Jari,

> Sam,
>
> I think your note is asking in fact a number of questions:
>
> 1. Is the concept of EAP-authentication over IP for network
> access useful, as opposed to link layer mechanisms?
>
> 2. Is the PANA realization of this idea good, and
> are the documents satisfactory?
>
> 3. Is there a specific real-world case where PANA is being
> applied or will be applied?
>
> 4. What other alternatives exist for the same function
> and how do they compare to PANA?
>
> Re 1: I do believe an IP layer solution in this space is
> potentially useful. Not as something that replaces existing
> link layer solutions and takes over the market, but there are
> situations where it would be useful, for instance over link
> layers that have no such support, as a solution for networks
> where you just want to add a node in the middle of the access
> network without updating all access points (kind of like a
> replacement for weblogin but without the need for user
> intervention), etc.
>

I am trying to figure out the use case for an IP layer solution in
this space as an access authentication protocol and I am not convinced
that we need something like PANA. If you are, in fact, adding a node in
the middle of the access network that is going to perform access
control, is it just performing authentication or also attempting to
derive keys and secure the data traffic? With a solution like PANA, a
link layer secure association protocol or IPsec needs to be run to
secure data traffic. If the former, the authenticator (or at least the
EP) needs to be located at the edge. This needs support at the link
layer anyway, and all such link layers already support EAP. If the
latter, the most natural solution to use is IKEv2 with EAP, since even
with PANA, you still need to run IKE/IKEv2 and IPsec - so, I don't see
what benefit PANA provides here. Perhaps I am missing something here?

Regards,
Vidya

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf