PANA Framework
<draft-ohba-pana-framework-00.txt>
Prakash Jayaraman, Rafa Marin Lopez, Yoshihiro Ohba, Mohan Parthasarathy, Alper Yegin
IETF 59
Framework
• Functional model
• Signaling flow
• Deployment environments
• IP address configuration
• Data traffic protection
• Provisioning
• Network selection
• Authentication method choice
• DSL deployment
• WLAN deployment
Functional Model
                         RADIUS/
                         Diameter/
 +-----+     PANA     +-----+   LDAP/ API   +-----+
 | PaC |<------------>| PAA |<------------->| AS  |
 +-----+              +-----+               +-----+
    ^                    ^
    |                    |
    |   IKE/    +-----+  |   SNMP/
    +---------->| EP  |<-+   API
  4-way         +-----+
  handshake
Signaling Flow
 PaC            EP             PAA            AS
  |            PANA             |     AAA      |
  |<--------------------------->|<------------>|
  |             |     SNMP      |              |
  |             |<------------->|              |
  | Sec.Assoc.  |               |              |
  |<----------->|               |              |
  |      Data traffic           |              |
  |<--------------------------->|              |
Deployment Environments
(a) Networks where a secure channel is already available prior to running PANA
– (a.1) Physical security. E.g.: DSL
– (a.2) Cryptographic security. E.g.: cdma2000
(b) Networks where a secure channel is created after running PANA
– (b.1) Link-layer per-packet security. E.g.: Using WPA-PSK.
– (b.2) Network-layer per-packet security. E.g.: Using IPsec.
IP Address Configuration
• Pre-PANA address: PRPA
– Configured before PANA
• Post-PANA address: POPA
– Configured after PANA when:
  • IPsec is used, or
  • PRPA is link-local or temporary
– PAA informs PaC if POPA needed
PRPA Configuration
• Possible ways:
– Static
– DHCPv4 (global, or private address)
– IPv4 link-local
– DHCPv6
– IPv6 address autoconfiguration (global, or link-local)
POPA Configuration (no IPsec)
• DHCPv4/v6
• IPv4:
– POPA replaces PRPA (prevent address selection problem)
– Host route between PaC and PAA (preserve on-link communication)
• IPv6:
– use both PRPA and POPA at the same time
POPA Configuration (IPsec)
• Possible ways:
– IKEv2 configuration
– DHCP configuration of IPsec tunnel mode (RFC 3456)
• PRPA used as tunnel outer address, POPA as tunnel inner address
Combinations
 +-----------------------------------+----------------------------------------+
 | PRPA                              | POPA                                   |
 +-----------------------------------+----------------------------------------+
 | L1-L2 per-packet security (no IPsec)                                       |
 |   Static                          | none                                   |
 |   IPv4 (DHCP)                     | none                                   |
 |   IPv6 global (DHCP, stateless)   | none                                   |
 |   IPv4 link-local                 | IPv4 (DHCP)                            |
 |   IPv4 temporary (DHCP)           | IPv4 (DHCP)                            |
 |   IPv6 link-local                 | IPv6 global (DHCP, stateless)          |
 +-----------------------------------+----------------------------------------+
 | L3 per-packet security (IPsec)                                             |
 |   (PRPA = TOA)                    | (POPA = TIA, via IKEv2 or RFC3456)     |
 |   Static                          |                                        |
 |   IPv6 global (DHCP, stateless)   |                                        |
 |   IPv4 (DHCP)                     |                                        |
 |   IPv6 link-local                 |                                        |
 |   IPv4 link-local                 |                                        |
 +-----------------------------------+----------------------------------------+
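As an added example (not code from the draft or the slides), the following Python applies the PRPA/POPA rules from the IP Address Configuration, POPA Configuration and Combinations slides to a concrete pre-PANA address: it decides whether a POPA is needed, where it comes from, and what the PaC does with the old address. The AddressPlan structure, its field names and the function name are this example's own choices; address classification uses the standard library's ipaddress module.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not code from the framework draft: applies the PRPA/POPA
# rules of the slides to a concrete pre-PANA address. AddressPlan and its
# field names are this example's own.


@dataclass
class AddressPlan:
    prpa: str
    popa_needed: bool = False
    reasons: List[str] = field(default_factory=list)
    popa_source: Optional[str] = None     # how the POPA is obtained
    replace_prpa: bool = False            # IPv4, no IPsec: POPA replaces PRPA
    host_route_to_paa: bool = False       # IPv4, no IPsec: keep PaC-PAA on-link
    keep_both: bool = False               # IPv6, no IPsec: PRPA and POPA coexist
    ipsec_toa: Optional[str] = None       # tunnel outer address (the PRPA)
    ipsec_tia: Optional[str] = None       # tunnel inner address (the POPA)


def plan_address_configuration(prpa: str, ipsec: bool,
                               prpa_temporary: bool = False,
                               popa: Optional[str] = None) -> AddressPlan:
    """Decide whether a POPA is needed and how the PaC should use it.

    prpa           -- address configured before PANA (static, DHCP,
                      link-local or autoconfigured)
    ipsec          -- True when data traffic is protected at L3 (IPsec)
    prpa_temporary -- True when the PRPA is a short-lived pre-auth lease
    popa           -- the post-PANA address once DHCP or IKE assigns it
    """
    addr = ipaddress.ip_address(prpa)
    plan = AddressPlan(prpa=prpa)

    # A POPA is configured when IPsec is used, or when the PRPA is
    # link-local or temporary; otherwise the PRPA is the final address.
    if ipsec:
        plan.reasons.append("IPsec used for data traffic protection")
    if addr.is_link_local:
        plan.reasons.append("PRPA is link-local")
    if prpa_temporary:
        plan.reasons.append("PRPA is temporary")
    plan.popa_needed = bool(plan.reasons)
    if not plan.popa_needed:
        return plan

    if ipsec:
        # L3 per-packet security: PRPA is the tunnel outer address, POPA the
        # tunnel inner address, obtained via IKEv2 configuration or RFC 3456.
        plan.popa_source = "IKEv2 configuration or DHCP over IPsec tunnel (RFC 3456)"
        plan.ipsec_toa = prpa
        plan.ipsec_tia = popa
    elif addr.version == 4:
        # L1-L2 per-packet security, IPv4: POPA replaces PRPA to avoid the
        # address selection problem; a host route keeps the PAA reachable.
        plan.popa_source = "DHCPv4"
        plan.replace_prpa = True
        plan.host_route_to_paa = True
    else:
        # L1-L2 per-packet security, IPv6: PRPA and POPA are used together.
        plan.popa_source = "DHCPv6 or stateless autoconfiguration"
        plan.keep_both = True
    return plan


if __name__ == "__main__":
    # Constructed sample inputs (documentation prefixes, not real deployments).
    for sample_prpa, use_ipsec in [("169.254.10.5", False), ("fe80::1", False),
                                   ("203.0.113.7", False), ("203.0.113.7", True)]:
        print(sample_prpa, use_ipsec, plan_address_configuration(sample_prpa, use_ipsec))
```

The temporary-PRPA case cannot be inferred from the address itself (a DHCP lease looks like any other IPv4 address), so it is passed in explicitly; in a real PaC it would come from the PAA's indication that a POPA is needed.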
Additional Approaches: (1) Using a PRPA as TIA
• IPv6:
– Configure a link-local and global before PANA (DHCPv6 or stateless)
– TIA=global, TOA=link-local
• Requires SPD selection based on the name (session-ID), not the IP address
• Explicit support in RFC2401bis
– Name is set, address selectors are NULL
• RFC2401? Not clear.
– Racoon's generate_policy directive
  • Authenticate peer by PSK, accept proposed TIA (skip SPD check), then create SPD
• Should we include this?
Additional Approaches: (2) Using a PRPA as TIA
• IPv4:
– Configure a global address before PANA (static, or DHCPv4)
– TIA=TOA=PRPA
• RFC2401: Same considerations.
• Forwarding considerations:
– Requires special handling on EP, or else:
  • tunnel_to PRPA(tunnel to PRPA(tunnel to PRPA(to PRPA)))...
– FreeSwan handles this. Others?
• Should we include this?
Data Traffic Protection
• Already available in type (a) environments
• Enabled by PANA in type (b) environments
– EAP generated keys
– Secure association protocol
• draft-ietf-pana-ipsec-02
PAA-EP Provisioning Protocol
• EP is the closest IP-capable access device to PaCs
• Co-located with PAA or separate
– draft-yacine-pana-snmp-01
– Carries IP or L2 address, optionally cryptographic keys
• One or more EPs per PAA
• EP may detect presence of PaC and trigger PANA by notifying PAA
Network (ISP) Discovery and Selection
• Traditional selection:
– NAI-based
– Port number or L2 address based
• PANA-based discovery and selection:
– PAA advertises ISPs
– PaC explicitly picks one
Authentication Method Choice
• Depends on the environment
DSL
 Host--+                                        +-------- ISP1
       |    DSL link                            |
       +----- CPE ---------------- NAS ---------+-------- ISP2
       |  (Bridge/NAPT/Router)                  |
 Host--+                                        +-------- ISP3
 <------- customer --> <-------- NAP ---------> <---- ISP --->
          premise
• PANA needed when static IP or DHCP-based configuration is used (instead of PPP*)
DSL Deployments
Bridging mode:
 Host--+
 (PaC) |
       +----- CPE ---------------- NAS ------------- ISP
       |    (Bridge)             (PAA,EP,AR)
 Host--+
 (PaC)
Address Translation (NAPT) Mode:
 Host--+
       |
       +----- CPE ---------------- NAS ------------- ISP
       |   (NAPT, PaC)           (PAA,EP,AR)
 Host--+
DSL Deployment
Router mode:
 Host--+
       |
       +----- CPE ---------------- NAS ------------- ISP
       |   (Router,PaC)          (PAA,EP,AR)
 Host--+
Dynamic ISP Selection
• As part of DHCP protocol or an attribute of DSL access line
– DHCP client id
– Run DHCP, and PANA
– PRPA is the ultimate IP address (no POPA)
• As part of PANA authentication
– Temporary PRPA via zeroconf or DHCP with NAP
– Run PANA for AAA
– POPA via DHCP, replace PRPA
WLAN
• Network-layer per-packet security (IPsec):
– EP and PAA on access router
• Link-layer per-packet security (WPA-PSK):
– EP is on access point, PAA is on access router
IPsec, IKEv2
 PaC            AP     DHCPv4 Server     PAA          EP(AR)
  | Link-layer   |           |            |             |
  | association  |           |            |             |
  |<------------>|           |            |             |
  |              |           |            |             |
  |           DHCPv4         |            |             |
  |<-------------+---------->|            |             |
  |              |           |            |             |
  | PANA (Discovery and initial handshake phase         |
  |   & PAR-PAN exchange in authentication phase)       |
  |<-------------+------------------------>|            |
  |              |           |            |             |
  |              |           |            |Authorization|
  |              |           |            |[IKE-PSK,    |
  |              |           |            | PaC-DI,     |
  |              |           |            | Session-Id] |
  |              |           |            |------------>|
  |              |           |            |             |
  | PANA (PBR-PBA exchange in authentication phase)     |
  |<-------------+------------------------>|            |
  |              |           |            |             |
  |                      IKE                            |
  | (with Configuration Payload exchange or equivalent) |
  |<-------------+-------------------------------------->|
• IPv4:
– IPsec-TOA= PRPA (dhcp)
– IPsec-TIA= POPA (IKE)
• Alternative: RFC 3456
• IPv6:
– IPsec-TOA= PRPA (link-local)
– IPsec-TIA= POPA (IKE)
Bootstrapping WPA/IEEE 802.11i
• Pre-shared key mode (PSK) enabled
• MAC address is used as DI
• EP is on access point
• Provides:
– Centralized AAA
– Protected disconnection
• No changes to WPA or IEEE 802.11i required
Flow…
            +------------------+
            | Physical AP      |
            | +--------------+ |
            | |Virtual AP1   | |  Unauth
            | |(open-access) |---- VLAN\
            | |              | |         \+-------+
   +---+    | +--------------+ |          |PAA/AR/|
   |PaC| ~~~~                  |          |DHCP   |
   +---+    | +--------------+ |          |Server |
            | |Virtual AP2   | |         /+-------+
            | |(WPA PSK mode)|---- Auth /     |
            | |              | |  VLAN        |
            | +--------------+ |              |
            +------------------+          Internet
1- Associate with unauthenticated VLAN AP
2- Configure PRPA via DHCP or link-local
3- Perform PANA and generate PMK
4- Associate with authenticated VLAN AP, perform 4-way handshake, generate PTK
5- Obtain new IP address
Co-located PAA and AP(EP)
• Does not require virtual AP switching
• PANA, DHCP, ARP, ND traffic allowed on the 802.1X uncontrolled port
Capability Discovery
• Types of networks:
– IEEE 802.1X-secured
  • Look at RSN information element in beacon frames
– PANA-secured
  • Data driven PANA discovery
  • Client initiated discovery
– Unauthenticated (free)
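The capability discovery step above, as an added example that is not code from the draft or the slides: a client-side classifier that walks the information elements of a beacon and reports whether the network is IEEE 802.1X-secured (an RSN or WPA element whose AKM list contains 802.1X), PSK-secured (the WPA-PSK mode the bootstrapping slides use), or carries no security element at all, in which case PANA discovery is the next step. The sample beacon byte strings are constructed for this example; the element and suite-selector layouts follow IEEE 802.11i and the WPA vendor element.

```python
import struct
from typing import Dict, List, Tuple

# Added example, not code from the draft or the slides: classify a WLAN from
# the information elements (IEs) in its beacon, as the "Capability Discovery"
# slide suggests. The sample beacons at the bottom are constructed by hand.

RSN_IE_ID = 48                # IEEE 802.11i RSN information element
VENDOR_IE_ID = 221            # vendor-specific element; WPA (pre-802.11i) uses it
RSN_OUI = b"\x00\x0f\xac"     # 802.11i suite selector OUI
WPA_OUI = b"\x00\x50\xf2"     # Wi-Fi Alliance (WPA) suite selector OUI
AKM_NAMES = {1: "802.1X", 2: "PSK"}


def parse_ies(body: bytes) -> List[Tuple[int, bytes]]:
    """Split the tagged-parameter region of a beacon into (id, payload) pairs."""
    ies, off = [], 0
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        payload = body[off + 2:off + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated information element")
        ies.append((eid, payload))
        off += 2 + length
    if off != len(body):
        raise ValueError("dangling bytes after last element")
    return ies


def _take(buf: bytes, off: int, n: int) -> bytes:
    chunk = buf[off:off + n]
    if len(chunk) != n:
        raise ValueError("suite block truncated")
    return chunk


def parse_suite_block(payload: bytes, oui: bytes) -> Dict[str, object]:
    """Parse version, group cipher, pairwise list and AKM list (RSN and WPA share this layout)."""
    version = struct.unpack("<H", _take(payload, 0, 2))[0]
    off = 2
    group = _take(payload, off, 4)
    off += 4
    pw_count = struct.unpack("<H", _take(payload, off, 2))[0]
    off += 2
    pairwise = [_take(payload, off + 4 * k, 4) for k in range(pw_count)]
    off += 4 * pw_count
    akm_count = struct.unpack("<H", _take(payload, off, 2))[0]
    off += 2
    akms = [_take(payload, off + 4 * k, 4) for k in range(akm_count)]
    # Only selectors with the expected OUI are named; other OUIs are left as "vendor".
    akm_types = [AKM_NAMES.get(s[3], "unknown") if s[:3] == oui else "vendor"
                 for s in akms]
    return {"version": version, "group_cipher": group,
            "pairwise": pairwise, "akm": akm_types}


def classify_network(beacon_ies: bytes) -> str:
    for eid, payload in parse_ies(beacon_ies):
        if eid == RSN_IE_ID:
            akm = parse_suite_block(payload, RSN_OUI)["akm"]
        elif eid == VENDOR_IE_ID and payload[:4] == WPA_OUI + b"\x01":
            akm = parse_suite_block(payload[4:], WPA_OUI)["akm"]
        else:
            continue
        if "802.1X" in akm:
            return "IEEE 802.1X-secured"
        if "PSK" in akm:
            return "PSK-secured (WPA/802.11i pre-shared key)"
        return "RSN/WPA with unrecognised AKM"
    # Nothing in a beacon distinguishes a PANA-secured network from an open one,
    # so this is where data-driven or client-initiated PANA discovery starts.
    return "open (unauthenticated; run PANA discovery)"


# Constructed sample beacons: an SSID element followed by the security element.
SSID_IE = bytes([0, 8]) + b"lab-wlan"
BEACON_8021X = SSID_IE + bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac01 0000")
BEACON_RSN_PSK = SSID_IE + bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
BEACON_WPA_PSK = SSID_IE + bytes.fromhex("dd16 0050f201 0100 0050f202 0100 0050f202 0100 0050f202")
BEACON_OPEN = SSID_IE

if __name__ == "__main__":
    for name, ies in [("802.1X", BEACON_8021X), ("RSN-PSK", BEACON_RSN_PSK),
                      ("WPA-PSK", BEACON_WPA_PSK), ("open", BEACON_OPEN)]:
        print(name, "->", classify_network(ies))
```

Both parsers bound-check every field and raise on a truncated element rather than reading past the buffer, which matters because beacons are unauthenticated input from any station in range.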
The End
Should this I-D become a PANA WG item?
IPsec, DHCP
 PaC            AP     DHCPv4 Server     PAA          EP(AR)
  | Link-layer   |           |            |             |
  | association  |           |            |             |
  |<------------>|           |            |             |
  |              |           |            |             |
  |           DHCPv4         |            |             |
  |<-------------+---------->|            |             |
  |              |           |            |             |
  | PANA (Discovery and Initial Handshake phase         |
  |   & PAR-PAN exchange in Authentication phase)       |
  |<-------------+------------------------>|            |
  |              |           |            |             |
  |              |           |            |Authorization|
  |              |           |            |[IKE-PSK,    |
  |              |           |            | PaC-DI,     |
  |              |           |            | Session-Id] |
  |              |           |            |------------>|
  |              |           |            |             |
  | PANA (PBR-PBA exchange in Authentication phase)     |
  |<-------------+------------------------>|            |
  |              |           |            |             |
  |                      IKE                            |
  |<-------------+-------------------------------------->|
• IPv4:
– IPsec-TIA= IPsec-TOA= PRPA (dhcp)
• IPv6:
– IPsec-TOA= PRPA (link-local)
– IPsec-TIA= POPA (dhcp)
• IPv6 can also use stateless address autoconf.