|
Re: The Emperor Has No Clothes: Is PANA actually useful?,
2006-06-02 08:11:44
I happened to hit this thread and read the PANA framework document. I
eventually had a similar impression below. The framework document may be
a bit meticulous, but the protocol itself doesn’t look so complicated.
L2 level of authentication will usually provide optimal performance on
each individual MAC; however, there is a growing demand to support
multiple wireless technologies on one terminal and if we consider
heterogeneous handover on these wireless technologies, we can see a real
benefit of a link-layer agnostic authentication approach, by which the
terminal doesn’t have to support each authentication method for each
MAC. I’m aware that there are several candidates to meet this
requirement besides PANA, but PANA seems to be ahead of others regarding
the maturity of specifications. This does not mean PANA is the best
choice and I see PANA has not been really deployed yet, but from a
user’s perspective, I would like to see it go and let the market choose
the best suited out of these candidates.
Best regards,
-- Hidetoshi
Subir Das wrote:
I have read both PANA protocol and PANA framework drafts. I understand
the concept and it seems to me an useful protocol. In particular, EAP
over IP is necessary, IMO, and my understanding is that PANA base
protocol is all about EAP over IP. The framework document should be an
informational one and those scenarios that are described in PANA
framework document should be treated as examples only. In fact, we don't
see similar documents in many other WGs and therefore it should not be a
requirement for PANA protocol. I also believe that many folks in IETF
like to see a protocol that support EAP over IP. Since PANA has been
chartered to address this problem, folks should work within the PANA WG
and resolve the issues, if there is any.
AFAIK, several network security experts have reviewed the PANA documents
but I have not seen any major security issue with the PANA protocol
discussed either in the mailing list or at the WG level. We had some
discussions with the operators and many of them think that a protocol
like PANA should have been available yesterday. We know few proprietary
solutions that can be replaced by an IETF work like PANA.
regards, -Subir
-------------------------------------------------------------------
Sam Hartman said:
Hi. Speaking as an individual, I'd like to make an explicit call for
members of the IETF community not involved in the PANA working group
to review draft-ietf-pana-framework. Please speak up if you have done
such a review or attempted such a review and been unsuccessful. Let
us know what you think PANA is intended to be useful for and whether
you think it is actually useful.
My strong hunch is that we've chartered work for some reason, and now
that the working group is nearing the end of its charter, we still
don't understand why we want this thing we've built and whether it's a
good idea. People aren't screaming not so much because they are happy
with results but because no one actually understands PANA.
I understand that there's a strong presumption that once chartered,
work is useful. I'd like to challenge this presumption enough to get
people to actually read the document. If people not involved in the
effort sit down, read the document and understand what it's all about,
my concern is satisfied. But if enough people try to read the
document, try to understand and fail, we're not done yet. We
certainly cannot have consensus to publish something we've tried and
failed to understand.
It's not just me. I've been trying to find people outside of PANA who
claim to understand the effort and what it's good for and why
link-layer solutions are not better. When the first discussion of
PANA hit the IESG, I asked other IESG members why PANA was a good idea
and what problem it solved. "Don't go there," was the advice I got
from the responsible AD.
At that time (a year and a half ago) there was no one on the IESG who
claimed to understand PANA or to think it was a good idea.
I'm fairly sure that with the possible exception of Jari (who is a
technical advisor to PANA), that's still true.
The security community has been trying to understand PANA. I've sent
multiple security reviewers at the PANA document.s They always come
back fundamentally confused about what PANA is trying to do or about
whether it is a good idea. They end up focusing on some detail or
another and asking for some minor part of the system to be fixed. But
I don't get the impression from the reviews they understand the
overall picture; explicit discussion of this also indicates that they
are not confident in their understanding nor do they know whether it
is a good idea.
We keep running back over the same ground, still confused and still
trying to muddle through to no real effect.
I've tried to understand it myself. I tried to understand in the BOF.
It was very clear to me leaving the original PANA BOF that something
was very confused. Every year or so since I've tried to go back and
figure out what I missed. Eventually though I've started wondering
whether the problem wasn't me, but was an actual lack of clarity.
So, folks can you please help us all out. Especially if the internet
area is not your primary focus, especially if you've never heard of
PANA before, take a look at the framework document and all their other
documents. Do you get it? Is it a good idea?
Thanks for your time.
P.S. Again, this is me speaking as an individual. At this late
stage, it would be entirely inappropriate for me to take actions as an
AD claiming that we didn't understand a problem without a strong
community consensus.
_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
|
|