (DHCP) IPv4 (DHCP) IPv6 link-localIPv6 global (DHCP, stateless) L3 per-packet security (IPsec) Static IPv6 global (DHCP, stateless) IPv4 (DHCP) IPv6 link-local IPv4 link-local IKEv2 RFC3456 TOA TIA

11 IETF 59 11 Additional Approaches: (1) Using a PRPA as TIA IPv6: –Configure a link-local and global before PANA (DHCPv6 or stateless) –TIA=global, TOA=link-local Requires SPD selection based on the name (session-ID), not the IP address Explicit support in RFC2401bis –Name is set, address selectors are NULL RFC2401? Not clear. –Racoon’s generate_policy directive Authenticate peer by PSK, accept proposed TIA (skip SPD check), than create SPD Should we include this?

12 IETF 59 12 Additional Approaches: (2) Using a PRPA as TIA IPv4: –Configure a global address before PANA (static, or DHCPv4) –TIA=TOA=PRPA RFC2401: Same considerations. Forwarding considerations: –Requires special handling on EP, or else: tunnel_to PRPA(tunnel to PRPA(tunnel to PRPA(to PRPA)))... –FreeSwan handles this. Others? Should we include this?

13 IETF 59 13 Data Traffic Protection Already available in type (a) environments Enabled by PANA in type (b) environments –EAP generated keys –Secure association protocol draft-ietf-pana-ipsec-02

14 IETF 59 14 PAA-EP Provisioning Protocol EP is the closest IP-capable access device to PaCs Co-located with PAA or separate –draft-yacine-pana-snmp-01 –Carries IP or L2 address, optionally cryptographic keys One or more EPs per PAA EP may detect presence of PaC and trigger PANA by notifying PAA

15 IETF 59 15 Network (ISP) Discovery and Selection Traditional selection: –NAI-based –Port number or L2 address based PANA-based discovery and selection: –PAA advertises ISPs –PaC explicitly picks one

16 IETF 59 16 Authentication Method Choice Depends on the environment

17 IETF 59 17 DSL Host--+ +-------- ISP1 | DSL link | +----- CPE ---------------- NAS ----+-------- ISP2 | (Bridge/NAPT/Router) | Host--+ +-------- ISP3 premise PANA needed when static IP or DHCP- based configuration is used (instead of PPP*)

18 IETF 59 18 DSL Deployments Bridging mode: Host--+ (PaC) | +----- CPE ---------------- NAS ------------- ISP | (Bridge) (PAA,EP,AR) Host--+ (PaC) Address Translation (NAPT) Mode: Host--+ | +----- CPE ---------------- NAS ------------- ISP | (NAPT, PaC) (PAA,EP,AR Host--+

19 IETF 59 19 DSL Deployment Router mode: Host--+ | +----- CPE ---------------- NAS ------------- ISP | (Router,PaC) (PAA,EP,AR) Host--+

20 IETF 59 20 Dynamic ISP Selection As part of DHCP protocol or an attribute of DSL access line –DHCP client id –Run DHCP, and PANA –PRPA is the ultimate IP address (no POPA) As part of PANA authentication –Temporary PRPA via zeroconf or DHCP with NAP –Run PANA for AAA –POPA via DHCP, replace PRPA

21 IETF 59 21 WLAN Network-layer per-packet security (IPsec): –EP and PAA on access router Link-layer per-packet security (WPA-PSK): –EP is on access point, PAA is on access router

22 IETF 59 22 IPsec, IKEv2 PaC AP DHCPv4 Server PAA EP(AR) | Link-layer | | | | | association| | | | | | | | | | DHCPv4 | | | | | | | | | | | | |PANA(Discovery and initial handshake phase | | & PAR-PAN exchange in authentication phase) | | | | | | | | | | |Authorization| | | |[IKE-PSK, | | | | PaC-DI, | | | | Session-Id] | | | |------------>| | | | | |PANA(PBR-PBA exchange in authentication phase) | | | | | | | | | | IKE | | | (with Configuration Payload exchange or equivalent) | | | | | | | IPv4: –IPsec-TOA=PRPA (dhcp) –IPsec-TIA=POPA (IKE) Alternative: RFC 3456 IPv6: –IPsec-TOA= PRPA (link-local) –IPsec-TIA= POPA (IKE)

23 IETF 59 23 Bootstrapping WPA/IEEE 802.11i Pre-shared key mode (PSK) enabled MAC address is used as DI EP is on access point Provides: –Centralized AAA –Protected disconnection No changes to WPA or IEEE 802.11i required

24 IETF 59 24 Flow… +------------------+ | Physical AP | | +--------------+ | | |Virtual AP1 | | Unauth | |(open-access) |---- VLAN\ | | | | \+-------+ +---+ | +--------------+ | |PAA/AR/| |PaC| ~~~~ | | |DHCP | +---+ | +--------------+ | |Server | | |Virtual AP2 | | /+-------+ | |(WPA PSK mode)|---- Auth / | | | | | VLAN | | +--------------+ | | | | | +------------------+ Internet 1- Associate with unauthenticated VLAN AP 2- Configure PRPA via DHCP or link-local 3- Perform PANA and generate PMK 4- Associate with authenticated VLAN AP, perform 4-way handshake, generate PTK 5- Obtain new IP address

25 IETF 59 25 Co-located PAA and AP(EP) Does not require virtual AP switching PANA, DHCP, ARP, ND traffic allowed on the 802.1X uncontrolled port

