> > To:
> >
> > An EP is located between the access network (the topology within
> reach
> > of any client) and the accessed network (the topology within
> reach of
> > only authorized clients). It must be located strategically in a
> local
> > area network to minimize the access of unauthorized clients. It
> is
> > recommended but not mandated that the EP be on-path between the
> > PaC and the PAA for the aforementioned reason. For example, the
> > EP can be hosted on the switch that is directly connected to the
> > clients in a wired network. That way the EP can drop
> unauthorized
> > packets before they reach any other client node or beyond the
> > local area network.
>
> That's good. It would also help to show the traffic authorized by PANA
> in figure 1 - it flows from the PaC (must be the endpoint) through the
> EP (must be on-path) and onward (down-arrow from EP box). While we're
> dealing with this figure, I think the IKE/4-way handshake label on
> the Pac-to-EP link needs to be changed to be consistent with Section
> 4's discussion of the various possible setup scenarios - use of IKE
> is possible, but not required.
RADIUS,
Diameter,
+-----+ PANA +-----+ LDAP, API, etc. +-----+
| PaC |<----------------->| PAA |<---------------->| AS |
+-----+ +-----+ +-----+
^ ^ ^
| . |
| . +-----+ |
| ........|.EP | |
+--------->| . |<--------+ SNMP, API, etc.
IKE, +-----+
4-way handshake, .
etc. .
.
v
Data traffic
> > To:
> >
> > In case cryptographic access control needs to be enabled after the
> > PANA authentication, a secure association protocol runs between the
> > PaC and the EP. Dynamic parameters required for that
> > protocol (e.g., endpoint identity, shared secret) are derived from
> > successful PANA authentication. For example, see
> [I-D.ietf-pana-ipsec]
> > for how it is done with IKE. The secure association protocol
> exchange
> > produces the required security associations between the PaC and the
> EP to
> > enable cryptographic data traffic protection. Per-packet
> cryptographic
> > data traffic protection introduces additional per-packet overhead
> but the
> > overhead exists only between the PaC and EP and will not affect
> > communications beyond the EP..
>
> "are derived from successful PANA authentication" --> "are derived from
> successful PANA authentication; these parameters are used to
> authenticate
> the PaC to the EP and vice-versa as part of creating the security
> association."
>
> "for how it is done with IKE" --> "for how it is done for IKE based on
> using a key-generating EAP method for PANA between the PaC and PAA".
>
> There are two points I'm clarifying here:
> - PANA is the primary authentication. The output of that EAP method
> serves to authentication the security association in the context
> of that primary authentication (i.e., Pac and EP do not
> authenticate
> from scratch independent of the PANA authentication).
> - Remove any possibility of confusing PANA's use of EAP with the ability
> to run EAP between the PaC and EP (e.g., EAP can be embedded in
> IKEv2).
>
In case cryptographic access control needs to be enabled after the
PANA authentication, a secure association protocol runs between the
PaC and the EP. Dynamic parameters required for that
protocol (e.g., endpoint identity, shared secret) are derived from
successful PANA authentication; these parameters are used to
authenticate the PaC to the EP and vice-versa as part of creating the
security association. For example, see [I-D.ietf-pana-ipsec] for how it
is done for IKE based on using a key-generating EAP method for PANA
between the PaC and PAA. The secure association protocol exchange
produces the required security associations between the PaC and the EP to
enable cryptographic data traffic protection. Per-packet cryptographic
data traffic protection introduces additional per-packet overhead but the
overhead exists only between the PaC and EP and will not affect
communications beyond the EP.
Thank you.
Alper
_______________________________________________
Pana mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/pana
