Hi Margaret,

EAP and PANA protocols are designed to operate over insecure links.
They don't expect any encryption, integrity/replay protection, data origin
authentication from the layers below.
As far as the EAP and PANA are concerned, PRE is no different than a bridge
or a router relaying the EAP/PANA payloads between the PaC and the PAA.
In fact, PRE's only role is to transport the PANA packets.
Therefore, there does not need to be a security association between the PRE
and the PAA in order to carry out the EAP/PANA authentication.

Alper

> -----Original Message-----
> From: Margaret Wasserman [mailto:margaret...@gmail.com]
> Sent: Friday, November 19, 2010 10:28 PM
> To: padu...@cisco.com; Samita Chakrabarti; robert.cra...@gridmerge.com;
> yoshihiro.o...@toshiba.co.jp; Alper Yegin
> Cc: Ralph Droms; pana@ietf.org
> Subject: Security Comment: draft-ohba-pana-relay-02.txt
> 
> Hi All,
> 
> As part of asking the Security Directorate to review
> draft-ohba-pana-relay-02.txt, I reviewed the Security Considerations
> section and tried to determine how/if this relay changes the security
> model for PANA.
> 
> As I understand it, the original PANA protocol relied on return
> routability...  We didn't worry about address spoofing, because the
> credentials were returned to the address they were meant for, meaning
> that only an on-link (or on path? -- but we didn't allow a path
> originally) attacker could spoof a client address and see the
> response.  With the introduction of relay code on the PAA, any node can
> pretend to be a PRE and get credentials for any other node.
> 
> This isn't mentioned in the Security considerations section, but it is
> potentially significant.  So, there might be a need for the PAA to
> authorize the PRE before responding to messages from it.  If there is
> some reason why you don't believe the PAA needs to authorize the PRE,
> you would (at the very least) need to explain that in the Security
> Considerations section.
> 
> Thanks,
> Margaret
> 


_______________________________________________
Pana mailing list
Pana@ietf.org
https://www.ietf.org/mailman/listinfo/pana