Protocol for Carrying Authentication and Network Access (PANA) Threat Analysis and Security Requirements
RFC 4016

Network Working Group                                   M. Parthasarathy
Request for Comments: 4016                                         Nokia
Category: Informational                                       March 2005

     Protocol for Carrying Authentication and Network Access (PANA)
              Threat Analysis and Security Requirements

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document discusses the threats to protocols used to carry
   authentication for network access.  The security requirements arising
   from these threats will be used as additional input to the Protocol
   for Carrying Authentication for Network Access (PANA) Working Group
   for designing the IP-based network access authentication protocol.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
   2.  Keywords . . . . . . . . . . . . . . . . . . . . . . . . . . .  2
   3.  Terminology and Definitions. . . . . . . . . . . . . . . . . .  2
   4.  Usage Scenarios. . . . . . . . . . . . . . . . . . . . . . . .  3
   5.  Trust Relationships. . . . . . . . . . . . . . . . . . . . . .  4
   6.  Threat Scenarios . . . . . . . . . . . . . . . . . . . . . . .  5
       6.1.  PAA Discovery. . . . . . . . . . . . . . . . . . . . . .  6
       6.2.  Authentication . . . . . . . . . . . . . . . . . . . . .  6
       6.3.  PaC Leaving the Network. . . . . . . . . . . . . . . . .  9
       6.4.  Service Theft. . . . . . . . . . . . . . . . . . . . . . 10
       6.5.  PAA-EP Communication . . . . . . . . . . . . . . . . . . 11
       6.6.  Miscellaneous Attacks. . . . . . . . . . . . . . . . . . 12
   7.  Summary of Requirements. . . . . . . . . . . . . . . . . . . . 13
   8.  Security Considerations. . . . . . . . . . . . . . . . . . . . 13
   9.  Normative References . . . . . . . . . . . . . . . . . . . . . 14
   10. Informative References . . . . . . . . . . . . . . . . . . . . 14
   11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 14
   Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 15

Parthasarathy                Informational                      [Page 1]
RFC 4016                  PANA Threat Analysis                March 2005

1.  Introduction

   The Protocol for Carrying Authentication for Network Access (PANA)
   Working Group is developing methods for authenticating clients to the
   access network using IP-based protocols.  This document discusses the
   threats to such IP-based protocols.

   A client wishing to get access to the network must carry out multiple
   steps.  First, it needs to discover the IP address of the PANA
   authentication agent (PAA) and then execute an authentication
   protocol to authenticate itself to the network.  Once the client is
   authenticated, there might be other messages exchanged during the
   lifetime of the network access.  This document discusses the threats
   in these steps without discussing any solutions.  The requirements
   arising out of these threats will be used as input to the PANA
   Working Group.  The word "co-located" in this document means that
   the entities referred to are present on the same node.

2.  Keywords

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [KEYWORDS].

3.  Terminology and Definitions

   Client Access Device

      A network element (e.g., notebook computer, PDA) that requires
      access to a provider's network.

   Network Access Server (NAS)

      Network device that provides access to the network.

   PANA Client (PaC)

      An entity in the edge subnet that seeks to obtain network access
      from a PANA authentication agent within a network.  A PANA client
      is associated with a device and a set of credentials to prove its
      identity within the scope of PANA.

   PANA Authentication Agent (PAA)

      An entity whose responsibility is to authenticate the PANA client
      and to grant network access service to the client's device.

   Authentication Server (AS)

      An entity that authenticates the PANA client.  It may be
