SNMP for the PAA-EP protocol PANA wg - IETF 60 San Diego -> Yacine El Mghazli (Alcatel) <- Yoshihiro Ohba (Toshiba) Julien Bournelle (GET/INT) draft-ietf-pana-snmp-01.txt.


1 SNMP for the PAA-EP protocol PANA wg - IETF 60 San Diego -> Yacine El Mghazli (Alcatel) <- Yoshihiro Ohba (Toshiba) Julien Bournelle (GET/INT) draft-ietf-pana-snmp-01.txt

2 PAA-EP History
Yacine El Mghazli — 2 All rights reserved © 2004, Alcatel
> PANA charter:
  The PANA working group mandates SNMP for PAA-EP
  The PANA wg will not design a new protocol; the work may involve the definition of extensions of an existing one
> History:
  IETF55: PAA-EP interface requirements – draft-ietf-pana-reqs-0x.txt
  IETF56/57/58: PAA-EP protocol evaluation – draft-yacine-pana-paa2ep-prot-eval-00.txt
  IETF59: SNMP draft accepted as a PANA work item – draft-yacine-pana-snmp-01.txt
  IETF60: SNMP draft updated – draft-ietf-pana-snmp-01.txt

3 Re-use of existing IPSec configuration MIBs
IP level access control
> IPSec configuration MIB split into 3 separate modules
> IPSec SPD configuration MIB module (IPSP wg)
  Rule/Filter/Action Policy structure
  Various IP filters, including IP header filter
  Notification Variables re-usable for the PaC presence notification
> IPSec IKE configuration MIB module (IPSP wg)
  For IP-based access control (draft-ietf-pana-ipsec)
  Pre-shared key configuration (PSK)
    – Derived at the PAA level
  ID_KEY_ID configuration (aggressive mode)
    – PANA_Session_id|PANA_Key_Id

4 Additional PANA MIB objects
L2 access control + Specific Notifs
> Currently PANA-specific objects extend the SPD-MIB
  L2 Filters
  L2 protection (keying material)
  PaC presence Notification
> Current version -01:
  Tentative IEEE 802 filters
  New PaC Notification

5 Changes since -00
> Edits
  Terminology section updated
  PAA/EP separation context section rewritten
> New section on MIB usage examples in the PANA context
  To be reviewed by IPSP wg

6 Feedback on –01 (ML)
> General
  Edits… Fixed at next version
> On SNMPv3:
  A MIB doctor to act as a technical advisor for the PANA WG?
  Careful use of SNMP terminology
> On PANA framework:
  New PaC Notification could lead to DoS attacks on the PAA

7 Next steps and open issues for -02
> PANA-specific object design still immature
  Link-layer filters
    – Do we support everything? (guess no…)
    – Might re-use existing
  L2 protection
    – Some additional objects design might be needed
    – Might re-use existing
> Security section TBD
  Details the use of SNMPv3 security
  Depends on the MIB objects definition

8 THANKS

9 PAA-EP Requirements Summary
> One-to-many PAA-EP relation: required.
  a given EP relates to multiple PAAs
> Secure Communication: required.
  authentication, confidentiality, and integrity.
> New PaC Notification: required.
  EP to notify unauthorized PaC presence to the PAA.
  optional (PANA can do that).
> Inactive EP detection: not required.
  satisfied by other means.
  the architecture can take it into account with e.g. a request-response mechanism.

10 PAA-EP Requirements Summary (cont’d)
> Stateful approach: not required.
  the PAA does not maintain any EP state.
  the whole solution does (at application level).
  needed some implementation guidance.
> Accounting/Feedback from the EPs: required.
  polling sufficient for the PANA needs
> EP Configuration information:
  The PAA-EP protocol must push DI-based filters and keying material down to the EP.

11 Why SNMP?
> Consensus regarding the PAA-EP protocol within PANA wg:
  No new protocol design
  Basic configuration needs (no ‘disqualifying’ requirement), but:
    – No disruptive choice
    – No immature solutions
    – Follow the IAB recommendations
> SNMPv3 fully satisfies the above conditions
  v3 satisfies the security conditions
  widely spread for monitoring (« get » messages)
  « Set » messages allow simple configuration
  Lots of MIBs available
> SNMP provides a simple solution with a high level of re-use

12 Functional basic principle
[Figure: PaC, EP, AR, PAA and AAA backend on one single IP subnet. Labels: PANA auth, AAA auth, SNMP Install filter, PaC traffic.]

