Jari,
> Sam,
>
> I think your note is in fact asking a number of questions:
>
> 1. Is the concept of EAP-authentication over IP for network
> access useful, as opposed to link layer mechanisms?
> 2. Is the PANA realization of this idea good, and
> are the documents satisfactory?
> 3. Is there a specific real-world case where PANA is being
> applied or will be applied?
> 4. What other alternatives exist for the same function
> and how do they compare to PANA?
>
> Re 1: I do believe an IP layer solution in this space is
> potentially useful. Not as something that replaces existing
> link layer solutions and takes over the market, but there are
> situations where it would be useful, for instance over link
> layers that have no such support, as a solution for networks
> where you just want to add a node in the middle of the access
> network without updating all access points (kind of like a
> replacement for weblogin but without the need for user
> intervention), etc.
I am trying to figure out the use case for an IP layer solution in this
space as an access authentication protocol, and I am not convinced that
we need something like PANA. If you are, in fact, adding a node in the
middle of the access network that is going to perform access control, is
it just performing authentication, or also attempting to derive keys and
secure the data traffic? With a solution like PANA, a link layer secure
association protocol or IPsec needs to be run to secure data traffic. If
the former, the authenticator (or at least the EP) needs to be located
at the edge. This needs support at the link layer anyway, and all such
link layers already support EAP.

If the latter, the most natural solution to use is IKEv2 with EAP, since
even with PANA you still need to run IKE/IKEv2 and IPsec, so I don't
see what benefit PANA provides here.

Perhaps I am missing something here?
Regards,
Vidya
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf