DSLF Subscriber Auth Requirements and IETF PANA Protocol PANA WG Chairs IETF 70 Dec 7, 2007 – Vancouver, Canada.

Slides:



Advertisements
Similar presentations
Authentication.
Advertisements

Protocol carrying Authentication for Network Access (PANA) Subir Das/Basavaraj Patil Telcordia Technologies Inc./Nokia 12/14/2001.
802.1AF - directions define requirements to find and create connections in terms of Discovery - Authentication - Enable 1.Discover of what can be done.
SAVI Requirements and Solutions for ISP IPv6 Access Network ISP-access-01.txt.
URP Usage Scenarios for NAS Yoshihiro Ohba August 2001 Toshiba America Research, Inc.
IPv6 Privacy Hannes Tschofenig, Tara Whalen. Agenda Privacy Threats Layering Addressing Policy Questionnaire.
AAA Mobile IPv6 Application Framework draft-yegin-mip6-aaa-fwk-00.txt Alper Yegin IETF 61 – 12 Nov 2004.
IPv6 over xDSL: The DIODOS Proposal Athanassios Liakopoulos Greek Research & Technology Network International IPv6 Workshop, Kopaonik,
IPv6 Address Provisioning In IPv6 world there are three provisioning aspects wich are independent of whether the IPv6 node is a Host or CE router: IPv6.
DSL Access Architectures and Protocols. xDSL Architecture.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
PaC with unspecified IP address. Requirements Assigning an IP address to the client is outside the scope of PANA. PANA protocol design MAY require the.
LLDP-MED Location Identification for Emergency Services Emergency Services Workshop, NY Oct 5-6, 2006 Manfred Arndt
Omniran PtP Links across IEEE 802 Bridged Infrastructure Date: Authors: NameAffiliationPhone Max
LLDP-MED Location Identification for Emergency Services Emergency Services Workshop, NY Oct 5-6, 2006 Manfred Arndt
IPv6 RADIUS attributes for IPv6 access networks draft-lourdelet-radext-ipv6-access-01 Glen Zorn, Benoit Lourdelet Wojciech Dec, Behcet Sarikaya Radext/dhc.
Doc.: IEEE /462r0 IEEE / San Francisco / July 2003 July 2003 Jean-Michel Lauriol, AlcatelSlide 1 TIA TR-41 VoIP over WLAN projects.
Access Protocols PPP vs. DHCP Chapter 5. Overview PPP DHCP User identities Assignment of IP addresses Assignment of other parameters.
Basic Transition Mechanisms for IPv6 Hosts and Routers -RFC 4213 Kai-Po Yang
Issues to Consider w.r.t Protocol Solution - IETF54 -
Doc: Submission September 2003 Dorothy Stanley (Agere Systems) IETF Liaison Report September 2003 Dorothy Stanley – Agere Systems IEEE.
50 th IETF BURP BOF, March 20, 2001 Applicability of a User Registration Protocol Yoshihiro Ohba (Toshiba America Research, Inc.) Henry Haverinen (Nokia)
1 EAP Usage Issues Feb 05 Jari Arkko. 2 Typical EAP Usage PPP authentication Wireless LAN authentication –802.1x and i IKEv2 EAP authentication.
IETF54 Charter Issues Dealt with since IETF53 PANA WG Meeting Basavaraj Patil.
KAIS T Security architecture in a multi-hop mesh network Conference in France, Presented by JooBeom Yun.
Using DHCPv6 for DNS Configuration in Hosts draft-ietf-droms-dnsconfig-dhcpv6-00.txt Ralph Droms.
Framework & Requirements for an Access Node Control Mechanism in Broadband Multi-Service Networks ANCP WG IETF 71 – Philadelphia draft-ietf-ancp-framework-05.txt.
Prefix Delegation Protocol Selection T.J. Kniveton MEXT Working Group IETF 70 - December ’07 - Vancouver.
1 DHCP Authentication Discussion INTAREA meeting, 70th IETF Vancouver, Canada Jari Arkko and Ralph Droms.
Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.
Jun Li DHCP Option for Access Network Information draft-lijun-dhc-clf-nass-option-01.
GEOPRIV Layer 7 Location Configuration Protocol; Problem Statement and Requirements draft-tschofenig-geopriv-l7-lcp-ps-00.txt Hannes Tschofenig, Henning.
UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Secure Authentication System for Public WLAN Roaming Ana Sanz Merino, Yasuhiko.
