PANA Framework

<draft-ohba-pana-framework-00.txt>

Prakash Jayaraman, Rafa Marin Lopez, Yoshihiro Ohba, Mohan Parthasarathy, Alper Yegin

IETF 59

Framework
  • Functional model
  • Signaling flow
  • Deployment environments
  • IP address configuration
  • Data traffic protection
  • Provisioning
  • Network selection
  • Authentication method choice
  • DSL deployment
  • WLAN deployment

Functional Model

                                            RADIUS/
                                           Diameter/
      +-----+       PANA        +-----+    LDAP/ API     +-----+
      | PaC |<----------------->| PAA |<---------------->| AS  |
      +-----+                   +-----+                  +-----+
         ^                         ^
         |                         |
         |          +-----+        |
    IKE/ +--------->| EP  |<-------+ SNMP/ API
    4-way handshake +-----+

Signaling Flow

  PaC             EP             PAA             AS
   |             PANA             |      AAA      |
   |<---------------------------->|<------------->|
   |               |              |               |
   |               |     SNMP     |               |
   |               |<------------>|               |
   |  Sec.Assoc.   |              |               |
   |<------------->|              |               |
   |               |              |               |
   |  Data traffic |              |               |
   |<----------------->           |               |
   |               |              |               |

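The functional model and signaling flow above, as an added example that is not part of the draft or of any PANA implementation: a small Python model in which the PaC authenticates through the PAA, the PAA consults the AS, and the EP forwards data traffic only for a device identifier the PAA has provisioned, and stops forwarding once the session is terminated. The single challenge-response exchange, the key derivation, and the provision()/revoke() calls that stand in for the SNMP/API channel are assumptions of this example, as are all identities, secrets and addresses.

```python
"""Toy model of the PANA functional model and signaling flow.

Added example, not code from draft-ohba-pana-framework-00 or any PANA
implementation. The PaC/PAA exchange is reduced to one challenge-response,
AuthServer.authenticate() stands in for the AAA back end, and
EnforcementPoint.provision()/revoke() stand in for the SNMP/API channel.
All credentials and device identifiers are constructed sample data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    """AS: checks the PaC's proof and, on success, exports key material."""
    creds: dict  # identity -> shared secret (constructed sample data)

    def authenticate(self, identity, nonce, proof):
        secret = self.creds.get(identity)
        if secret is None:
            return None
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None
        # Key exported to the PAA; stands in for the EAP-generated key.
        return hmac.new(secret, b"export" + nonce, hashlib.sha256).digest()


@dataclass
class EnforcementPoint:
    """EP: forwards data traffic only for device identifiers the PAA provisioned."""
    rules: dict = field(default_factory=dict)  # DI -> key for the secure association

    def provision(self, di, key=None):
        self.rules[di] = key

    def revoke(self, di):
        self.rules.pop(di, None)

    def forwards(self, di):
        return di in self.rules


@dataclass
class PaC:
    identity: str
    secret: bytes
    di: str  # device identifier, here an L2 address

    def respond(self, nonce):
        return self.identity, hmac.new(self.secret, nonce, hashlib.sha256).digest()


@dataclass
class PAA:
    auth_server: AuthServer
    eps: list
    sessions: dict = field(default_factory=dict)  # Session-Id -> DI

    def run_pana(self, pac):
        """PANA exchange with the PaC, AAA query to the AS, then EP provisioning."""
        nonce = secrets.token_bytes(16)
        identity, proof = pac.respond(nonce)
        key = self.auth_server.authenticate(identity, nonce, proof)
        if key is None:
            return None  # authentication failed: EP rules are left untouched
        session_id = secrets.token_hex(8)
        # Assumed derivation: a per-session key for the secure association
        # (the slides' IKE-PSK) bound to the Session-Id.
        sa_key = hmac.new(key, session_id.encode(), hashlib.sha256).digest()
        self.sessions[session_id] = pac.di
        for ep in self.eps:
            ep.provision(pac.di, sa_key)  # [key, PaC-DI, Session-Id] to the EP
        return session_id

    def terminate(self, session_id):
        """Session teardown: every EP stops forwarding for that DI."""
        di = self.sessions.pop(session_id)
        for ep in self.eps:
            ep.revoke(di)


def demo():
    """Walk the signaling flow and record what the EP forwards at each point."""
    auth = AuthServer({"pac1@example.net": b"constructed-secret"})
    ep = EnforcementPoint()
    paa = PAA(auth, [ep])
    good = PaC("pac1@example.net", b"constructed-secret", "00:00:5e:00:53:01")
    bad = PaC("pac1@example.net", b"wrong-secret", "00:00:5e:00:53:02")

    result = {"before_pana": ep.forwards(good.di)}
    sid = paa.run_pana(good)
    result["after_pana"] = ep.forwards(good.di)
    result["bad_credential_blocked"] = paa.run_pana(bad) is None and not ep.forwards(bad.di)
    paa.terminate(sid)
    result["after_terminate"] = ep.forwards(good.di)
    return result


if __name__ == "__main__":
    print(demo())
```

The property worth checking is that the EP's rule table is the only thing that turns forwarding on, and that it is written only after the AS has accepted the PaC; a failed authentication leaves the table untouched, and termination removes the entry again, which is the "protected disconnection" the later WLAN slide refers to.
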
Deployment Environments

(a) Networks where a secure channel is already available prior to running PANA

  • (a.1) Physical security. E.g.: DSL
  • (a.2) Cryptographic security. E.g.: cdma2000

(b) Networks where a secure channel is created after running PANA

  • (b.1) Link-layer per-packet security. E.g.: Using WPA-PSK.
  • (b.2) Network-layer per-packet security. E.g.: Using IPsec.

IP Address Configuration
  • Pre-PANA address: PRPA
    • Configured before PANA
  • Post-PANA address: POPA
    • Configured after PANA when:
      • IPsec is used, or
      • PRPA is link-local or temporary
    • PAA informs PaC if POPA needed

PRPA Configuration
  • Possible ways:
    • Static
    • DHCPv4 (global, or private address)
    • IPv4 link-local
    • DHCPv6
    • IPv6 address autoconfiguration (global, or link-local)

POPA Configuration (no IPsec)
  • DHCPv4/v6
  • IPv4:
    • POPA replaces PRPA (prevent address selection problem)
    • Host route between PaC and PAA (preserve on-link communication)
  • IPv6:
    • use both PRPA and POPA at the same time

POPA Configuration (IPsec)
  • Possible ways:
    • IKEv2 configuration
    • DHCP configuration of IPsec tunnel mode (RFC 3456)
  • PRPA used as tunnel outer address, POPA as tunnel inner address

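The PRPA/POPA rules of the three IP Address Configuration slides, applied to concrete addresses as an added example (not code from the draft): a POPA is needed when IPsec is used or the PRPA is link-local or temporary; without IPsec an IPv4 POPA replaces the PRPA and needs a host route to the PAA, while IPv6 keeps both addresses; with IPsec the PRPA becomes the tunnel outer address and the POPA the tunnel inner address, obtained through IKEv2 configuration or DHCP over the tunnel (RFC 3456). The function name, its keyword arguments and the keys of the returned plan are assumptions of this example; the same mapping reproduces the TOA/TIA assignments the WLAN slides later list.

```python
"""PRPA/POPA planning rules from the IP Address Configuration slides.

Added example, not code from the draft. plan_addresses() and its return
keys are an assumption made here; the rules it applies are the slides'.
"""
import ipaddress

POPA_METHODS_IPSEC = ("IKEv2", "DHCP (RFC 3456)")


def needs_popa(prpa, ipsec, temporary=False):
    """POPA is required when IPsec is used, or the PRPA is link-local or temporary."""
    return ipsec or prpa.is_link_local or temporary


def plan_addresses(prpa_str, ipsec=False, temporary=False, popa_method=None):
    """Return the address plan for a PaC that configured prpa_str before PANA."""
    prpa = ipaddress.ip_address(prpa_str)
    plan = {
        "prpa": str(prpa),
        "popa_needed": needs_popa(prpa, ipsec, temporary),
        "popa_method": None,
        "active": [str(prpa)],  # addresses the PaC uses for data traffic
        "host_route_to_paa": False,
        "tunnel": None,
    }
    if not plan["popa_needed"]:
        return plan  # the PRPA is the final address (the slides' "no POPA" case)

    if ipsec:
        method = popa_method or "IKEv2"
        if method not in POPA_METHODS_IPSEC:
            raise ValueError(f"unsupported POPA method for IPsec: {method}")
        plan["popa_method"] = method
        # PRPA is the tunnel outer address, POPA the tunnel inner address.
        plan["tunnel"] = {"outer": str(prpa), "inner": "POPA"}
        plan["active"] = ["POPA"]
        return plan

    # No IPsec: POPA via DHCPv4/v6.
    plan["popa_method"] = "DHCPv4" if prpa.version == 4 else "DHCPv6"
    if prpa.version == 4:
        # POPA replaces PRPA to avoid the address selection problem; a host
        # route keeps the PaC-PAA on-link communication working.
        plan["active"] = ["POPA"]
        plan["host_route_to_paa"] = True
    else:
        plan["active"] = [str(prpa), "POPA"]  # IPv6 uses both at the same time
    return plan


if __name__ == "__main__":
    for args in ({"prpa_str": "192.0.2.10"}, {"prpa_str": "169.254.7.7"},
                 {"prpa_str": "fe80::1"}, {"prpa_str": "192.0.2.10", "ipsec": True}):
        print(args, "->", plan_addresses(**args))
```

The link-local test comes from the ipaddress module, so 169.254.0.0/16 and fe80::/10 are recognised without a hand-written prefix list; "temporary" has to be passed in, because whether a DHCP lease or an autoconfigured address is temporary is a policy fact the address itself does not carry.
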
Combinations

TIA

TOA

Additional Approaches: (1)Using a PRPA as TIA
  • IPv6:
    • Configure a link-local and global before PANA (DHCPv6 or stateless)
    • TIA=global, TOA=link-local
  • Requires SPD selection based on the name (session-ID), not the IP address
  • Explicit support in RFC2401bis
    • Name is set, address selectors are NULL
  • RFC2401? Not clear.
    • Racoon’s generate_policy directive
      • Authenticate peer by PSK, accept proposed TIA (skip SPD check), then create SPD
  • Should we include this?

Additional Approaches: (2)Using a PRPA as TIA
  • IPv4:
    • Configure a global address before PANA (static, or DHCPv4)
    • TIA=TOA=PRPA
  • RFC2401: Same considerations.
  • Forwarding considerations:
    • Requires special handling on EP, or else:
      • tunnel_to PRPA(tunnel to PRPA(tunnel to PRPA(to PRPA)))...
    • FreeSwan handles this. Others?
  • Should we include this?

Data Traffic Protection
  • Already available in type (a) environments
  • Enabled by PANA in type (b) environments
    • EAP generated keys
    • Secure association protocol
  • draft-ietf-pana-ipsec-02

PAA-EP Provisioning Protocol
  • EP is the closest IP-capable access device to PaCs
  • Co-located with PAA or separate
    • draft-yacine-pana-snmp-01
    • Carries IP or L2 address, optionally cryptographic keys
  • One or more EPs per PAA
  • EP may detect presence of PaC and trigger PANA by notifying PAA

Network (ISP) Discovery and Selection
  • Traditional selection:
    • NAI-based
    • Port number or L2 address based
  • PANA-based discovery and selection:
    • PAA advertises ISPs
    • PaC explicitly picks one

Authentication Method Choice
  • Depends on the environment

DSL

   Host--+                                   +-------- ISP1
         |              DSL link             |
         +----- CPE ---------------- NAS ----+-------- ISP2
         |  (Bridge/NAPT/Router)             |
   Host--+                                   +-------- ISP3
   <------- customer -->  <------- NAP -----> <---- ISP --->
            premise

  • PANA needed when static IP or DHCP-based configuration is used (instead of PPP*)

DSL Deployments

Bridging mode:

   Host--+
   (PaC) |
         +----- CPE ---------------- NAS ------------- ISP
         |   (Bridge)               (PAA,EP,AR)
   Host--+
   (PaC)

Address Translation (NAPT) Mode:

   Host--+
         |
         +----- CPE ---------------- NAS ------------- ISP
         |  (NAPT, PaC)             (PAA,EP,AR)
   Host--+

DSL Deployment

Router mode:

   Host--+
         |
         +----- CPE ---------------- NAS ------------- ISP
         | (Router,PaC)             (PAA,EP,AR)
   Host--+

Dynamic ISP Selection
  • As part of DHCP protocol or an attribute of DSL access line
    • DHCP client id
    • Run DHCP, and PANA
    • PRPA is the ultimate IP address (no POPA)
  • As part of PANA authentication
    • Temporary PRPA via zeroconf or DHCP with NAP
    • Run PANA for AAA
    • POPA via DHCP, replace PRPA

WLAN
  • Network-layer per-packet security (IPsec):
    • EP and PAA on access router
  • Link-layer per-packet security (WPA-PSK):
    • EP is on access point, PAA is on access router

IPsec, IKEv2

 PaC          AP       DHCPv4 Server      PAA          EP(AR)
  | Link-layer |             |             |             |
  | association|             |             |             |
  |<---------->|             |             |             |
  |            |             |             |             |
  |          DHCPv4          |             |             |
  |<-----------+------------>|             |             |
  |            |             |             |             |
  |PANA(Discovery and initial handshake phase            |
  | & PAR-PAN exchange in authentication phase)          |
  |<-----------+-------------------------->|             |
  |            |             |             |             |
  |            |             |             |Authorization|
  |            |             |             |[IKE-PSK,    |
  |            |             |             | PaC-DI,     |
  |            |             |             | Session-Id] |
  |            |             |             |------------>|
  |            |             |             |             |
  |PANA(PBR-PBA exchange in authentication phase)        |
  |<-----------+-------------------------->|             |
  |            |             |             |             |
  |            |     IKE     |             |             |
  |  (with Configuration Payload exchange or equivalent) |
  |<-----------+---------------------------------------->|
  |            |             |             |             |
  |            |             |             |             |

  • IPv4:
    • IPsec-TOA=PRPA (dhcp)
    • IPsec-TIA=POPA (IKE)
  • Alternative: RFC 3456
  • IPv6:
    • IPsec-TOA= PRPA (link-local)
    • IPsec-TIA= POPA (IKE)

Bootstrapping WPA/IEEE 802.11i
  • Pre-shared key mode (PSK) enabled
  • MAC address is used as DI
  • EP is on access point
  • Provides:
    • Centralized AAA
    • Protected disconnection
  • No changes to WPA or IEEE 802.11i required

Flow…

          +------------------+
          |   Physical AP    |
          | +--------------+ |
          | |Virtual AP1   | |   Unauth
          | |(open-access) |---- VLAN\
          | |              | |         \+-------+
   +---+  | +--------------+ |          |PAA/AR/|
   |PaC| ~~~~                |          |DHCP   |
   +---+  | +--------------+ |          |Server |
          | |Virtual AP2   | |         /+-------+
          | |(WPA PSK mode)|---- Auth /    |
          | |              | |   VLAN      |
          | +--------------+ |             |
          |                  |             |
          +------------------+          Internet

1- Associate with unauthenticated VLAN AP
2- Configure PRPA via DHCP or link-local
3- Perform PANA and generate PMK
4- Associate with authenticated VLAN AP, perform 4-way handshake, generate PTK
5- Obtain new IP address

Co-located PAA and AP(EP)
  • Does not require virtual AP switching
  • PANA, DHCP, ARP, ND traffic allowed on the 802.1X uncontrolled port

Capability Discovery
  • Types of networks:
    • IEEE 802.1X-secured
      • Look at RSN information element in beacon frames
    • PANA-secured
      • Data driven PANA discovery
      • Client initiated discovery
    • Unauthenticated (free)

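The first branch of the capability discovery slide, looking at the RSN information element in beacon frames, as an added example that is not code from the draft or from any PANA implementation: a parser for the beacon's tagged parameters (element ID, length, body) that reads the RSN IE (element 48) and tells the 802.1X AKM apart from the PSK AKM. The beacons at the bottom are constructed sample data, and the classify() labels are this example's own. As the slide says, an open beacon cannot show whether the network is PANA-secured or free; that is what data-driven or client-initiated PANA discovery is for.

```python
"""Classify an IEEE 802.11 beacon by its security information elements.

Added example, not code from the draft or any PANA implementation. The
element IDs, OUIs and AKM suite numbers are the standard 802.11 values;
the beacons at the bottom are constructed sample data.
"""
RSN_IE = 48
VENDOR_IE = 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"  # Microsoft OUI + type 1: legacy WPA IE
IEEE_OUI = b"\x00\x0f\xac"
AKM_NAMES = {1: "802.1X", 2: "PSK"}


def parse_ies(tagged):
    """Split the tagged-parameter area into (element id, body) pairs; reject truncation."""
    ies, pos = [], 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        body = tagged[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated information element")
        ies.append((eid, body))
        pos += 2 + length
    if pos != len(tagged):
        raise ValueError("trailing byte without length field")
    return ies


def _suite_list(body, pos):
    """Read a 2-byte little-endian count followed by that many 4-byte suite selectors."""
    if pos + 2 > len(body):
        raise ValueError("truncated suite count")
    count = int.from_bytes(body[pos:pos + 2], "little")
    pos += 2
    suites = [body[pos + 4 * i:pos + 4 * i + 4] for i in range(count)]
    if any(len(s) != 4 for s in suites):
        raise ValueError("truncated suite list")
    return suites, pos + 4 * count


def rsn_akms(body):
    """Return the AKM suite names advertised in an RSN IE body."""
    if len(body) < 2 or int.from_bytes(body[:2], "little") != 1:
        raise ValueError("unsupported RSN version")
    pos = 2 + 4  # skip version and group cipher suite
    _pairwise, pos = _suite_list(body, pos)
    akms, _ = _suite_list(body, pos)
    return [AKM_NAMES.get(s[3], "unknown") if s[:3] == IEEE_OUI else "vendor" for s in akms]


def classify(tagged):
    """Map a beacon onto the slide's network types (labels are this example's own)."""
    for eid, body in parse_ies(tagged):
        if eid == RSN_IE:
            return "802.1X" if "802.1X" in rsn_akms(body) else "WPA-PSK"
        if eid == VENDOR_IE and body.startswith(WPA_OUI_TYPE):
            return "WPA (legacy IE)"
    return "open (unauthenticated or PANA-secured)"


def is_well_formed(tagged):
    """True if the tagged-parameter area parses without truncation."""
    try:
        parse_ies(tagged)
        return True
    except ValueError:
        return False


def _ie(eid, body):
    return bytes([eid, len(body)]) + body


def _rsn_body(akm_type):
    """RSN IE body: version 1, CCMP group and pairwise cipher, one AKM, empty capabilities."""
    ccmp = IEEE_OUI + b"\x04"
    return (b"\x01\x00" + ccmp + b"\x01\x00" + ccmp
            + b"\x01\x00" + IEEE_OUI + bytes([akm_type]) + b"\x00\x00")


# Constructed beacons: SSID IE (0), supported rates IE (1), then the security IE if any.
RATES = _ie(1, b"\x82\x84\x8b\x96")
BEACON_OPEN = _ie(0, b"guest") + RATES
BEACON_DOT1X = _ie(0, b"corp") + RATES + _ie(RSN_IE, _rsn_body(1))
BEACON_PSK = _ie(0, b"auth-vlan") + RATES + _ie(RSN_IE, _rsn_body(2))

if __name__ == "__main__":
    for name, beacon in (("open", BEACON_OPEN), ("dot1x", BEACON_DOT1X), ("psk", BEACON_PSK)):
        print(name, "->", classify(beacon))
```

The length check in parse_ies matters more than it looks: beacon parsers that trust the length byte read past the frame, so a client doing capability discovery should reject a truncated IE rather than guess, which is why is_well_formed() is separate from classify().
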
IPsec, DHCP

 PaC          AP       DHCPv4 Server      PAA          EP(AR)
  | Link-layer |             |             |             |
  | association|             |             |             |
  |<---------->|             |             |             |
  |            |             |             |             |
  |          DHCPv4          |             |             |
  |<-----------+------------>|             |             |
  |            |             |             |             |
  |PANA(Discovery and Initial Handshake phase            |
  | & PAR-PAN exchange in Authentication phase)          |
  |<-----------+-------------------------->|             |
  |            |             |             |             |
  |            |             |             |Authorization|
  |            |             |             |[IKE-PSK,    |
  |            |             |             | PaC-DI,     |
  |            |             |             | Session-Id] |
  |            |             |             |------------>|
  |            |             |             |             |
  |PANA(PBR-PBA exchange in Authentication phase)        |
  |<-----------+-------------------------->|             |
  |            |             |             |             |
  |            |     IKE     |             |             |
  |<-----------+---------------------------------------->|
  |            |             |             |             |
  |            |             |             |             |

  • IPv4:
    • IPsec-TIA= IPsec-TOA= PRPA (dhcp)
  • IPv6:
    • IPsec-TOA= PRPA (link-local)
    • IPsec-TIA= POPA (dhcp)
  • IPv6 can also use stateless address autoconf.