26 IETF 59 26 Capability Discovery Types of networks: –IEEE 802.1X-secured Look at RSN information element in beacon frames –PANA-secured Data driven PANA discovery Client initiated discovery –Unauthenticated (free)

27 The End

28 Should this I-D become a PANA WG item?

29 IETF 59 29 IPsec, DHCP PaC AP DHCPv4 Server PAA EP(AR) | Link-layer | | | | | association| | | | | | | | | | DHCPv4 | | | | | | | | | | | | |PANA(Discovery and Initial Handshake phase | | & PAR-PAN exchange in Authentication phase) | | | | | | | | | | | | |Authorization| | | | |[IKE-PSK, | | | | | PaC-DI, | | | | | Session-Id] | | | | |------------>| | | | | | |PANA(PBR-PBA exchange in Authentication phase) | | | | | | | | | | | IKE | | | | | | | | | IPv4: –IPsec-TIA= IPsec-TOA= PRPA (dhcp) IPv6: –IPsec-TOA= PRPA (link-local) –IPsec-TIA= POPA (dhcp) IPv6 can also use stateless address autoconf.

Download ppt "PANA Framework Prakash Jayaraman, Rafa Marin Lopez, Yoshihiro Ohba, Mohan Parthasarathy, Alper Yegin IETF 59."

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Washinton D.C., November 2004 IETF 61 st – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena.

Washinton D.C., November 2004 IETF 61 st – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena.
URP Usage Scenarios for NAS Yoshihiro Ohba August 2001 Toshiba America Research, Inc.

URP Usage Scenarios for NAS Yoshihiro Ohba August 2001 Toshiba America Research, Inc.
IPv6 Overview Brent Frye EECS710. Overview Google Drive Microsoft Cloud Drive Dropbox Paid-for alternatives 2.

IPv6 Overview Brent Frye EECS710. Overview Google Drive Microsoft Cloud Drive Dropbox Paid-for alternatives 2.
IPv6 Network Security.

IPv6 Network Security.
Network Localized Mobility Management using DHCP

Network Localized Mobility Management using DHCP
PANA Requirements and Terminology - IETF54 -. PANA WG, IETF 54, Requirements and Terminology draft-ietf-pana-requirements-02.txt Changes Comments/questions.

PANA Requirements and Terminology - IETF54 -. PANA WG, IETF 54, Requirements and Terminology draft-ietf-pana-requirements-02.txt Changes Comments/questions.
Labcourse “Routerlab”

Labcourse “Routerlab”
AAA Mobile IPv6 Application Framework draft-yegin-mip6-aaa-fwk-00.txt Alper Yegin IETF 61 – 12 Nov 2004.

AAA Mobile IPv6 Application Framework draft-yegin-mip6-aaa-fwk-00.txt Alper Yegin IETF 61 – 12 Nov 2004.
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
IPv6 Address Provisioning In IPv6 world there are three provisioning aspects wich are independent of whether the IPv6 node is a Host or CE router: IPv6.

IPv6 Address Provisioning In IPv6 world there are three provisioning aspects wich are independent of whether the IPv6 node is a Host or CE router: IPv6.
Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005.

Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005.
IETF 58 PANA WG PANA Update and Open Issues (draft-ietf-pana-pana-02.txt) Dan Forsberg, Yoshihiro Ohba, Basavaraj Patil, Hannes Tschofenig, Alper Yegin.

IETF 58 PANA WG PANA Update and Open Issues (draft-ietf-pana-pana-02.txt) Dan Forsberg, Yoshihiro Ohba, Basavaraj Patil, Hannes Tschofenig, Alper Yegin.
Doc.: Submission, Slide 1 Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the 802.15.4 Network.

Doc.: Submission, Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the Network.
VLANs Port-based VLAN: switch ports grouped (by switch management software) so that single physical switch …… Switch(es) supporting VLAN capabilities can.

VLANs Port-based VLAN: switch ports grouped (by switch management software) so that single physical switch …… Switch(es) supporting VLAN capabilities can.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
SNMP for the PAA-EP protocol PANA wg - IETF 61 Washington DC Yacine El Mghazli (Alcatel) Yoshihiro Ohba (Toshiba) Julien Bournelle (GET/INT) draft-ietf-pana-snmp-02.txt.

SNMP for the PAA-EP protocol PANA wg - IETF 61 Washington DC Yacine El Mghazli (Alcatel) Yoshihiro Ohba (Toshiba) Julien Bournelle (GET/INT) draft-ietf-pana-snmp-02.txt.
AAA-Mobile IPv6 Frameworks Alper Yegin IETF 62. 2 Objective Identify various frameworks where AAA is used for the Mobile IPv6 service Agree on one (or.

AAA-Mobile IPv6 Frameworks Alper Yegin IETF Objective Identify various frameworks where AAA is used for the Mobile IPv6 service Agree on one (or.
PaC with unspecified IP address. Requirements Assigning an IP address to the client is outside the scope of PANA. PANA protocol design MAY require the.

PaC with unspecified IP address. Requirements Assigning an IP address to the client is outside the scope of PANA. PANA protocol design MAY require the.
1 IPv6 Address Management Rajiv Kumar. 2 Lecture Overview Introduction to IP Address Management Rationale for IPv6 IPv6 Addressing IPv6 Policies & Procedures.

1 IPv6 Address Management Rajiv Kumar. 2 Lecture Overview Introduction to IP Address Management Rationale for IPv6 IPv6 Addressing IPv6 Policies & Procedures.

Similar presentations

Ads by Google