
Re: [LinkSec] IETF PANA




Hi Paul,

>> I believe the PANA conversation is terminated at the first router and it is
>> ok for PANA packets to be flooded everywhere on the local LAN segments
>> between the node and the router.
> 
> Just a minor note that PANA conversation can be terminated not only at
> the first hop router but also at any IP node on the same IP link as
> client IP hosts.

Just to expand a bit more on what Yoshi said: The only requirement of PANA
is that the client (PaC) and the authentication agent (PAA) be on the same
IP-hop. As such, PAA can be on any one of the access routers, or any one of
the access points as well. Or even on a separate dedicated server on that
last hop. Appendix section in
http://ietf.org/internet-drafts/draft-ietf-pana-requirements-07.txt covers
all these scenarios.

Btw, what do you mean by "flooding" PANA packets? Are you asking if one can
send PANA messages between the STA and AP?

Alper


> 
>> 
>> Paul
> 
> Thanks,
> Yoshihiro Ohba
> 
>> 
>>> -----Original Message-----
>>> From: Jim Burns [mailto:jeb@mtghouse.com]
>>> Sent: Thursday, July 17, 2003 4:09 AM
>>> To: stds-802-1@ieee.org; stds-802-linksec@ieee.org
>>> Cc: Alper Yegin; Yoshihiro Ohba
>>> Subject: [LinkSec] IETF PANA
>>> 
>>> 
>>> 
>>> Hi Folks,
>>> I sat down with the IETF PANA lead, Alper Yegin as well as
>>> Yoshihiro Ohba and John Vollbrecht to discuss PANA.  There is
>>> some possibility that we can learn from each other and
>>> possibly find some places where our models/layers could
>>> exchange information.  At the very least, we should be able to
>>> share some problem definitions (probably best done by
>>> watching each other's email lists -- see below for details).
>>> 
>>> A very fast and simplistic synopsis of the meeting is:
>>> What are the differences between 802.1X and PANA?
>>> PANA runs over IP and 802.1X runs over ethernet.
>>> PANA will work for the operators who have a link layer that
>>> is not ethernet. This means that PANA passes its keying
>>> material on to IPSEC (while 802.1X passes its on to 802.11i
>>> and perhaps 802.3 in the future). This means that PANA blocks
>>> at layer 3 -- blocking all but PANA packets (while 802.1X
>>> blocks at layer 2 all but eapol packets).
>>> 
>>> For those who are textually challenged and prefer pictures:
>>>                   EAP
>>>   +----------------+---------------------+
>>>   |                                      |
>>> 802.1X                                 PANA
>>>   |                                      |
>>> ethernet                                IP
>>> 
>>> 
>>> The IEEE LinkSec info has been posted to the PANA site.
>>> 
>>> Please see the IETF PANA group information below:
>>>     To get on the IETF PANA email list:
>>>       To Subscribe: pana-request@research.telcordia.com
>>>       In Body: (un)subscribe
>>>       Archive: ftp://ftp.research.telcordia.com/pub/Group.archive/pana/archive
>>>     Let me know if you have any problems.
>>>     The IETF PANA home page is at:
>>>       http://www.ietf.org/html.charters/pana-charter.html
>>>     If you have trouble accessing it please let me know.
>>> 
>>> Sincerely,
>>> Jim B.
>> 
>
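
The layer-2 versus layer-3 blocking contrast from Jim's synopsis, as an added example that is not part of the original thread: two pre-authentication gates applied to the same constructed frames. Assumptions: the function names are hypothetical, only IPv4 is handled, and UDP port 716 is the PANA port assigned later in RFC 5191, which the thread does not give.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_EAPOL = 0x888E  # EAPOL, the only traffic an unauthenticated 802.1X port passes
IPPROTO_UDP = 17
PANA_UDP_PORT = 716       # assumption: port assigned later in RFC 5191, not given in the thread

def parse_frame(frame):
    """Return (ethertype, ip_proto, udp_dst_port); a field is None if absent or truncated."""
    if len(frame) < 14:
        return None, None, None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    if ethertype != ETHERTYPE_IPV4 or len(ip) < 20 or ip[0] >> 4 != 4:
        return ethertype, None, None
    ihl = (ip[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    # Only the first fragment carries the UDP header; later fragments fail closed.
    if ip[9] != IPPROTO_UDP or frag_offset != 0 or ihl < 20 or len(ip) < ihl + 8:
        return ethertype, ip[9], None
    return ethertype, ip[9], struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]

def l2_gate_8021x(frame):
    """Layer-2 gate: pass EAPOL frames only, whatever they carry."""
    return parse_frame(frame)[0] == ETHERTYPE_EAPOL

def l3_gate_pana(frame):
    """Layer-3 gate for client-to-PAA traffic: pass IPv4/UDP to the PANA port only."""
    return parse_frame(frame) == (ETHERTYPE_IPV4, IPPROTO_UDP, PANA_UDP_PORT)

# Constructed sample frames (locally administered MACs, documentation IP range).
def eth(ethertype, payload):
    macs = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01"
    return macs + struct.pack("!H", ethertype) + payload

def ipv4_udp(dport, frag_offset=0):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, frag_offset, 64, IPPROTO_UDP, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return ip + struct.pack("!HHHH", 49152, dport, 8, 0)

SAMPLES = {
    "eapol_start": eth(ETHERTYPE_EAPOL, b"\x01\x01\x00\x00"),
    "pana": eth(ETHERTYPE_IPV4, ipv4_udp(PANA_UDP_PORT)),
    "dns": eth(ETHERTYPE_IPV4, ipv4_udp(53)),
    "pana_fragment": eth(ETHERTYPE_IPV4, ipv4_udp(PANA_UDP_PORT, frag_offset=1)),
}

def verdicts():
    """Map sample name -> (passes 802.1X-style gate, passes PANA-style gate)."""
    return {name: (l2_gate_8021x(f), l3_gate_pana(f)) for name, f in SAMPLES.items()}
```

The layer-3 gate has to parse into the IP and UDP headers before it can decide, so truncated packets and non-first fragments are dropped rather than guessed at; the layer-2 gate decides on the EtherType alone.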