The IETF does publish protocols that may or may not be viable in the
real world. I think PANA, after a significant clean up, might belong
in that category. I, for instance, have the following high-level issues:
** No real use cases out there, and no real hope either. 3GPP2 HRPD
recently joined the growing list of L2 technologies that ruled out PANA.
** EAP over IKEv2 seems like a more viable alternative: apparently
being proposed in 3G-WLAN interworking scenario as the access auth protocol.
** PANA's notions of EP placement seem vague "the EPs' location can
range from the first-hop router to other routers within the access
network" (I don't want to paste it all here, but it's Section 7.1 in
the framework document). Its crucial for a protocol that sets out to
authenticate clients to enforce access control, to get the EP placement right.
** PANA has a notion of binding PANA authentication to an existing
secure channel. It is not clear whether it makes sense and the
framework document does not have any convincing text. That notion
introduces more problems than solving any, I think. Here are some
excerpts: "Networks where a secure channel is already available prior
to running PANA." "The presence of a secure channel before PANA
exchange eliminates the need for executing a secure association
protocol after PANA."
I guess the notion is that the existing secure channel is
authenticated but for a different reason and PANA authenticates the
client again for network access and binds the "result" using
"filters" to that secure channel. Pretty ad hoc operation, I must
say and I think breaks the EAP model.
I can provide a more detailed review, but that's not the purpose of
this thread.
My conclusion is -- stealing Bernard's words -- EAP/IKEv2 will do for
what PANA is supposed to support. PANA is not needed really. But if
after clarifications, the WG insists that the docs be published, I
guess the IESG might publish them as experimental or even move them
to historic (not sure how the latter would work).
regards,
Lakshminath
At 11:27 AM 5/24/2006, Pekka Savola wrote:
On Wed, 24 May 2006, Sam Hartman wrote:
Hi. Speaking as an individual, I'd like to make an explicit call for
members of the IETF community not involved in the PANA working group
to review draft-ietf-pana-framework. Please speak up if you have done
such a review or attempted such a review and been unsuccessful. Let
us know what you think PANA is intended to be useful for and whether
you think it is actually useful.
...
FWIW, I do not believe the current framework document as written is
sufficiently clear in order to be able to evaluate where and under
which conditions and assumptions the solution could be deployed.
Therefore it is not feasible to evaluate the usefulness or
applicability of the PANA protocol itself either.
My review is here:
http://www1.ietf.org/mail-archive/web/ietf/current/msg41231.html
There has been some follow-up work to clarify and address these.
Based on the discussion, I fear revision would take significant
cycles, so the result remains to be seen.
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf