Protocol for carrying Authentication for Network Access WG               H. Li
Internet-Draft                                                        R. Zheng
Intended status: Standards Track                           Huawei Technologies
Expires: May 13, 2010                                        November 09, 2009


Interworking of PANA and 802.1X
draft-li-pana-interworking-00

Abstract

EAP is a lower-layer dependent protocol: 802.1X carries it over the link layer and PANA carries it over the network layer. 802.1X cannot traverse intermediate nodes, while PANA can carry EAP across the network at the network layer. 802.1X is popular on legacy terminals, but upgrading all of these terminals to support PANA is painful. This document introduces a PANA interworking function that enables legacy 802.1X terminals to get authenticated and gain access to a PANA network without upgrading their software or hardware.

Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

Status of this Memo

This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on May 13, 2010.

Copyright Notice

Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License.



Table of Contents

1.  Introduction
2.  Authentication Scenarios and Interworking Function Deployments
    2.1.  User terminals are directly connected to the access network
    2.2.  User terminals are connected to the network via gateways
3.  PANA Interworking Function
    3.1.  Authentication and Authorization with PANA-IWF
    3.2.  Termination Phase with PANA-IWF
4.  Security Considerations
5.  References
    5.1.  Normative Reference
    5.2.  Informative References
    Authors' Addresses





1.  Introduction

EAP is a protocol that defines an authentication framework supporting multiple authentication methods. EAP runs between a peer and an EAP server, typically over a link layer such as IEEE 802. With the effort of the PANA (Protocol for carrying Authentication for Network Access) working group, EAP may now also run over the network layer per PANA [RFC5191]. As EAP is a lower-layer dependent protocol, different protocols are needed when EAP runs over different lower layers, e.g. EAPoL [IEEE802.1X] for EAP over Ethernet and PANA for EAP over IP.

Clients may use PANA to authenticate for network access without any link layer authentication method involved. However, legacy terminals may support EAP and EAPoL but not PANA. One shortcoming of 802.1X is that it runs only on the link layer and cannot pass through any intermediate nodes.

The intent of this document is to define an interworking mechanism between 802.1X and PANA that helps 802.1X terminals get authenticated and gain access to a PANA network without updating the software or hardware of these legacy terminals.




2.  Authentication Scenarios and Interworking Function Deployments

ITU-T Q.3201 [Q.3201] has defined the EAP-based authentication architecture in NGN, where link layer authentication, network layer authentication and an interworking function between them are required. Figure 1 depicts such an architecture for a broadband network. The PANA-IWF is the functional entity that supports interworking between 802.1X and PANA. This function should be located in the device to which user terminals are directly connected. Though EAPoL can run only over the link between the user terminals and the PANA-IWF, EAP can be delivered further over IP thanks to PANA.

The benefits of such an architecture include a unified authentication point for various interfaces and support for authenticating peers that are only indirectly connected to the authenticator.



                                                     +--------------+
                                                     |  AAA Server  |
                                                     |              |
                                                     +--------------+
                                                           |
                                                           |
                                                           |
                                                           |
             EAP over                  EAP over            |
 +---------+ link layer +------------+ network layer +--------------+
 |User     |<---------->|PANA-IWF    |<------------->|Authenticator |
 |Terminals|            |            |               |/PAA          |
 +---------+            +------------+               +--------------+

 Figure 1: General Authentication Interworking Architecture for Broadband Network 




2.1.  User terminals are directly connected to the access network

Legacy user terminals supporting 802.1X are directly connected to the access network. The PANA-IWF is located in the access network device to which the user terminals attach. 802.1X runs between the user terminals and the access network device at the edge. Such an access network device is generally called an Access Node, which in this case is typically an Ethernet switch or a public hot spot. See Figure 2.



                                                     +--------------+
                                                     |  AAA Server  |
                                                     |              |
                                                     +--------------+
                                                           |
                                                           |
                                                           |
                                                           |
             EAP over                  EAP over            |
 +---------+ link layer +------------+ network layer +--------------+
 |User     |<---------->|Access Node/|<------------->|BRAS/PAA/     |
 |Terminals|            |PANA-IWF    |               |Authenticator |
 +---------+            +------------+               +--------------+

 Figure 2 




2.2.  User terminals are connected to the network via gateways

Legacy user terminals supporting 802.1X are connected to the access network via gateways. The PANA-IWF is located in the gateway. 802.1X runs between the user terminals and the gateway. This is a typical case for DSL and PON access networks, where the gateway is integrated into the DSL CPE and the ONT respectively. See Figure 3.



                                                     +--------------+
                                                     |  AAA Server  |
                                                     |              |
                                                     +--------------+
                                                           |
                                                           |
                                                           |
                                                           |
                          EAP over           EAP over      |
 +-----+       +--------+ network +--------+ network  +-------------+
 |User | EAPoL |Gateway | layer   | Access | layer    |BRAS/PAA/    |
 |Term.|<----->+PANA-IWF|<------->| Node   |<-------->|Authenticator|
 +-----+       +--------+         +--------+          +-------------+

 Figure 3 




3.  PANA Interworking Function

The PANA Interworking Function (PANA-IWF) is an intermediary between an 802.1X client and a PANA Authentication Agent (PAA) that performs interworking between EAPoL and PANA. The PANA-IWF converts EAPoL messages from the 802.1X client into PANA messages and forwards them to the PAA. It also converts PANA messages from the PAA into EAPoL messages and forwards them to the client.

Towards the PAA, the PANA-IWF acts as a PaC: it maintains the PANA state machine and responds to the PAA's PANA-Auth-Request with a PANA-Auth-Answer. A local IP address for the PaC and the IP address of the PAA should be configured on the PANA-IWF beforehand. The PANA-IWF relays EAP messages between the EAPoL client and the PAA by re-encapsulating the piggybacked EAP message with an Ethernet or IP header, without touching the content of the EAP message.




3.1.  Authentication and Authorization with PANA-IWF

802.1X clients seeking authentication can reach the PAA and obtain authorization for network access via the PANA-IWF.

An example authentication process follows:

  1. The 802.1X client sends EAPoL-Start to the PANA-IWF, which triggers an EAP authentication process.
  2. On receiving the EAPoL-Start message, the PANA-IWF sends a PANA-Client-Initiation to the PAA and starts the negotiation process with the PAA.
  3. On receiving a PANA-Auth-Request carrying an EAP-Payload, the PANA-IWF converts this message into an EAPoL frame carrying the EAP Request by extracting the EAP-Payload and adding link layer information. The EAPoL message is then forwarded to the 802.1X client.
  4. The 802.1X client replies to the EAPoL message as in a normal 802.1X authentication process. The PANA-IWF converts this EAPoL message from the 802.1X client into a PANA-Auth-Answer message and forwards it to the PAA. Through the PANA-IWF's interpretation, the 802.1X client talks to the PAA in EAP and performs the authentication process.
  5. After the client is successfully authenticated, the PAA sends the PANA-IWF a PANA-Auth-Request with EAP-Success and the 'C' bit set. On one hand, the PANA-IWF replies to the PAA with a PANA-Auth-Answer with the 'C' bit set to finish the PANA authentication process. On the other hand, it informs the 802.1X client that authentication is successful via an EAP-Success in EAPoL and finishes the 802.1X authentication process.



3.2.  Termination Phase with PANA-IWF

The 802.1X client may request to terminate the session by sending an EAPoL-Logoff message. The PANA-IWF converts the EAPoL-Logoff message into a PANA-Termination-Request message, which is sent to the PAA. The PAA replies with a PANA-Termination-Answer and cleans up the PANA session.
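The following is an added example, not part of the draft, of the re-encapsulation the PANA-IWF performs in Section 3, the five-step authentication exchange of Section 3.1, and the logoff of Section 3.2. It models the IWF as a small state machine that parses EAPoL frames and PANA messages and moves the EAP packet between them unchanged. The header layouts, message types, flag bits and AVP codes are taken from IEEE 802.1X, RFC 3748 and RFC 5191 rather than from this draft; the session identifier, sequence numbers, EAP Identity exchange and state names are constructed for the demonstration.

```python
import struct

# Constants assumed from IEEE 802.1X, RFC 3748 and RFC 5191 (not defined in this draft).
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
PANA_PCI, PANA_AUTH, PANA_TERMINATION = 1, 2, 3          # PANA Message Type values
FLAG_R, FLAG_S, FLAG_C = 0x8000, 0x4000, 0x2000          # Request, Start, Complete bits
AVP_EAP_PAYLOAD, AVP_TERMINATION_CAUSE = 2, 9
TERM_CAUSE_LOGOUT = 1


def parse_eapol(frame):
    """EAPoL header: Version(1) PacketType(1) BodyLength(2), then the body."""
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated EAPoL body")
    return ptype, body


def build_eapol(ptype, body=b""):
    return struct.pack("!BBH", 2, ptype, len(body)) + body   # protocol version 2


def build_avp(code, value):
    """PANA AVP: Code(2) Flags(2) Length(2) Reserved(2) Value, padded to 4 octets."""
    return struct.pack("!HHHH", code, 0, len(value), 0) + value + b"\x00" * (-len(value) % 4)


def build_pana(msg_type, flags, session_id, seq, avps=b""):
    """PANA header: Reserved(2) Length(2) Flags(2) Type(2) SessionId(4) SeqNo(4)."""
    return struct.pack("!HHHHII", 0, 16 + len(avps), flags, msg_type, session_id, seq) + avps


def parse_pana(msg):
    _, length, flags, msg_type, session_id, seq = struct.unpack("!HHHHII", msg[:16])
    if length != len(msg):
        raise ValueError("PANA length field does not match message size")
    avps, off = {}, 16
    while off < length:
        code, aflags, alen, _ = struct.unpack("!HHHH", msg[off:off + 8])
        off += 8 + (4 if aflags & 0x8000 else 0)             # skip Vendor-Id when V bit set
        avps[code] = msg[off:off + alen]
        off += alen + (-alen % 4)
    return msg_type, flags, session_id, seq, avps


class PanaIwf:
    """Acts as PaC towards the PAA and as authenticator port towards the EAPoL client."""

    def __init__(self):
        self.state, self.session_id = "IDLE", 0
        self.paa_seq = 0    # sequence number of the last PAA request; answers echo it
        self.own_seq = 0    # sequence number space for requests the IWF originates

    def from_client(self, frame):
        """Translate one EAPoL frame into the PANA message for the PAA (None if nothing to send)."""
        ptype, body = parse_eapol(frame)
        if ptype == EAPOL_START:                              # step 1 -> step 2: PCI
            self.state = "PCI_SENT"
            return build_pana(PANA_PCI, 0, 0, 0)
        if ptype == EAPOL_LOGOFF:                             # Section 3.2: PTR with LOGOUT cause
            self.state, self.own_seq = "TERMINATING", self.own_seq + 1
            cause = build_avp(AVP_TERMINATION_CAUSE, struct.pack("!I", TERM_CAUSE_LOGOUT))
            return build_pana(PANA_TERMINATION, FLAG_R, self.session_id, self.own_seq, cause)
        if ptype == EAPOL_EAP_PACKET and body[:1] == bytes([EAP_RESPONSE]):   # step 4: PAN
            return build_pana(PANA_AUTH, 0, self.session_id, self.paa_seq,
                              build_avp(AVP_EAP_PAYLOAD, body))  # EAP bytes copied untouched
        return None

    def from_paa(self, msg):
        """Translate one PANA message; returns (answer for PAA or None, EAPoL frame or None)."""
        msg_type, flags, session_id, seq, avps = parse_pana(msg)
        if msg_type == PANA_TERMINATION and not flags & FLAG_R:   # PTA closes the session
            self.state = "CLOSED"
            return None, None
        if msg_type != PANA_AUTH or not flags & FLAG_R:
            return None, None
        if flags & FLAG_S:                                    # PAR(S) carries the session id
            self.session_id = session_id
        self.paa_seq = seq
        eap = avps.get(AVP_EAP_PAYLOAD)
        if eap is None:                                       # nothing for the client; answer PAA
            return build_pana(PANA_AUTH, flags & FLAG_S, self.session_id, seq), None
        eapol = build_eapol(EAPOL_EAP_PACKET, eap)            # step 3: EAP re-framed in EAPoL
        if flags & FLAG_C:                                    # step 5: final result
            self.state = "OPEN" if eap[0] == EAP_SUCCESS else "CLOSED"
            return build_pana(PANA_AUTH, FLAG_C, self.session_id, seq), eapol
        self.state = "AUTHENTICATING"
        return None, eapol


def run_demo():
    """Constructed exchange: Start, Identity round trip, Success, Logoff. Returns the state trace."""
    iwf, trace = PanaIwf(), []
    iwf.from_client(build_eapol(EAPOL_START)); trace.append(iwf.state)
    identity_req = bytes([EAP_REQUEST, 1, 0, 5, 1])          # EAP Request/Identity, constructed
    _, frame = iwf.from_paa(build_pana(PANA_AUTH, FLAG_R | FLAG_S, 0x1234, 100,
                                       build_avp(AVP_EAP_PAYLOAD, identity_req))); trace.append(iwf.state)
    identity_rsp = bytes([EAP_RESPONSE, 1, 0, 10, 1]) + b"alice"
    iwf.from_client(build_eapol(EAPOL_EAP_PACKET, identity_rsp))
    iwf.from_paa(build_pana(PANA_AUTH, FLAG_R | FLAG_C, 0x1234, 101,
                            build_avp(AVP_EAP_PAYLOAD, bytes([EAP_SUCCESS, 1, 0, 4])))); trace.append(iwf.state)
    iwf.from_client(build_eapol(EAPOL_LOGOFF)); trace.append(iwf.state)
    iwf.from_paa(build_pana(PANA_TERMINATION, 0, 0x1234, 1)); trace.append(iwf.state)
    return trace
```

The point to notice is that `from_client` and `from_paa` only ever copy the EAP bytes between the two encapsulations; the IWF never interprets or rewrites the EAP method data, which is what keeps the EAP method's own security properties intact across the interworking.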




4.  Security Considerations

802.1X and PANA are both EAP-based and inherit their security properties from EAP and from the EAP methods in use.




5.  References




5.1.  Normative References

[IEEE802.1X] IEEE, “IEEE Standard for Local and Metropolitan Area Networks—Port-Based Network Access Control,” IEEE 802.1X-2004.
[Q.3201] “EAP-based security signalling protocol architecture for network attachment,” ITU-T Q.3201.
[RFC4058] Yegin, A., Ohba, Y., Penno, R., Tsirtsis, G., and C. Wang, “Protocol for Carrying Authentication for Network Access (PANA) Requirements,” RFC 4058, May 2005.
[RFC5191] Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H., and A. Yegin, “Protocol for Carrying Authentication for Network Access (PANA),” RFC 5191, May 2008.



5.2.  Informative References

[RFC2119] Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997.
[RFC5193] Jayaraman, P., Lopez, R., Ohba, Y., Parthasarathy, M., and A. Yegin, “Protocol for Carrying Authentication for Network Access (PANA) Framework,” RFC 5193, May 2008.
[RFC5609] Fajardo, V., Ohba, Y., and R. Marin-Lopez, “State Machines for the Protocol for Carrying Authentication for Network Access (PANA),” RFC 5609, August 2009.



Authors' Addresses

  Hongyu Li
  Huawei Technologies
  Huawei Industrial Base
  Shenzhen, 518129
  China

  Phone:  +86-755-28973567
  Email:  lihy@huawei.com


  Ruobin Zheng
  Huawei Technologies
  Huawei Industrial Base
  Shenzhen, 518129
  China

  Phone:  +86-755-28972317
  Email:  robin@huawei.com