Re: The Emperor Has No Clothes: Is PANA actually useful?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Vidya,

>>Re 1: I do believe an IP layer solution in this space is 
>>potentially useful. Not as something that replaces existing 
>>link layer solutions and takes over the market, but there are 
>>situations where it would be useful, for instance over link 
>>layers that have no such support, as a solution for networks 
>>where you just want to add a node in the middle of the access 
>>network without updating all access points (kind of like a 
>>replacement for weblogin but without the need for user 
>>intervention), etc.
>>
>>    
>>
>
>I am trying to figure out the use case for an IP layer solution in this
>space as an access authentication protocol and I am not convinced that
>we need something like PANA. If you are in fact, adding a node in the
>middle of the access network that is going to perform access control, is
>it just performing authentication or also attempting to derive keys and
>secure the data traffic? With a solution like PANA, a link layer secure
>association protocol or IPsec needs to be run to secure data traffic. If
>the former, the authenticator (or at least the EP) needs to be located
>at the edge. This needs support at the link layer anyway, and all such
>link layers already support EAP. 
>
>If the latter, the most natural solution to use is IKEv2 with EAP, since
>even with PANA, you still need to run IKE/IKEv2 and IPsec - so, I don't
>see what benefit PANA provides here. 
>  
>
My comment above relates to the overall interest in an IP layer solution
without considering what protocol is used.

I also wrote in my e-mail something about the different alternative
solutions. It is true that IKEv2 with EAP is potentially a good
fit for this task. IKEv2 is my favorite EAP encapsulation
protocol :-) However, its not clear that it currently has all
the parts (though I could have missed some extension somewhere).
For instance, some mechanism appears to be needed to discover
that you are in a network that requires this type of operation,
and to find the address of the control device that you need
to talk to. I haven't done the research on how easy it would
be to add this (probably quite easy) or if there are other
things that we would need. Thoughts?

Anyway, I agree with Dave Crocker that the bar should be
higher for using "there's another solution" argument in last
call discussion of chartered work than in, say, a BOF
discussion. Perhaps we should focus more on whether
the function itself is something that we agree on, and
what we can do to fix/scope/help PANA.

--Jari


_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]