On Thu, Dec 06, 2007 at 06:10:30PM +0100, Wojciech Dec (wdec) wrote:
(snip)
> 
> IPAuth-9      Should be simple to implement on client (PC or CPE)
> PRESENTED ANSWER: Yes. Implementation does not require changes to the
> operating system. Open source implementation available.
> ISSUE: I believe there are overlooked OS impacts here. PANA requires
> that a short, but not too short, temporary DHCP IP address lease for
> authentication be granted before the second post-PANA DHCP lease is
> granted. The OS must be able to handle this IP address and config change
> without disrupting applications above. If the temporary IP address lease
> is presented to the OS for use by applications other than PANA, and then
> shortly thereafter revoked, visible disruptions to applications may
> occur as sockets are reset, applications which received (or did not
> receive) proper config information in the first DHCP lease may not
> receive or be able to handle this config change without some timeouts,
> etc. (think about what happens to some OSes when you try to move from
> one subnet to another and receive a new DHCP lease). Bottom line, the IP
> address to IP address and lease to lease transition has a lot of
> potential for race conditions that could affect applications on the OS.
> One way to mitigate this would be to not present the first DHCP lease
> information to any application other than EAP, but of course this likely
> requires OS changes.

I don't understand why this is an issue.  IP address change after
launching applications can happen in many situations (e.g., change
from link-local address to global address, change from CoA to HoA upon
successful Mobile IP registration, change from using a physical
interface address to tunnel inner address upon IPsec tunnel
establishment for VPN, etc.).  IP address change is something OS and
applications have to deal with, regardless of whether PANA is used or
not, and I think many OSes and applications already deal with it.

Yoshihiro Ohba

_______________________________________________
Pana mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/pana
