PANA Framework

PANA Framework

<draft-ohba-pana-framework-00.txt>

Prakash Jayaraman, Rafa Marin Lopez, Yoshihiro Ohba, Mohan Parthasarathy, Alper Yegin

IETF 59

IETF 59 2

Framework

• Functional model• Signaling flow• Deployment environments• IP address configuration• Data traffic protection• Provisioning• Network selection• Authentication method choice• DSL deployment• WLAN deployment

IETF 59 3

Functional Model

RADIUS/ Diameter/ +-----+ PANA +-----+ LDAP/ API +-----+ | PaC |<----------------->| PAA |<---------------->| AS | +-----+ +-----+ +-----+ ^ ^ | | | +-----+ | IKE/ +-------->| EP |<--------+ SNMP/ API 4-way handshake +-----+

IETF 59 4

Signaling Flow

PaC EP PAA AS | PANA | | AAA | |<---------------------------->|<------------->| | | | | | | SNMP | | | |<------------>| | | Sec.Assoc. | | | |<------------->| | | | | | | | Data traffic | | | |<-----------------> | | | | | |

IETF 59 5

Deployment Environments

(a) Networks where a secure channel is already available prior to running PANA– (a.1) Physical security. E.g.: DSL– (a.2) Cryptographic security. E.g.: cdma2000

(b) Networks where a secure channel is created after running PANA– (b.1) Link-layer per-packet security. E.g.: Using WPA-

PSK.– (b.2) Network-layer per-packet security. E.g.: Using

IPsec.

IETF 59 6

IP Address Configuration

• Pre-PANA address: PRPA– Configured before PANA

• Post-PANA address: POPA– Configured after PANA when:

• IPsec is used, or

• PRPA is link-local or temporary

– PAA informs PaC if POPA needed

IETF 59 7

PRPA Configuration

• Possible ways:– Static– DHCPv4 (global, or private address)– IPv4 link-local– DHCPv6– IPv6 address autoconfiguration (global, or link-

local)

IETF 59 8

POPA Configuration (no IPsec)

• DHCPv4/v6• IPv4:

– POPA replaces PRPA (prevent address selection problem)

– Host route between PaC and PAA (preserve on-link communication)

• IPv6: – use both PRPA and POPA at the same time

IETF 59 9

POPA Configuration (IPsec)

• Possible ways:– IKEv2 configuration– DHCP configuration of IPsec tunnel mode

(RFC 3456)

• PRPA used as tunnel outer address, POPA as tunnel inner address

IETF 59 10

Combinations

PRPA POPA

L1-L2 per-packet security

(no IPsec)

Static

IPv4 (DHCP)

IPv6 global (DHCP, stateless)

none

IPv4 link-local

IPv4 temporary (DHCP)

IPv4 (DHCP)

IPv6 link-local IPv6 global (DHCP, stateless)

L3 per-packet security (IPsec)

Static

IPv6 global (DHCP, stateless)

IPv4 (DHCP)

IPv6 link-local

IPv4 link-local

IKEv2

RFC3456

TOA TIA

IETF 59 11

Additional Approaches: (1)Using a PRPA as TIA

• IPv6:– Configure a link-local and global before PANA (DHCPv6 or

stateless)– TIA=global, TOA=link-local

• Requires SPD selection based on the name (session-ID), not the IP address

• Explicit support in RFC2401bis– Name is set, address selectors are NULL

• RFC2401? Not clear.– Racoon’s generate_policy directive

• Authenticate peer by PSK, accept proposed TIA (skip SPD check), than create SPD

• Should we include this?

IETF 59 12

Additional Approaches: (2)Using a PRPA as TIA

• IPv4:– Configure a global address before PANA (static, or

DHCPv4)– TIA=TOA=PRPA

• RFC2401: Same considerations.• Forwarding considerations:

– Requires special handling on EP, or else:• tunnel_to PRPA(tunnel to PRPA(tunnel to PRPA(to

PRPA)))... – FreeSwan handles this. Others?

• Should we include this?

IETF 59 13

Data Traffic Protection

• Already available in type (a) environments

• Enabled by PANA in type (b) environments– EAP generated keys– Secure association protocol

• draft-ietf-pana-ipsec-02

IETF 59 14

PAA-EP Provisioning Protocol

• EP is the closest IP-capable access device to PaCs• Co-located with PAA or separate

– draft-yacine-pana-snmp-01

– Carries IP or L2 address, optionally cryptographic keys

• One or more EPs per PAA• EP may detect presence of PaC and trigger PANA

by notifying PAA

IETF 59 15

Network (ISP) Discovery and Selection

• Traditional selection:– NAI-based– Port number or L2 address based

• PANA-based discovery and selection:– PAA advertises ISPs– PaC explicitly picks one

IETF 59 16

Authentication Method Choice

• Depends on the environment

IETF 59 17

DSL

Host--+ +-------- ISP1 | DSL link | +----- CPE ---------------- NAS ----+-------- ISP2 | (Bridge/NAPT/Router) | Host--+ +-------- ISP3

