PANA Framework - PowerPoint PPT Presentation


Presentation Transcript

PANA Framework

<draft-ohba-pana-framework-00.txt>

Prakash Jayaraman, Rafa Marin Lopez, Yoshihiro Ohba, Mohan Parthasarathy, Alper Yegin

IETF 59


Framework

  • Functional model

  • Signaling flow

  • Deployment environments

  • IP address configuration

  • Data traffic protection

  • Provisioning

  • Network selection

  • Authentication method choice

  • DSL deployment

  • WLAN deployment

Functional Model

                                         RADIUS/
                                         Diameter/
      +-----+       PANA        +-----+  LDAP/ API       +-----+
      | PaC |<----------------->| PAA |<---------------->| AS  |
      +-----+                   +-----+                  +-----+
         ^                         ^
         |                         |
         |          +-----+        |
  IKE/   +--------->| EP  |<-------+  SNMP/ API
  4-way handshake   +-----+

Signaling Flow

 PaC            EP             PAA              AS
  |     PANA     |              |      AAA      |
  |<---------------------------->|<------------->|
  |              |              |               |
  |              |     SNMP     |               |
  |              |<------------>|               |
  |  Sec.Assoc.  |              |               |
  |<------------>|              |               |
  |              |              |               |
  | Data traffic |              |               |
  |<----------------->          |               |
  |              |              |               |

Deployment Environments

(a) Networks where a secure channel is already available prior to running PANA

  • (a.1) Physical security. E.g.: DSL

  • (a.2) Cryptographic security. E.g.: cdma2000

(b) Networks where a secure channel is created after running PANA

  • (b.1) Link-layer per-packet security. E.g.: Using WPA-PSK.

  • (b.2) Network-layer per-packet security. E.g.: Using IPsec.

IP Address Configuration

  • Pre-PANA address: PRPA

    • Configured before PANA

  • Post-PANA address: POPA

    • Configured after PANA when:

      • IPsec is used, or

      • PRPA is link-local or temporary

    • PAA informs PaC if POPA needed

PRPA Configuration

  • Possible ways:

    • Static

    • DHCPv4 (global, or private address)

    • IPv4 link-local

    • DHCPv6

    • IPv6 address autoconfiguration (global, or link-local)

POPA Configuration (no IPsec)

  • DHCPv4/v6

  • IPv4:

    • POPA replaces PRPA (prevent address selection problem)

    • Host route between PaC and PAA (preserve on-link communication)

  • IPv6:

    • use both PRPA and POPA at the same time

POPA Configuration (IPsec)

  • Possible ways:

    • IKEv2 configuration

    • DHCP configuration of IPsec tunnel mode (RFC 3456)

  • PRPA used as tunnel outer address, POPA as tunnel inner address

Combinations

TIA

TOA

Additional Approaches: (1) Using a PRPA as TIA

  • IPv6:

    • Configure a link-local and global before PANA (DHCPv6 or stateless)

    • TIA=global, TOA=link-local

  • Requires SPD selection based on the name (session-ID), not the IP address

  • Explicit support in RFC2401bis

    • Name is set, address selectors are NULL

  • RFC2401? Not clear.

    • Racoon’s generate_policy directive

      • Authenticate peer by PSK, accept proposed TIA (skip SPD check), then create SPD

  • Should we include this?

Additional Approaches: (2) Using a PRPA as TIA

  • IPv4:

    • Configure a global address before PANA (static, or DHCPv4)

    • TIA=TOA=PRPA

  • RFC2401: Same considerations.

  • Forwarding considerations:

    • Requires special handling on EP, or else:

      • tunnel to PRPA(tunnel to PRPA(tunnel to PRPA(to PRPA)))...

    • FreeSwan handles this. Others?

  • Should we include this?

Data Traffic Protection

  • Already available in type (a) environments

  • Enabled by PANA in type (b) environments

    • EAP generated keys

    • Secure association protocol

  • draft-ietf-pana-ipsec-02

PAA-EP Provisioning Protocol

  • EP is the closest IP-capable access device to PaCs

  • Co-located with PAA or separate

    • draft-yacine-pana-snmp-01

    • Carries IP or L2 address, optionally cryptographic keys

  • One or more EPs per PAA

  • EP may detect presence of PaC and trigger PANA by notifying PAA

Network (ISP) Discovery and Selection

  • Traditional selection:

    • NAI-based

    • Port number or L2 address based

  • PANA-based discovery and selection:

    • PAA advertises ISPs

    • PaC explicitly picks one

Authentication Method Choice

  • Depends on the environment



DSL

Host--+                                   +-------- ISP1
      |            DSL link               |
      +----- CPE ---------------- NAS ----+-------- ISP2
      |  (Bridge/NAPT/Router)             |
Host--+                                   +-------- ISP3
<------- customer -->  <------- NAP ----->  <---- ISP --->
         premise

  • PANA needed when static IP or DHCP-based configuration is used (instead of PPP*)

DSL Deployments

Bridging mode:

Host--+
(PaC) |
      +----- CPE ---------------- NAS ------------- ISP
      |   (Bridge)            (PAA,EP,AR)
Host--+
(PaC)

Address Translation (NAPT) Mode:

Host--+
      |
      +----- CPE ---------------- NAS ------------- ISP
      |   (NAPT, PaC)         (PAA,EP,AR)
Host--+

DSL Deployment

Router mode:

Host--+
      |
      +----- CPE ---------------- NAS ------------- ISP
      |   (Router,PaC)        (PAA,EP,AR)
Host--+

Dynamic ISP Selection

  • As part of DHCP protocol or an attribute of DSL access line

    • DHCP client id

    • Run DHCP, and PANA

    • PRPA is the ultimate IP address (no POPA)

  • As part of PANA authentication

    • Temporary PRPA via zeroconf or DHCP with NAP

    • Run PANA for AAA

    • POPA via DHCP, replace PRPA



WLAN

  • Network-layer per-packet security (IPsec):

    • EP and PAA on access router

  • Link-layer per-packet security (WPA-PSK):

    • EP is on access point, PAA is on access router

IPsec, IKEv2

 PaC          AP      DHCPv4 Server         PAA          EP(AR)
  | Link-layer |              |                |              |
  | association|              |                |              |
  |<---------->|              |                |              |
  |            |              |                |              |
  |         DHCPv4           |                |              |
  |<-----------+------------->|                |              |
  |            |              |                |              |
  |PANA(Discovery and initial handshake phase  |              |
  | & PAR-PAN exchange in authentication phase)|              |
  |<-----------+------------------------------>|              |
  |            |              |                |              |
  |            |              |                |Authorization |
  |            |              |                |[IKE-PSK,     |
  |            |              |                | PaC-DI,      |
  |            |              |                | Session-Id]  |
  |            |              |                |------------->|
  |            |              |                |              |
  |PANA(PBR-PBA exchange in authentication phase)             |
  |<-----------+------------------------------>|              |
  |            |              |                |              |
  |            |              IKE               |              |
  | (with Configuration Payload exchange or equivalent)       |
  |<-----------+-------------------------------------------->|
  |            |              |                |              |

  • IPv4:

    • IPsec-TOA=PRPA (dhcp)

    • IPsec-TIA=POPA (IKE)

  • Alternative: RFC 3456

  • IPv6:

    • IPsec-TOA= PRPA (link-local)

    • IPsec-TIA= POPA (IKE)

Bootstrapping WPA/IEEE 802.11i

  • Pre-shared key mode (PSK) enabled

  • MAC address is used as DI

  • EP is on access point

  • Provides:

    • Centralized AAA

    • Protected disconnection

  • No changes to WPA or IEEE 802.11i required



Flow…

            +------------------+
            | Physical AP      |
            | +--------------+ |
            | |Virtual AP1   | |  Unauth
            | |(open-access) |---- VLAN\
            | |              | |        \+-------+
  +---+     | +--------------+ |         |PAA/AR/|
  |PaC|~~~~~|                  |         |DHCP   |
  +---+     | +--------------+ |         |Server |
            | |Virtual AP2   | |        /+-------+
            | |(WPA PSK mode)|---- Auth /    |
            | |              | |   VLAN      |
            | +--------------+ |             |
            |                  |             |
            +------------------+          Internet

1- Associate with unauthenticated VLAN AP

2- Configure PRPA via DHCP or link-local

3- Perform PANA and generate PMK

4- Associate with authenticated VLAN AP, perform 4-way handshake, generate PTK

5- Obtain new IP address

Co-located PAA and AP(EP)

  • Does not require virtual AP switching

  • PANA, DHCP, ARP, ND traffic allowed on the 802.1X uncontrolled port

Capability Discovery

  • Types of networks:

    • IEEE 802.1X-secured

      • Look at RSN information element in beacon frames

    • PANA-secured

      • Data driven PANA discovery

      • Client initiated discovery

    • Unauthenticated (free)
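The capability-discovery step above inspects the RSN information element of beacon frames. The parser below is an added example, not code from the PANA draft or its authors: it decodes the RSN IE (element ID 48, IEEE 802.11i suite selectors) from a beacon body and maps the result onto the slide's network types; a beacon without an RSN IE is reported as open, since PANA-secured and free networks can only be told apart by PANA discovery. The beacon bodies, SSID and function names are constructed here and are assumptions.

```python
"""Classify a Wi-Fi network from the RSN IE (element ID 48) in its beacon. Added example for the slide; inputs are constructed."""
import struct
RSN_ID = 48
IEEE_OUI = b"\x00\x0f\xac"            # suite-selector OUI used by IEEE 802.11i
AKM_NAMES = {1: "802.1X", 2: "PSK"}   # authentication and key management suite types
CIPHER_NAMES = {2: "TKIP", 4: "CCMP"}

def iter_ies(body):
    """Yield (element_id, payload) from the tagged-parameter part of a beacon body."""
    off = 0
    while off + 2 <= len(body):
        eid, ln = body[off], body[off + 1]
        if off + 2 + ln > len(body):
            raise ValueError("truncated information element")
        yield eid, body[off + 2:off + 2 + ln]
        off += 2 + ln

def _suite(ie, off, names):
    """Decode the 4-byte suite selector (OUI + type) at offset off; IndexError if cut short."""
    return names.get(ie[off + 3], "unknown") if ie[off:off + 3] == IEEE_OUI else "vendor"

def _suites(ie, off, names):
    """Read a little-endian count, then that many suite selectors; return (names, next offset)."""
    (count,) = struct.unpack_from("<H", ie, off)
    return [_suite(ie, off + 2 + 4 * i, names) for i in range(count)], off + 2 + 4 * count

def parse_rsn(ie):
    """Return version, group cipher, pairwise ciphers and AKM suites of an RSN IE payload."""
    try:
        (version,) = struct.unpack_from("<H", ie, 0)
        if version != 1:
            raise ValueError("unsupported RSN version %d" % version)
        group = _suite(ie, 2, CIPHER_NAMES)
        pairwise, off = _suites(ie, 6, CIPHER_NAMES)
        akm, _ = _suites(ie, off, AKM_NAMES)
    except (struct.error, IndexError):
        raise ValueError("malformed RSN IE")      # omitted trailing fields are not defaulted here
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}

def classify_beacon(body):
    """Map a beacon body to the slide's network types using its RSN IE alone."""
    rsn = next((parse_rsn(p) for eid, p in iter_ies(body) if eid == RSN_ID), None)
    if rsn is None:
        return "open"   # no RSN IE: PANA-secured vs. free is only learnt via PANA discovery
    if "802.1X" in rsn["akm"]:
        return "IEEE 802.1X-secured"
    return "WPA-PSK" if "PSK" in rsn["akm"] else "RSN, unrecognised AKM"
# Constructed sample beacon: SSID IE, then an RSN IE with CCMP group/pairwise and AKM = PSK
SSID_IE = bytes([0, 4]) + b"demo"
RSN_PSK = bytes([RSN_ID, 20, 1, 0]) + IEEE_OUI + b"\x04\x01\x00" + IEEE_OUI + b"\x04\x01\x00" + IEEE_OUI + b"\x02\x00\x00"
```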

IPsec, DHCP

 PaC          AP      DHCPv4 Server         PAA          EP(AR)
  | Link-layer |              |                |              |
  | association|              |                |              |
  |<---------->|              |                |              |
  |            |              |                |              |
  |         DHCPv4           |                |              |
  |<-----------+------------->|                |              |
  |            |              |                |              |
  |PANA(Discovery and Initial Handshake phase  |              |
  | & PAR-PAN exchange in Authentication phase)|              |
  |<-----------+------------------------------>|              |
  |            |              |                |              |
  |            |              |                |Authorization |
  |            |              |                |[IKE-PSK,     |
  |            |              |                | PaC-DI,      |
  |            |              |                | Session-Id]  |
  |            |              |                |------------->|
  |            |              |                |              |
  |PANA(PBR-PBA exchange in Authentication phase)             |
  |<-----------+------------------------------>|              |
  |            |              |                |              |
  |            |              IKE               |              |
  |<-----------+-------------------------------------------->|
  |            |              |                |              |

  • IPv4:

    • IPsec-TIA= IPsec-TOA= PRPA (dhcp)

  • IPv6:

    • IPsec-TOA= PRPA (link-local)

    • IPsec-TIA= POPA (dhcp)

  • IPv6 can also use stateless address autoconf.
