Disclaimer - I do work in the INT area, but have not been involved in the PANA WG. When this work was chartered, I failed to understand its need and the deployment use cases. Subsequently, about 3 years ago, I recommended against the use of PANA for the needs of my ex-employer. More recently, I have been advocating against the use of PANA in 3gpp2. With that background, some high level confusions that I have about the use of PANA: 1. Reading the framework document, it is simply not clear to me as to why PANA would be useful for any type of network. Actually, even after reading some other PANA documents, this is not clear to me. It seems to have become this complex suite of protocols that aren't specifically buying anything. Why would I want to go through IP address acquisition, for one, if I had a link layer that carried EAP, particularly for link layer security? 2. Link layer agnostic approach has often been cited as a reason to use PANA. I must say that I don't understand how it is link layer agnostic, when it depends on 802.11i 4-way handshake or the like for the secure association protocol. In fact, I am not sure how this even works with the currently defined secure association protocols in lower layers. None of the documents have provided any clarity to me on this. The use of IPsec/IKE for this is even more confusing to me - in this case, why would PANA be used instead of EAP-in-IKEv2? 3. Statements like "...whereas it allows only limited type of traffic (e.g., PANA, DHCP, router discovery, etc.) for the authorized PaCs" do not exactly provide a clear picture of port control - yet another reason IMO to leave the EAP lower layer where it belongs (at the link layer). There are many other such confusions in my mind arising from the PANA documents that I won't get into here. 4. The choices that are left to deployment while using PANA constitute a long list for one protocol! Security before/after the PANA run, global vs local PRPA, DHCP vs 3927 vs 2131 for IPv4 PRPA, dual-stack handling behavior, secure association protocol choice and what it takes to make it work with PANA, need for POPA and "unconfiguring" PRPA, PAA/EP location and choice of protocol between those entities, IKEv1 vs IKEv2 etc. - I am sure I've missed more choices here; but, complex enough, to say the least! Given all of this, publishing these documents in the current stage as proposed standard RFCs concerns me. Vidya > -----Original Message----- > From: Sam Hartman [mailto:hartmans-ietf@xxxxxxx] > Sent: Wednesday, May 24, 2006 8:12 AM > To: ietf@xxxxxxxx > Cc: pana-chairs@xxxxxxxxxxxxxx > Subject: The Emperor Has No Clothes: Is PANA actually useful? > > > > Hi. Speaking as an individual, I'd like to make an explicit > call for members of the IETF community not involved in the > PANA working group to review draft-ietf-pana-framework. > Please speak up if you have done such a review or attempted > such a review and been unsuccessful. Let us know what you > think PANA is intended to be useful for and whether you think > it is actually useful. > > My strong hunch is that we've chartered work for some reason, > and now that the working group is nearing the end of its > charter, we still don't understand why we want this thing > we've built and whether it's a good idea. People aren't > screaming not so much because they are happy with results but > because no one actually understands PANA. > > I understand that there's a strong presumption that once > chartered, work is useful. I'd like to challenge this > presumption enough to get people to actually read the > document. If people not involved in the effort sit down, > read the document and understand what it's all about, my > concern is satisfied. But if enough people try to read the > document, try to understand and fail, we're not done yet. We > certainly cannot have consensus to publish something we've > tried and failed to understand. > > It's not just me. I've been trying to find people outside of > PANA who claim to understand the effort and what it's good > for and why link-layer solutions are not better. When the > first discussion of PANA hit the IESG, I asked other IESG > members why PANA was a good idea and what problem it solved. > "Don't go there," was the advice I got from the responsible AD. > > At that time (a year and a half ago) there was no one on the > IESG who claimed to understand PANA or to think it was a good idea. > > I'm fairly sure that with the possible exception of Jari (who > is a technical advisor to PANA), that's still true. > > > The security community has been trying to understand PANA. > I've sent multiple security reviewers at the PANA document.s > They always come back fundamentally confused about what PANA > is trying to do or about whether it is a good idea. They end > up focusing on some detail or another and asking for some > minor part of the system to be fixed. But I don't get the > impression from the reviews they understand the overall > picture; explicit discussion of this also indicates that they > are not confident in their understanding nor do they know > whether it is a good idea. > > We keep running back over the same ground, still confused and > still trying to muddle through to no real effect. > > > I've tried to understand it myself. I tried to understand in the BOF. > It was very clear to me leaving the original PANA BOF that > something was very confused. Every year or so since I've > tried to go back and figure out what I missed. Eventually > though I've started wondering whether the problem wasn't me, > but was an actual lack of clarity. > > So, folks can you please help us all out. Especially if the > internet area is not your primary focus, especially if you've > never heard of PANA before, take a look at the framework > document and all their other documents. Do you get it? Is > it a good idea? > > Thanks for your time. > > P.S. Again, this is me speaking as an individual. At this > late stage, it would be entirely inappropriate for me to take > actions as an AD claiming that we didn't understand a problem > without a strong community consensus. > > > > _______________________________________________ > Ietf mailing list > Ietf@xxxxxxxx > https://www1.ietf.org/mailman/listinfo/ietf > _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf