> > End of Section 1:
> >
> > "filter rule installation," is identified as out of scope. As discussed
> > on the list and with the chairs on the phone, this isn't entirely true
> > when an IP address as a Device ID is communicated via PANA and used to
> > permit packets with that Source IP address to flow after authentication
> > occurs. This is a filter. A very simple one, but a very important one.
> > Thus, I don't think that this statement is factual in its current form.
Filter rule creation is different than filter rule installation. The former
involves identifying the rules (e.g., allow packets with source IP ==
64.236.10.20), the latter involves sending the filters from where they are
created (partially or fully) to where they will be used (e.g., from PAA to
EP).
>
> OK. How about changing the first sentence of the last paragraph of
> Section 1 as follows?
>
> "
> There are components that are part of a complete secure network
> access solution but are outside of the PANA protocol specification,
> including IP address configuration, authentication method choice,
> detailed filter rule installation other than use of device
> identifiers as filtering parameters, data traffic protection,
> PAA-EP protocol and PAA discovery.
> "
So, I'd rewrite this paragraph as:
There are components that are part of a complete secure network
access solution but are outside of the PANA protocol specification,
including IP address configuration, authentication method choice,
data traffic protection, PAA-EP protocol, and PAA discovery. PANA
authentication output is used for creating access control filters. But
creation of fine-granularity filters and their installation on
the enforcement elements are outside the scope as well.
Alper