SNMP for the PAA-2-EP protocol
PANA wg - IETF 59 Seoul
Yacine El Mghazli (Alcatel), presenter
Yoshihiro Ohba (Toshiba)
Julien Bournelle (GET/INT)
http://yacine.free.fr/ietf59/pana/draft-yacine-pana-snmp-02.txt
Yacine El Mghazli — 2 All rights reserved © 2004, Alcatel
Presentation Overview
> Introduction
• PAA-2-EP basic principle
• PAA-2-EP within the PANA wg
• Back on the SNMP choice
> SNMPv3 applicability against PAA-2-EP protocol reqs
> SNMP usage for the PAA-2-EP
• Re-usable existing MIB modules
• additional PANA-specific MIB objects
> Next Steps
Introduction: PAA-2-EP functional basic principle
(Figure: PaC, EP and AR sit on one single IP subnet; the PAA sits between them and the AAA backend. PANA authentication runs between the PaC and the PAA, AAA authentication between the PAA and the AAA backend. Over PAA-2-EP the PAA installs the filter on the EP that governs the PaC traffic.)
Introduction: PAA-2-EP within the PANA wg
> PANA charter:
• The PANA working group must mandate one protocol
• The PANA wg will not design a new protocol; it may involve the definition of extensions to an existing one
> History:
• IETF55: PAA-2-EP topic introduction
– draft-ietf-pana-requirements-0x.txt
• IETF57: PAA-2-EP protocol considerations
– draft-yacine-pana-paa-ep-reqs-00.txt
• IETF58: PAA-2-EP protocols evaluation
– draft-yacine-pana-paa2ep-eval-00.txt
> Already a fair amount of discussion on the mailing list
Introduction: Why SNMP?
> Consensus regarding the PAA-2-EP protocol within the PANA wg:
• An existing protocol (no new protocol design)
• Basic configuration needs (no 'disqualifying' requirement), but
– No disruptive choice
– No immature solutions
– Follow the IAB recommendations
> SNMPv3 fully satisfies the above conditions
• v3 satisfies the security conditions (USM authentication and privacy)
• widely deployed for monitoring (« get » messages)
• « set » messages allow simple configuration
• Lots of MIBs available
> SNMP provides a simple solution with a high level of re-use
PAA-2-EP protocol: SNMPv3 applicability
> One-to-many relation
• 1 SNMP manager (PAA) can relate simultaneously to several agents (EPs)
> Secure communication
• The User-based Security Model (USM) provides authentication, confidentiality, integrity, replay protection and a time window for the validity of messages.
> Notification of PaC presence
• SNMP can provide this feature using SMIv2 notifications (traps)
> Accounting
• The PAA can poll its EPs; their counters are considered good enough.
PAA-2-EP protocol: SNMPv3 applicability (cont'd)
> Peer liveness
• SNMP periodic polling is sufficient for inactive EP detection
> Rebooted peer detection
• the snmpEngineBoots object (SNMP-FRAMEWORK-MIB) detects a rebooted EP
> Authorization ACLs and keying material
• Re-use existing objects
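The three mechanisms the two applicability slides lean on (the USM time window for message validity, snmpEngineBoots for rebooted-EP detection, and periodic polling for inactive-EP detection) worked through together, as an added example that is not code from the slides or from the PANA draft. It models the state a PAA acting as SNMPv3 manager keeps per EP agent and applies the RFC 3414 timeliness rules to the engine boots/time fields of each authenticated message; the 150-second window and the 2^31-1 boots ceiling come from RFC 3414, while the class and method names (EpTracker, EpState, observe, inactive) and the message sequence in the demo are this example's own constructions, not names or traffic from any MIB or RFC.

```python
"""PAA-side bookkeeping for its EPs over SNMPv3 (added example).

Not code from the slides or the draft. It implements what a PAA acting
as SNMPv3 manager (the non-authoritative engine) keeps per EP agent:
  - the USM timeliness state of RFC 3414 (local notion of the EP's
    snmpEngineBoots / snmpEngineTime, 150-second time window),
  - reboot detection from an increased snmpEngineBoots,
  - a last-seen clock for the periodic liveness poll.
Message fields are passed as plain values; there is no network I/O.
EpTracker, EpState, observe and inactive are this example's own names.
"""
from dataclasses import dataclass
from typing import Dict, List

USM_TIME_WINDOW = 150           # seconds, RFC 3414 section 2.2.3
ENGINE_BOOTS_MAX = 2147483647   # 2^31 - 1: boots counter exhausted (RFC 3414)


@dataclass
class EpState:
    boots: int          # local notion of the EP's snmpEngineBoots
    engine_time: int    # EP's snmpEngineTime when we last resynchronised
    synced_at: float    # PAA local clock at that resynchronisation
    last_seen: float    # PAA local clock of the last accepted message

    def estimated_engine_time(self, now: float) -> int:
        """Local notion of the EP's snmpEngineTime, advanced by our clock."""
        return self.engine_time + int(now - self.synced_at)


class EpTracker:
    def __init__(self) -> None:
        self.eps: Dict[str, EpState] = {}

    def observe(self, ep: str, msg_boots: int, msg_time: int, now: float) -> str:
        """Process msgAuthoritativeEngineBoots / msgAuthoritativeEngineTime
        from an already authenticated message sent by EP `ep` (a Response or
        a Trap, for which the EP is the authoritative engine).

        Returns 'discovered' (first contact, clock synchronised), 'rebooted'
        (snmpEngineBoots grew: the EP lost its filters and must be re-provisioned),
        'ok', 'out_of_window' (stale or replayed: drop it), or 'engine_exhausted'
        (boots reached 2^31-1: the EP must be re-initialised).
        """
        st = self.eps.get(ep)
        if st is None:
            # First contact: adopt the EP's notion of time (discovery step).
            self.eps[ep] = EpState(msg_boots, msg_time, now, now)
            return "discovered"

        if st.boots == ENGINE_BOOTS_MAX:
            return "engine_exhausted"

        # A non-authoritative engine only moves its notion forward. The RFC's
        # latestReceivedEngineTime is folded into the clock estimate here.
        rebooted = msg_boots > st.boots
        if rebooted or (msg_boots == st.boots
                        and msg_time > st.estimated_engine_time(now)):
            st.boots, st.engine_time, st.synced_at = msg_boots, msg_time, now

        # RFC 3414 time-window test against the (possibly updated) notion.
        if msg_boots < st.boots:
            return "out_of_window"
        if (msg_boots == st.boots
                and msg_time < st.estimated_engine_time(now) - USM_TIME_WINDOW):
            return "out_of_window"

        st.last_seen = now
        return "rebooted" if rebooted else "ok"

    def inactive(self, now: float, max_silence: float) -> List[str]:
        """EPs whose last accepted message is older than max_silence seconds,
        i.e. peers that missed the periodic liveness poll."""
        return sorted(ep for ep, st in self.eps.items()
                      if now - st.last_seen > max_silence)


if __name__ == "__main__":
    # Constructed sequence of (ep, boots, engineTime, PAA clock); not captured traffic.
    paa = EpTracker()
    for ep, boots, etime, now in [("ep1", 3, 1000, 0.0), ("ep1", 3, 1060, 60.0),
                                  ("ep1", 3, 500, 120.0), ("ep1", 4, 5, 200.0),
                                  ("ep1", 3, 1300, 210.0)]:
        print(ep, boots, etime, "->", paa.observe(ep, boots, etime, now))
    print("inactive:", paa.inactive(now=300.0, max_silence=120.0))
```

A 'rebooted' result is the trigger the slide has in mind: the EP's SPD entries installed over PAA-2-EP were lost with the reboot, so the PAA has to re-push filters and keying material rather than merely log the event. A pre-reboot message replayed afterwards carries the old boots value and is rejected as out of window without any per-message state beyond the (boots, time) pair.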
SNMP for PAA-2-EP: Re-use of existing IPSec configuration MIBs
> IPSec configuration MIB recently split into 3 separate modules
> IPSec SPD configuration MIB module (IPSP wg)
• Rule/Filter/Action policy structure
• Various IP filters, including IP header filter
• Notification variables re-usable for the PaC presence trap
> IPSec IKE configuration MIB module (IPSP wg)
• For IP-based access control (draft-ietf-pana-ipsec-02)
• Pre-shared key (PSK) configuration
– Derived at the PAA level
• ID_KEY_ID configuration (aggressive mode)
– PANA session_id
SNMP for PAA-2-EP: Additional PANA-specific MIB objects
> PANA-specific objects extend the SPD-MIB
• Link-layer filters
• PaC presence trap
• Keying material for L2 protection
> Current version -02:
• IEEE 802 filters
• New PaC notification
> Browse the whole current MIB set at the following URL:
• http://yacine.free.fr/ietf59/pana/dev
Next Steps
> PANA context usage examples (section 6 TBD)
> More link-layer filters
• Might re-use existing ones
• e.g. ADSL ports open/close
> Some additional object design might be needed
• L2 protection attributes: e.g. 802.11i keys...
> More ?
> Gauge room consensus to accept this document as a PANA WG item
THANKS
PAA-2-EP protocol: Requirements Summary
> One-to-many PAA-EP relation: required.
• a given EP may relate to multiple PAAs
> Secure communication: required.
• authentication, confidentiality, and integrity.
> New PaC notification: required.
• EP to notify unauthorized PaC presence to the PAA.
• optional (PANA can do that).
> Inactive EP detection: not required.
• satisfied by other means; the architecture can take it into account with e.g. a request-response mechanism.
PAA-2-EP protocol: Requirements Summary (cont'd)
> Stateful approach: not required.
• the PAA does not maintain any EP state; the whole solution does (at application level). Some implementation guidance is needed.
> Accounting/Feedback from the EPs: required.
• polling is sufficient for the PANA needs
> EP configuration information:
• The PAA-2-EP protocol must push DI-based filters and keying material down to the EP.