
Re: [LinkSec] IETF PANA



Hi,

On Thu, Jul 24, 2003 at 03:20:26PM -0400, CONGDON,PAUL (HP-Roseville,ex1) wrote:
> 
> While 802.1X is designed to run over 802 media, I would argue it could be
> used on other media that supports either the Ethernet or SNAP encapsulation
> and can create the same point-to-point type model we expect.

To create a logical point-to-point link over a bridged network, some
identifier which uniquely identifies the link needs to be included in
each data frame transmitted over the link.

In the case of 802.11, a pair of Transmitter Address and Receiver
Address fields carried in each frame is used for such an identifier,
while Source Address and Destination Address are also carried to
forward frames to/from the DS.  This is similar to what IPsec tunnel mode
does, where there are two pairs of IP addresses, one in the outer IP header
and the other in the inner IP header.  One question here is, what
identifier is carried in each frame to identify a logical
point-to-point link?  I believe a pair of Source Address and
Destination Address is insufficient as a logical point-to-point link
identifier unless LinkSec is always applied end-to-end in the
bridged network.

> 
> I believe the PANA conversation is terminated at the first router and it is
> ok for PANA packets to be flooded everywhere on the local LAN segments
> between the node and the router.

Just a minor note that a PANA conversation can be terminated not only at
the first-hop router but also at any IP node on the same IP link as the
client IP hosts.

> 
> Paul

Thanks,
Yoshihiro Ohba

> 
> > -----Original Message-----
> > From: Jim Burns [mailto:jeb@mtghouse.com] 
> > Sent: Thursday, July 17, 2003 4:09 AM
> > To: stds-802-1@ieee.org; stds-802-linksec@ieee.org
> > Cc: Alper Yegin; Yoshihiro Ohba
> > Subject: [LinkSec] IETF PANA
> > 
> > 
> > 
> > Hi Folks,
> > I sat down with the IETF PANA lead, Alper Yegin as well as 
> > Yoshihiro Ohba and John Vollbrecht to discuss PANA.  There is 
> > some possibility that we can learn from each other and 
> > possibly find some places where our models/layers could 
> > exchange information.  At the very least, we should be able to 
> > share some problem definitions (probably best done by 
> > watching each other's email lists -- see below for details).
> > 
> > A very fast and simplistic synopsis of the meeting is:
> > What are the differences between 802.1X and PANA?
> > PANA runs over IP and 802.1X runs over ethernet.
> > PANA will work for the operators who have a link layer that 
> > is not ethernet. This means that PANA passes its keying 
> > material on to IPSEC (while 802.1X passes its on to 802.11i 
> > and perhaps 802.3 in the future). This means that PANA blocks 
> > at layer 3 -- blocking all but PANA packets (while 802.1X 
> > blocks at layer 2 all but eapol packets).
> > 
> > For those who are textually challenged and prefer pictures:
> >                   EAP
> >   +----------------+---------------------+
> >   |                                      |
> > 802.1X                                 PANA
> >   |                                      |
> > ethernet                                IP
> > 
> > 
> > The IEEE LinkSec info has been posted to the PANA site.
> > 
> > Please see the IETF PANA group information below:
> >     To get on the IETF PANA email list:
> >       To Subscribe: pana-request@research.telcordia.com
> >       In Body: (un)subscribe
> >       Archive: 
> > ftp://ftp.research.telcordia.com/pub/Group.archive/pana/archive
> >     Let me know if you have any problems.
> >     The IETF PANA home page is at:
> >       http://www.ietf.org/html.charters/pana-charter.html
> >     If you have trouble accessing it please let me know.
> > 
> > Sincerely,
> > Jim B.
> >
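The point made above about the two address pairs in an 802.11 data frame (per-hop TA/RA versus end-to-end SA/DA), as an added example that is not part of the original thread. It parses the 802.11 MAC header according to the ToDS/FromDS address table, extracts the (TA, RA) pair that names the logical link, and then performs the 802.11-to-802.3 translation an AP does when it forwards into the DS, to show that the resulting Ethernet frame carries only SA/DA and no longer identifies which link the frame traversed. The MAC addresses, the helper names and the payload are constructed for illustration; plain data frames without QoS/HT fields and without LLC/SNAP handling are assumed.

```python
import struct

# Frame Control flags (second byte): bit 0 = ToDS, bit 1 = FromDS
FC_FLAG_TO_DS = 0x01
FC_FLAG_FROM_DS = 0x02
ETHERTYPE_IPV4 = 0x0800


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def parse_80211_data(frame: bytes) -> dict:
    """Split an 802.11 data frame's MAC header into the per-hop pair (TA, RA)
    and the end-to-end pair (SA, DA), following the ToDS/FromDS address table.
    Assumes a plain data frame (no QoS/HT fields); sample frames only."""
    (fc,) = struct.unpack_from("<H", frame, 0)   # Frame Control is little-endian
    flags = fc >> 8
    to_ds, from_ds = bool(flags & FC_FLAG_TO_DS), bool(flags & FC_FLAG_FROM_DS)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    body_off = 24                                # FC, Duration, A1..A3, SeqCtl
    if to_ds and from_ds:       # 4-address (WDS): A1=RA A2=TA A3=DA A4=SA
        a4 = frame[24:30]
        da, sa, body_off = a3, a4, 30
    elif to_ds:                 # STA -> AP:  A1=BSSID(RA) A2=SA(TA) A3=DA
        da, sa = a3, a2
    elif from_ds:               # AP -> STA:  A1=DA(RA) A2=BSSID(TA) A3=SA
        da, sa = a1, a3
    else:                       # IBSS:       A1=DA A2=SA A3=BSSID
        da, sa = a1, a2
    return {"ra": a1, "ta": a2, "da": da, "sa": sa, "body": frame[body_off:]}


def link_id(frame: bytes) -> tuple:
    """The identifier that names the logical point-to-point link: (TA, RA)."""
    h = parse_80211_data(frame)
    return h["ta"], h["ra"]


def bridge_to_8023(frame: bytes, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """What an AP does when forwarding into the DS: keep only DA and SA.
    The (TA, RA) hop identifier does not survive the translation.
    (Sample only: the 802.11 body is passed through as the raw payload.)"""
    h = parse_80211_data(frame)
    return h["da"] + h["sa"] + struct.pack("!H", ethertype) + h["body"]


def build_80211_data(to_ds, from_ds, a1, a2, a3, body, a4=None) -> bytes:
    """Constructed data frame: type=Data, subtype 0, Duration and SeqCtl zero."""
    flags = (FC_FLAG_TO_DS if to_ds else 0) | (FC_FLAG_FROM_DS if from_ds else 0)
    fc = (flags << 8) | 0x08                     # low byte 0x08 = Data type
    hdr = struct.pack("<HH", fc, 0) + a1 + a2 + a3 + struct.pack("<H", 0)
    if a4 is not None:
        hdr += a4
    return hdr + body


# Constructed sample topology (locally administered addresses, not real captures)
STA = mac("02:00:00:00:00:01")     # wireless station
AP1 = mac("02:00:00:00:00:a1")     # BSSID of the first AP
AP2 = mac("02:00:00:00:00:a2")     # BSSID of a second AP the station roams to
HOST = mac("02:00:00:00:00:0e")    # wired host reached through the DS
BODY = b"sample payload"


def demo() -> dict:
    """Same station, same wired destination, two different wireless links:
    the link identifiers differ, the bridged 802.3 frames are identical."""
    via_ap1 = build_80211_data(True, False, AP1, STA, HOST, BODY)
    via_ap2 = build_80211_data(True, False, AP2, STA, HOST, BODY)
    return {
        "link_ap1": link_id(via_ap1),
        "link_ap2": link_id(via_ap2),
        "same_wired_frame": bridge_to_8023(via_ap1) == bridge_to_8023(via_ap2),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The two uplink frames are distinguishable on the air by (TA, RA), but once the AP has rewritten them into 802.3 form only (DA, SA) remains, which is why a source/destination pair alone cannot name a hop inside the bridged network.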
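The difference in the synopsis between 802.1X blocking at layer 2 (all but EAPOL) and PANA blocking at layer 3 (all but PANA packets), as an added example that is not part of the original thread. Two filter functions model the pre-authorization state of each enforcement point over the same raw Ethernet frames: the 802.1X one only looks at the EtherType, the PANA one has to parse up to the UDP ports. The EAPOL EtherType 0x888E and the PAE group address are the 802.1X values; the UDP port used for PANA is an assumption for illustration (the thread names none; 716 is the value IANA later assigned for RFC 5191), and the frames, addresses and payloads are constructed, with IP and UDP checksums left at zero. Following the synopsis literally, the PANA filter drops everything that is not IP; a real deployment would also have to pass the traffic the client needs to obtain an IP address before PANA can start.

```python
import struct

ETHERTYPE_EAPOL = 0x888E        # 802.1X PAE EtherType
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17
# Assumption for illustration: PANA carried over UDP on this port
# (assigned later by RFC 5191; the 2003 thread names no port).
PANA_UDP_PORT = 716


def parse_ethernet(frame: bytes):
    """Return (dst, src, ethertype, payload) from an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return frame[0:6], frame[6:12], ethertype, frame[14:]


def parse_ipv4_ports(packet: bytes):
    """Return (proto, src_port, dst_port); ports are None unless proto is UDP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto != IPPROTO_UDP or len(packet) < ihl + 8:
        return proto, None, None
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return proto, sport, dport


def dot1x_port_allows(frame: bytes, authorized: bool) -> bool:
    """802.1X controlled port: before authorization only EAPOL frames pass,
    decided purely on the layer-2 EtherType."""
    if authorized:
        return True
    _, _, ethertype, _ = parse_ethernet(frame)
    return ethertype == ETHERTYPE_EAPOL


def pana_ep_allows(frame: bytes, authorized: bool) -> bool:
    """PANA enforcement point at the IP layer: before authorization only PANA
    (UDP to or from PANA_UDP_PORT) passes. Non-IP frames are dropped here as
    the synopsis states; see the lead-in for the IP-configuration caveat."""
    if authorized:
        return True
    _, _, ethertype, payload = parse_ethernet(frame)
    if ethertype != ETHERTYPE_IPV4:
        return False
    proto, sport, dport = parse_ipv4_ports(payload)
    return proto == IPPROTO_UDP and PANA_UDP_PORT in (sport, dport)


# ---- constructed sample frames (not captured traffic) ----
def ethernet(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4(src_ip, dst_ip, proto, l4):
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum(0), src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src_ip, dst_ip)
    return hdr + l4


def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


PAE_GROUP = bytes.fromhex("0180c2000003")      # 802.1X PAE group address
STA_MAC = bytes.fromhex("020000000001")
GW_MAC = bytes.fromhex("0200000000ee")
STA_IP = bytes([192, 0, 2, 5])                  # TEST-NET-1 addresses
PAA_IP = bytes([192, 0, 2, 1])
WEB_IP = bytes([198, 51, 100, 10])

EAPOL_START = ethernet(PAE_GROUP, STA_MAC, ETHERTYPE_EAPOL, b"\x01\x01\x00\x00")  # v1, EAPOL-Start, len 0
PANA_MSG = ethernet(GW_MAC, STA_MAC, ETHERTYPE_IPV4,
                    ipv4(STA_IP, PAA_IP, IPPROTO_UDP, udp(40000, PANA_UDP_PORT, b"PANA")))  # placeholder body
WEB_SYN = ethernet(GW_MAC, STA_MAC, ETHERTYPE_IPV4,
                   ipv4(STA_IP, WEB_IP, IPPROTO_TCP, struct.pack("!HH", 40001, 80) + b"\x00" * 16))


def decisions(frame: bytes, authorized: bool = False) -> dict:
    return {"802.1X": dot1x_port_allows(frame, authorized),
            "PANA": pana_ep_allows(frame, authorized)}


if __name__ == "__main__":
    for name, f in (("EAPOL-Start", EAPOL_START), ("PANA", PANA_MSG), ("TCP/80", WEB_SYN)):
        print(name, decisions(f))
```

Before authorization each enforcement point lets through exactly the traffic of its own authentication protocol and nothing else: the EAPOL frame passes the 802.1X port but not the PANA point, the PANA datagram passes the PANA point but not the 802.1X port, and ordinary data is blocked by both until the port or host is authorized.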