Protocol for Carrying Authentication for Network Access (PANA) Framework
RFC 5193
Network Working Group                                       P. Jayaraman
Request for Comments: 5193                                       Net.Com
Category: Informational                                         R. Lopez
                                                         Univ. of Murcia
                                                            Y. Ohba, Ed.
                                                                 Toshiba
                                                        M. Parthasarathy
                                                                   Nokia
                                                                A. Yegin
                                                                 Samsung
                                                                May 2008
Protocol for Carrying Authentication for Network Access (PANA) Framework
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Abstract
This document defines the general Protocol for Carrying
Authentication for Network Access (PANA) framework functional
elements, high-level call flow, and deployment environments.
Table of Contents
1. Introduction
   1.1. Specification of Requirements
2. General PANA Framework
3. Call Flow
4. Environments
5. Security Considerations
6. Acknowledgments
7. References
   7.1. Normative References
   7.2. Informative References
Jayaraman, et al. Informational [Page 1]
RFC 5193 PANA Framework May 2008
1. Introduction
PANA (Protocol for Carrying Authentication for Network Access) is a
link-layer agnostic network access authentication protocol that runs
between a client that wants to gain access to the network and a
server on the network side. PANA defines a new Extensible
Authentication Protocol (EAP) [RFC3748] lower layer that uses IP
between the protocol end points.
The motivation to define such a protocol and the requirements are
described in [RFC4058]. Protocol details are documented in
[RFC5191]. Following a successful PANA authentication,
per-data-packet security can be achieved by using physical security,
link-layer ciphering, or IPsec [PANA-IPSEC]. The server
implementation of PANA may or may not be colocated with the entity
enforcing the per-packet access control function. When the server
for PANA and per-packet access control entities are separate, a
protocol (e.g., [ANCP-PROTO]) may be used to carry information
between the two nodes.
PANA is intended to be used in any access network regardless of the
underlying security. For example, the network might be physically
secured, or secured by means of cryptographic mechanisms after the
successful client-network authentication. While it is mandatory for
a PANA deployment to implement behavior that ensures the integrity of
PANA messages when the EAP method produces an MSK, it is not mandatory
to implement support for network security at the link-layer or
network-layer.
This document defines the general framework for describing how these
various PANA and other network access authentication elements
interact with each other, especially considering the two basic types
of deployment environments (see Section 4).
1.1. Specification of Requirements
In this document, several words are used to signify the requirements
of the specification. These words are often capitalized. The key
words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
are to be interpreted as described in [RFC2119].
2. General PANA Framework
PANA is designed to facilitate the authentication and authorization
of clients in access networks. PANA is an EAP [RFC3748] lower layer
that carries EAP authentication methods encapsulated inside EAP
between a client node and a server in the access network. While PANA
enables the authentication process between the two entities, it is
only a part of an overall AAA (Authentication, Authorization and
Accounting) and access control framework. A AAA and access control