90 likes | 103 Views
PANA Specification Updates (draft-ietf-pana-pana-10.txt). Yoshihiro Ohba (yohba@tari.toshiba.com). Issue 155: Re-authentication phase. Issue: Re-authentication phase is described as a separate phase from access phase
E N D
PANA Specification Updates(draft-ietf-pana-pana-10.txt) Yoshihiro Ohba (yohba@tari.toshiba.com) IETF63 PANA WG
Issue 155: Re-authentication phase • Issue: Re-authentication phase is described as a separate phase from access phase • Giving an impression that network access is not allowed during re-authentication phase, which is not true • Solution: • Define re-authentication phase within access phase
Issue 163: 2nd review by Jari Arkko • Issue: The following sentence in Abstract is too strong particularly if we describe some EAP method requirement in the spec • “PANA can carry any authentication method that can be specified as an EAP method, and it can be used on any link that can carry IP.” • Resolution: Removed the sentence
Issue 163: 2nd review by Jari Arkko (cont’d) • Issue: It is not clear about S-flag handling during re-authentication • Resolution: S-flag value needs to be inherited from the previous authentication and authorization phase or re-authentication phase
Issue 165: Nonce and stateless PAA discovery • Issue: Inclusion of Nonce AVP in PSR conflicts with stateless PAA discovery • PAA cannot be stateless since the nonce contains a random value • Resolution: • Nonce AVPs are not carried in PSR/PSA in case of stateless PAA discovery • Instead, they are carried in the first PAR/PAN exchange
Issue 166: Retransmission bug • Issue: There is a leftover of old (and incorrect) retransmission rule in Section “Retransmission Timers” • Resolution: Removed the incorrect retransmission rule from the section
Issue 169: Lower-layer ciphering • Issue: Need for an algorithm for deriving a key used for bootstrapping lower-layer ciphering for any lower-layers • Resolution: Defined PaC-EP-Master key PaC-EP-Master-Key = HMAC-SHA-1 (AAA-Key, "PaC-EP master key Session ID | Key-ID | EP-Device-Id) • EP-Device-Id: The Value field of Device-Id AVP of given EP • Since Device-Id contains address family, the key derivation algorithm is generic enough to guarantee cryptographic separation among different EPs even across different lower-layers
Issue 170: Dual stack • Issue: Details are missing in dual stack support • Resolution: • Partitioned D-flag into two • F (DHCPv4) • S (DHCPv6) • The PAA MUST set either the N-flag, or one or more of the other flags • The PaC MUST echo the same flags in response • When IPsec ciphering is not used, F, S or A flag MUST be set by the PAA
Issue: Notification AVP • Issue: Does ‘M’ bit of Notification AVP need to be set? • Notification AVP contains displayable message • No additional processing rule is defined (the receiver can ignore the contents of the Notification AVP) • Resolution: Added the following sentence • “The 'M' bit in the AVP header of this AVP MUST NOT be set.”