OK. Let me propose text.
[1] In Section 3, change:
"
o Re-authentication phase: During the access phase, the PAA must
initiate re-authentication before the PANA session lifetime
expires. EAP is carried by PANA to perform authentication. This
phase may be optionally triggered by both the PaC and the PAA
without any respect to the session lifetime. The session moves to
this phase from the access phase, and returns back there upon
successful re-authentication.
"
to:
"
Re-authentication phase: During the access phase, the PAA may,
and the PaC should, initiate re-authentication if they want to
update the PANA session lifetime before the PANA
session lifetime expires. EAP is carried by PANA to perform
authentication. This phase may be optionally triggered by both
the PaC and the PAA without any respect to the session lifetime.
The session moves to this phase from the access phase, and
returns back there upon successful re-authentication.
"
[2] In Section 4.3, 2nd paragraph, change:
"
When the PaC wants to initiate re-authentication, it sends a
PANA-Notification-Request message with 'A' bit set (a re-
authentication request message) to the PAA.
"
to:
"
When the PaC initiates re-authentication, it sends a
PANA-Notification-Request message with 'A' bit set (a re-
authentication request message) to the PAA.
"
[3] In Section 5.7, change:
"
The authentication and authorization phase determines the PANA
session lifetime when the network access authorization succeeds. The
Session-Lifetime AVP MAY be optionally included in the last
PANA-Auth-Request message to inform the PaC about the valid lifetime
of the PANA session. It MUST be ignored when included in other PANA
messages.
When the Session-Lifetime AVP is not included in the last
PANA-Auth-Request message then the PaC has no knowledge about a PANA
session limitation and must therefore conclude that the session is
not limited.
The lifetime is a non-negotiable parameter that can be used by the
PaC to manage PANA-related state. The PaC does not have to perform
any actions when the lifetime expires, other than purging local
state. The PAA MUST initiate the re-authentication phase before the
current session lifetime expires.
"
to:
"
The authentication and authorization phase determines the PANA
session lifetime when the network access authorization succeeds. The
Session-Lifetime AVP MUST be included in the last PANA-Auth-Request
message (i.e., with 'C' (Complete) bit set) in authentication and
authorization phase or re-authentication phase to inform the PaC
about the valid lifetime of the PANA session. It MUST be ignored
when included in other PANA messages.
The lifetime is a non-negotiable parameter that can be used by the
PaC to manage PANA-related state. The PaC does not have to perform
any actions when the lifetime expires, other than purging local
state. The PAA MAY, and the PaC SHOULD, initiate the
re-authentication phase before the current session lifetime expires
if they want to update the session lifetime.
"
(I don't think we should define a value for "infinity", because the
maximum value of session lifetime is 2^32-1 (4,294,967,295) sec =
49,710 days!)
Yoshihiro Ohba
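The following is an added example, not text from the draft or from anyone on this thread: a small Python model of the Session-Lifetime rules proposed above (lifetime honored only from the final PANA-Auth-Request with the 'C' bit set and ignored elsewhere, PaC re-authenticating before expiry via a PANA-Notification-Request with the 'A' bit, PAA deleting the session at expiry, and the 2^32-1 second maximum quoted in the note). The message layout, class names and helper functions are simplifying assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_LIFETIME = 2**32 - 1  # Session-Lifetime is a 32-bit unsigned number of seconds


@dataclass
class PanaMessage:                                # simplified message model (assumption)
    kind: str                                     # e.g. "PANA-Auth-Request"
    flags: set = field(default_factory=set)       # 'C' = Complete, 'A' = re-authentication
    avps: dict = field(default_factory=dict)      # AVP name -> value


def final_par_error(msg: PanaMessage) -> Optional[str]:
    """Check the proposed MUST: the last PAR ('C' bit set) carries a valid Session-Lifetime."""
    lt = msg.avps.get("Session-Lifetime")
    if lt is None:
        return "last PANA-Auth-Request MUST include Session-Lifetime"
    if not 0 <= lt <= MAX_LIFETIME:
        return "Session-Lifetime does not fit in 32 bits"
    return None


@dataclass
class PacSession:
    lifetime: int = 0        # seconds granted by the PAA; 0 until the final PAR arrives
    granted_at: float = 0.0

    def on_message(self, msg: PanaMessage, now: float) -> int:
        """Accept Session-Lifetime only from the final PAR; it is ignored in any other message."""
        if msg.kind == "PANA-Auth-Request" and "C" in msg.flags:
            err = final_par_error(msg)
            if err:
                raise ValueError(err)
            self.lifetime, self.granted_at = msg.avps["Session-Lifetime"], now
        return self.lifetime

    def expires_at(self) -> float:
        return self.granted_at + self.lifetime

    def should_reauth(self, now: float, margin: float) -> bool:
        """PaC SHOULD start re-authentication before expiry if it wants to keep the session."""
        return now >= self.expires_at() - margin

    def reauth_request(self) -> PanaMessage:
        # Re-authentication request: PANA-Notification-Request with the 'A' bit set
        return PanaMessage("PANA-Notification-Request", {"A"})


def paa_session_alive(expires_at: float, now: float) -> bool:
    """PAA side: without re-authentication the session is deleted once the lifetime expires."""
    return now < expires_at


def lifetime_in_days(seconds: int) -> int:
    return seconds // 86400  # MAX_LIFETIME gives 49710 days, as the note above computes
```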
On Thu, Apr 19, 2007 at 08:59:39AM +0200, MORAND Lionel RD-CORE-ISS wrote:
> It makes sense! ;)
> For the PaC behavior, I think that a "If PaC wants... then PaC MUST" is
> acceptable.
> Ok for the behavior of the PAA. It MAY initiate the re-auth when it wants.
>
> BR,
>
> Lionel
>
> > -----Original Message-----
> > From: Alper Yegin [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, April 19, 2007 08:32
> > To: MORAND Lionel RD-CORE-ISS; [email protected]
> > Subject: RE: [Pana] PAA initiating Re-authentication
> >
> >
> > In order to reduce the optionality, can we say:
> >
> > - PAA MUST send lifetime (when infinity, it can send maxint).
> > - PaC SHOULD initiate re-auth before lifetime expires. A
> > "should" because PaC may choose not to extend the
> > authorization. Or we can make it a must with a conditional
> > "if PaC wants to extend....".
> > - PAA MAY initiate re-auth. Now, this one does not have to be
> > related to lifetime expiry, given that we put that burden on the PaC.
> >
> > Does this make sense?
> >
> > Alper
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: MORAND Lionel RD-CORE-ISS
> > > [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, April 12, 2007 12:43 PM
> > > To: Alper Yegin; [email protected]
> > > Subject: [Pana] PAA initiating Re-authentication
> > >
> > > Hi,
> > >
> > > In section 5.7 Session Lifetime, it is stated:
> > >
> > > "The PAA MUST initiate the re-authentication phase before
> > the current
> > > session lifetime expires."
> > >
> > > I can't figure out why there is a "MUST" in that case.
> > >
> > > As documented in the draft,
> > >
> > > - The session lifetime is not negotiable between the PAA
> > and the PaC.
> > > - The session lifetime may be sent to the PaC. If not, the PaC
> > > considers the PANA session as unlimited.
> > > - Both PaC and PAA may initiate a re-authentication procedure
> > > regardless of the session lifetime.
> > >
> > > Could we just have the following principles:
> > >
> > > - If the session lifetime is sent to the PaC:
> > > The PaC should re-authenticate before the expiration of the session
> > > lifetime. Otherwise, the session is deleted by the PAA at the
> > > expiration of the session lifetime (and the PaC will purge
> > related local state).
> > > The PAA may initiate a re-authentication procedure before the
> > > expiration of the session lifetime. Otherwise, the session
> > is deleted
> > > by the PAA at the expiration of the session lifetime (and
> > the PaC will
> > > purge related local state).
> > > Both PaC and PAA may initiate a re-authentication procedure
> > regardless
> > > of the session lifetime.
> > >
> > > - If the session lifetime is sent to the PaC:
> > > The PAA may initiate a re-authentication procedure before the
> > > expiration of the session lifetime. Otherwise, the session
> > is deleted
> > > at the expiration of the session lifetime.
> > > Both PaC and PAA may initiate a re-authentication procedure
> > regardless
> > > of the session lifetime.
> > >
> > >
> > > With these principles, it is up to the PaC to maintain
> > active its PANA
> > > session when informed by the network (PAA) of the authorized session
> > > lifetime.
> > > There is no strong requirement for the PAA/network point of
> > view to .
> > > It is therefore up to the network operator to configure the PAA
> > > expected behaviour.
> > >
> > > Comments?
> > >
> > > Lionel
> > >
> > >
> > > > -----Original Message-----
> > > > From: Alper Yegin [mailto:[EMAIL PROTECTED]
> > > > Sent: Thursday, April 5, 2007 10:06
> > > > To: [email protected]
> > > > Subject: [Pana] Review pana-pana-15a
> > > >
> > > >
> > > > PANA specification is reviewed based on the last round of AD
> > > > comments (thanks Yoshi!).
> > > >
> > > > The spec is here:
> > > >
> > > > http://www.panasec.org/docs/editing/draft-ietf-pana-pana-15a.txt
> > > >
> > > > And its diff with the version that predates last round of AD
> > > > comments
> > > > (-13):
> > > >
> > > > http://www.panasec.org/docs/editing/draft-ietf-pana-pana-15a-from-3.diff.html
> > > >
> > > > Please review the document and register your feedback by
> > the end of
> > > > April 12, Thursday.
> > > >
> > > > Upon collecting and resolving any issues, the document
> > will proceed
> > > > to IETF last call.
> > > >
> > > > Thanks
> > > >
> > > > Alper
> > > >
> > > > _______________________________________________
> > > > Pana mailing list
> > > > [email protected]
> > > > https://www1.ietf.org/mailman/listinfo/pana
> > > >