Re: The Emperor Has No Clothes: Is PANA actually useful?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The IETF does publish protocols that may or may not be viable in the real world. I think PANA, after a significant clean up, might belong in that category. I, for instance, have the following high-level issues:

** No real use cases out there, and no real hope either. 3GPP2 HRPD recently joined the growing list of L2 technologies that ruled out PANA. ** EAP over IKEv2 seems like a more viable alternative: apparently being proposed in 3G-WLAN interworking scenario as the access auth protocol.

** PANA's notions of EP placement seem vague "the EPs' location can range from the first-hop router to other routers within the access network" (I don't want to paste it all here, but it's Section 7.1 in the framework document). Its crucial for a protocol that sets out to authenticate clients to enforce access control, to get the EP placement right. ** PANA has a notion of binding PANA authentication to an existing secure channel. It is not clear whether it makes sense and the framework document does not have any convincing text. That notion introduces more problems than solving any, I think. Here are some excerpts: "Networks where a secure channel is already available prior to running PANA." "The presence of a secure channel before PANA exchange eliminates the need for executing a secure association protocol after PANA."

I guess the notion is that the existing secure channel is authenticated but for a different reason and PANA authenticates the client again for network access and binds the "result" using "filters" to that secure channel. Pretty ad hoc operation, I must say and I think breaks the EAP model.

I can provide a more detailed review, but that's not the purpose of this thread.

My conclusion is -- stealing Bernard's words -- EAP/IKEv2 will do for what PANA is supposed to support. PANA is not needed really. But if after clarifications, the WG insists that the docs be published, I guess the IESG might publish them as experimental or even move them to historic (not sure how the latter would work).

regards,
Lakshminath

At 11:27 AM 5/24/2006, Pekka Savola wrote:
On Wed, 24 May 2006, Sam Hartman wrote:
Hi.  Speaking as an individual, I'd like to make an explicit call for
members of the IETF community not involved in the PANA working group
to review draft-ietf-pana-framework.  Please speak up if you have done
such a review or attempted such a review and been unsuccessful.  Let
us know what you think PANA is intended to be useful for and whether
you think it is actually useful.
...

FWIW, I do not believe the current framework document as written is sufficiently clear in order to be able to evaluate where and under which conditions and assumptions the solution could be deployed. Therefore it is not feasible to evaluate the usefulness or applicability of the PANA protocol itself either.

My review is here:
http://www1.ietf.org/mail-archive/web/ietf/current/msg41231.html

There has been some follow-up work to clarify and address these.
Based on the discussion, I fear revision would take significant cycles, so the result remains to be seen.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf


_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]