TRANSCRIPT
Multi-hop PANA
IETF 62
2
• Currently:
– “For simplicity, it is assumed that the PAA is attached to the same link as the device (i.e., no intermediary IP routers).”
• Objective of this presentation:
– Discuss removal of this constraint
• Benefit: Flexible deployments
• Cost: see slides…
3
mhop EAP Bar BoF
• Need mhop EAP lower-layer for AAA of:
– network access service
  • Pre-authentication
  • Ad-hoc networks
  • Simple
– MIP6
– SNMP
– “any” service
• Scope of mhop PANA is “network access AAA”
– mhop PANA may help some of the network access scenarios
4
Considerations
• PAA discovery
• IP addressing
• EP location
• NAT traversal
• TTL check
5
PAA Discovery
• If the PAA is not on-link, how does the PAA discovery work?
– Option 1: Define a new DHCP option
– Option 2: “Traffic driven discovery”
  • EP detects PDI, RS, DHCP, etc.; triggers PAA via PANA-SNMP
– Option 3: Preconfigured
– No changes on the PANA spec.
• If there are multiple PAAs?
– Same issue applies to 1-hop PANA as well
– Current spec: PaC picks any
6
IP Addressing
• A link-local PRPA is not suitable for mhop PANA deployments.
• Include a “deployment consideration” text in the PANA framework I-D:
– “If PAA is multiple hops away from the PaC, the access network must allow non-link-local PRPA configuration.”
7
EP Location
• No changes are proposed on the location of EP
– L2 access device (e.g., IEEE 802.11 AP)
– Access router
• PAA must know the location of EP(s)
– Same as before.
8
NAT traversal (1/2)
• What happens if there is a NAT between EP and PAA?
– IP-Address and DI AVPs checked against IP header
• DI AVP: Bind DI to PANA session
– PaC DI is the IP address when IPsec is used.
– PAA delivers DI to EP.
• IP-Address AVP:
– Bind PAA IP address to PANA session
– If PaC IP address changes (e.g., run DHCP after PANA), PaC notifies PAA
• Did we really need the integrity checks?
– IP address theft/spoofing
– IP address ownership issue
[Figure: topology PaC – EP/AR – NAT – PAA]
9
NAT traversal (2/2)
• UDP destination port in request messages set to PANA_port.
– PAA requests sent to PaC -- port mapping issue
• Proposal:
– Option 1: Remove the integrity checks, handle port issue
– Option 2: Include a deployment considerations text: “NAT between PaC and PAA is not supported”.
10
TTL
• Drop the TTL check on both PaC and PAA
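The NAT and TTL slides both turn on the same mechanism: the PAA compares fields carried inside the PANA message (DI and IP-Address AVPs) and the packet's TTL against what the IP header actually shows. The following is an added example, not code from the presentation or from any PANA implementation, that models those checks and shows which ones break once routers and a NAT sit between PaC and PAA. The data structures, the "TTL must be 255" expectation, the failure labels and the addresses are all constructed assumptions of this example.

```python
from dataclasses import dataclass

# Constructed model of the integrity checks discussed on the slides:
# DI / IP-Address AVPs compared against the IP header, plus the TTL check.
# Field names, the 255 expectation and all addresses are assumptions.


@dataclass
class IpHeader:
    src: str
    dst: str
    ttl: int


@dataclass
class PanaMessage:
    header: IpHeader
    avps: dict  # e.g. {"DI": "10.0.0.2", "IP-Address": "10.0.0.2"}


@dataclass
class PanaSession:
    pac_di: str         # device identifier bound when the session was set up
    pac_ip: str         # PaC address the PAA currently binds to the session
    ttl_check: bool = True


def pac_send(pac_ip: str, paa_ip: str) -> PanaMessage:
    # PaC originates a message: TTL 255 (assumed on-link rule), AVPs carry its own address.
    return PanaMessage(IpHeader(pac_ip, paa_ip, 255),
                       {"DI": pac_ip, "IP-Address": pac_ip})


def forward_through_router(msg: PanaMessage) -> PanaMessage:
    # Every intermediary IP router decrements the TTL; addresses are untouched.
    h = msg.header
    return PanaMessage(IpHeader(h.src, h.dst, h.ttl - 1), dict(msg.avps))


def forward_through_nat(msg: PanaMessage, public_src: str) -> PanaMessage:
    # A NAT rewrites the header source address but cannot see or rewrite the AVPs.
    h = msg.header
    return PanaMessage(IpHeader(public_src, h.dst, h.ttl - 1), dict(msg.avps))


def paa_validate(msg: PanaMessage, session: PanaSession) -> list:
    # Returns the list of failed checks (empty list == message accepted).
    failures = []
    if session.ttl_check and msg.header.ttl != 255:
        failures.append("ttl")
    di = msg.avps.get("DI")
    if di is not None and (di != msg.header.src or di != session.pac_di):
        failures.append("di-mismatch")
    ip = msg.avps.get("IP-Address")
    if ip is not None and (ip != msg.header.src or ip != session.pac_ip):
        failures.append("ip-address-mismatch")
    return failures


def paa_update_binding(msg: PanaMessage, session: PanaSession) -> None:
    # PaC notifies the PAA after its address changed (e.g. DHCP run after PANA);
    # the PAA rebinds the session to the new address and DI.
    session.pac_ip = msg.avps["IP-Address"]
    session.pac_di = msg.avps["DI"]


def scenarios() -> dict:
    pac_ip, paa_ip, nat_public = "10.0.0.2", "192.0.2.10", "198.51.100.7"
    strict = PanaSession(pac_di=pac_ip, pac_ip=pac_ip)
    relaxed = PanaSession(pac_di=pac_ip, pac_ip=pac_ip, ttl_check=False)
    msg = pac_send(pac_ip, paa_ip)
    two_hops = forward_through_router(forward_through_router(msg))
    natted = forward_through_nat(forward_through_router(msg), nat_public)
    return {
        "on-link": paa_validate(msg, strict),
        "multihop": paa_validate(two_hops, strict),
        "multihop+nat": paa_validate(natted, strict),
        "multihop, ttl check dropped": paa_validate(two_hops, relaxed),
        "multihop+nat, ttl check dropped": paa_validate(natted, relaxed),
    }


def address_change_demo() -> tuple:
    # On-link PaC renumbers after PANA; before it notifies the PAA its messages fail,
    # after the PAA rebinds the session they pass again.
    session = PanaSession(pac_di="10.0.0.2", pac_ip="10.0.0.2")
    msg = pac_send("10.0.0.9", "192.0.2.10")
    before = paa_validate(msg, session)
    paa_update_binding(msg, session)
    after = paa_validate(msg, session)
    return before, after


if __name__ == "__main__":
    for name, failed in scenarios().items():
        print(f"{name:35s} -> {failed or 'accepted'}")
    print("address change before/after notify ->", address_change_demo())
```

Dropping the TTL check is enough to make plain multi-hop deployments pass, which is the proposal on the TTL slide; the NAT case still fails on the AVP-versus-header comparison, which is why the NAT slides offer either removing those checks (and solving the port mapping separately) or stating that NAT between PaC and PAA is unsupported.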
11
• Any other issues?
• Re-charter?
– “For simplicity, it is assumed that the PAA is attached to the same link as the device (i.e., no intermediary IP routers).”