draft-ietf-pana-preauth-00.txt   draft-ietf-pana-preauth-01.txt 
PANA Working Group Y. Ohba PANA Working Group Y. Ohba
Internet-Draft Toshiba Internet-Draft Toshiba
Expires: April 15, 2006 October 12, 2005 Expires: September 4, 2006 March 3, 2006
Pre-authentication Support for PANA Pre-authentication Support for PANA
draft-ietf-pana-preauth-00 draft-ietf-pana-preauth-01
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 33 skipping to change at page 1, line 33
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 15, 2006. This Internet-Draft will expire on September 4, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2006).
Abstract Abstract
This document defines an extension to the PANA protocol used for This document defines an extension to the PANA protocol used for
proactively establishing a PANA SA (Security Association) between a proactively establishing a PANA SA (Security Association) between a
PaC in an access network and a PAA in another access network to which PaC in an access network and a PAA in another access network to which
the PaC may move. The proposed method operates across multiple the PaC may move. The proposed method operates across multiple
administrative domains. administrative domains.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Specification of Requirements . . . . . . . . . . . . . . 4 1.1. Specification of Requirements . . . . . . . . . . . . . . 3
2. Terminogy . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Terminogy . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Pre-authentication Procedure . . . . . . . . . . . . . . . . . 7 3. Pre-authentication Procedure . . . . . . . . . . . . . . . . . 7
4. PANA Extensions . . . . . . . . . . . . . . . . . . . . . . . 11 4. PANA Extensions . . . . . . . . . . . . . . . . . . . . . . . 11
5. Authorization and Accounting Considerations . . . . . . . . . 12 5. Authorization and Accounting Considerations . . . . . . . . . 12
6. Security Considerations . . . . . . . . . . . . . . . . . . . 13 6. Security Considerations . . . . . . . . . . . . . . . . . . . 13
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16
9.1. Normative References . . . . . . . . . . . . . . . . . . . 16 9.1. Normative References . . . . . . . . . . . . . . . . . . . 16
9.2. Informative References . . . . . . . . . . . . . . . . . . 16 9.2. Informative References . . . . . . . . . . . . . . . . . . 16
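Review bot: the Section 2 entry in the table of contents still reads "Terminogy" in both the -00 and -01 columns; correct it to "Terminology" here and in the Section 2 heading it mirrors, since only the page number for 1.1 was touched in this revision.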
skipping to change at page 3, line 18 skipping to change at page 3, line 18
PaC (PANA Client) and a PAA (PANA Authentication Agent) in the access PaC (PANA Client) and a PAA (PANA Authentication Agent) in the access
network. If the PaC is a mobile device and is capable of moving one network. If the PaC is a mobile device and is capable of moving one
access network to another while running its applications, it is access network to another while running its applications, it is
critical for the PaC to perform a handover seamlessly without critical for the PaC to perform a handover seamlessly without
degrading the performance of the applications during the handover degrading the performance of the applications during the handover
period. When the handover requires the PaC to establish a PANA period. When the handover requires the PaC to establish a PANA
session with the PAA in the new access network, the signaling to session with the PAA in the new access network, the signaling to
establish the PANA session should be completed as fast as possible. establish the PANA session should be completed as fast as possible.
There is an optimization method based on Context Transfer Protocol There is an optimization method based on Context Transfer Protocol
(CTP) [I-D.ietf-seamoby-ctp] to reduce the signaling delay for (CTP) [RFC4067] to reduce the signaling delay for establishing a PANA
establishing a PANA session with a new PAA upon a handover [I-D.ietf- session with a new PAA upon a handover [I-D.ietf-pana-mobopts][I-
pana-mobopts][I-D.bournelle-pana-ctp]. D.ietf-pana-cxtp].
The CTP-based method have the following issues. First, it is not The CTP-based method have the following issues. First, it is not
readily applicable to handovers across multiple administrative readily applicable to handovers across multiple administrative
domains since having a security association between PAAs in different domains since having a security association between PAAs in different
administrative domains is practically difficult. Second, even within administrative domains is practically difficult. Second, even within
a single administrative domain, the CTP-based method is difficult to a single administrative domain, the CTP-based method is difficult to
work when the previous and new access networks have different work when the previous and new access networks have different
authorization characteristics, e.g., on use of NAP and ISP separate authorization characteristics, e.g., on use of NAP and ISP separate
authentication. Third, the CTP-based method relies on deriving the authentication. Third, the CTP-based method relies on deriving the
PANA_MAC_Key used between the PaC and the PAA in the new access PANA_MAC_Key used between the PaC and the PAA in the new access
network from the AAA-Key used between the PaC and the PAA in the network from the AAA-Key used between the PaC and the PAA in the
previous access network, which does not provide perfect cryptographic previous access network, which does not provide perfect cryptographic
separation between the PAAs. separation between the PAAs.
To address the issues on the CTP-based method, this document defines To address the issues on the CTP-based method, this document defines
an extension to the PANA protocol [I-D.ietf-pana-pana] used for an extension to the PANA protocol [I-D.ietf-pana-pana] used for
proactively executing EAP authentication and establishing a PANA SA proactively executing EAP authentication and establishing a PANA SA
(Security Association) between a PaC in an access network and a PAA (Security Association) between a PaC in an access network and a PAA
in another access network to which the PaC may move. The proposed in another access network to which the PaC may move. The proposed
method operates across multiple administrative domains. The proposed method operates across multiple administrative domains.
method is used as the authentication protocol in the framework of MPA
(Media-independent Pre-authentication) [I-D.ohba-mobopts-mpa-
framework].
Although the proposed method covers the case that is also covered by Although the proposed method covers the case that is also covered by
the CTP-based method (i.e., homogeneous authorization characteristics the CTP-based method (i.e., homogeneous authorization characteristics
in a single administrative domain), the purpose of this document is in a single administrative domain), the purpose of this document is
not to replace the CTP-based method. Instead, the purpose of this not to replace the CTP-based method. Instead, the purpose of this
document is to provide a way to cover the cases that are not covered document is to provide a way to cover the cases that are not covered
by the other method. For the case covered by the CTP-based method, by the other method. For the case covered by the CTP-based method,
the CTP-based method may be used. the CTP-based method may be used.
1.1. Specification of Requirements 1.1. Specification of Requirements
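Review bot: the abbreviation for the context transfer protocol is now inconsistent after the citation swap to [RFC4067]: the Introduction still expands it as "Context Transfer Protocol (CTP)" and keeps "CTP-based method" throughout, while the new reference entries title it "Context Transfer Protocol (CXTP)" and the companion draft is now [I-D.ietf-pana-cxtp]; pick one form (CXTP matches RFC 4067) and use it in the prose. Two smaller points in the unchanged context: "The CTP-based method have the following issues" should read "has", and "the CTP-based method is difficult to work when" reads better as "does not work well when".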
skipping to change at page 8, line 33 skipping to change at page 8, line 33
authenticating to a remote PAA (r-PAA) in another access network. authenticating to a remote PAA (r-PAA) in another access network.
The PaC then initiates a pre-authentication procedure by sending a The PaC then initiates a pre-authentication procedure by sending a
PANA-PAA-Discover message with the P-bit set. PANA messages are PANA-PAA-Discover message with the P-bit set. PANA messages are
exchanged between the PaC and r-PAA, with the P-bit set for all exchanged between the PaC and r-PAA, with the P-bit set for all
messages. On successful completion of the PANA exchanges for pre- messages. On successful completion of the PANA exchanges for pre-
authentication and pre-authorization, a pre-authentication SA will be authentication and pre-authorization, a pre-authentication SA will be
established between the PaC and l-PAA. On the other hand, the active established between the PaC and l-PAA. On the other hand, the active
SA established between the PaC and l-PAA stays active. SA established between the PaC and l-PAA stays active.
At some point after establishing the pre-authentication SA, the PaC At some point after establishing the pre-authentication SA, the PaC
moves to the access network of the r-PAA. Then the PaC initiates a moves to the access network of the r-PAA. The r-PAA may be found by
PANA-Update exchange to inform the PAA of the IP address change. In running PAA discovery over a newly created session or immediately
this PANA-Update exchange, the P-bit is unset. On successful when the PaC attaches a link-layer device that is acting as an EP
completion of the PANA-Update exchange and post-authorization whose device identifier was contained in the list of EP device
procedure, the pre-authentication SA becomes the active SA. The identifiers advertised by the r-PAA in the pre-authentication
active SA between the PaC and l-PAA may stay active for a while to procedure. If the r-PAA is found, the PaC initiates a PANA-Update
deal with the case in which the PaC immediately switches back to the exchange over the session in which the pre-authentication SA has been
previous access network. maintained to inform the PAA of the IP address change. In this PANA-
Update exchange, the P-bit is unset. On successful completion of the
PANA-Update exchange and post-authorization procedure, the pre-
authentication SA becomes the active SA. The active SA between the
PaC and l-PAA may stay active for a while to deal with the case in
which the PaC immediately switches back to the previous access
network.
If no such an r-PAA is found but other PAA(s) in the new access
network, a full PANA authentication or PANA mobility optimization may
be performed between the PaC and one of those PAA(s) based on the
procedures described in [I-D.ietf-pana-pana] and [I-D.ietf-pana-
cxtp].
PaC l-PAA r-PAA PaC l-PAA r-PAA
| | | | | |
| PANA w/o P-bit set | | | PANA w/o P-bit set | |
|<---------------------->| | |<---------------------->| |
| | | | | |
. . . . . .
. . . . . .
+------------------+ | | +------------------+ | |
|Pre-authentication| | | |Pre-authentication| | |
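Review bot: the sentence "a pre-authentication SA will be established between the PaC and l-PAA" names the wrong PAA; the exchange it describes runs between the PaC and the r-PAA, and the next sentence explicitly contrasts this new SA with the one that "stays active" with the l-PAA, so it should read "between the PaC and r-PAA". On the text added in -01, the PaC now selects the session for the PANA-Update based on "the list of EP device identifiers advertised by the r-PAA in the pre-authentication procedure", but this paragraph does not say which PANA message carries that list or whether that message is covered by the pre-authentication SA; a pointer to the relevant part of Section 4 (PANA Extensions) would let a reader check that the PaC is acting on protected data. Finally, "If no such an r-PAA is found but other PAA(s) in the new access network" is missing a verb; suggest "If no such r-PAA is found but other PAAs are present in the new access network".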
skipping to change at page 15, line 7 skipping to change at page 15, line 7
SHOULD limit the maximum number of PAAs allowed to communicate. SHOULD limit the maximum number of PAAs allowed to communicate.
7. IANA Considerations 7. IANA Considerations
As described in Section 4, a new flag in the Flags field of PANA As described in Section 4, a new flag in the Flags field of PANA
Header needs to be assigned by IANA. The new flag is bit 3 ('P're- Header needs to be assigned by IANA. The new flag is bit 3 ('P're-
authentication). authentication).
8. Acknowledgments 8. Acknowledgments
The author would like to thank Alper Yegin, Ashutosh Dutta and Julien The author would like to thank Alper Yegin, Ashutosh Dutta, Julien
Bournelle for their valuable comments. Bournelle and Sasikanth Bharadwaj for their valuable comments.
9. References 9. References
9.1. Normative References 9.1. Normative References
[I-D.ietf-pana-pana] [I-D.ietf-pana-pana]
Forsberg, D., "Protocol for Carrying Authentication for Forsberg, D., "Protocol for Carrying Authentication for
Network Access (PANA)", draft-ietf-pana-pana-10 (work in Network Access (PANA)", draft-ietf-pana-pana-10 (work in
progress), July 2005. progress), July 2005.
9.2. Informative References 9.2. Informative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[I-D.ohba-mobopts-mpa-framework] [RFC4067] Loughney, J., Nakhjiri, M., Perkins, C., and R. Koodli,
Ohba, Y., "A Framework of Media-Independent Pre- "Context Transfer Protocol (CXTP)", RFC 4067, July 2005.
Authentication (MPA)", draft-ohba-mobopts-mpa-framework-01
(work in progress), July 2005.
[I-D.ietf-pana-mobopts] [I-D.ietf-pana-mobopts]
Forsberg, D., "PANA Mobility Optimizations", Forsberg, D., "PANA Mobility Optimizations",
draft-ietf-pana-mobopts-00 (work in progress), draft-ietf-pana-mobopts-01 (work in progress),
January 2005. October 2005.
[I-D.bournelle-pana-ctp]
Bournelle, J., "Use of Context Transfer Protocol (CxTP)
for PANA", draft-bournelle-pana-ctp-03 (work in progress),
June 2005.
[I-D.ietf-seamoby-ctp] [I-D.ietf-pana-cxtp]
Loughney, J., "Context Transfer Protocol", Bournelle, J., "Use of Context Transfer Protocol (CXTP)
draft-ietf-seamoby-ctp-11 (work in progress), August 2004. for PANA", draft-ietf-pana-cxtp-00 (work in progress),
October 2005.
Author's Address Author's Address
Yoshihiro Ohba Yoshihiro Ohba
Toshiba America Research, Inc. Toshiba America Research, Inc.
1 Telcordia Drive 1 Telcordia Drive
Piscateway, NJ 08854 Piscateway, NJ 08854
USA USA
Phone: +1 732 699 5365 Phone: +1 732 699 5365
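Review bot: [RFC2119] is listed under 9.2 Informative References, yet Section 1.1 (Specification of Requirements) and normative language such as "SHOULD limit the maximum number of PAAs" depend on it; move it to 9.1 Normative References. Also, the author's address spells the city "Piscateway" in both columns; the usual spelling is "Piscataway".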
skipping to change at page 18, line 41 skipping to change at page 18, line 41
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights. except as set forth therein, the authors retain all their rights.
Acknowledgment Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
 End of changes. 13 change blocks. 
37 lines changed or deleted 40 lines changed or added

This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/