Hi Glen,

On 6/10/09 2:57 AM, "ext Glen Zorn" <g...@net-zen.net> wrote:

> Jari Arkko [mailto:jari.ar...@piuha.net] writes:
> 
>> Glen,
>> 
>>>> The conclusion (in the WG) was that the security
>>>> mechanism between the PAA and EP is a choice of the deployment and
>>>> hence does not need to be specified.
>>>> 
>>> 
>>> That's rather bizarre; the ADs are OK with this?
>>> 
>>> 
>> 
>> Frankly, I'm not thrilled about it. Generally speaking this sort of
>> thing should be a part of our specifications. However, as I noted in
>> the other e-mail, the overall level of effort and interest on the IPsec
>> document is not very high.
> 
> Well, the IPsec draft talks about securing the entire path from the PaC to
> the EP.  I guess if the consensus is to use link-layer security (802.11?
> How would this work if the PAA & EP aren't co-located?) or a VPN (From the
> PaC to the EP?  How would this work at all?) that may be fine, but unless
> I'm terribly mistaken (always a possibility!) the PAA-EP link is actually
> part of the PANA infrastructure in the access network & it seems very odd
> that we would leave it w/no specified method of protection...
>

The intent of the IPsec SA was to secure the user plane traffic. The I-D
says:
"   The IPsec security association protects the traffic between the PaC
   and EP. In IPsec terms, the EP is a security gateway (therefore a
   router) and forwards packets coming from the PaC to other nodes.
"

It is true that the PAA is part of the PANA infrastructure. And as Julien
mentioned as well, there was discussion about specifying SNMP as the
protocol between PAA and EP which was rejected.  The WG decided to leave the
protocol between PAA/EP and the security for the same unspecified. In case
of the PAA/EP being separate, the deployment can establish an IPsec SA for
securing the signaling between the two (it depends on the deployment model
and in case where the PAA/EP are within the same domain for example it may
not be necessary). PANA does not have to specify it.

The operation of PANA itself is not constrained by not having an IETF
specified method for securing the PAA/EP signaling when they are separate. A
recommendation that the link needs to be secure is sufficient.

-Raj
 
>> You could say that I'm equally unhappy with
>> both of the possible outcomes...
>> 
>> Jari
>> 
> 
> 

_______________________________________________
Pana mailing list
Pana@ietf.org
https://www.ietf.org/mailman/listinfo/pana
