12/05/2007 IETF70 PANA WG 1
Pre-authentication Extension to PANA
draft-ietf-pana-preauth-02.txt
Yoshihiro Ohba
Changes from -01
• Defined ‘E’ (prE-authentication) bit instead of ‘P’ bit – ‘P’ bit is assigned for “Ping” in pana-pana-18
• Updated call flows to be consistent with pana-pana-18
• Revised terms (simplified)
  – Changed the name of PAAs in the serving and candidate networks
    • Local PAA → Serving PAA (SPAA)
    • Remote PAA → Candidate PAA (CPAA)
  – Changed the name of PANA SA between PaC and CPAA
    • Pre-authentication SA → Pre-authorization SA
  – Changed the name of PANA SA between PaC and SPAA
    • Active SA → Post-authorization SA
  – Removed non-important terms
    • {Local,Remote} PaC, {Preparing,Active} PAA
• Added reference to I-D.ietf-hokey-preauth-ps
Example Call Flow (PaC-initiated pre-authentication)
Parties: PaC and Candidate PAA (CPAA)
• Pre-authentication trigger
• PCI w/ ‘E’ bit set
• PAR w/ ‘S’ and ‘E’ bits set
• PAN w/ ‘S’ and ‘E’ bits set
• PAR/PAN exchange w/ ‘E’ bit set
• PAR/PAN exchange w/ ‘C’ and ‘E’ bits set → Pre-authorization
• Movement
• Post-authorization:
  – PNR w/ ‘P’ bit set and ‘E’ bit cleared
  – …
  – PNA w/ ‘P’ bit set and ‘E’ bit cleared
The first PCI message is omitted in the case of PAA-initiated pre-authentication
Example Call Flow (IP address update for pre-authorized SA)
Parties: PaC and Candidate PAA (CPAA)
• Movement
• IP Address Update:
  – PNR w/ ‘P’ and ‘E’ bits set
  – PNA w/ ‘P’ and ‘E’ bits set
Issue: a MiTM attack is possible because the source IP address is not protected
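As an added example (not code from the draft or these slides), a small Python checker that packs and parses the PANA header flags and classifies each message of the two call flows above by its ‘E’/‘P’/‘C’ bit combination; the R/S/C/A/P/I positions follow RFC 5191, while the ‘E’ bit position, the session id and the flag layout of the constructed messages are assumptions, and message direction is not modelled.

```python
import struct
# PANA header (RFC 5191): Reserved | Length | Flags | Type | Session ID | Seq No = 16 bytes
HEADER_FMT = "!HHHHII"
HEADER_LEN = struct.calcsize(HEADER_FMT)
# R,S,C,A,P,I are the RFC 5191 flag bits; the position of the 'E' (prE-authentication)
# bit is an assumption here (the bit after 'I'), since the slides do not give its value.
FLAGS = {"R": 0x8000, "S": 0x4000, "C": 0x2000, "A": 0x1000,
         "P": 0x0800, "I": 0x0400, "E": 0x0200}
TYPES = {"PCI": 1, "PA": 2, "PT": 3, "PN": 4}   # message type codes from RFC 5191

def pack_header(msg_type, flags, session_id, seq, payload_len=0):
    """Build a PANA header; `flags` is a string of flag letters such as "RSE"."""
    bits = sum(FLAGS[f] for f in flags)           # KeyError on an unknown flag letter
    return struct.pack(HEADER_FMT, 0, HEADER_LEN + payload_len, bits,
                       TYPES[msg_type], session_id, seq)

def unpack_header(data):
    """Parse a PANA header; rejects truncated input and reserved flag bits."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated PANA header")
    _res, _len, bits, mtype, sid, seq = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if bits & ~sum(FLAGS.values()):
        raise ValueError("reserved flag bits set: 0x%04x" % bits)
    return {"type": mtype, "session_id": sid, "seq": seq,
            "flags": {n for n, v in FLAGS.items() if bits & v}}

def classify(hdr):
    """Phase implied by the flags, following the two call flows on the slides."""
    f = hdr["flags"]
    if hdr["type"] == TYPES["PN"] and "P" in f:   # PNR/PNA with 'P': post-auth or IP update
        return "ip-address-update" if "E" in f else "post-authorization"
    return "pre-authorization" if "E" in f else "normal"

def check_flow(raw_msgs):
    """Classify each message and report flag combinations the slide flows do not allow."""
    phases, problems, done = [], [], False
    for i, raw in enumerate(raw_msgs):
        hdr = unpack_header(raw)
        phases.append(classify(hdr))
        done |= hdr["type"] == TYPES["PA"] and {"C", "E"} <= hdr["flags"]  # pre-auth finished
        if phases[-1] == "post-authorization" and not done:
            problems.append("msg %d: post-authorization before pre-authorization completed" % i)
        if "post-authorization" in phases and "E" in hdr["flags"]:
            problems.append("msg %d: 'E' bit set after post-authorization" % i)
    return phases, problems
SID = 0x1234   # constructed session id; a PCI carries session id and sequence number 0
FLOW = [pack_header(t, f, 0 if t == "PCI" else SID, s) for t, f, s in [
    ("PCI", "E", 0), ("PA", "RSE", 1), ("PA", "SE", 1), ("PA", "RE", 2), ("PA", "E", 2),
    ("PA", "RCE", 3), ("PA", "CE", 3), ("PN", "RPE", 4), ("PN", "PE", 4),  # slide 3 then slide 4
    ("PN", "RP", 5), ("PN", "P", 5)]]          # PNR/PNA w/ 'P' set and 'E' cleared: post-authorization
```

`check_flow(FLOW)` returns the phase of each constructed message and an empty problem list; appending a PNA with ‘E’ still set after the post-authorization exchange is reported.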
Thank You!