DHCPv4 option for PANA Authentication Agents

draft-suraj-dhcpv4-paa-option-00.txt
DHC/PANA WG
IETF-63
France, Paris

The Protocol for carrying Authentication for Network Access (PANA)

The PANA protocol is run between a PANA Client (PaC) and a PANA Authentication Agent (PAA) in order to perform authentication and authorization for the network access service.
To be authenticated when accessing the network, the PaC first needs to discover the PAA.

PAA discovery – Possible ways

Existing: Manual Configuration, Multicast based
Proposed: DHCP based

PANA Authentication Agent DHCPv4 Option

A new DHCPv4 option that allows a PANA client (PaC) to discover PANA Authentication Agents (PAA).
It carries either a list of 32-bit (binary) IPv4 addresses or, preferably, a domain name list.

Option Format

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  option-code  | option-length |      enc      |      ...      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     PAA Domain Name List                      |
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
DHCPv4 option for PAA Domain Name List

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  option-code  | option-length |      enc      |      ...      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        PAA IP Address                         |
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
DHCPv4 option for PAA IPv4 Address List
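
Added example (not from the slides or the draft): a strict parser for the option layout shown above, treating the DHCP reply as untrusted input. The option code 250, the enc values 0 (domain names) and 1 (IPv4 addresses) and the RFC 1035 label encoding of names are assumptions, since the slides do not give them. Refusing compression pointers, non-LDH labels and unspecified, multicast or loopback addresses is a hardening choice made here.

```python
import ipaddress

# Assumptions, not slide values: placeholder code; 'enc' modelled on RFC 3361.
OPTION_PAA = 250                 # hypothetical; the real code is IANA-assigned
ENC_DOMAIN, ENC_IPV4 = 0, 1      # assumed meaning of the 'enc' byte

def parse_names(data):
    """Decode RFC 1035 label sequences, refusing compression pointers."""
    names, labels, i = [], [], 0
    while i < len(data):
        n, i = data[i], i + 1
        if n == 0:                               # root label ends one name
            if not labels:
                raise ValueError("empty domain name")
            names.append(".".join(labels))
            labels = []
        elif n > 63 or i + n > len(data):        # pointer, or label overruns
            raise ValueError("bad label length")
        else:
            label = data[i:i + n].decode("ascii")    # non-ASCII -> ValueError
            if not label.replace("-", "").isalnum():
                raise ValueError("non-LDH character in label")
            labels.append(label)
            i += n
    if labels or not names:
        raise ValueError("unterminated or missing domain name")
    return names

def parse_paa_option(opt):
    """Return ('domain', names) or ('ipv4', addresses) from raw option bytes."""
    if len(opt) < 4 or opt[0] != OPTION_PAA:
        raise ValueError("not a PAA option")
    if opt[1] != len(opt) - 2:                   # length covers enc + payload
        raise ValueError("option-length does not match payload")
    enc, data = opt[2], opt[3:]
    if enc == ENC_DOMAIN:
        return "domain", parse_names(data)
    if enc == ENC_IPV4:
        if len(data) % 4:
            raise ValueError("address list is not a multiple of 4 bytes")
        addrs = [ipaddress.IPv4Address(data[i:i + 4]) for i in range(0, len(data), 4)]
        if any(a.is_unspecified or a.is_multicast or a.is_loopback for a in addrs):
            raise ValueError("unusable PAA address")
        return "ipv4", [str(a) for a in addrs]
    raise ValueError("unknown enc value")

# Constructed sample options (not captured traffic).
SAMPLE_NAMES = bytes([OPTION_PAA, 18, ENC_DOMAIN]) + b"\x03paa\x07example\x03net\x00"
SAMPLE_ADDRS = bytes([OPTION_PAA, 9, ENC_IPV4]) + bytes([192, 0, 2, 1, 192, 0, 2, 2])
```
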

Operations

The client requests the PAA DHCPv4 Option in a Parameter Request List.
If a DHCPv4 server is configured with both a PAA domain name list and a PAA IP address list, the DHCPv4 server should respond to the request with the domain name list to be used by the PANA client.

Security Consideration

If an adversary manages to modify the response from a DHCP server or insert its own response, a PANA Client could be led to contact a rogue PANA Agent, possibly one that then intercepts call requests or denies service.
This is a well-known threat with DHCP, but it doesn't introduce a new security hole in the PANA framework.

Action Plan


PANA WG consensus on this I-D
DHC WG ??
THANK YOU!