PANA enabling IPsec based Access control

1
PANA enabling IPsec based Access control

• draft-ietf-pana-ipsec-04.txt
• Mohan Parthasarathy
• NOKIA

2
Open Issues

• Can PANA session lifetime be greater than AAA-key
  lifetime ?
• Reflect what is in PANA protocol document.
• When IPsec SA expires, do we re-negotiate IKE SA
  also ?
• When IPsec SA expires, AAA-key might have been
  expired sometime back resulting in new IKE PSK.
• Negotiating just a new IPsec SA (IKEv1 Phase 2 /
  CREATE_CHILD_SA in IKEv2) means we are using old
  IKE PSK ?
• When either of IPsec SA or IKE SA expires,
  negotiate new SAs based on new IKE PSK ?
• Lifetime of IKE PSK ?
• Does IKE PSK expires when AAA-key expires ?
• Currently, IKE PSK expiry is tied to the AAA-key.