Hi Basavaraj,

Thank you for the review.  Please see my comments below.

basavaraj.pa...@nokia.com wrote:
Hello,

My review comments on the I-D: draft-ietf-pana-preauth-05.txt

- s/to which the PANA client may move./to which the PANA client may
move to.

OK.
- "Serving Network:  The access network through which the host gains
   access to the Internet/intranet."

   Would it be better to say that the serving network is the network
   via which the host is currently attached? So from a PANA
   perspective the serving network is the one in which the PaC has
   been authenticated and has an active SA.

How about this?

"Serving Network: The access network to which the host is currently
attached."


- In sec 3:
"   There may be several mechanisms for a PaC and a CPAA to discover each
   other.  However, such mechanisms are out of the scope of this
   document."

   If the discovery of the CPAA is not specified here, would it be
   specified in another document? Or is the assumption that the CPAA
   could be discovered via DNS, DHCP etc.? Without a reference to the
   possible mechanisms, the solution has some gaps.

We can refer to IEEE 802.21 Information Service as an example method for
the host to discover various network elements in neighboring networks.

- "  Pre-authentication may be initiated by both a PaC and a CPAA. "

  How can the CPAA initiate pre-auth? How would the CPAA even be aware
  of a PaC that is in a handover state? CPAA initiating pre-auth does
  not appear to be a feasible option.

A handover command (such as 802.21 handover command) can be used for the
CPAA to discover PaC in a handover state.

-  "   The PANA session between the PaC and a CPAA is deleted by entering
   the termination phase of the PANA protocol."

   When does the PaC decide to terminate a PANA session with a CPAA?
   The CPAA either transitions to the SPAA or not. Since the PaC can
   initiate the pre-auth session with several CPAAs, is it the intent
   that the PaC would terminate the sessions with other CPAAs as
   needed?

For example, when the PaC moves to another PAA, the CPAA may no longer be
a candidate nor the SPAA. In this case, the PaC may want to terminate the
PANA session with the CPAA.

- Figure 2 shows the PAA initiated pre-auth signaling. What are the
  potential triggers at the CPAA? Would be useful to mention any
  assumptions that are made in CPAA initiated pre-auth. Or drop the
  CPAA initiated pre-auth from the I-D.

This is related to your 4th comment. A handover command can be used as a
trigger at the CPAA.

- "   When pre-authentication is initiated by CPAA, it is possible that
   multiple CPAAs simultaneously initiate pre-authentication for the
   same PaC.  In order to avoid possible resource consumption attacks on
   the PaC caused by an attacker initiating pre-authentication for the
   PaC by changing source addresses, the PaC SHOULD limit the maximum
   number of CPAAs allowed to communicate."

   I think it is better to have pre-auth always initiated by the
   PaC. In what specific scenario would you need to have the PAA
   initiate pre-auth? Is there a downside to having preauth always
   initiated by the PaC only?
I could not think of a downside of not having PAA-initiated preauth
for the following reasons:

- PAA-initiated preauth is for network-controlled handover that would
require a handover command as a trigger at the CPAA.

- MN (PaC) is also involved in such a handover command, which means the
command can also trigger PaC-initiated preauth.

So I do not mind dropping PAA-initiated preauth and removing the above
security claim.

- Is the assumption that the CPAA is within the same administrative
  domain as the serving network? I think it would be useful to mention
  the scenario where the serving and target networks have no security
  relationship. In such a case does the pre-auth still work?

The serving and target networks may not be in the same administrative
domain and there may not be a security relationship between them, and
PANA preauth will work for those cases as long as there is a way for the
PaC and CPAA to discover each other. We can mention it in the Introduction
section.

Regards,
Yoshihiro Ohba
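As an added illustration of the PaC-side behaviour discussed in this thread (it is not code from the draft or its authors), the following toy session table bounds the number of concurrent CPAA pre-authentication sessions, as the "PaC SHOULD limit the maximum number of CPAAs" text requires, and tears down sessions with CPAAs that are no longer candidates once the PaC moves. Class and method names and the cap value are assumptions.

```python
"""Toy model of a PaC's pre-authentication session table (added example).

It demonstrates two points from the review thread:
  * a cap on concurrent CPAA sessions, so that unsolicited or spoofed
    initiations cannot exhaust PaC state (resource-consumption concern);
  * entering the termination phase for CPAAs that stop being candidates
    when the PaC hands over to one of them.
"""
from dataclasses import dataclass, field
from typing import List, Set

MAX_CPAA_SESSIONS = 3  # assumed local policy value, not taken from the draft


@dataclass
class PreauthSessions:
    spaa: str                                   # address of the serving PAA
    max_cpaas: int = MAX_CPAA_SESSIONS
    cpaas: Set[str] = field(default_factory=set)     # active pre-auth sessions
    rejected: List[str] = field(default_factory=list)  # refused initiations

    def initiate(self, cpaa: str) -> bool:
        """PaC-initiated pre-auth toward a candidate CPAA.

        Returns True if a session exists afterwards. A request is refused
        (and recorded) once the cap is reached, and the SPAA is never a CPAA.
        """
        if cpaa == self.spaa:
            return False
        if cpaa in self.cpaas:
            return True                         # already set up, idempotent
        if len(self.cpaas) >= self.max_cpaas:
            self.rejected.append(cpaa)
            return False
        self.cpaas.add(cpaa)
        return True

    def terminate(self, cpaa: str) -> bool:
        """Enter the PANA termination phase for one CPAA session."""
        if cpaa not in self.cpaas:
            return False
        self.cpaas.remove(cpaa)
        return True

    def handover(self, target: str) -> List[str]:
        """PaC moves to `target`: its pre-authenticated session becomes the
        serving one; every other CPAA session is terminated because those
        CPAAs are no longer candidates. Returns the terminated CPAAs."""
        if target not in self.cpaas:
            raise ValueError(f"no pre-authenticated session with {target}")
        self.cpaas.remove(target)
        torn_down = sorted(self.cpaas)
        self.cpaas.clear()
        self.spaa = target
        return torn_down
```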


-Raj

_______________________________________________
Pana mailing list
Pana@ietf.org
https://www.ietf.org/mailman/listinfo/pana