<------- customer --> <------- NAP -----> <---- ISP ---> premise

• PANA needed when static IP or DHCP-based configuration is used (instead of PPP*)

IETF 59 18

DSL DeploymentsBridging mode:

Host--+ (PaC) | +----- CPE ---------------- NAS ------------- ISP | (Bridge) (PAA,EP,AR) Host--+ (PaC)

Address Translation (NAPT) Mode:

Host--+ | +----- CPE ---------------- NAS ------------- ISP | (NAPT, PaC) (PAA,EP,AR Host--+

IETF 59 19

DSL Deployment

Router mode:

Host--+ |

+----- CPE ---------------- NAS ------------- ISP

| (Router,PaC) (PAA,EP,AR)

Host--+

IETF 59 20

Dynamic ISP Selection

• As part of DHCP protocol or an attribute of DSL access line– DHCP client id– Run DHCP, and PANA– PRPA is the ultimate IP address (no POPA)

• As part of PANA authentication– Temporary PRPA via zeroconf or DHCP with NAP– Run PANA for AAA– POPA via DHCP, replace PRPA

IETF 59 21

WLAN

• Network-layer per-packet security (IPsec):– EP and PAA on access router

• Link-layer per-packet security (WPA-PSK):– EP is on access point, PAA is on access router

IETF 59 22

IPsec, IKEv2 PaC AP DHCPv4 Server PAA EP(AR) | Link-layer | | | | | association| | | | |<---------->| | | | | | | | | | DHCPv4 | | | |<-----------+------------>| | | | | | | | |PANA(Discovery and initial handshake phase | | & PAR-PAN exchange in authentication phase) | |<-----------+-------------------------->| | | | | | | | |Authorization| | | |[IKE-PSK, | | | | PaC-DI, | | | | Session-Id] | | | |------------>| | | | | |PANA(PBR-PBA exchange in authentication phase) | |<-----------+-------------------------->| | | | | | | | IKE | | | (with Configuration Payload exchange or equivalent) | |<-----------+---------------------------------------->| | | | | | | | |

• IPv4:– IPsec-TOA=PRPA

(dhcp)

– IPsec-TIA=POPA (IKE)

• Alternative: RFC 3456

• IPv6:– IPsec-TOA= PRPA

(link-local)

– IPsec-TIA= POPA (IKE)

IETF 59 23

Bootstrapping WPA/IEEE 802.11i

• Pre-shared key mode (PSK) enabled• MAC address is used as DI• EP is on access point• Provides:

– Centralized AAA– Protected disconnection

• No changes to WPA or IEEE 802.11i required

IETF 59 24

Flow… +------------------+ | Physical AP | | +--------------+ | | |Virtual AP1 | | Unauth | |(open-access) |---- VLAN\ | | | | \+-------+ +---+ | +--------------+ | |PAA/AR/| |PaC| ~~~~ | | |DHCP | +---+ | +--------------+ | |Server | | |Virtual AP2 | | /+-------+ | |(WPA PSK mode)|---- Auth / | | | | | VLAN | | +--------------+ | | | | | +------------------+ Internet

1- Associate with unauthenticated VLAN AP

2- Configure PRPA via DHCP or link-local

3- Perform PANA and generate PMK

4- Associate with authenticated VLAN AP, perform 4-way handshake, generate PTK

5- Obtain new IP address

IETF 59 25

Co-located PAA and AP(EP)

• Does not require virtual AP switching

• PANA, DHCP, ARP, ND traffic allowed on the 802.1X uncontrolled port

IETF 59 26

Capability Discovery

• Types of networks:– IEEE 802.1X-secured

• Look at RSN information element in beacon frames

– PANA-secured• Data driven PANA discovery

• Client initiated discovery

– Unauthenticated (free)

The End

Should this I-D become a PANA WG item?

IETF 59 29

IPsec, DHCP PaC AP DHCPv4 Server PAA EP(AR) | Link-layer | | | | | association| | | | |<---------->| | | | | | | | | | DHCPv4 | | | |<-----------+------------>| | | | | | | | |PANA(Discovery and Initial Handshake phase | | & PAR-PAN exchange in Authentication phase) | |<-----------+-------------------------->| | | | | | | | | | |Authorization| | | | |[IKE-PSK, | | | | | PaC-DI, | | | | | Session-Id] | | | | |------------>| | | | | | |PANA(PBR-PBA exchange in Authentication phase) | |<-----------+-------------------------->| | | | | | | | | IKE | | |<-----------+---------------------------------------->| | | | | | | | | | |

• IPv4:– IPsec-TIA= IPsec-TOA=

PRPA (dhcp)

• IPv6:– IPsec-TOA= PRPA

(link-local)

– IPsec-TIA= POPA (dhcp)

• IPv6 can also use stateless address autoconf.