
Pre-authentication Extension to PANA draft-ietf-pana-preauth-02.txt


Presentation Transcript


  1. Pre-authentication Extension to PANA (draft-ietf-pana-preauth-02.txt). Yoshihiro Ohba. IETF70 PANA WG

  2. Changes from -01
     • Defined ‘E’ (prE-authentication) bit instead of ‘P’ bit
       • ‘P’ bit is assigned for “Ping” in pana-pana-18
     • Updated call flows to be consistent with pana-pana-18
     • Revised terms (simplified)
       • Changed the name of PAAs in the serving and candidate networks
         • Local PAA → Serving PAA (SPAA)
         • Remote PAA → Candidate PAA (CPAA)
       • Changed the name of PANA SA between PaC and CPAA
         • Pre-authentication SA → Pre-authorization SA
       • Changed the name of PANA SA between PaC and SPAA
         • Active SA → Post-authorization SA
       • Removed non-important terms
         • {Local,Remote} PaC, {Preparing,Active} PAA
     • Added reference to I-D.ietf-hokey-preauth-ps

  3. Example Call Flow (PaC-initiated pre-authentication)
     Participants: Candidate PAA (CPAA), PaC
     Note: The first PCI message is omitted in the case of PAA-initiated pre-authentication
     • Pre-authentication trigger
     • PCI w/ ‘E’ bits set
     • PAR w/ ‘S’ and ‘E’ bits set
     • PAN w/ ‘S’ and ‘E’ bits set
     • PAR/PAN exchange w/ ‘E’ bits set
     • :
     • Pre-authorization
     • PAR/PAN exchange w/ ‘C’ and ‘E’ bits set
     • Movement
     • PNR w/ ‘P’ bit set and ‘E’ bit cleared
     • Post-authorization
     • PNA w/ ‘P’ bit set and ‘E’ bit cleared

  4. Example Call Flow (IP address update for pre-authorized SA)
     Participants: Candidate PAA (CPAA), PaC
     • Movement
     • PNR w/ ‘P’ and ‘E’ bit set
     • IP Address Update
     • PNA w/ ‘P’ and ‘E’ bit set
     Issue: MiTM attack is possible because source IP address is not protected

  5. Thank You!
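
Added example (not from the slides or the draft): Python that decodes the PANA header flags and follows the SA state through the call flows on slides 3 and 4. The header layout and the R/S/C/A/P/I masks follow RFC 5191; the ‘E’ mask 0x0200 (taken from the later RFC 5873), the state strings, the helper names and the sample flow are assumptions.

```python
import struct

# R,S,C,A,P,I masks per RFC 5191. The 'E' position is an assumption taken
# from RFC 5873; the slides do not state which bit is used.
FLAGS = {"R": 0x8000, "S": 0x4000, "C": 0x2000, "A": 0x1000,
         "P": 0x0800, "I": 0x0400, "E": 0x0200}
PCI, AUTH, NOTIFY = 1, 2, 4  # RFC 5191 types: PCI, PAR/PAN, PNR/PNA


def build(mtype, letters, seq, session=0x1234):
    """Construct a bare 16-byte PANA header (no AVPs) for the sample flow."""
    flags = sum(FLAGS[c] for c in letters)
    return struct.pack("!HHHHII", 0, 16, flags, mtype, session, seq)


def parse_header(data):
    """Decode a PANA header into (type, set of flag letters, session, seq)."""
    if len(data) < 16:
        raise ValueError("truncated PANA header")
    _rsvd, length, flags, mtype, session, seq = struct.unpack("!HHHHII", data[:16])
    if length < 16 or length > len(data):
        raise ValueError("bad message length")
    return mtype, {k for k, m in FLAGS.items() if flags & m}, session, seq


def track_sa(messages):
    """Return the SA state after each message of one PaC/CPAA session."""
    state, history = "none", []
    for raw in messages:
        mtype, f, _sid, _seq = parse_header(raw)
        answer = "R" not in f  # R set = request, cleared = answer
        if state == "none" and mtype in (PCI, AUTH) and "E" in f:
            state = "pre-authenticating"
        elif state == "pre-authenticating" and mtype == AUTH and answer and {"C", "E"} <= f:
            state = "pre-authorization"  # assumes success; Result-Code AVP not parsed
        elif state == "pre-authorization" and mtype == NOTIFY and answer \
                and "P" in f and "E" not in f:
            state = "post-authorization"  # ping with 'E' cleared after movement
        history.append(state)  # ping with 'E' still set (slide 4) changes nothing
    return history


# Constructed sample: slide 3 flow with the slide 4 IP address update inserted.
SAMPLE_FLOW = [
    build(PCI, "E", 0), build(AUTH, "RSE", 1), build(AUTH, "SE", 1),
    build(AUTH, "RCE", 2), build(AUTH, "CE", 2),
    build(NOTIFY, "RPE", 3), build(NOTIFY, "PE", 3),  # IP address update
    build(NOTIFY, "RP", 4), build(NOTIFY, "P", 4),    # 'E' cleared
]
```

The tracker reads only the header, so it says nothing about the source IP address the slide 4 issue concerns; that field sits outside the PANA message.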
