Hello,

My review comments on the I-D: draft-ietf-pana-preauth-05.txt

- s/to which the PANA client may move./to which the PANA client may
  move to. 

- "Serving Network:  The access network through which the host gains
   access to the Internet/intranet."

   Would it be better to say that the serving network is the network
   via which the host is currently attached? So from a PANA
   perspective the serving network is the one in which the PaC has
   been authenticated and has an active SA.


- In sec 3:
"   There may be several mechanisms for a PaC and a CPAA to discover each
   other.  However, such mechanisms are out of the scope of this
   document."

   If the discovery of the CPAA is not specified here, would it be
   specified in another document? Or is the assumption that the CPAA
   could be discovered via DNS, DHCP etc.? Without a reference to the
   possible mechanisms, the solution has some gaps.

- "  Pre-authentication may be initiated by both a PaC and a CPAA. "

  How can the CPAA initiate pre-auth? How would the CPAA even be aware
  of a PaC that is in a handover state? CPAA initiating pre-auth does
  not appear to be a feasible option.

-  "   The PANA session between the PaC and a CPAA is deleted by entering
   the termination phase of the PANA protocol."

   When does the PaC decide to terminate a PANA session with a CPAA?
   The CPAA either transitions to the SPAA or not. Since the PaC can
   initiate the pre-auth session with several CPAAs, is it the intent
   that the PaC would terminate the sessions with other CPAAs as
   needed?

- Figure 2 shows the PAA initiated pre-auth signaling. What are the
  potential triggers at the CPAA? It would be useful to mention any
  assumptions that are made in CPAA initiated pre-auth. Or drop the
  CPAA initiated pre-auth from the I-D.

- "   When pre-authentication is initiated by CPAA, it is possible that
   multiple CPAAs simultaneously initiate pre-authentication for the
   same PaC.  In order to avoid possible resource consumption attacks on
   the PaC caused by an attacker initiating pre-authentication for the
   PaC by changing source addresses, the PaC SHOULD limit the maximum
   number of CPAAs allowed to communicate."

   I think it is better to have pre-auth always initiated by the
   PaC. In what specific scenario would you need to have the PAA
   initiate pre-auth? Is there a downside to having pre-auth always
   initiated by the PaC only?

- Is the assumption that the CPAA is within the same administrative
  domain as the serving network? I think it would be useful to mention
  the scenario where the serving and target networks have no security
  relationship. In such a case does the pre-auth still work?


-Raj

_______________________________________________
Pana mailing list
Pana@ietf.org
https://www.ietf.org/mailman/listinfo/pana
