PANA Network Selection draft-ohba-pana-netsel-00.txt

1
PANA Network Selectiondraft-ohba-pana-netsel-00.t
xt

• Yoshihiro Ohba

2
Background

• Network selection was defined older revisions of
  PANA specification to provide following functions
• NAP and ISP separate authentication
• ISP selection
• During IETF last call, network selection was
  removed from PANA specification, with suggestion
  to define it in a separate document
• This draft is submitted as such a document

3
A new bit in PANA Header for NETSEL

• 0 1
• 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
• ----------------
• R S C A P I N r r r r r r r r r
• ----------------
• N(Network Selection) This bit is set when the
  sender supports network selection function

4
N bit Usage

• The PAA and PaC advertise their support for the
  network selection function in the initial PAR and
  PAN messages with both 'S (Start) and N
  (Network selection) bits set.
• If 'N' bit is set in both messages, the PAA and
  PaC may start NAP and ISP Separate Authentication
  and/or ISP selection

5
NAP and ISP Separate Authentication

• Two PANA sessions are established between the PaC
  and PAA, one for NAP authentication and the other
  for ISP authentication.
• For the PANA session used for NAP authentication,
  PAR message sent in response to the initial
  PAR-PAN exchange with 'S' (Start) bit set
  carries one NAP-Information AVP.
• The PANA session used for ISP authentication
  MUST NOT carry a NAP-Information AVP.
• When a PANA SA is established, the same
  NAP-Information AVP MUST be carried in the last
  PANA-Auth-Request message with 'C' (Complete)
  bit set with an AUTH AVP
• Issue PANA SA should be a MUST considering
  crypto binding (see below)
• When NAP and ISP separate authentication is
  performed, cryptographic binding MUST be made
  between the two session
• How the cryptographic binding is created is TBD

6
ISP Selection

• ISP selection MUST NOT be performed over a
  session used for NAP authentication.
• ISP selection MAY be performed in the absence of
  NAP and ISP separate authentication
• The second PAR message (with S bit cleared)
  with N bit set carries one or more
  ISP-Information AVPs
• When there is only one ISP-Information AVP, there
  is only one ISP choice
• The PAN message sent in response to this PAR
  message carries at most one ISP-Information AVP
  to indicate the ISP chosen by the PaC.
• In the absence of an ISP in the PAN, ISP
  selection is typically performed based on the
  client identifier (e.g., using the realm portion
  of an NAI carried in EAP method).
• When a PANA SA is established, the
  ISP-Information AVP for the selected ISP MUST be
  carried in the last PAR message with 'C'
  (Complete) bit set with an AUTH AVP

7
Example Call Flow(NAP Authentication)
PAA
PaC
PCI
PSRSN1Algorithm
PSASN1Algorithm
PSRN1NAP-InformationltNAP1gt, EAP-Payload
PSAN1EAP-Payload
PSRN1EAP-Payload
PSAN1EAP-Payload

PARCN1NAP-InformationltNAP1gt,
EAP-Payload, Key-ID, AUTH
PANCN1Key-ID, AUTH
8
Example Call Flow(ISP Selection w/ one ISP
choice)
PAA
PaC
PCI
PSRSN1Algorithm
PSASN1Algorithm
PSRN1ISP-InformationltISP1gt, EAP-Payload
PSAN1EAP-Payload
PSRN1EAP-Payload
PSAN1EAP-Payload

PARCN1ISP-InformationltISP1gt,
EAP-Payload, Key-ID, AUTH
PANCN1Key-ID, AUTH
9
Example Call Flow(ISP Selection w/ two ISP
choices)
PAA
PaC
PCI
PSRSN1,SIDyAlgorithm
PSASN1,SIDyAlgorithm
PSRN1ISP-InformationltISP1gt,
ISP-InformationltISP2gt, EAP-Payload
PSAN1ISP-InformationltISP1gt,EAP-Payload
PSRN1EAP-Payload
PSAN1EAP-Payload

PARCN1ISP-InformationltISP1gt,
EAP-Payload, Key-ID, AUTH
PANCN1Key-ID, AUTH
10
NAP-Information AVPISP-Information AVP

• NAP,ISP-Information AVP is of type Octet-String
  that carries an NAP,ISP name encoded as a
  RADIUS Operator-Name attribute value
  I-D.ietf-geopriv-radius-lo (see below)
• 0 1 2
  3
• 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
  4 5 6 7 8 9 0
• -------------------------
  -------
• Namespace ID Operator-Name
  ...
• -------------------------
  -------
• Operator-Name
  ...
• -------------------------
  -------
• Namespace ID 0 (TADIG in GSM), 1 (REALM),
  2 (E212), 3 (ICC)

11
Thank You!