Pre-authentication Support for PANA (draft-ohba-pana-preauth-00.txt)
Yoshihiro Ohba (yohba@tari.toshiba.com)
August 1, 2005, IETF 63, PANA WG
Background

When a PaC moves from one access network to another, a PANA session in the new access network should be established as fast as possible.

Existing solutions rely on transferring PANA session attributes between PAAs:
– CTP-based solution: draft-ietf-pana-mobopts (PANA part) and draft-bournelle-pana-ctp (CTP part)
– FMIPv6-based solution: draft-hiko-pana-fpana (combining PANA and FMIPv6)

The above solutions are not readily applicable to the following scenarios:
– Inter-administrative-domain handovers
– Heterogeneous handovers (handovers between access networks with different authorization characteristics)
PANA Pre-authentication Overview

Proactively executing EAP authentication and establishing a PANA SA between a PaC in one access network and a PAA in another access network to which the PaC may move.
– Similar to IEEE 802.11i pre-authentication, but PANA pre-authentication operates at a higher layer.

Pre-authentication can be performed independently of the initial authentication, e.g. by:
– Using a different AAA server from the one used for the initial authentication
– Using different authentication credentials from those used for the initial authentication
Terminology (1/2)

[Figure: two access networks, each with a PAA. Labels recovered from the diagram: "Active PAA (also Local PAA)", "Local PaC", "Active SA"; "Preparing PAA (also Remote PAA)", "Remote PaC", "Pre-authentication SA". The diagram pairs the local PaC with the local (active) PAA over the active SA, and the remote PaC with the remote (preparing) PAA over the pre-authentication SA.]
Terminology (2/2)

– Pre-authentication: Authentication performed between the PaC and a preparing PAA
– Pre-authorization: An authorization made for the PaC by a preparing PAA as a result of successful pre-authentication
– Post-authorization: An authorization made for the PaC by a PAA that was acting as a preparing PAA and has become the active PAA
Pre-authentication Operation (before handover)

Initiation of pre-authentication:
– Pre-authentication may be initiated by either a PaC or a preparing PAA.

Distinguishing pre-authentication from normal authentication:
– A new flag, the P-flag, is defined in the PANA header.
– When pre-authentication is performed, the P-flag of the PANA messages is set.

Negotiating pre-authentication (PaC-initiated pre-authentication):
– The PaC unicasts a PDI with the P-flag set. The PAA responds with a PSR with the P-flag set only when it supports pre-authentication. Otherwise, it MUST silently discard the message.

Negotiating pre-authentication (PAA-initiated pre-authentication):
– The PAA sends a PSR with the P-flag set. The PaC responds with a PSA with the P-flag set only when it supports pre-authentication. Otherwise, it MUST silently discard the message.

After successful pre-authentication negotiation, subsequent PANA messages exchanged between them MUST have the P-flag set.
Pre-authentication Operation (after handover)

The PaC performs an IP address update procedure using the PANA-Update exchange.
– Completion of the PANA-Update procedure changes the pre-authentication SA into the active SA.

The P-flag is not set in the PANA-Update messages or in any subsequent PANA messages.
Example Call Flow (PaC-initiated pre-authentication)

Participants: PaC, l-PAA (local PAA), r-PAA (remote PAA)

1. PaC and l-PAA: PANA w/o P-flag set (existing session)
2. Pre-authentication trigger (at the PaC)
3. PaC to r-PAA: PDI w/ P-flag set
4. r-PAA to PaC: PSR w/ P-flag set
5. PaC to r-PAA: PSA w/ P-flag set
6. PaC and r-PAA: PAR/PAN exchange w/ P-flag set
7. PaC and r-PAA: PBR/PBA exchange w/ P-flag set
8. Pre-authorization (at the r-PAA)
9. Movement
10. PaC to r-PAA: PUR w/o P-flag set
11. r-PAA to PaC: PUA w/o P-flag set
12. Post-authorization (at the r-PAA, now the active PAA)
Example Call Flow (PAA-initiated pre-authentication)

Participants: PaC, l-PAA (local PAA), r-PAA (remote PAA)

1. PaC and l-PAA: PANA w/o P-flag set (existing session)
2. Pre-authentication trigger (at the r-PAA)
3. r-PAA to PaC: PSR w/ P-flag set
4. PaC to r-PAA: PSA w/ P-flag set
5. PaC and r-PAA: PAR/PAN exchange w/ P-flag set
6. PaC and r-PAA: PBR/PBA exchange w/ P-flag set
7. Pre-authorization (at the r-PAA)
8. Movement
9. PaC to r-PAA: PUR w/o P-flag set
10. r-PAA to PaC: PUA w/o P-flag set
11. Post-authorization (at the r-PAA, now the active PAA)
P-flag in PANA Header

     0                   1
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |R S N P r r r r r r r r r r r r|
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

P (Pre-authentication): When pre-authentication is performed, the P-flag of the PANA messages is set in order to indicate that this PANA run is for establishing a pre-authentication SA. The exact usage of this flag is described in Section 3. This flag is to be assigned by IANA.
Authorization Considerations

Pre-authorization and post-authorization for the PaC may have different authorization policies.
– For example, the pre-authorization policy may not allow the PaC to send or receive packets through the EP(s) under control of the preparing PAA, but may allow installing credentials in the EP(s) as the post-authorization policy does.
– This would make bootstrapping lower-layer security after handover faster.

The AAA protocol may need to carry an additional attribute so that AAA servers can distinguish pre-authentication from normal authentication.
– Based on a recent comment by Julien Bournelle
– This issue might be addressed in the pana-aaa-interworking I-D
Accounting Considerations

A PAA that has a pre-authentication SA for a PaC may start accounting immediately after the pre-authentication, or it may not start accounting until it becomes an active PAA.
Security Considerations

Consideration of false PaC-initiated pre-authentication:
– The local access network SHOULD NOT allow an unauthorized PaC to communicate with remote PAAs using PANA.

Consideration of false PAA-initiated pre-authentication:
– The PaC SHOULD limit the maximum number of PAAs it is allowed to communicate with.
Next Step

WG item?