Why not EAP over PANA? Qualcomm, Inc. Vidya Narayanan, Dondeti, Lakshminath, Jun Wang, Pete Barany Notice: QUALCOMM Incorporated grants a free, irrevocable license to 3GPP2 and its Organization Partners to incorporate text or other copyrightable material contained in the contribution and any modifications thereof in the creation of 3GPP2 publications; to copyright and sell in Organizational Partner’s name any Organizational Partner’s standards publication even though it may include portions of the contribution; and at the Organization Partner’s sole discretion to permit others to reproduce in whole or in part such contributions or the resulting Organizational Partner’s standards publication. QUALCOMM Incorporated is also willing to grant licenses under such contributor copyrights to third parties on reasonable, non- discriminatory terms and conditions for purpose of practicing an Organizational Partner’s standard which incorporates this contribution. This document has been prepared by QUALCOMM Incorporated to assist the development of specifications by 3GPP2. It is proposed to the Committee as a basis for discussion and is not to be construed as a binding proposal on QUALCOMM Incorporated. QUALCOMM Incorporated specifically reserves the right to amend or modify the material contained herein and nothing herein shall be construed as conferring or offering licenses or rights with respect to any intellectual property of QUALCOMM Incorporated other than provided in the copyright statement above.
Introduction and Outline PANA is complex at many levels Too many documents Too many protocols Unnecessarily too deep in the stack Need IP address to operate Complex Architecture More susceptible to DoS attacks Configuration Complexity Fundamental issues raised at the IETF Not a coincidence that it is not used anywhere yet!
PANA Document List WG Documents draft-ietf-pana-cxtp draft-ietf-pana-cxtp draft-ietf-pana-mobopts draft-ietf-pana-mobopts draft-ietf-pana-preauth draft-ietf-pana-preauth draft-ietf-pana-snmp draft-ietf-pana-snmp draft-ietf-pana-statemachine draft-ietf-pana-statemachine draft-ieft-pana-aaa-interworking draft-ieft-pana-aaa-interworking draft-ietf-pana-framework draft-ietf-pana-framework draft-ietf-pana-ipsec draft-ietf-pana-ipsec draft-ietf-pana-pana draft-ietf-pana-pana RFC 4058 RFC 4058 RFC 4058 RFC 4016 RFC 4016 RFC 4016 draft-ietf-pana-usage-scenarios draft-ietf-pana-usage-scenarios Related documents draft-anjum-pana-location-requirements-00.txt draft-anjum-pana-location-requirements-00.txt draft-bournelle-pana-mobopts-analysis-00.txt draft-bournelle-pana-mobopts-analysis-00.txt draft-forsberg-pana-skc-00.txt draft-forsberg-pana-skc-00.txt draft-marin-pana-ieee80211doti-00.txt draft-marin-pana-ieee80211doti-00.txt Evidently, a long list of documents to even parse, let alone implement!
Fundamental Issues with PANA IETF Security AD Evaluation of PANA: “The PANA WG seems to have a fundamental misunderstanding about i. I believe that the people involved in the PANA WG have been told about their misunderstanding by the editor of i (Jesse Walker from Intel), and it seems that this input was ignored this input. As a result the PANA specification that will not work at all in wireless LANs that deploy i.”
Fundamental Issues with PANA IETF Security AD Evaluation of PANA: “An Access Point that implements i will silently discard all PANA traffic, and as a result, the PANA usage scenarios i (either TKIP or CCMP, which are called WPA and WPA2 by the WiFi Alliance) cannot work as described.”
PANA Architecture PaCPAAAS EP PANA AAA/LDAP/API SNMP/ API IKE/ 4-way HS
Protocols Involved in PANA EAP over PANA EAP (RFC3748) IPsec PANA-SNMP CxTP PANA-AAA EAP Method Secure Association Protocol i 4-way exchange e 3-way exchange IKE Key management still separate and diverse for different access technologies
Protocols Involved – EAPoHRPD EAP over HRPD EAP (RFC3748) EAP Method GEE
Protocol Layering HRPD EAP Layer Peer Layer Method1Method2 GEE Layer UDP EAP Layer Peer Layer Method1Method2 IPLower LayerPANA EAPoPANA Peer Stack EAPoHRPD Peer Stack
DoS Impacts Worst case impact on system (EAP over PANA) L2 AND L3 equipment! More layers to launch DoS attacks DHCP-based attacks possible Worst case impact on system (EAPoHRPD) L2 equipment only!
Comparison (1 of 2) EAP over HRPD EAP over PANA Number of OTA messages required 7 7 7 7 7 (not counting AT obtaining IP address) NOTE: If not optimized via piggybacking, 13 EAP methods supported AllAll Integrity protection of EAP messages Yes (dependent upon EAP method) Yes Encryption of attributes in EAP messages Yes (dependent upon EAP method) Reliable, in-order delivery Yes (via EAP retransmission and RLP retransmission/sequence numbers) Yes (via PANA retransmission/sequence numbers, EAP retransmission, and RLP retransmission/sequence numbers) Fragmentation Yes (via RLP or specific EAP method) IP address required No Yes (e.g, link-local)
Comparison (2 of 2) EAP over HRPD EAP over PANA Reliable indication that EAP exchange has completed successfully or failed Yes (dependent upon the EAP method) Yes Separate access authentication (NAP) and service authentication (ISP) supported YesYes Identity privacy supported Yes (dependent upon the EAP method) Bandwidth efficient Yes Requires UDP/IP header (maybe use ROHC to help) LightweightYes Not really 3GPP2 standards work required Yes (about the same as for EAPoPANA … see next slide) Yes (about the same as for EAPoHRPDRLP … see next slide) IETF momentum/industry adoption Yes (meaning EAP over a specific link-layer, not EAP over HRPD per se) Questionable … also, 3GPP2 dependent upon IETF to publish PANA RFCs in timely manner
PANA Timeline 2001 Start of PANA work ?? Original Deadline Fundamental Issues Raised; Still in last call Start of EAPoHRPD work Start Of GEE GEE to IESG EAPoHRPD/GEE Timeline EAPoHRPD Completion
Timeline EAPoHRPD 4Q of 2005 GEE Submission to IESG by 5/1/06 PANA Last call in progress Fundamental issues raised by security AD No clear resolution seems possible Work in progress for 5 years now; could prolong much longer
Conclusion Stating the obvious, no reason to use PANA EAPoHRPD is simpler EAPoHRPD with GEE does everything we need