PANA Framework Prakash Jayaraman, Rafa Marin Lopez, Yoshihiro Ohba, Mohan Parthasarathy, Alper Yegin IETF 59.

2 Framework
– Functional model
– Signaling flow
– Deployment environments
– IP address configuration
– Data traffic protection
– Provisioning
– Network selection
– Authentication method choice
– DSL deployment
– WLAN deployment

3 Functional Model

  +-----+   PANA   +-----+  RADIUS/Diameter/  +----+
  | PaC |----------| PAA |--------------------| AS |
  +-----+          +-----+     LDAP/API       +----+
     ^                |
     | IKE /          | SNMP/API
     | 4-way          v
     | handshake   +----+
     +------------>| EP |
                   +----+

4 Signaling Flow
Entities: PaC, EP, PAA, AS. Exchanges, in order:
– PANA (PaC <-> PAA)
– AAA (PAA <-> AS)
– SNMP (PAA -> EP)
– Sec.Assoc. (PaC <-> EP)
– Data traffic (PaC -> EP)

5 Deployment Environments
(a) Networks where a secure channel is already available prior to running PANA
– (a.1) Physical security. E.g.: DSL
– (a.2) Cryptographic security. E.g.: cdma2000
(b) Networks where a secure channel is created after running PANA
– (b.1) Link-layer per-packet security. E.g.: Using WPA-PSK.
– (b.2) Network-layer per-packet security. E.g.: Using IPsec.

6 IP Address Configuration
Pre-PANA address: PRPA
– Configured before PANA
Post-PANA address: POPA
– Configured after PANA when: IPsec is used, or PRPA is link-local or temporary
– PAA informs PaC if POPA needed

7 PRPA Configuration
Possible ways:
– Static
– DHCPv4 (global, or private address)
– IPv4 link-local
– DHCPv6
– IPv6 address autoconfiguration (global, or link-local)

8 POPA Configuration (no IPsec)
DHCPv4/v6
IPv4:
– POPA replaces PRPA (prevent address selection problem)
– Host route between PaC and PAA (preserve on-link communication)
IPv6:
– use both PRPA and POPA at the same time

9 POPA Configuration (IPsec)
Possible ways:
– IKEv2 configuration
– DHCP configuration of IPsec tunnel mode (RFC 3456)
PRPA used as tunnel outer address, POPA as tunnel inner address

Combinations

  Security type                          PRPA                             POPA
  -------------------------------------  -------------------------------  ------------------------------
  L1-L2 per-packet security (no IPsec)   Static                           none
                                         IPv4 (DHCP)
                                         IPv6 global (DHCP, stateless)
                                         IPv4 link-local                  IPv4 (DHCP)
                                         IPv4 temporary (DHCP)
                                         IPv6 link-local                  IPv6 global (DHCP, stateless)
  L3 per-packet security (IPsec)         Static                           IKEv2
                                         IPv6 global (DHCP, stateless)    RFC3456
                                         IPv4 (DHCP)
                                         IPv6 link-local
                                         IPv4 link-local
                                         (PRPA = TOA)                     (POPA = TIA)
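
The PRPA/POPA rules on slides 6, 8, 9 and the combinations table above, written as a decision procedure. This is an added example, not code from the slides or from any PANA implementation; the function and field names (`classify_prpa`, `popa_plan`, `apply_plan`, the `"host ... on-link"` route string) are my own, and the interface state it operates on is a constructed dictionary rather than a real address table. It uses the `ipaddress` module to recognise link-local PRPAs and takes the "temporary" flag from the caller, since that property cannot be read from the address itself.

```python
# Added example (not from the IETF 59 PANA Framework slides): encodes the
# PRPA/POPA rules of the "IP Address Configuration", "POPA Configuration"
# and "Combinations" slides and applies the result to a constructed
# interface state. Names are assumptions chosen for this illustration.
import ipaddress
from typing import Dict, List, Optional


def classify_prpa(prpa: str, temporary: bool = False) -> str:
    """Classify a pre-PANA address the way the Combinations table does.

    `temporary` marks an IPv4 address handed out only to reach the PAA
    (the table's "IPv4 temporary (DHCP)"); the address alone cannot show
    this, so the caller has to say so.
    """
    ip = ipaddress.ip_address(prpa)
    if ip.is_link_local:                      # 169.254/16 or fe80::/10
        return f"ipv{ip.version}-link-local"
    if ip.version == 4 and temporary:
        return "ipv4-temporary"
    return f"ipv{ip.version}-global"


def popa_plan(prpa: str, ipsec: bool, temporary: bool = False) -> Dict:
    """Decide whether a POPA is needed, how it is obtained and how it is used.

    Slide 6: POPA is needed when IPsec is used, or when the PRPA is
    link-local or temporary. Slides 8 and 9 give the per-case handling.
    """
    kind = classify_prpa(prpa, temporary)
    if ipsec:
        # L3 per-packet security: PRPA stays as the tunnel outer address (TOA),
        # the POPA becomes the tunnel inner address (TIA), configured by IKEv2
        # or by DHCP over the IPsec tunnel (RFC 3456). Both addresses stay.
        return {"popa_needed": True, "kind": kind, "methods": ["IKEv2", "RFC3456"],
                "roles": {"TOA": "PRPA", "TIA": "POPA"},
                "replace_prpa": False, "host_route_to_paa": False}
    if kind in ("ipv4-link-local", "ipv4-temporary"):
        # Slide 8, IPv4: POPA replaces PRPA (avoids the address selection
        # problem) and a host route to the PAA keeps on-link traffic working.
        return {"popa_needed": True, "kind": kind, "methods": ["DHCPv4"],
                "replace_prpa": True, "host_route_to_paa": True}
    if kind == "ipv6-link-local":
        # Slide 8, IPv6: PRPA and POPA are used at the same time.
        return {"popa_needed": True, "kind": kind, "methods": ["DHCPv6", "stateless"],
                "replace_prpa": False, "host_route_to_paa": False}
    # static / global PRPA without IPsec: no POPA at all
    return {"popa_needed": False, "kind": kind, "methods": [],
            "replace_prpa": False, "host_route_to_paa": False}


def apply_plan(state: Dict[str, List[str]], prpa: str, plan: Dict,
               popa: Optional[str], paa: str) -> Dict[str, List[str]]:
    """Apply a plan to a constructed interface state {"addrs": [...], "routes": [...]}.

    Routes are plain strings for illustration only; a real PaC would drive the
    operating system's address and route tables instead.
    """
    new = {"addrs": list(state["addrs"]), "routes": list(state["routes"])}
    if not plan["popa_needed"]:
        return new
    if popa is None:
        raise ValueError(f"plan requires a POPA obtained via {plan['methods']}")
    if plan["replace_prpa"]:
        new["addrs"].remove(prpa)             # IPv4 case: POPA replaces PRPA
    new["addrs"].append(popa)
    if plan["host_route_to_paa"]:
        new["routes"].append(f"host {paa}/32 on-link")  # keep PAA reachable on-link
    return new


if __name__ == "__main__":
    # constructed addresses from documentation ranges
    plan = popa_plan("169.254.10.5", ipsec=False)
    print(plan)
    print(apply_plan({"addrs": ["169.254.10.5"], "routes": []},
                     "169.254.10.5", plan, "192.0.2.50", "192.0.2.1"))
    print(popa_plan("192.0.2.10", ipsec=True))
```

The `ipsec=True` branch returns the TOA/TIA roles rather than touching the address list, because in that environment the PRPA must survive as the tunnel outer address.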

Additional Approaches: (1) Using a PRPA as TIA
IPv6:
– Configure a link-local and global before PANA (DHCPv6 or stateless)
– TIA=global, TOA=link-local
Requires SPD selection based on the name (session-ID), not the IP address
– Explicit support in RFC2401bis: name is set, address selectors are NULL
– RFC2401? Not clear.
– Racoon's generate_policy directive: authenticate peer by PSK, accept proposed TIA (skip SPD check), then create SPD
Should we include this?

Additional Approaches: (2) Using a PRPA as TIA
IPv4:
– Configure a global address before PANA (static, or DHCPv4)
– TIA=TOA=PRPA
RFC2401: Same considerations.
Forwarding considerations:
– Requires special handling on EP, or else: tunnel_to PRPA(tunnel to PRPA(tunnel to PRPA(to PRPA)))...
– FreeSwan handles this. Others?
Should we include this?

Data Traffic Protection
Already available in type (a) environments
Enabled by PANA in type (b) environments
– EAP generated keys
– Secure association protocol: draft-ietf-pana-ipsec-02

PAA-EP Provisioning Protocol
EP is the closest IP-capable access device to PaCs
Co-located with PAA or separate
– draft-yacine-pana-snmp-01
– Carries IP or L2 address, optionally cryptographic keys
One or more EPs per PAA
EP may detect presence of PaC and trigger PANA by notifying PAA

Network (ISP) Discovery and Selection
Traditional selection:
– NAI-based
– Port number or L2 address based
PANA-based discovery and selection:
– PAA advertises ISPs
– PaC explicitly picks one

Authentication Method Choice
Depends on the environment

DSL

  Host--+                                 +-- ISP1
        |   DSL link                      |
        +-- CPE -------------- NAS -------+-- ISP2
        |   (Bridge/NAPT/Router)          |
  Host--+                                 +-- ISP3
   premise

PANA needed when static IP or DHCP-based configuration is used (instead of PPP*)

DSL Deployments
Bridging mode:

  Host--+  (PaC)
        |
        +-- CPE --------- NAS --------- ISP
        |  (Bridge)     (PAA,EP,AR)
  Host--+  (PaC)

Address Translation (NAPT) Mode:

  Host--+
        |
        +-- CPE --------- NAS --------- ISP
        |  (NAPT, PaC)  (PAA,EP,AR)
  Host--+

DSL Deployment
Router mode:

  Host--+
        |
        +-- CPE --------- NAS --------- ISP
        |  (Router,PaC) (PAA,EP,AR)
  Host--+

Dynamic ISP Selection
As part of DHCP protocol or an attribute of DSL access line
– DHCP client id
– Run DHCP, and PANA
– PRPA is the ultimate IP address (no POPA)
As part of PANA authentication
– Temporary PRPA via zeroconf or DHCP with NAP
– Run PANA for AAA
– POPA via DHCP, replace PRPA

WLAN
Network-layer per-packet security (IPsec):
– EP and PAA on access router
Link-layer per-packet security (WPA-PSK):
– EP is on access point, PAA is on access router

IPsec, IKEv2
Entities: PaC, AP, DHCPv4 Server, PAA, EP(AR). Message sequence:
1- Link-layer association (PaC <-> AP)
2- DHCPv4 (PaC <-> DHCPv4 Server)
3- PANA: Discovery and initial handshake phase, and PAR-PAN exchange in authentication phase (PaC <-> PAA)
4- Authorization [IKE-PSK, PaC-DI, Session-Id] (PAA -> EP)
5- PANA: PBR-PBA exchange in authentication phase (PaC <-> PAA)
6- IKE, with Configuration Payload exchange or equivalent (PaC <-> EP)
IPv4:
– IPsec-TOA = PRPA (dhcp)
– IPsec-TIA = POPA (IKE); alternative: RFC 3456
IPv6:
– IPsec-TOA = PRPA (link-local)
– IPsec-TIA = POPA (IKE)

Bootstrapping WPA/IEEE 802.11i
– Pre-shared key mode (PSK) enabled
– MAC address is used as DI
– EP is on access point
Provides:
– Centralized AAA
– Protected disconnection
No changes to WPA or IEEE 802.11i required

Flow...

                  Physical AP
   +-----+   +------------------+
   |     |   | Virtual AP1      |   Unauth
   |     |~~~| (open-access)    |---- VLAN \      +-----------+
   | PaC |   |                  |            \     | PAA/AR/   |
   |     |   | Virtual AP2      |            /-----| DHCP      |---- Internet
   |     |~~~| (WPA PSK mode)   |---- Auth  /      | Server    |
   +-----+   +------------------+     VLAN         +-----------+

1- Associate with unauthenticated VLAN AP
2- Configure PRPA via DHCP or link-local
3- Perform PANA and generate PMK
4- Associate with authenticated VLAN AP, perform 4-way handshake, generate PTK
5- Obtain new IP address

Co-located PAA and AP(EP)
Does not require virtual AP switching
PANA, DHCP, ARP, ND traffic allowed on the 802.1X uncontrolled port

Capability Discovery
Types of networks:
– IEEE 802.1X-secured: look at RSN information element in beacon frames
– PANA-secured: data driven PANA discovery, or client initiated discovery
– Unauthenticated (free)
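
The first branch of the capability discovery above, checking a beacon frame for an RSN information element, as an added example that is not part of the slides or of any PANA or 802.11 implementation. The beacon bodies are constructed in the block itself (not captured traffic); the element IDs and AKM suite selectors are the standard IEEE 802.11i values, while the function names and the classification labels returned are my own. A beacon without an RSN IE cannot distinguish a PANA-secured network from an unauthenticated one, which is why the slide falls back to PANA discovery for those.

```python
# Added example (not from the slides): minimal parser for the information
# elements (IEs) of an IEEE 802.11 beacon frame body, used to perform the
# RSN-IE check of the "Capability Discovery" slide. Beacon bodies are
# constructed below; function names and result labels are assumptions.
import struct
from typing import Dict, List, Optional, Tuple

SSID_IE = 0            # element ID of the SSID IE
RSN_IE = 48            # element ID of the RSN IE (IEEE 802.11i)
BEACON_FIXED_LEN = 12  # timestamp (8) + beacon interval (2) + capability (2)
# AKM and cipher suite selectors: OUI 00-0F-AC followed by the suite type
AKM_8021X = bytes.fromhex("000fac01")
AKM_PSK = bytes.fromhex("000fac02")
CIPHER_CCMP = bytes.fromhex("000fac04")


def parse_ies(body: bytes) -> Dict[int, List[bytes]]:
    """Split the tagged parameters after the fixed fields into {id: [data, ...]}."""
    if len(body) < BEACON_FIXED_LEN:
        raise ValueError("beacon body shorter than its fixed fields")
    ies: Dict[int, List[bytes]] = {}
    off = BEACON_FIXED_LEN
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated IE header")
        eid, length = body[off], body[off + 1]
        data = body[off + 2: off + 2 + length]
        if len(data) != length:   # declared length runs past the frame
            raise ValueError(f"IE {eid} declares {length} bytes, only {len(data)} present")
        ies.setdefault(eid, []).append(data)
        off += 2 + length
    return ies


def rsn_akm_suites(rsn: bytes) -> List[bytes]:
    """Return the AKM suite selectors of an RSN IE.

    Layout: version (2, LE), group cipher suite (4), pairwise count (2, LE),
    pairwise suites (4 each), AKM count (2, LE), AKM suites (4 each), ...
    Every offset is bounds-checked so a short or malformed IE raises instead
    of being misread.
    """
    if len(rsn) < 8:
        raise ValueError("RSN IE too short")
    (version,) = struct.unpack_from("<H", rsn, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    off = 6                                   # skip version + group cipher suite
    (pairwise_count,) = struct.unpack_from("<H", rsn, off)
    off += 2 + 4 * pairwise_count
    if off + 2 > len(rsn):
        raise ValueError("RSN IE truncated in pairwise suite list")
    (akm_count,) = struct.unpack_from("<H", rsn, off)
    off += 2
    if off + 4 * akm_count > len(rsn):
        raise ValueError("RSN IE truncated in AKM suite list")
    return [rsn[off + 4 * i: off + 4 * i + 4] for i in range(akm_count)]


def classify_beacon(body: bytes) -> Tuple[str, str]:
    """Map a beacon body to (ssid, kind) following the slide's first branch."""
    ies = parse_ies(body)
    ssid = ies.get(SSID_IE, [b""])[0].decode("utf-8", errors="replace")
    if RSN_IE not in ies:
        # No RSN IE: PANA-secured or unauthenticated; only PANA discovery
        # (data driven or client initiated) can tell the two apart.
        return ssid, "open"
    akms = rsn_akm_suites(ies[RSN_IE][0])
    if AKM_8021X in akms:
        return ssid, "802.1X-secured"
    if AKM_PSK in akms:
        return ssid, "rsn-psk"                # e.g. the WPA-PSK mode the slides bootstrap with PANA
    return ssid, "rsn-other"


def build_beacon(ssid: str, akm: Optional[bytes] = None) -> bytes:
    """Construct a beacon body for testing (not captured traffic)."""
    privacy = 0x0010 if akm else 0            # Privacy bit set when RSN is advertised
    fixed = bytes(8) + struct.pack("<HH", 100, 0x0001 | privacy)   # interval 100, ESS bit
    body = fixed + bytes([SSID_IE, len(ssid)]) + ssid.encode()
    if akm:
        rsn = (struct.pack("<H", 1) + CIPHER_CCMP               # version, group cipher
               + struct.pack("<H", 1) + CIPHER_CCMP             # one pairwise cipher
               + struct.pack("<H", 1) + akm                     # one AKM suite
               + struct.pack("<H", 0))                          # RSN capabilities
        body += bytes([RSN_IE, len(rsn)]) + rsn
    return body


if __name__ == "__main__":
    for name, akm in (("corp", AKM_8021X), ("hotspot", AKM_PSK), ("free", None)):
        print(classify_beacon(build_beacon(name, akm)))
```

The parser refuses an IE whose declared length runs past the frame and an RSN IE whose suite counts run past its own length; a client that classifies beacons from the air should fail closed on such input rather than trust partial fields.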

The End

Should this I-D become a PANA WG item?

IPsec, DHCP
Entities: PaC, AP, DHCPv4 Server, PAA, EP(AR). Message sequence:
1- Link-layer association (PaC <-> AP)
2- DHCPv4 (PaC <-> DHCPv4 Server)
3- PANA: Discovery and Initial Handshake phase, and PAR-PAN exchange in Authentication phase (PaC <-> PAA)
4- Authorization [IKE-PSK, PaC-DI, Session-Id] (PAA -> EP)
5- PANA: PBR-PBA exchange in Authentication phase (PaC <-> PAA)
6- IKE (PaC <-> EP)
IPv4:
– IPsec-TIA = IPsec-TOA = PRPA (dhcp)
IPv6:
– IPsec-TOA = PRPA (link-local)
– IPsec-TIA = POPA (dhcp)
IPv6 can also use stateless address autoconf.