ietf
[Top] [All Lists]

Re: The Emperor Has No Clothes: Is PANA actually useful?

2006-05-26 14:30:22
Hi Vidya,

Re 1: I do believe an IP layer solution in this space is 
potentially useful. Not as something that replaces existing 
link layer solutions and takes over the market, but there are 
situations where it would be useful, for instance over link 
layers that have no such support, as a solution for networks 
where you just want to add a node in the middle of the access 
network without updating all access points (kind of like a 
replacement for weblogin but without the need for user 
intervention), etc.

   


I am trying to figure out the use case for an IP layer solution in this
space as an access authentication protocol and I am not convinced that
we need something like PANA. If you are in fact, adding a node in the
middle of the access network that is going to perform access control, is
it just performing authentication or also attempting to derive keys and
secure the data traffic? With a solution like PANA, a link layer secure
association protocol or IPsec needs to be run to secure data traffic. If
the former, the authenticator (or at least the EP) needs to be located
at the edge. This needs support at the link layer anyway, and all such
link layers already support EAP. 

If the latter, the most natural solution to use is IKEv2 with EAP, since
even with PANA, you still need to run IKE/IKEv2 and IPsec - so, I don't
see what benefit PANA provides here. 
 

My comment above relates to the overall interest in an IP layer solution
without considering what protocol is used.

I also wrote in my e-mail something about the different alternative
solutions. It is true that IKEv2 with EAP is potentially a good
fit for this task. IKEv2 is my favorite EAP encapsulation
protocol :-) However, its not clear that it currently has all
the parts (though I could have missed some extension somewhere).
For instance, some mechanism appears to be needed to discover
that you are in a network that requires this type of operation,
and to find the address of the control device that you need
to talk to. I haven't done the research on how easy it would
be to add this (probably quite easy) or if there are other
things that we would need. Thoughts?

Anyway, I agree with Dave Crocker that the bar should be
higher for using "there's another solution" argument in last
call discussion of chartered work than in, say, a BOF
discussion. Perhaps we should focus more on whether
the function itself is something that we agree on, and
what we can do to fix/scope/help PANA.

--Jari


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf

<Prev in Thread] Current Thread [Next in Thread>