Alper Yegin wrote:
End of Section 1:

"filter rule installation," is identified as out of scope. As discussed
on the list and with the chairs on the phone, this isn't entirely true
when an IP address as a Device ID is communicated via PANA and used to
permit packets with that Source IP address to flow after authentication
occurs. This is a filter. A very simple one, but a very important one.
Thus, I don't think that this statement is factual in its current form.


Filter rule creation is different than filter rule installation. The former
involves identifying the rules (e.g., allow packets with source IP ==
64.236.10.20), the latter involves sending the filters from where they are
created (partially or fully) to where they will be used (e.g., from PAA to
EP).

Wouldn't that be the PAA-EP protocol? That is listed separately in the same paragraph.

OK.  How about changing the first sentence of the last paragraph of
Section 1 as follows?

"
   There are components that are part of a complete secure network
   access solution but are outside of the PANA protocol specification,
   including IP address configuration, authentication method choice,
   detailed filter rule installation other than use of device
   identifiers as filtering parameters, data traffic protection,
   PAA-EP protocol and PAA discovery.
"

So, I'd rewrite this paragraph as:

    There are components that are part of a complete secure network
    access solution but are outside of the PANA protocol specification,
    including IP address configuration, authentication method choice,
    data traffic protection, PAA-EP protocol, and PAA discovery. PANA
    authentication output is used for creating access control filters. But
    creation of fine-granularity filters and their installation on the
    enforcement elements are outside the scope as well.

OK, in the first part you have simply removed "filter rule installation" - I agree that helps. I don't think you need the extra sentence at the end though. Read without context of this discussion, it raises more questions than answers (what does "fine-granularity" mean, for example; a single filter on a single IP hostroute sounds pretty "granular" to me!).

- Mark
Alper

