> >
> > The above two issues are related. If PANA would eliminate trying to
> > operate on L2 access controls, and rely solely on an IP Address and
> > associated filter, then it would truly be a Network Layer authentication
> > and Network Layer access protocol. I believe this would go a very long
> > way to eliminate confusion over where PANA can add value. I cannot
> > understate this enough.
>
> This is a fundamental difference in how we view PANA. I don't consider
> PANA as "Network Layer access protocol" while I only consider PANA as
> a network layer protocol for carrying authentication information for
> network access.

This is a terminology issue, I believe. As we said in RFC 4058:

   After a device is authenticated by using PANA, it MUST be authorized
   for "network access." That is, the core requirement of PANA is to
   verify the authorization of a PaC so that PaC's device may send and
   receive any IP packets.

So, PANA authenticates for (and is used for authorization of) "network
access."

Execution of access control is orthogonal to PANA authentication. A
network can choose to change IP filters to allow traffic from an
authenticated client, change L2 filters to do the equivalent, or even do
some L1 filtering. At the end, what's really allowed/disallowed is the
IP network access.

I hope this clarifies.

Alper

_______________________________________________
Pana mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/pana
