PANA enabling IPsec based Access control

1
PANA enabling IPsec based Access control

• draft-mohanp-pana-ipsec-00.txt
• Mohan Parthasarathy
• Tahoe Networks
• - Presented by Hannes Tschofenig

2
Enabling IPsec Access control

• PANA protocol - used to authenticate the client.
• PANA protocol - also capable of sending
  Protection-capability-AVP (with
  PANA-Bind-Request) asking (enforcing) the client
  to use L2 or L3 cipher.
• But PANA protocol does not specify the details on
  how the L2/L3 SAs are established etc.
• This draft essentially discusses the details of
  using IPsec as the L3 cipher.

3
Pre-requisites for using IPsec

• PANA client (PaC) should learn the IP address of
  the enforcement point (EP) during the PANA
  exchange.
• PaC learns that the network uses IPsec for
  securing the PaC-EP link.
• PaC has already acquired an IP address and PAA
  knows about the IP address of the PaC before the
  exchange starts.

4
IKE/IPsec details

• At the end of a successful authentication, a PANA
  SA is established between PaC and PAA (assuming
  the underlying EAP method is capable of
  generating a Master Key (MK)).
• IKE pre-shared key is derived from the PANA SA
  (TBD).
• EP securely receives the following from PAA
• - IKE pre-shared key
• - IP address of PaC
• - PANA session id

5
IKE/IPsec details (contd..)

• Manual keying not supported. IKE is used to
  establish IPsec SAs.
• Both Aggressive mode and Main mode is easy to
  support.
• In main mode, PaC and EP uses the IP address as
  the client identifier.
• In Aggressive mode, PaC and EP use the PANA
  session id as identifier - part of ID_KEY_ID
  payload.

6
IKE/IPsec details (contd..)

• After Phase I SA is established, quick mode
  exchange is performed to setup an IPsec SA.
• Quick mode IPsec SA is an ESP transport mode SA
  used in conjunction with IP-IP tunnel interface
  (IP-IP transport mode SA).
• IPsec tunnel mode SA also can be used.

7
IPv4/IPv6 Details

• Draft has specific examples on SPD entries, IPsec
  processing details for both IPv4 and IPv6.
• In IPv4, the SPD entries are very simple. All of
  the traffic is tunneled to the security gateway
  (EP).
• In IPv6, there are a few exceptions.
• EP is the security gateway a router. Implies
  hop count is decremented by 1.
• This wont work for RD/ND messages which assume
  nhop count 255.

8
IPv4/IPv6 details (contd..)

• As IPsec selectors are not capable of expressing
  bypass rules for ND/RD messages
• - Use just fe80/10 as the on-link
  prefix
• i.e., all other packets are sent to
  the
• default router.
• - Bypass IPsec for packets destined to
• fe80/10.
• All packets are tunneled to the link-local
  address of the EP.

9
Double IPsec

• If the PaC uses IPsec for secure remote access,
  there will be separate SPD entries for protecting
  the remote network traffic.
• Packets will be protected twice. Once for the
  remote network and once for the local network.
• This case of iterated tunneling is discussed in
  RFC2401 (IPsec).

10
Open Issues

• IKE pre-shared key derivation from PANA SA.
• Use IPsec tunnel mode to describe the IPsec
  details instead of IP-IP transport mode.

11
Question to WG

• Should we make this a WG I-D?