SNMP for the PAA-2-EP protocol PANA wg - IETF 59 Seoul


Presentation Transcript


  1. SNMP for the PAA-2-EP protocol
     PANA wg - IETF 59 Seoul
     Draft: http://yacine.free.fr/ietf59/pana/draft-yacine-pana-snmp-02.txt
     Authors: Yacine El Mghazli (Alcatel), Yoshihiro Ohba (Toshiba), Julien Bournelle (GET/INT)

  2. Presentation Overview
     - Introduction
       - PAA-2-EP basic principle
       - PAA-2-EP within the PANA wg
       - Back on the SNMP choice
     - SNMPv3 applicability against PAA-2-EP protocol reqs
     - SNMP usage for the PAA-2-EP
       - Re-usable existing MIB modules
       - Additional PANA-specific MIB objects
     - Next Steps

  3. Introduction: PAA-2-EP functional basic principle
     [Diagram; only its labels survived: PaC, PAA, AR / EP and AAA backend on "one single IP subnet"; "PANA auth" between PaC and PAA; "AAA auth" between PAA and AAA backend; "PAA-2-EP: Install filter" from PAA to EP; "PaC traffic" passing through the EP.]

  4. Introduction: PAA-2-EP within the PANA wg
     - PANA charter:
       - The PANA working group must mandate one protocol
       - The PANA wg will not design a new protocol; it may involve the definition of extensions of an existing one
     - History:
       - IETF55: PAA-2-EP topic introduction (draft-ietf-pana-requirements-0x.txt)
       - IETF57: PAA-2-EP protocol considerations (draft-yacine-pana-paa-ep-reqs-00.txt)
       - IETF58: PAA-2-EP protocols evaluation (draft-yacine-pana-paa2ep-eval-00.txt)
     - Already a fair amount of discussion on the ML

  5. Introduction: Why SNMP?
     - Consensus regarding the PAA-2-EP protocol within the PANA wg:
       - An existing protocol (no new protocol design)
       - Basic configuration needs (no 'disqualifying' requirement), but
       - No disruptive choice
       - No immature solutions
       - Follow the IAB recommendations
     - SNMPv3 fully satisfies the above conditions:
       - v3 satisfies the security conditions
       - Widely spread for monitoring ("get" messages)
       - "Set" messages allow simple configuration
       - Lots of MIBs available
     - SNMP provides a simple solution with a high level of re-use

  6. PAA-2-EP protocol: SNMPv3 applicability
     - One-to-many relation: 1 SNMP manager (PAA) can relate simultaneously to several Agents (EPs)
     - Secure communication: the User-based Security Model (USM) provides authentication, confidentiality, integrity, replay attack prevention, and time windows for the validity of messages
     - Notification of PaC presence: SNMP can provide this feature using SMIv2 traps
     - Accounting: the PAA can poll its EPs, and the counters are considered good enough

  7. PAA-2-EP protocol: SNMPv3 applicability (cont'd)
     - Peer liveness: SNMP periodic polling is sufficient for inactive EP detection
     - Rebooted peer detection: the snmpEngineBoots MIB object detects a rebooted EP
     - Authorization, ACLs and keying material: re-use existing objects
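The three mechanisms in slides 6 and 7 (USM time windows, rebooted-peer detection from snmpEngineBoots, and inactive-EP detection by periodic polling) can be shown as the bookkeeping a PAA, acting as SNMP manager, keeps per EP. The following is an added example written for this page, not code from the slides or the draft: it uses no SNMP library, the poll results are constructed in-memory records standing in for real SNMPv3 responses, and the class and status names are this example's own. The time-window rule follows RFC 3414 for a non-authoritative receiver: a response is outside the window if its snmpEngineBoots is lower than the stored value, or equal with snmpEngineTime more than 150 seconds behind the latest seen, or if the stored boots value has saturated at 2147483647.

```python
"""Added example (not from the slides or the draft): PAA-side monitoring of
EPs over periodic SNMPv3 polls. Models USM timeliness checking (RFC 3414),
reboot detection via snmpEngineBoots, and inactive-EP detection via missed
polls. PollResult records are constructed; no network I/O is performed."""
from dataclasses import dataclass
from typing import Optional

USM_TIME_WINDOW = 150          # seconds (RFC 3414, section 2.2.3)
ENGINE_BOOTS_MAX = 2147483647  # snmpEngineBoots saturates here (RFC 3414)


@dataclass
class PollResult:
    """One response from an EP's SNMP engine (constructed stand-in)."""
    engine_boots: int       # msgAuthoritativeEngineBoots reported by the EP
    engine_time: int        # msgAuthoritativeEngineTime (seconds since EP boot)
    ok: bool = True         # False when the poll timed out


@dataclass
class EpState:
    last_boots: Optional[int] = None
    last_time: Optional[int] = None
    missed: int = 0


class EpMonitor:
    """Tracks snmpEngineBoots/Time and missed polls for each EP (hypothetical)."""

    def __init__(self, max_missed: int = 3):
        self.max_missed = max_missed   # polls missed before an EP is 'inactive'
        self.eps = {}                  # EP name -> EpState

    def poll(self, ep: str, r: PollResult) -> str:
        st = self.eps.setdefault(ep, EpState())
        if not r.ok:
            # Peer liveness: count consecutive misses of the periodic poll.
            st.missed += 1
            return "inactive" if st.missed >= self.max_missed else "timeout"
        st.missed = 0
        if st.last_boots is None:
            # First contact: learn the EP's engine boots/time (engine discovery).
            st.last_boots, st.last_time = r.engine_boots, r.engine_time
            return "discovered"
        # USM time-window check: reject stale or replayed responses.
        if (r.engine_boots < st.last_boots
                or (r.engine_boots == st.last_boots
                    and r.engine_time < st.last_time - USM_TIME_WINDOW)
                or st.last_boots == ENGINE_BOOTS_MAX):
            return "not_in_time_window"
        # A higher snmpEngineBoots than last seen means the EP rebooted, so any
        # filters the PAA installed there may need to be re-pushed.
        rebooted = r.engine_boots > st.last_boots
        if rebooted or r.engine_time > st.last_time:
            st.last_boots, st.last_time = r.engine_boots, r.engine_time
        return "rebooted" if rebooted else "ok"


def run_demo() -> list:
    """Constructed poll sequence for one EP; returns the status per poll."""
    mon = EpMonitor(max_missed=3)
    events = [
        ("ep1", PollResult(5, 1000)),            # first contact
        ("ep1", PollResult(5, 1060)),            # normal poll, 60 s later
        ("ep1", PollResult(5, 800)),             # 260 s behind: outside window
        ("ep1", PollResult(6, 12)),              # boots went 5 -> 6: EP rebooted
        ("ep1", PollResult(6, 70, ok=False)),    # missed poll 1
        ("ep1", PollResult(6, 130, ok=False)),   # missed poll 2
        ("ep1", PollResult(6, 190, ok=False)),   # missed poll 3: inactive
    ]
    return [mon.poll(ep, r) for ep, r in events]


if __name__ == "__main__":
    for status in run_demo():
        print(status)
```

A real deployment would also feed the "rebooted" status back into the PAA so that the SPD rules for every active PaC behind that EP are re-installed, since an EP that lost its configuration on reboot silently stops enforcing access control.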

  8. SNMP for PAA-2-EP: Re-use of existing IPsec configuration MIBs
     - The IPsec configuration MIB was recently split into 3 separate modules
     - IPsec SPD configuration MIB module (IPSP wg):
       - Rule/Filter/Action policy structure
       - Various IP filters, including an IP header filter
       - Notification variables re-usable for the PaC presence trap
     - IPsec IKE configuration MIB module (IPSP wg):
       - For IP-based access control (draft-ietf-pana-ipsec-02)
       - Pre-shared key (PSK) configuration, derived at the PAA level
       - ID_KEY_ID configuration (aggressive mode): PANA session_id

  9. SNMP for PAA-2-EP: Additional PANA-specific MIB objects
     - PANA-specific objects extend the SPD-MIB:
       - Link-layer filters
       - PaC presence trap
       - Keying material for L2 protection
     - Current version (-02):
       - IEEE 802 filters
       - New PaC notification
     - Browse the whole current MIB set at: http://yacine.free.fr/ietf59/pana/dev
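Slides 8 and 9 describe the data the PAA pushes to an EP: an SPD-MIB style Rule/Filter/Action structure, IP header filters, PANA-specific link-layer (IEEE 802) filters, and a "new PaC" notification. The following added example, written for this page and not taken from the draft's MIB or the slides, models that structure as an in-memory enforcement point. The packet layout, rule fields, action names and the default-deny policy are this example's assumptions; the point it illustrates is why a DI-based filter binds both the link-layer and IP identifiers of a PaC, and how an unmatched source becomes the notification the EP would raise as a trap.

```python
"""Added example (not the draft's MIB nor code from the slides): a minimal
Rule/Filter/Action enforcement point with IP-header and IEEE 802 MAC filters,
plus the 'new PaC' notification. Packets and rules are constructed inline."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Fields an EP would inspect (constructed; not a real frame parser)."""
    src_mac: str
    src_ip: str
    dst_ip: str
    protocol: int            # IP protocol number, e.g. 17 = UDP


@dataclass
class Filter:
    """Link-layer and/or IP-header match; a None field is a wildcard."""
    src_mac: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    protocol: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src_mac and p.src_mac.lower() != self.src_mac.lower():
            return False
        if self.src_net and ip_address(p.src_ip) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(p.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.protocol is not None and p.protocol != self.protocol:
            return False
        return True


@dataclass
class Rule:
    priority: int            # lower value is evaluated first
    filter: Filter
    action: str              # "permit", "deny" or "notify" (hypothetical names)


class EnforcementPoint:
    """What the EP does with rules the PAA installs via PAA-2-EP."""

    def __init__(self):
        self.rules: List[Rule] = []
        self.notifications: List[str] = []   # MACs reported in 'new PaC' traps

    def install(self, rule: Rule) -> None:
        # Equivalent to the PAA creating a rule row on the EP with SNMP Set.
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority)

    def revoke(self, src_mac: str) -> None:
        # Session end: remove every rule bound to that PaC's MAC.
        self.rules = [r for r in self.rules if r.filter.src_mac != src_mac]

    def handle(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.filter.matches(p):
                if rule.action == "notify":
                    # New PaC notification: record the unknown device for the
                    # PAA (sent as an SNMP trap in the real protocol) and
                    # do not forward the traffic.
                    self.notifications.append(p.src_mac)
                return rule.action
        return "deny"        # default-deny when nothing matches (assumption)


def run_demo() -> dict:
    """Constructed scenario: one authorized PaC on the access subnet."""
    ep = EnforcementPoint()
    pac_mac, pac_ip, subnet = "00:11:22:33:44:55", "192.0.2.10", "192.0.2.0/24"
    # DI-based filter: the PaC's MAC and IP must both match to be permitted.
    ep.install(Rule(10, Filter(src_mac=pac_mac, src_net=pac_ip + "/32"), "permit"))
    # Anything else from the subnet is an unauthenticated PaC: notify the PAA.
    ep.install(Rule(100, Filter(src_net=subnet), "notify"))
    results = {
        "authorized": ep.handle(Packet(pac_mac, pac_ip, "198.51.100.1", 17)),
        # Same IP as the PaC but a different MAC: the DI binding fails.
        "mac_mismatch": ep.handle(Packet("aa:bb:cc:dd:ee:ff", pac_ip, "198.51.100.1", 6)),
        "unknown_pac": ep.handle(Packet("aa:bb:cc:dd:ee:01", "192.0.2.77", "198.51.100.1", 1)),
        "off_subnet": ep.handle(Packet("aa:bb:cc:dd:ee:02", "203.0.113.9", "198.51.100.1", 6)),
    }
    ep.revoke(pac_mac)       # PANA session ended: PaC loses access
    results["after_revoke"] = ep.handle(Packet(pac_mac, pac_ip, "198.51.100.1", 17))
    results["notified"] = list(ep.notifications)
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Ordering by priority matters: the permit rule for the authenticated PaC must sort before the subnet-wide notify rule, otherwise authorized traffic would be reported as a new PaC on every packet.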

  10. Next Steps
     - PANA context usage examples (section 6, TBD)
     - More link-layer filters:
       - Might re-use existing ones, e.g. ADSL ports open/close
       - Some additional object design might be needed
     - L2 protection attributes: e.g. 802.11i keys...
     - More?
     - Gauge room consensus to accept this document as a PANA WG item

  11. THANKS

  12. PAA-2-EP protocol: Requirements Summary
     - One-to-many PAA-EP relation: required. A given EP relates to multiple PAAs.
     - Secure communication: required. Authentication, confidentiality, and integrity.
     - New PaC notification: required. The EP notifies the PAA of an unauthorized PaC's presence. Optional (PANA can do that).
     - Inactive EP detection: not required. Satisfied by other means; the architecture can take it into account with e.g. a request-response mechanism.

  13. PAA-2-EP protocol: Requirements Summary (cont'd)
     - Stateful approach: not required. The PAA does not maintain any EP state; the whole solution does (at application level). Some implementation guidance is needed.
     - Accounting/feedback from the EPs: required. Polling is sufficient for the PANA needs.
     - EP configuration information: the PAA-2-EP protocol must push DI-based filters and keying material down to the EP.
