SNMP for the PAA-EP protocol
PANA wg - IETF 62 Minneapolis
Yacine El Mghazli (Alcatel), Yoshihiro Ohba (Toshiba), Julien Bournelle (GET/INT)
draft-ietf-pana-snmp-03.txt
Yacine El Mghazli — 2 All rights reserved © 2004, Alcatel
Changes since -02
> Section on MIB usage examples in the PANA context
• Changes based on review by IPSP wg (Robert Story)
• A filter example for allowing DHCP traffic to pass through the EP
> Security section
• Additions based on review by PANA MIB doctor (David Perkins)
– Use of cryptographic protection is RECOMMENDED
– Passphrase management issues for USM
– Caution for MIB objects for which SET operation is allowed
– USM or VACM MUST be used for panaL2FilterTable
> Support for reliable notification of PaC presence in section 5.3:
“If reliability needs to be guaranteed for the notifications (panaNewPacIPNotification and panaNewPacL2Notification), hence inform notification, which is acknowledged, MUST be used. Then the PAA needs to have engine-id to be the authoritative of SNMP clock between EP and PAA (for inform operation the responder becomes the authoritative).”
Next steps & open issues for -04
> Link-layer protection
• Separate PANA document for L2 protection provisioning
– 802.11i, etc.
> SNMPv3 usage
• Are the security section recommendations enough?
• Some additional object design might be needed
> One more iteration before WGLC
THANKS
Functional basic principle
[Diagram: one single IP subnet containing the PaC, the EP, the PAA and the AR, with a AAA backend behind the PAA. Labelled flows: "PANA auth" (PaC and PAA), "AAA auth" (PAA and AAA backend), "SNMP: Install filter" (PAA to EP), and "PaC traffic" at the EP.]
PANA MIB objects for L2 access control & Notifications
> PANA-specific objects extend the IPSP SPD-MIB with:
• Generic L2 Filters
– Very simple (only the DI)
– Not linked with the whole IPSP structure
• New PaC presence Notification triggered by:
– L2 or IP unauthorized traffic
• L2 protection (keying material)
– Not treated
> IP-level access control re-uses the SPD module
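As an added illustration of the EP behaviour these slides describe (the DI-only L2 filter installed by the PAA, the DHCP pass-through from the "Changes since -02" slide, and the PaC-presence notification raised on unauthorized traffic), here is a simplified Python model; it is not code from the draft or its authors. The filter-table layout, the frame fields, and the rule for choosing between the IP and L2 notification are assumptions.

```python
"""Simplified PANA enforcement-point (EP) model (added example, not from the draft).
Assumed, not from the draft: a filter entry is just the PaC's device identifier (DI, a MAC),
frames are plain dicts, and install_filter() stands in for the PAA's SNMP SET."""
from dataclasses import dataclass, field

DHCP_PORTS = {67, 68}  # bootps/bootpc: allowed through the EP before authorization

@dataclass
class EnforcementPoint:
    authorized_dis: set = field(default_factory=set)  # stands in for panaL2FilterTable (DI only)
    notified_dis: set = field(default_factory=set)    # DIs already reported, to avoid repeats
    notifications: list = field(default_factory=list)

    def install_filter(self, di: str) -> None:
        """PAA -> EP: add a filter entry once PANA/AAA authentication has succeeded."""
        self.authorized_dis.add(di.lower())

    def handle_frame(self, frame: dict) -> str:
        """Return 'forward' or 'drop'; queue a PaC-presence notification on first contact."""
        di = frame["src_mac"].lower()
        if di in self.authorized_dis:
            return "forward"
        # DHCP must pass so an unauthorized PaC can obtain an address and start PANA.
        if frame.get("proto") == "udp" and frame.get("dst_port") in DHCP_PORTS:
            return "forward"
        # Unauthorized L2/IP traffic: report the DI to the PAA once, then keep dropping.
        if di not in self.notified_dis:
            self.notified_dis.add(di)
            # Assumed mapping: frames carrying IP info use the IP notification, others the L2 one.
            kind = "panaNewPacIPNotification" if "src_ip" in frame else "panaNewPacL2Notification"
            self.notifications.append((kind, di))
        return "drop"

def demo():
    """Constructed scenario: DHCP, then web traffic before and after filter installation."""
    ep = EnforcementPoint()
    di = "00:11:22:33:44:55"
    frames = [
        {"src_mac": di, "proto": "udp", "dst_port": 67},                          # DHCP
        {"src_mac": di, "src_ip": "192.0.2.10", "proto": "tcp", "dst_port": 80},
        {"src_mac": di, "src_ip": "192.0.2.10", "proto": "tcp", "dst_port": 443},
    ]
    before = [ep.handle_frame(f) for f in frames]
    ep.install_filter(di)  # PAA installs the filter after successful authentication
    after = [ep.handle_frame(f) for f in frames]
    return before, after, list(ep.notifications)
```

Reporting each DI only once keeps a single unauthenticated host from flooding the PAA with presence notifications; revoking the filter at session end would also have to clear that memory so the PaC can be reported again.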
Re-use of existing IPSec configuration MIBs for IP level access control
> IPSec configuration MIB split into 3 separate modules
> IPSec SPD configuration MIB module (IPSP wg)
• Rule/Filter/Action Policy structure
• Various IP filters, including IP header filter
• Notification Variables re-usable for the PaC presence notification
> IPSec IKE configuration MIB module (IPSP wg)
• For IP-based access control (draft-ietf-pana-ipsec)
• Pre-shared key configuration (PSK)
– Derived at the PAA level
• ID_KEY_ID configuration (aggressive mode)
– PANA_Session_id|PANA_Key_Id