1 © NOKIA Nokia_TIA-835D_MIPv6_authentication / 18AUG03 / ETacsik MIPv6 authentication MIPv6 authentication – AAAv6 MIPv6 authentication – PANA MIPv6 authentication.
IETF-71, Philadelphia PANA in DSL networks draft-morand-pana-panaoverdsl-01.txt Lionel Morand France Telecom Alper Yegin Samsung Yoshihiro Ohba Toshiba.
1 Presentation_ID © 1999, Cisco Systems, Inc. Cisco All-IP Mobile Wireless Network Reference Model Presentation_ID.
SNMP for the PAA-EP protocol PANA wg - IETF 60 San Diego -> Yacine El Mghazli (Alcatel)
PAWS: Security Considerations Yizhuang WU, Yang CUI PAWS WG
EAP Authentication for SIP & HTTP V. Torvinen (Ericsson), J. Arkko (Ericsson), A. Niemi (Nokia),
Doc.: IEEE /0691r0 Submission May 2011 Dorothy Stanley, Aruba NetworksSlide 1 IEEE IETF Liaison Report Date: Authors:
Doc.: 802_Handoff_Architecture_Elements_r2 Submission May David Johnston, IntelSlide 1 Architectural Elements of an 802 Handoff Solution David Johnston.
1 Background and Introduction. 2 Outline History Scope Administrative.
PANA Framework Prakash Jayaraman, Rafa Marin Lopez, Yoshihiro Ohba, Mohan Parthasarathy, Alper Yegin IETF 59.
SNMP for the PAA-2-EP protocol PANA wg - IETF 59 Seoul -> Yacine El Mghazli (Alcatel)
Multi-hop PANA IETF Currently: –“For simplicity, it is assumed that the PAA is attached to the same link as the device (i.e., no intermediary IP.
1 HRPD Roamer Authentication Zhibi Wang, Sarvar Patel, Simon Mizikovsky, Nancy Lee.
IETF 57 PANA WG PANA Discussion and Open Issues (draft-ietf-pana-pana-01.txt) Dan Forsberg, Yoshihiro Ohba, Basavaraj Patil, Hannes Tschofenig, Alper Yegin.
IP Multicast Receiver Access Control draft-atwood-mboned-mrac-req draft-atwood-mboned-mrac-arch.
Washinton D.C., November 2004 IETF 61 st – mip6 WG MIPv6 authorization and configuration based on EAP (draft-giaretta-mip6-authorization-eap-02) Gerardo.
Nov. 9, 2004IETF61 PANA WG PANA Specification Last Call Issues Yoshihiro Ohba, Alper Yegin, Basavaraj Patil, D. Forsberg, Hannes Tschofenig.
Layer 2 Control Protocol BoF (L2CP) IETF 65, Dallas, TX Wojciech Dec Matthew Bocci
GEONET Brainstorming Document. Content Purpose of the document Brainstorming process / plan Proposed charter Assumptions Use cases Problem description.
IETF66 PANA WG Problem Statement for a time-basis accounting in an "always-on“ Broadband scenario R. Maglione - Telecom Italia
Paris, August 2005 IETF 63 rd – mip6 WG Mobile IPv6 bootstrapping in split scenario (draft-ietf-mip6-bootstrapping-split-00) mip6-boot-sol DT Gerardo Giaretta,
V6OPS WG IETF-72 IPv6 in Broadband Networks draft-kaippallimalil-v6ops-ipv6-bbnet Presented by: David Miles Kaippallimalil John Frank Xia July 2008.
1 IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: EAP Pre-authentication Problem Statement in IETF HOKEY WG Date Submitted: September,
DHCPv4 option for PANA Authentication Agents draft-suraj-dhcpv4-paa-option-00.txt DHC/PANA WG IETF-63 France, Paris.
PANA in DSL networks draft-morand-pana-panaoverdsl-00.txt Lionel Morand Roberta Maglione John Kaippallimalil Alper Yegin IETF-67, San Diego.
DM Collaboration – OMA & BBF: Deployment Scenarios Group Name: WG5 - MAS Source: Tim Carey, ALU, Meeting Date:
Discussion on DHCPv6 Routing Configuration
<draft-ohba-pana-framework-00.txt>
Open issues with PANA Protocol
PANA in DSL networks draft-morand-pana-panaoverdsl-01.txt
PANA Discussion and Open Issues (draft-ietf-pana-pana-01.txt)
Thierry Ernst (INRIA and WIDE) Hesham Soliman (Ericsson)
PANA Issues and Resolutions
PAA-EP protocol considerations PANA wg - IETF 57 Vienna
Secure Authentication System for Public WLAN Roaming
draft-ipdvb-sec-01.txt ULE Security Requirements
PAA-2-EP protocol PANA wg - IETF 58 Minneapolis
Presentation transcript:

