PANA Framework
<draft-ohba-pana-framework-00.txt>
Prakash Jayaraman, Rafa Marin Lopez, Yoshihiro Ohba, Mohan Parthasarathy, Alper Yegin
IETF 59
Framework
• Functional model
• Signaling flow
• Deployment environments
• IP address configuration
• Data traffic protection
• Provisioning
• Network selection
• Authentication method choice
• DSL deployment
• WLAN deployment
Functional Model
                                         RADIUS/ Diameter/
+-----+        PANA         +-----+        LDAP/ API        +-----+
| PaC |<------------------->| PAA |<---------------------->| AS  |
+-----+                     +-----+                        +-----+
   ^                           ^
   |                           |
   |           +-----+         |
   +---------->| EP  |<--------+
     IKE/      +-----+   SNMP/ API
4-way handshake
Signaling Flow
PaC                  EP                  PAA                 AS
 |                  PANA                  |        AAA        |
 |<-------------------------------------->|<----------------->|
 |                    |                   |                   |
 |                    |       SNMP        |                   |
 |                    |<----------------->|                   |
 |     Sec.Assoc.     |                   |                   |
 |<------------------>|                   |                   |
 |                    |                   |                   |
 |    Data traffic    |                   |                   |
 |<---------------------------->          |                   |
Deployment Environments
(a) Networks where a secure channel is already available prior to running PANA
   – (a.1) Physical security. E.g.: DSL
   – (a.2) Cryptographic security. E.g.: cdma2000
(b) Networks where a secure channel is created after running PANA
   – (b.1) Link-layer per-packet security. E.g.: Using WPA-PSK.
   – (b.2) Network-layer per-packet security. E.g.: Using IPsec.
IP Address Configuration
• Pre-PANA address: PRPA
   – Configured before PANA
• Post-PANA address: POPA
   – Configured after PANA when:
      • IPsec is used, or
      • PRPA is link-local or temporary
   – PAA informs PaC if POPA needed
PRPA Configuration
• Possible ways:
   – Static
   – DHCPv4 (global, or private address)
   – IPv4 link-local
   – DHCPv6
   – IPv6 address autoconfiguration (global, or link-local)
POPA Configuration (no IPsec)
• DHCPv4/v6
• IPv4:
   – POPA replaces PRPA (prevent address selection problem)
   – Host route between PaC and PAA (preserve on-link communication)
• IPv6:
   – use both PRPA and POPA at the same time
POPA Configuration (IPsec)
• Possible ways:
   – IKEv2 configuration
   – DHCP configuration of IPsec tunnel mode (RFC 3456)
• PRPA used as tunnel outer address, POPA as tunnel inner address
Combinations
                                  PRPA                            POPA
L1-L2 per-packet security         Static                          none
(no IPsec)                        IPv4 (DHCP)                     none
                                  IPv6 global (DHCP, stateless)   none
                                  IPv4 link-local                 IPv4 (DHCP)
                                  IPv4 temporary (DHCP)           IPv4 (DHCP)
                                  IPv6 link-local                 IPv6 global (DHCP, stateless)

L3 per-packet security (IPsec)    Static                          IKEv2 or RFC 3456
                                  IPv6 global (DHCP, stateless)   IKEv2 or RFC 3456
                                  IPv4 (DHCP)                     IKEv2 or RFC 3456
                                  IPv6 link-local                 IKEv2 or RFC 3456
                                  IPv4 link-local                 IKEv2 or RFC 3456
                                  (PRPA = TOA)                    (POPA = TIA)
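As an added worked example (not part of the slides or of the draft they present), the following Python encodes the PRPA/POPA rules of the preceding slides so they can be checked against concrete addresses: a POPA is needed when IPsec is used or when the PRPA is link-local or temporary; under IPsec the PRPA becomes the tunnel outer address and the POPA the inner one; without IPsec an IPv4 POPA replaces the PRPA and a host route to the PAA is kept, while IPv6 keeps PRPA and POPA side by side. The `AddressPlan` type, the function names and the sample addresses are my own constructions, not names from the draft.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AddressPlan:
    """Outcome of the PRPA/POPA decision for one PaC (hypothetical type, not from the draft)."""
    prpa: str
    popa_needed: bool
    popa_method: str                    # how the POPA is obtained; "none" if no POPA
    replace_prpa: bool                  # IPv4 without IPsec: POPA replaces the PRPA
    host_route_to_paa: bool             # IPv4 without IPsec: keep the PAA reachable on-link
    tunnel_outer: Optional[str] = None  # TOA, IPsec deployments only
    tunnel_inner: Optional[str] = None  # TIA, IPsec deployments only


def plan_addresses(prpa: str, ipsec: bool, prpa_temporary: bool = False) -> AddressPlan:
    """Apply the slide rules: a POPA is needed when IPsec is used, or when the PRPA is
    link-local or temporary; otherwise the PRPA stays the final address."""
    addr = ipaddress.ip_address(prpa)  # raises ValueError on malformed input

    if ipsec:
        # L3 per-packet security: PRPA is the tunnel outer address, POPA the inner one,
        # assigned by an IKEv2 configuration payload or by DHCP inside the tunnel (RFC 3456).
        return AddressPlan(
            prpa=prpa, popa_needed=True,
            popa_method="IKEv2 configuration or RFC 3456 (DHCP in IPsec tunnel mode)",
            replace_prpa=False, host_route_to_paa=False,
            tunnel_outer=prpa, tunnel_inner="<POPA assigned via IKEv2/RFC 3456>",
        )

    if not (addr.is_link_local or prpa_temporary):
        # Static, DHCP-assigned or globally autoconfigured PRPA: no POPA at all.
        return AddressPlan(prpa, False, "none", False, False)

    if addr.version == 4:
        # The POPA replaces the PRPA (avoids the address-selection problem); a host route
        # to the PAA preserves the on-link communication that relied on the PRPA.
        return AddressPlan(prpa, True, "DHCPv4", True, True)

    # IPv6: keep the link-local PRPA and the global POPA at the same time.
    return AddressPlan(prpa, True, "DHCPv6 or stateless autoconfiguration", False, False)


def combinations_table(ipsec: bool) -> dict:
    """Regenerate the 'Combinations' rows for one protection type from the rules above,
    using constructed sample PRPAs of each kind."""
    samples = {
        "IPv4 link-local": "169.254.7.9",
        "IPv4 (DHCP)": "192.0.2.10",
        "IPv6 link-local": "fe80::1",
        "IPv6 global (stateless)": "2001:db8::1",
    }
    return {kind: plan_addresses(a, ipsec).popa_method for kind, a in samples.items()}
```

`combinations_table(False)` reproduces the "no IPsec" half of the table (link-local kinds get a POPA, the others get none) and `combinations_table(True)` the IPsec half, where every PRPA kind needs a POPA as TIA.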
Additional Approaches: (1) Using a PRPA as TIA
• IPv6:
   – Configure a link-local and a global address before PANA (DHCPv6 or stateless)
   – TIA = global, TOA = link-local
• Requires SPD selection based on the name (session-ID), not the IP address
• Explicit support in RFC2401bis
   – Name is set, address selectors are NULL
• RFC2401? Not clear.
   – Racoon's generate_policy directive
      • Authenticate peer by PSK, accept proposed TIA (skip SPD check), then create SPD
• Should we include this?
Additional Approaches: (2) Using a PRPA as TIA
• IPv4:
   – Configure a global address before PANA (static, or DHCPv4)
   – TIA = TOA = PRPA
• RFC2401: Same considerations.
• Forwarding considerations:
   – Requires special handling on EP, or else the packet loops:
      • tunnel to PRPA (tunnel to PRPA (tunnel to PRPA (to PRPA))) ...
   – FreeSwan handles this. Others?
• Should we include this?
Data Traffic Protection
• Already available in type (a) environments
• Enabled by PANA in type (b) environments
   – EAP generated keys
   – Secure association protocol
      • draft-ietf-pana-ipsec-02
PAA-EP Provisioning Protocol
• EP is the closest IP-capable access device to PaCs
• Co-located with PAA or separate
   – draft-yacine-pana-snmp-01
   – Carries IP or L2 address, optionally cryptographic keys
• One or more EPs per PAA
• EP may detect presence of PaC and trigger PANA by notifying PAA
Network (ISP) Discovery and Selection
• Traditional selection:
   – NAI-based
   – Port number or L2 address based
• PANA-based discovery and selection:
   – PAA advertises ISPs
   – PaC explicitly picks one
Authentication Method Choice
• Depends on the environment
DSL
Host--+                                         +-------- ISP1
      |     DSL link                            |
      +----- CPE ---------------- NAS ----------+-------- ISP2
      |  (Bridge/NAPT/Router)                   |
Host--+                                         +-------- ISP3

<------- customer --> <------- NAP -----> <---- ISP --->
        premise

• PANA needed when static IP or DHCP-based configuration is used (instead of PPP*)
DSL Deployments

Bridging mode:

Host--+
(PaC) |
      +----- CPE ---------------- NAS ------------- ISP
      |    (Bridge)             (PAA,EP,AR)
Host--+
(PaC)

Address Translation (NAPT) Mode:

Host--+
      |
      +----- CPE ---------------- NAS ------------- ISP
      |   (NAPT, PaC)           (PAA,EP,AR)
Host--+
DSL Deployment
Router mode:
Host--+
      |
      +----- CPE ---------------- NAS ------------- ISP
      |   (Router,PaC)          (PAA,EP,AR)
Host--+
Dynamic ISP Selection
• As part of DHCP protocol or an attribute of DSL access line
   – DHCP client id
   – Run DHCP, and PANA
   – PRPA is the ultimate IP address (no POPA)
• As part of PANA authentication
   – Temporary PRPA via zeroconf or DHCP with NAP
   – Run PANA for AAA
   – POPA via DHCP, replace PRPA
WLAN
• Network-layer per-packet security (IPsec):
   – EP and PAA on access router
• Link-layer per-packet security (WPA-PSK):
   – EP is on access point, PAA is on access router
IPsec, IKEv2

 PaC          AP      DHCPv4 Server        PAA               EP(AR)
  | Link-layer |            |                |                  |
  | association|            |                |                  |
  |<---------->|            |                |                  |
  |            |            |                |                  |
  |          DHCPv4         |                |                  |
  |<-----------+----------->|                |                  |
  |            |            |                |                  |
  |PANA (Discovery and initial handshake phase                  |
  |   & PAR-PAN exchange in authentication phase)               |
  |<-----------+--------------------------->|                  |
  |            |            |                |                  |
  |            |            |                | Authorization    |
  |            |            |                | [IKE-PSK,        |
  |            |            |                |  PaC-DI,         |
  |            |            |                |  Session-Id]     |
  |            |            |                |----------------->|
  |            |            |                |                  |
  |PANA (PBR-PBA exchange in authentication phase)              |
  |<-----------+--------------------------->|                  |
  |            |            |                |                  |
  |                        IKE               |                  |
  |  (with Configuration Payload exchange or equivalent)        |
  |<-----------+-------------------------------------------->|

• IPv4:
   – IPsec-TOA = PRPA (DHCP)
   – IPsec-TIA = POPA (IKE)
• Alternative: RFC 3456
• IPv6:
   – IPsec-TOA = PRPA (link-local)
   – IPsec-TIA = POPA (IKE)
Bootstrapping WPA/IEEE 802.11i
• Pre-shared key mode (PSK) enabled
• MAC address is used as DI
• EP is on access point
• Provides:
   – Centralized AAA
   – Protected disconnection
• No changes to WPA or IEEE 802.11i required
Flow…

              +------------------+
              | Physical AP      |
              | +--------------+ |
              | |Virtual AP1   | |  Unauth
              | |(open-access) |---- VLAN\
              | |              | |        \+-------+
+---+         | +--------------+ |         |PAA/AR/|
|PaC| ~~~~    |                  |         |DHCP   |
+---+         | +--------------+ |         |Server |
              | |Virtual AP2   | |        /+-------+
              | |(WPA PSK mode)|---- Auth /    |
              | |              | |  VLAN       |
              | +--------------+ |             |
              +------------------+          Internet

1- Associate with unauthenticated VLAN AP
2- Configure PRPA via DHCP or link-local
3- Perform PANA and generate PMK
4- Associate with authenticated VLAN AP, perform 4-way handshake, generate PTK
5- Obtain new IP address
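Steps 3 and 4 of this flow are the key-handling part, and the following Python, added here as an illustration rather than taken from the slides or from any PANA implementation, shows what the 802.11i side of the bootstrap looks like once PANA has produced keying material: the PMK is taken from the EAP MSK (the 802.11i rule of using its first 256 bits is assumed as the way the PANA-derived key becomes the pre-shared key; the slides do not give the derivation), both sides run the 802.11i PRF to derive the PTK (KCK, KEK, TK) from PMK, MAC addresses and nonces, and the AP verifies the station's EAPOL-Key message 2 MIC (HMAC-SHA1-128, key descriptor version 2). The MAC addresses, nonces and MSK values are constructed; `bootstrap_demo` and the other function names are my own.

```python
import hmac
import hashlib


# --- Step 3: PANA/EAP completes and yields keying material -----------------------------
def pmk_from_msk(msk: bytes) -> bytes:
    """PMK = first 256 bits of the EAP MSK (IEEE 802.11i rule; assumed here as the way
    the PANA-derived key is turned into the WPA-PSK mode PMK)."""
    if len(msk) < 32:
        raise ValueError("MSK must be at least 32 bytes")
    return msk[:32]


# --- Step 4: 4-way handshake key derivation (IEEE 802.11i PRF and PTK layout) ----------
def prf_80211(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """PRF-X from 802.11i: concatenation of HMAC-SHA1(key, label || 0x00 || data || i)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, addr1: bytes, addr2: bytes, nonce1: bytes, nonce2: bytes) -> dict:
    """PTK for CCMP (384 bits). Addresses and nonces are sorted before use, so AP and
    station compute the same key no matter which order they pass them in."""
    data = min(addr1, addr2) + max(addr1, addr2) + min(nonce1, nonce2) + max(nonce1, nonce2)
    ptk = prf_80211(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


# --- EAPOL-Key message 2 and its MIC (key descriptor version 2: HMAC-SHA1-128) ---------
MIC_OFFSET = 4 + 77  # 4-byte EAPOL header + offset of the Key MIC field in the EAPOL-Key body


def build_eapol_key_msg2(snonce: bytes, key_data: bytes = b"", replay_counter: int = 1) -> bytes:
    body = bytearray()
    body += b"\x02"                               # Descriptor Type: RSN (802.11i)
    body += (0x010A).to_bytes(2, "big")           # Key Info: version 2, Pairwise, MIC present
    body += (16).to_bytes(2, "big")               # Key Length (CCMP TK)
    body += replay_counter.to_bytes(8, "big")
    body += snonce                                # Key Nonce (32 bytes)
    body += bytes(16) + bytes(8) + bytes(8)       # Key IV, Key RSC, Key ID
    body += bytes(16)                             # Key MIC, zero until signed
    body += len(key_data).to_bytes(2, "big") + key_data
    return b"\x02\x03" + len(body).to_bytes(2, "big") + bytes(body)


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the whole EAPOL frame with the MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_eapol_key(kck: bytes, frame: bytes) -> bytes:
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def verify_eapol_key(kck: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(eapol_key_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])


def bootstrap_demo(msk_ap: bytes, msk_sta: bytes = None) -> dict:
    """Simulate steps 3-4 for one station. msk_sta defaults to msk_ap (the normal case);
    passing a different value models a station whose PANA run produced different keys."""
    msk_sta = msk_ap if msk_sta is None else msk_sta
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed MACs
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                 # constructed nonces
    ptk_ap = derive_ptk(pmk_from_msk(msk_ap), aa, spa, anonce, snonce)
    ptk_sta = derive_ptk(pmk_from_msk(msk_sta), spa, aa, snonce, anonce)   # reversed order on purpose
    msg2 = sign_eapol_key(ptk_sta["KCK"], build_eapol_key_msg2(snonce))
    return {
        "ptk_match": ptk_ap == ptk_sta,
        "mic_ok": verify_eapol_key(ptk_ap["KCK"], msg2),
        "tk": ptk_ap["TK"],
    }
```

The point for a deployment like the one on the slide is visible in `bootstrap_demo`: a station whose PANA session did not yield the same PMK as the one the PAA provisioned to the AP fails at the message 2 MIC check, which is where the "protected disconnection" of the previous slide is enforced at the link layer.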
Co-located PAA and AP(EP)
• Does not require virtual AP switching
• PANA, DHCP, ARP, ND traffic allowed on the 802.1X uncontrolled port
Capability Discovery
• Types of networks:
   – IEEE 802.1X-secured
      • Look at RSN information element in beacon frames
   – PANA-secured
      • Data driven PANA discovery
      • Client initiated discovery
   – Unauthenticated (free)
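The "look at the RSN information element" check above is the one part of capability discovery a client can do from a beacon alone. The following Python parser, added here as an example and not code from the slides or from any PANA project, walks the tagged IEs of a beacon, decodes the RSN IE (tag 48: version, group cipher, pairwise ciphers, AKM suites, capabilities, with the optional trailing fields handled and suite counts bounded against the element length) and classifies the network into the slide's categories. The beacon byte strings are constructed; `classify_network` and the other names are mine.

```python
import struct
from typing import Dict, Iterator, Tuple

RSN_TAG = 48
IEEE_OUI = b"\x00\x0f\xac"
CIPHER_SUITES = {0: "use-group", 1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104"}
AKM_SUITES = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}


def iter_ies(ies: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the tag/length/value elements that follow the fixed beacon fields."""
    off = 0
    while off + 2 <= len(ies):
        tag, length = ies[off], ies[off + 1]
        body = ies[off + 2: off + 2 + length]
        if len(body) < length:
            raise ValueError("truncated information element")
        yield tag, body
        off += 2 + length


def _suite_name(raw: bytes, table: Dict[int, str]) -> str:
    oui, selector = raw[:3], raw[3]
    if oui != IEEE_OUI:
        return f"vendor-{oui.hex()}:{selector}"
    return table.get(selector, f"ieee-{selector}")


def parse_rsn_ie(body: bytes) -> dict:
    """Decode an RSN IE body. Every field after Version is optional, so stop cleanly when the
    element ends, but refuse a suite count that would run past the element."""
    if len(body) < 2:
        raise ValueError("RSN IE too short")
    (version,) = struct.unpack_from("<H", body, 0)
    result = {"version": version, "group": None, "pairwise": [], "akm": [], "capabilities": None}
    off = 2
    if off + 4 > len(body):
        return result
    result["group"] = _suite_name(body[off:off + 4], CIPHER_SUITES)
    off += 4
    for key, table in (("pairwise", CIPHER_SUITES), ("akm", AKM_SUITES)):
        if off + 2 > len(body):
            return result
        (count,) = struct.unpack_from("<H", body, off)
        off += 2
        if off + 4 * count > len(body):
            raise ValueError(f"{key} suite count {count} exceeds element length")
        result[key] = [_suite_name(body[off + 4 * i: off + 4 * i + 4], table) for i in range(count)]
        off += 4 * count
    if off + 2 <= len(body):
        (result["capabilities"],) = struct.unpack_from("<H", body, off)
    return result


def classify_network(ies: bytes) -> str:
    """Map beacon IEs onto the slide's network types. A network with no RSN IE looks open,
    but may still be PANA-secured: the beacon cannot tell, which is why the slide lists
    data-driven and client-initiated PANA discovery for that case."""
    for tag, body in iter_ies(ies):
        if tag == RSN_TAG:
            akm = parse_rsn_ie(body)["akm"]
            if any(a.startswith("802.1X") for a in akm):
                return "IEEE 802.1X-secured"
            if any(a.startswith("PSK") for a in akm):
                return "PSK-secured"
            return "RSN (other AKM)"
    return "unauthenticated (open); possibly PANA-secured, needs PANA discovery"


# Constructed beacon IE strings: SSID "PANA" followed by an RSN IE (or none).
BEACON_8021X = bytes.fromhex("0004 50414e41 30 14 0100 000fac04 0100 000fac04 0100 000fac01 0c00")
BEACON_PSK = bytes.fromhex("0004 50414e41 30 14 0100 000fac04 0100 000fac04 0100 000fac02 0c00")
BEACON_OPEN = bytes.fromhex("0004 50414e41")
```

Run `classify_network` on each constructed beacon to see the three outcomes; the important defensive detail is the bound on the suite counts, since a beacon is unauthenticated input and a count field that exceeds the element length is exactly the kind of value a sloppy parser would index past.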
The End
Should this I-D become a PANA WG item?
IPsec, DHCP

 PaC          AP      DHCPv4 Server        PAA               EP(AR)
  | Link-layer |            |                |                  |
  | association|            |                |                  |
  |<---------->|            |                |                  |
  |            |            |                |                  |
  |          DHCPv4         |                |                  |
  |<-----------+----------->|                |                  |
  |            |            |                |                  |
  |PANA (Discovery and Initial Handshake phase                  |
  |   & PAR-PAN exchange in Authentication phase)               |
  |<-----------+--------------------------->|                  |
  |            |            |                |                  |
  |            |            |                | Authorization    |
  |            |            |                | [IKE-PSK,        |
  |            |            |                |  PaC-DI,         |
  |            |            |                |  Session-Id]     |
  |            |            |                |----------------->|
  |            |            |                |                  |
  |PANA (PBR-PBA exchange in Authentication phase)              |
  |<-----------+--------------------------->|                  |
  |            |            |                |                  |
  |                        IKE               |                  |
  |<-----------+-------------------------------------------->|

• IPv4:
   – IPsec-TIA = IPsec-TOA = PRPA (DHCP)
• IPv6:
   – IPsec-TOA = PRPA (link-local)
   – IPsec-TIA = POPA (DHCP)
• IPv6 can also use stateless address autoconf.