Transcript PPT Version

Multi-hop PANA
IETF 62
• Currently:
– “For simplicity, it is assumed that
the PAA is attached to the same link as the
device (i.e., no intermediary IP routers).”
• Objective of this presentation:
– Discuss removal of this constraint
• Benefit: Flexible deployments
• Cost: see slides…
2
mhop EAP Bar BoF
• Need mhop EAP lower-layer for AAA of:
– network access service
• Pre-authentication
• Ad-hoc networks
• Simple
– MIP6
– SNMP
– “any” service
• Scope of mhop PANA is “network access AAA”
– mhop PANA may help some of the network access
scenarios
3
Considerations
• PAA discovery
• IP addressing
• EP location
• NAT traversal
• TTL check
4
PAA Discovery
• If the PAA is not on-link, how does the PAA
discovery work?
– Option 1: Define a new DHCP option
– Option 2: “Traffic driven discovery”
• EP detects PDI, RS, DHCP, etc.; triggers PAA via PANA SNMP
– Option 3: Preconfigured
– No changes on the PANA spec.
• If there are multiple PAAs?
– Same issue applies to 1-hop PANA as well
– Current spec: PaC picks any
5
IP Addressing
• A link-local PRPA is not suitable for mhop
PANA deployments.
• Include a “deployment consideration” text
in the PANA framework I-D:
– “If PAA is multiple hops away from the PaC,
the access network must allow non-link-local
PRPA configuration.”
6
EP Location
• No changes are proposed on the location of
EP
– L2 access device (e.g., IEEE 802.11 AP)
– Access router
• PAA must know the location of EP(s)
– Same as before.
7
NAT traversal (1/2)
Diagram: PaC - EP/AR - NAT - PAA
• What happens if there is a NAT between EP and PAA?
– IP-Address and DI AVPs checked against IP header
• DI AVP: Bind DI to PANA session
– PaC DI is the IP address when IPsec is used.
– PAA delivers DI to EP.
• IP-Address AVP:
– Bind PAA IP address to PANA session
– If PaC IP address changes (e.g., run DHCP after PANA), PaC notifies
PAA
• Did we really need the integrity checks?
– IP address theft/spoofing – IP address ownership issue
8
NAT traversal (2/2)
• UDP destination port in request messages set to
PANA_port.
– PAA requests sent to PaC -- port mapping issue
• Proposal:
– Option 1: Remove the integrity checks, handle port
issue
– Option 2: Include a deployment considerations text:
“NAT between PaC and PAA is not supported”.
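Added illustration, not part of the slides: a small simulation of the two NAT problems raised on the previous two slides. The Nat class, the Packet layout and the address values are constructed for this example; the IP-Address AVP check models the header consistency check described on slide 8, and the fixed destination port models the PANA_port rule on slide 9.

```python
from dataclasses import dataclass

PANA_PORT = 716  # UDP port used for PANA; treated here only as a fixed constant

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ip_address_avp: str  # address the PaC places in the PANA payload

class Nat:
    """Constructed minimal NAT: outbound traffic creates a mapping, inbound
    traffic is forwarded only if a mapping for its destination port exists."""
    def __init__(self, public_ip, preserve_port=False):
        self.public_ip, self.preserve_port = public_ip, preserve_port
        self.next_port = 40000
        self.out = {}  # (private_ip, private_port) -> public_port
        self.inb = {}  # public_port -> (private_ip, private_port)

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out:
            # Some NATs keep the source port when it is free; others rewrite it.
            port = pkt.src_port if self.preserve_port and pkt.src_port not in self.inb else self.next_port
            self.next_port += 1
            self.out[key], self.inb[port] = port, key
        return Packet(self.public_ip, self.out[key], pkt.dst_ip, pkt.dst_port, pkt.ip_address_avp)

    def inbound(self, pkt):
        key = self.inb.get(pkt.dst_port)
        if key is None:
            return None  # no mapping for this port: the NAT drops the packet
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1], pkt.ip_address_avp)

def paa_header_check(pkt):
    """Slide 8 check: the IP-Address AVP must match the IP header source."""
    return pkt.ip_address_avp == pkt.src_ip

def run_scenario(nat=None):
    """Returns (AVP check passed, PAA-initiated request reached the PaC)."""
    pac_ip, paa_ip = "10.0.0.5", "192.0.2.10"
    req = Packet(pac_ip, PANA_PORT, paa_ip, PANA_PORT, pac_ip)   # PaC -> PAA
    seen_by_paa = nat.outbound(req) if nat else req
    avp_ok = paa_header_check(seen_by_paa)
    # PAA later sends a request to the address it saw; slide 9: dst port is PANA_port.
    paa_req = Packet(paa_ip, PANA_PORT, seen_by_paa.src_ip, PANA_PORT, paa_ip)
    delivered = nat.inbound(paa_req) if nat else paa_req
    return avp_ok, delivered is not None
```

Without a NAT both checks succeed; with a port-rewriting NAT the AVP check fails and the PAA-initiated request is dropped, and even a port-preserving NAT still fails the AVP check, which is what makes Option 1 (remove the checks) and Option 2 (declare NAT unsupported) the two choices.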
9
TTL
• Drop the TTL check on both PaC and PAA
10
• Any other issues?
• Re-charter?
– “For simplicity, it is assumed that
the PAA is attached to the same link as the
device (i.e., no intermediary IP routers).”
11