Re: Last Call: draft-ietf-pana-framework-06

2006-03-21 08:26:02
Russ,

First of all, thank you very much for your input.

[1] I checked the latest 802.11ma draft and I confirm that the
description in pana-framework draft stating that Class 1 data frames
can be received in any state is not applicable any more.  So the
description on Class 1 data frame should be removed from the
pana-framework draft.

[2] It is still not clear whether running PANA over the IEEE 802.1X
Uncontrolled Port is prohibited in the IEEE 802.11i specification, even in
the latest 802.11ma draft.

In the PANA WG session today, Bob O'Hara indicated the following text
in 802.11i, clause 6.1.4:

  "The IEEE 802.1X Controlled/Uncontrolled Ports discard the MSDU if
  the Controlled Port is not enabled or if the MSDU does not represent
  an IEEE 802.1X frame."

On the other hand, 802.11i clause 5.4.2.2 describes as follows (I
checked the latest 802.11ma draft and the description remains the
same):

  "However, a given protocol may need to bypass the authorization
  function and make use of the IEEE 802.1X Uncontrolled Port."

According to the text, it is still possible to *interpret* this text
such that a given protocol like PANA is allowed to be exchanged over the
802.1X Uncontrolled Port.

[Note that several days after the email discussion over the EAP
mailing list quoted below, I had a short conversation on this issue
with Jesse Walker during the IEEE 802 interim meeting in January in order
to follow up the email discussion and understand the input from Jesse
more.  As far as I understand, he seemed to agree on this possible
interpretation while he mentioned that there is no existing 802.11i
implementation that uses the 802.1X Uncontrolled Port for non-802.1X frame
exchange, but I may still be misunderstanding something.  Also, for
the sake of completeness of the email discussion over the EAP mailing
list, the following email that I sent in response to msg03872 should
be quoted as well:
http://lists.frascone.com/pipermail/eap/msg03879.html.]

The pana-framework draft is written based on the possible
interpretation, not based on existing 802.11i implementation.  As far
as the pana-framework draft is consistent with 802.11i specification
in terms of clause 5.4.2.2, whether an 802.11i implementation runs
PANA over Uncontrolled Port to bootstrap PSK mode seems to be an
implementation or deployment issue.

If the intent of 802.11i specification is to prohibit any data frame
other than 802.1X frame exchanged over Uncontrolled Port without any
exception, I'd suggest removing the above text in clause 5.4.2.2 from
802.11i specification.

Best regards,
Yoshihiro Ohba


On Mon, Mar 20, 2006 at 08:17:22PM -0500, Russ Housley wrote:
Yesterday I had a discussion with Bernard Aboba about PANA.  I think 
that Bernard was talking to me because of my involvement in IEEE 
802.11i.  It appears to me the PANA WG has a major problem.

The PANA WG seems to have a fundamental misunderstanding about
802.11i.  I believe that the people involved in the PANA WG have been
told about their misunderstanding by the editor of 802.11i (Jesse
Walker from Intel), and it seems that this input was ignored.
As a result, the PANA specification will not work at all
in wireless LANs that deploy 802.11i.

The PANA framework document states in Section 10.2.2:

   This model does not require any change in the current WPA and IEEE
   802.11i specifications.

The PANA framework document also states in Section 10.2.2:

   The IEEE 802.11 specification [802.11] allows Class 1 data frames to
   be received in any state.  Also, IEEE 802.11i [802.11i] optionally
   allows higher-layer data traffic to be received and processed on the
   IEEE 802.1X Uncontrolled Ports.  This feature allows processing IP-
   based traffic (such as ARP, IPv6 neighbor discovery, DHCP, and PANA)
   on IEEE 802.1X Uncontrolled Port prior to client authentication.

This is wrong on two points.  First, 802.11 ESS mode does not allow 
data frames to be sent except in State 3.  I did not review the most 
recent 802.11ma text, but I understand that this was recently 
clarified in that document.  Also, 802.11i does not allow non-802.1X 
traffic to be received or sent until completion of 802.1X 
authentication and the 802.11i 4-way handshake.

This problem was discussed on the EAP WG in the following exchange 
with Jesse Walker back in January:

   http://lists.frascone.com/pipermail/eap/msg03867.html
   http://lists.frascone.com/pipermail/eap/msg03868.html
   http://lists.frascone.com/pipermail/eap/msg03869.html
   http://lists.frascone.com/pipermail/eap/msg03872.html

Given this situation, an Access Point that implements 802.11i will
silently discard all PANA traffic, and as a result, the PANA usage
scenarios with 802.11i (either TKIP or CCMP, which are called WPA and WPA2
by the WiFi Alliance) cannot work as described.

Russ


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
