For those of us that are just trying to follow this discussion, what does the word "posture" mean in this context?

-- Eric

--> -----Original Message-----
--> From: Narayanan, Vidya [mailto:vidyan@xxxxxxxxxxxx]
--> Sent: Friday, May 26, 2006 2:05 PM
--> To: Sam Hartman; Bernard Aboba
--> Cc: ietf@xxxxxxxx
--> Subject: RE: The Emperor Has No Clothes: Is PANA actually useful?
-->
--> >
--> > >>>>> "Bernard" == Bernard Aboba <aboba@xxxxxxxxxxxxx> writes:
--> >
--> > >> My question is more why do they need EAP in situations where
--> > >> they are not running at the link layer than why do they want or
--> > >> not want PANA.
--> >
--> > Bernard> The simple answer is that there are situations which IEEE
--> > Bernard> 802.1X cannot handle on wired networks. As specified,
--> > Bernard> IEEE 802.1X is "network port control", which means that
--> > Bernard> authorization is controllable only at the port level. If
--> > Bernard> there is more than one host connected to a switch port,
--> > Bernard> then that model no longer applies.
--> >
--> > Yeah. I guess I wonder whether you are actually getting
--> > network access authentication at that point or whether you
--> > are getting a service that allows you to check posture. It
--> > seems that a service that simply allows you to check posture
--> > should be not EAP.
--> >
-->
-->
--> I fully agree. As far as I can tell, using EAP in this manner merely
--> reduces it to a posture transport protocol. The level of security
--> provided by EAPoUDP does not seem to be any greater than a
--> kerberos-based authentication done today in most enterprise networks,
--> considering the presence of switched ethernet. Hence, the only reason to
--> move to EAPoUDP would be to check posture and I agree with Sam that
--> making EAP the posture transport protocol is a bad idea.
-->
--> Vidya
-->
--> > _______________________________________________
--> > Ietf mailing list
--> > Ietf@xxxxxxxx
--> > https://www1.ietf.org/mailman/listinfo/ietf