Pre-authentication Extension to PANA: draft-ietf-pana-preauth-02.txt

12/05/2007 IETF70 PANA WG 1 Pre-authentication Extension to PANA draft-ietf-pana-preauth-02.txt Yoshihiro Ohba



Page 1: Pre-authentication Extension to PANA draft-ietf-pana-preauth-02.txt

12/05/2007 IETF70 PANA WG 1

Pre-authentication Extension to PANA

draft-ietf-pana-preauth-02.txt

Yoshihiro Ohba

Page 2: Pre-authentication Extension to PANA draft-ietf-pana-preauth-02.txt


Changes from -01

• Defined ‘E’ (prE-authentication) bit instead of ‘P’ bit
  – ‘P’ bit is assigned for “Ping” in pana-pana-18
• Updated call flows to be consistent with pana-pana-18
• Revised terms (simplified)
  – Changed the name of PAAs in the serving and candidate networks
    • Local PAA → Serving PAA (SPAA)
    • Remote PAA → Candidate PAA (CPAA)
  – Changed the name of PANA SA between PaC and CPAA
    • Pre-authentication SA → Pre-authorization SA
  – Changed the name of PANA SA between PaC and SPAA
    • Active SA → Post-authorization SA
  – Removed non-important terms
    • {Local,Remote} PaC, {Preparing,Active} PAA
• Added reference to I-D.ietf-hokey-preauth-ps

Page 3: Pre-authentication Extension to PANA draft-ietf-pana-preauth-02.txt


Example Call Flow (PaC-initiated pre-authentication)

Participants: PaC and Candidate PAA (CPAA)

Pre-authentication trigger

PCI w/ ‘E’ bit set

PAR w/ ‘S’ and ‘E’ bits set

PAN w/ ‘S’ and ‘E’ bits set

PAR/PAN exchange w/ ‘E’ bit set

PAR/PAN exchange w/ ‘C’ and ‘E’ bits set

Pre-authorization

Movement

Post-authorization

PNR w/ ‘P’ bit set and ‘E’ bit cleared

:

PNA w/ ‘P’ bit set and ‘E’ bit cleared

The first PCI message is omitted in the case of PAA-initiated pre-authentication

Page 4: Pre-authentication Extension to PANA draft-ietf-pana-preauth-02.txt


Example Call Flow (IP address update for pre-authorized SA)

Participants: PaC and Candidate PAA (CPAA)

Movement

IP Address Update

PNR w/ ‘P’ and ‘E’ bits set

PNA w/ ‘P’ and ‘E’ bits set

Issue: a MiTM attack is possible because the source IP address is not protected
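
The two call flows above (pages 3 and 4), as an added example that is not part of the slides or the draft: a small tracker that derives the SA state from the flags carried on each message. Flags are modelled as letters rather than header bit positions (the slides do not give the layout), and the function name, state names and message lists are constructed for illustration.

```python
# Added example (not from the draft): SA-state tracker for the slide 3/4 call flows.
# Flags are letter sets, since the slides give no header bit positions. Message
# integrity and source-address protection (the slide 4 issue) are not modelled.
IDLE, IN_PROGRESS = "idle", "pre-authentication in progress"
PRE, POST = "pre-authorization SA", "post-authorization SA"

def track_sa(messages):
    """Return (final_state, events) for a list of (message_type, flags) pairs."""
    state, events = IDLE, []
    for msg, flags in messages:
        f = set(flags)
        # PaC-initiated: PCI[E]. PAA-initiated: the PCI is omitted, so PAR[S,E] starts.
        if state == IDLE and "E" in f and (msg == "PCI" or (msg == "PAR" and "S" in f)):
            state = IN_PROGRESS
        elif state == IN_PROGRESS and msg in ("PAR", "PAN"):
            # Assumption of this sketch: a PAR/PAN without 'E' mid-exchange is an error.
            if "E" not in f:
                raise ValueError(f"{msg} without 'E' bit during pre-authentication")
            if msg == "PAN" and "C" in f:
                state = PRE
                events.append("pre-authorized")
        elif state == PRE and msg in ("PNR", "PNA") and "P" in f:
            if msg == "PNA" and "E" in f:
                events.append("ip-address-update")   # SA stays pre-authorized
            elif msg == "PNA":
                state = POST                         # 'E' cleared after movement
                events.append("post-authorized")
        else:
            raise ValueError(f"unexpected {msg}[{flags}] in state '{state}'")
    return state, events

# Constructed message sequences mirroring the two slides.
PREAUTH = [("PCI", "E"), ("PAR", "SE"), ("PAN", "SE"), ("PAR", "E"), ("PAN", "E"),
           ("PAR", "CE"), ("PAN", "CE")]
FLOW_SLIDE3 = PREAUTH + [("PNR", "P"), ("PNA", "P")]
FLOW_SLIDE4 = PREAUTH + [("PNR", "PE"), ("PNA", "PE")]

if __name__ == "__main__":
    for name, flow in (("slide 3", FLOW_SLIDE3), ("slide 4", FLOW_SLIDE4)):
        print(name, track_sa(flow))
```

Dropping the first element of either list gives the PAA-initiated variant, where the first PCI is omitted.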

Page 5: Pre-authentication Extension to PANA draft-ietf-pana-preauth-02.txt


Thank You!