DSLF Subscriber Auth Requirements and IETF PANA Protocol PANA WG Chairs IETF 70 Dec 7, 2007 – Vancouver, Canada

IETF 70 – PANA WG2 DSLF “In 2006 the DSL Forum initiated a work item on "IP Sessions" with the intention of bringing some of the attributes of PPP to purely IP access scenarios. In particular IP over Ethernet over DSL in the context of our technical report TR-101. In the course of this work we have developed and agreed upon a set of requirements for subscriber authentication (summarized on the following page). We are not currently aware of a solution specified in the industry that meets our requirements. Can you advise us if you have a specified solution or whether a suitable solution is under your consideration. “

IETF 70 – PANA WG3 IETF PANA WG RFC 4508 Appendix A. Problem Statement DSL networks are a specific example where PANA has the potential for addressing some of the deployment scenarios. Some DSL deployments do not use PPP [RFC1661] as the access link- layer (IP is carried over ATM and the subscriber device is either statically or DHCP- configured). The operators of these networks are left either using an application-layer web-based login (captive portal) scheme for subscriber authentication, or providing a best-effort service only as they cannot perform subscriber authentication required for the differentiated services. The captive portal scheme is a non-standard solution that has various limitations and security flaws.

IETF 70 – PANA WG4 Analysis DSLF Req # DSLF Requirement DescriptionComplianceExplanation IPAuth-1Authentication must not depend on the use of any given application, eg web browser. Yes PANA implementation does not rely on other applications. IPAuth-2Must re-use existing SP Authentication infrastructure (use Radius Database) and allow mixed mode operation (eg PPP and IP) on the same L3 edge device Yes PANA does not require any changes on the AAA database. It can be used over IP networks that co-exist with PPP networks. IPAuth-3Must offer L3 edge device (BRAS) subscriber policy enforcement via pull and push methods, ie L3 edge must be aware of authentication status and any subscriber credentials Yes PANA Authentication Agent (PAA) can be implemented on the BRAS, or elsewhere. IPAuth-4Must allow for authorization purposes the use of any additional identifiers that may be available, eg MAC address, Option82 circuit-id. Yes MAC address is already available on the IP messages that carry PANA. PANA does not prevent use of Option 82 with DHCP. IPAuth-5Should allow for subscriber nomadicity and support tracking of changes to location. Yes PANA allows establishing a new session or maintaining the same session upon mobility/nomadicity. IPAuth-6Must fit into TR-101 operational model Although we do not see any issues there, IETF does not have the expertise to fully evaluate this requirement. IPAuth-7 Must support revoking authentication Yes PANA Termination message is explicitly designed for that purpose.

IETF 70 – PANA WG5 Analysis DSLF Req # DSLF Requirement DescriptionComplianceExplanation IPAuth-8Must handle L3 CPE device authentication and end-device (PC) user based authentication (likely with L2 CPEs in the latter case) Yes PANA Client (PaC) can be implemented on both CPEs and end-devices. IPAuth-9Should be simple to implement on client (PC or CPE) Yes Implementation does not require changes to the operating system. Open source implementation available. IPAuth-10Must be independent of medium type (eg Fixed Ethernet, Legacy ATM, PON, WiFi, WiMax, etc) Yes This is the original design goal of PANA. IPAuth-11Must not require major re-work for IPv6. None ideally. Yes Same protocol can be used for both IPv4 and IPv6. IPAuth-12Must be resilient to attacks on the subscriber, eg against brute-force challenge attacks, or spoofing of an authenticator edge device Yes Rate limiting, message validation, message authentication are used against such threats. IPAuth-13Must offer authenticator edge device resiliency, eg not be prone to DOS authentication attacks Yes Stateless handshake and rate limiting are used against such threats. IPAuth-14Must allow for authentication and download of subscriber service profile before service IP address is assigned Yes PANA requires an IP address be configured prior to authentication (a IPv4/IPv6 link- local, or a short-lease DHCP address), but allows the “service IP address” be assigned after authentication.

IETF 70 – PANA WG6 Analysis DSLF Req # DSLF Requirement DescriptionComplianceExplanation IPAuth-15Must offer an option to re-authenticate periodically or on demand. Yes Both the client-side and network-side are capable of initiating re-authentication. IPAuth-16At an absolute minimum, must provide equivalent or better security than PPP CHAP/MD5 does today. Must include the ability to move to more secure authentication methods over time. Yes Supports any EAP method (including CHAP/MD5 equivalent of EAP-MD5). IPAuth-17Should offer authentication fail/success reason message to subscriber from authenticator. Yes Supports explicit authentication and authorization result codes (extensible). IPAuth-18Must allow for multiple authenticated subscribers on same physical or logical interface. Yes PANA Session-ID can demultiplex multiple authenticated sessions over the same physical/logical interface. IPAuth-19Must offer scalable subscriber management, eg not rely on subscriber credentials configured on the authenticator Edge Yes PANA is independent of any backend protocol (RADIUS, Diameter, LDAP, etc.) that may or may not be used by the authenticator edge. IPAuth-20Must have a logical path towards standardization Yes PANA specification is already approved by IESG and currently in IETF RFC queue. IPAuth-21Must scale to 10000s of subscribers per L3 edge device (ie must be conservative in use of resources) Yes See PANA Session Attributes in the spec.

IETF 70 – PANA WG7 Conclusion IETF PANA protocol is specifically designed for the problem presented by the DSLF IETF PANA protocol satisfies the DSFL Subscriber Authentication Requirements as presented in their May 25, 2007 liaison. IETF should notify DSLF about PANA WG’s conclusion in response to DSLF’s May 25, 2007 liaison letter DSLF can contact IETF PANA WG for more details

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.