PAA-2-EP protocol
PANA wg - IETF 58 Minneapolis
Yacine El Mghazli
draft-yacine-pana-paa2ep-prot-eval-00.txt

Overview
- PANA terminology
- Discussion objective
- PAA-2-EP protocol requirements
- PAA-EP protocol evaluation
- Focus on SNMP applicability
- Next Steps
PANA terminology
- PAA (PANA Authentication Agent): verifies the credentials provided by a PaC and grants/denies access to the associated device
- PaC (PANA client): provides the credentials to prove its identity for network access authorization
- EP (Enforcement Point): node in the NA where per-packet policies (filters) are applied on the inbound/outbound traffic of the client device. Information such as the DI (device identifier) and (optionally) cryptographic keys is provided by the PAA per client for constructing filters on the EP
Discussion objective
- History:
  - IETF55: PAA-2-EP topic introduction, draft-ietf-pana-requirements-0x.txt
  - IETF57: PAA-2-EP protocol considerations, draft-yacine-pana-paa-ep-reqs-00.txt
- PANA charter item:
  - The PANA working group must mandate one protocol
  - The PANA wg will not design a new protocol; the design may involve the definition of extensions of an existing one
- Objective today: gauge consensus of the WG on the selection of the PAA-2-EP protocol as proposed in draft-yacine-pana-paa2ep-prot-eval-00.txt
PAA-2-EP protocol requirements
- Secure communication: the PAA-EP protocol needs to guarantee message authentication, confidentiality and integrity
- One-to-many PAA-EP relation: there might be several EPs provisioned by a single PAA
- Access control information: the protocol must carry DI-based filters and keying material
- PAA-initiated communication: push model
- New PaC notification to the PAA: the EP detects unauthorized data traffic and triggers a notification
PAA-EP protocol evaluation summary
- The PAA-2-EP requirements are soft enough to allow any of the candidates; the selection is not only a technical choice
- SNMP
  - widely spread for monitoring (GETs)
  - SETs allow configuration (rarely used)
  - MIBs available
  - MIDCOM compliant
- COPS-PR
  - efficient dynamic device configuration
  - IAB does not recommend further investigation on COPS-PR
  - PIBs available

PAA-EP protocol evaluation summary (cont'd)
- NetConf
  - recommended by IAB
  - on-going design
  - no information model available
- Other solutions were considered immature or non-appropriate: Diameter, Radius, ForCES.
SNMP applicability against the PAA-2-EP Reqs
- Access control info: existing MIB modules (e.g. IPsec configuration MIB) can be re-used.
- Secure communication: the User-based Security Model (USM) provides authentication, confidentiality, integrity, replay attack prevention, and time windows for the validity of messages.
- One-to-many PAA-EP relation: an SNMP manager (PAA) can communicate simultaneously with several agents (EPs).
- Push model: SET messages.
- New PaC notification: SMIv2 Notifications.
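Two of the USM properties cited above, message authentication (HMAC-SHA-96 with a key localized to the EP's engine) and the 150-second timeliness window that bounds replay, as an added worked example in Python; this is not code from the draft or the slides. It assumes a simplified fixed-field message layout in place of SNMP's BER encoding; the key derivation, MAC and timeliness rules follow RFC 3414.

```python
import hashlib
import hmac

# RFC 3414 constants: HMAC-SHA-96 keeps 12 octets of the MAC, the timeliness
# window is 150 seconds, and snmpEngineBoots saturates at 2^31-1.
MAC_LEN = 12
TIME_WINDOW = 150
MAX_BOOTS = 2147483647


def password_to_key(password: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 A.2.2: expand the password to 1 MiB and hash it (Ku), then
    localize Ku to one engine: Kul = SHA1(Ku || engineID || Ku)."""
    expanded = (password * (1048576 // len(password) + 1))[:1048576]
    ku = hashlib.sha1(expanded).digest()
    return hashlib.sha1(ku + engine_id + ku).digest()


def encode(boots: int, eng_time: int, auth_params: bytes, pdu: bytes) -> bytes:
    # Assumed simplified wire layout: fixed-width fields instead of BER/ASN.1.
    return boots.to_bytes(4, "big") + eng_time.to_bytes(4, "big") + auth_params + pdu


def authenticate(kul: bytes, boots: int, eng_time: int, pdu: bytes) -> bytes:
    """Sender side (e.g. PAA issuing a SET): the MAC is computed over the
    message with msgAuthenticationParameters set to 12 zero octets."""
    mac = hmac.new(kul, encode(boots, eng_time, bytes(MAC_LEN), pdu), hashlib.sha1)
    return encode(boots, eng_time, mac.digest()[:MAC_LEN], pdu)


def verify(kul: bytes, msg: bytes, engine_boots: int, engine_time: int) -> str:
    """Receiver side (authoritative engine, e.g. the EP receiving a SET).
    Returns the USM status: authenticationFailure, notInTimeWindow or ok."""
    boots = int.from_bytes(msg[0:4], "big")
    msg_time = int.from_bytes(msg[4:8], "big")
    received_mac, pdu = msg[8:8 + MAC_LEN], msg[8 + MAC_LEN:]
    expected = hmac.new(kul, encode(boots, msg_time, bytes(MAC_LEN), pdu), hashlib.sha1)
    if not hmac.compare_digest(received_mac, expected.digest()[:MAC_LEN]):
        return "authenticationFailure"
    # RFC 3414 3.2 step 7b: reject if boots disagree, boots are saturated, or
    # the clock skew exceeds the window; this bounds replay of old messages.
    if (engine_boots == MAX_BOOTS or boots != engine_boots
            or abs(engine_time - msg_time) > TIME_WINDOW):
        return "notInTimeWindow"
    return "ok"
```

Note that the window only bounds replay to 150 seconds; a message captured and resent inside that window still authenticates, which is why confidentiality and unique request-ids matter alongside it.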
SNMP applicability: re-usable existing MIB objects
- IPsec Configuration MIB
  - IPsec & IKE configuration
  - Rule/Filter/Action policy structure
  - Various IP filters, including IP header filter
  - Notification variables re-usable for the New PaC Notification
  - Direct usage for IPsec-based EP access control
  - Good starting point for a PANA-specific MIB module
- DiffServ MIB
  - IP Multi-Field Classifier re-usable
  - Connected building block structure with « Next » pointers
SNMP applicability: additional PANA-specific MIB objects needed
- L2 address-based filter definition, e.g. IEEE 802 filters
- PANA Session ID attribute, for pre-shared key derivation when IPsec is used to perform access control at the EP
- New PaC Notification: a PANA-specific object should support this feature
Next Steps
- Selection of the PAA-2-EP protocol: SNMP?
- Need for a new PANA work item providing:
  - General applicability statement
  - The existing re-usable information models
  - Needed PANA-specific extensions to existing modules
- Under the form of either:
  - An annex to the PANA protocol document
  - A new PANA working group document
THANKS